Major ISPs Publish Anti-Spam Best Practices

wayne writes "The ASTA, an alliance of major ISPs, has just published a set of best practices to help fight spam. The list of ISPs includes the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast. The recommendations include such things as limiting port 25 use, rate limiting email, closing redirectors and open relays, and detecting zombies. For details, see the ASTA Statement of Intent (pdf) or any of the ISPs' antispam websites."

  • by TheOtherAgentM ( 700696 ) on Tuesday June 22, 2004 @02:07PM (#9497384)
    ...but the people that would really read these things are the ones that know how to avoid most spam already, aren't they? I doubt my parents would even stumble across any of these resources in their daily submitting of their email addresses to every form they can find.
  • by Bill, Shooter of Bul ( 629286 ) on Tuesday June 22, 2004 @02:08PM (#9497394) Journal
    Spammers are like a retrovirus. They will adapt to any system you construct. Creating a list of what every major ISP will do to combat them will only serve to accelerate their evolution and make them more effective spammers.
  • Balance (Score:2, Insightful)

    by it0 ( 567968 ) on Tuesday June 22, 2004 @02:09PM (#9497404)
    I hope they find the right balance between just providing the internet and locking it down so it can't harm the average consumer.
  • limit port 25 (Score:4, Insightful)

    by markan18 ( 718118 ) <sm@bigserver.hopto.org> on Tuesday June 22, 2004 @02:09PM (#9497416)
    As long as I still can run my own SMTP server.
    They can limit outbound port 25 because I still can forward my email through their official SMTP server. If they limit inbound port 25, it will suck big time.
  • Whatever... (Score:4, Insightful)

    by Bif Powell ( 726774 ) on Tuesday June 22, 2004 @02:10PM (#9497421)
    ...let's just all do something before the government really starts to regulate things. I'm stupid about such things, so out of curiosity why hasn't the w3c or the people who write the RFCs come up with some new SMTP spec?...please...
  • by AviLazar ( 741826 ) on Tuesday June 22, 2004 @02:10PM (#9497424) Journal
    And just like all crime, all we can do is fight back. We either find the weakness ourselves and fix it, or we find out that a criminal (spammer) found a weakness and we fix it. To sit and do nothing would be really bad (imagine Windows XP with all the flaws dating back to Windows 3.1) :)
  • by Anonymous Coward on Tuesday June 22, 2004 @02:15PM (#9497483)
    I'd be very happy if everyone could get their act together and reject undeliverable addresses during the SMTP transaction. Delayed bounces are responsible for most of the backscatter which pollutes my mailboxes and logs these days.

    Qmail, I'm looking at you. People who don't run something like LDAP on their secondary MXs, I'm looking at you.

    I'm almost to the point of blocking the null sender from certain hosts, just because they are nothing but crap. I know all about the RFC (and rfc-ignorant.org), but they're causing a serious problem for the rest of the world.

    The worst part is for people who run control panels like Plesk. They have to run qmail (no choice in the matter), and so they either become a delayed bounce source, or they enable the catchall and get to suck down all that mail. They can't win.
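
An added illustration, not part of the comment above and not taken from any mail server's code: a small simulation of the two behaviours the commenter contrasts, rejecting an unknown recipient during the SMTP transaction versus accepting the message and bouncing it later. The mailbox table, addresses and spam run are constructed sample data, and the function names are hypothetical.

```python
# Added example: SMTP-time rejection vs. accept-then-bounce.
# Mailboxes, addresses and the spam run below are constructed sample data.
VALID_MAILBOXES = {"alice@example.org", "bob@example.org"}

# (forged envelope sender, recipient) pairs as a spam run would present them.
SPAM_RUN = [
    ("victim1@example.net", "alice@example.org"),
    ("victim2@example.net", "sales@example.org"),
    ("victim3@example.net", "info@example.org"),
    ("victim1@example.net", "webmaster@example.org"),
]


def rcpt_time_reject(mail_from, rcpt_to):
    """Check the recipient while the sending client is still connected."""
    if rcpt_to in VALID_MAILBOXES:
        return "250 2.1.5 OK", None
    # The refusal goes back over the open connection; no new mail is created.
    return "550 5.1.1 User unknown", None


def accept_then_bounce(mail_from, rcpt_to):
    """Accept at RCPT TO, find out later the mailbox is missing, send a DSN."""
    if rcpt_to in VALID_MAILBOXES:
        return "250 2.1.5 OK", None
    # The bounce carries the null sender (MAIL FROM:<>) and is addressed to
    # the envelope sender, which in a spam run is forged.
    dsn = {"mail_from": "", "rcpt_to": mail_from, "undeliverable": rcpt_to}
    return "250 2.1.5 OK", dsn


def run(policy, messages):
    """Return (three-digit reply codes, bounce messages generated)."""
    codes, bounces = [], []
    for mail_from, rcpt_to in messages:
        reply, dsn = policy(mail_from, rcpt_to)
        codes.append(reply[:3])
        if dsn is not None:
            bounces.append(dsn)
    return codes, bounces


if __name__ == "__main__":
    for policy in (rcpt_time_reject, accept_then_bounce):
        codes, bounces = run(policy, SPAM_RUN)
        print(policy.__name__, codes, [b["rcpt_to"] for b in bounces])
```

With rejection at RCPT TO the server generates no mail of its own; with delayed bounces every unknown recipient becomes a null-sender message delivered to an address that never sent anything.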
  • ISP's need to act (Score:5, Insightful)

    by nagora ( 177841 ) on Tuesday June 22, 2004 @02:19PM (#9497522)
    If someone has an open relay box because of some Trojan horse program surely their ISP are in the best place to notice the traffic patterns in and out of their port 25. Cut them off and when they call to complain tell them to sort their machine out or find another ISP.

    But, of course, that might cost the ISP's money. So instead we get a "best practice" document which preaches to the converted and achieves nothing.

    TWW

  • by WormholeFiend ( 674934 ) on Tuesday June 22, 2004 @02:20PM (#9497530)
    one example of bad spammer behavior I've seen, which is totally new from the usual types is spammers sending email pretending to be my ISP, complete with legit-looking special offers from said ISP...

    but with a suspicious attachment or a spurious "click here if you don't want to receive such notices anymore".

    I shudder to think how many people will fall for those evil tricks.
  • by Smallpond ( 221300 ) on Tuesday June 22, 2004 @02:20PM (#9497531) Homepage Journal
    SPF should be checking envelope MAIL FROM, not From: header. If your bank is forging the envelope, then you should block them, since their software is borken.
  • by jkabbe ( 631234 ) on Tuesday June 22, 2004 @02:20PM (#9497532)
    One major reason that spammers are using zombies is that ISPs cracked down on spammers and closed a lot of open relays. Are you suggesting these weren't good ideas? Just because a spammer may find another way to spam doesn't mean we shouldn't shut down the known methods of spamming if we know how.
  • by surreal-maitland ( 711954 ) on Tuesday June 22, 2004 @02:20PM (#9497533) Journal
    just like we should not publish our source code because then hackers will find exploits, right?
  • by Have Blue ( 616 ) on Tuesday June 22, 2004 @02:21PM (#9497548) Homepage
    Spam does not have to be made impossible to be eliminated; we just have to reduce response rates to the point where it's no longer profitable and wait for professional spammers to die off.
  • by deadmongrel ( 621467 ) <karthik@poobal.net> on Tuesday June 22, 2004 @02:25PM (#9497585) Homepage
    Spammers are like a retrovirus. They will adapt to any system you construct. Creating a list of what every major ISP will do to combat them will only serve to accelerate their evolution and make them more effective spammers.
    Spammers always try to be one step ahead of the game. Just keeping the best practices a *secret* wouldn't help to combat spam. It's the business model that needs to be attacked. Money is made somewhere and that is where we have to attack. Having said that, I think it's important we keep these fighting techniques open. A lot of people would benefit from it. Also, just like security, obscurity would be of no help.
  • by Talking Toaster ( 695539 ) on Tuesday June 22, 2004 @02:26PM (#9497603)
    best practices to help fight spam. The list of ISPs include the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast.

    Something that would really help is for these big companies to protect their own domain names by going after anyone who forges the headers as such. These days if someone isn't already in my whitelist they are probably going to get caught in my spam filters if they use any of these domain names.

    Under most circumstances I think it is a bad thing for a company to throw lawyers at someone until there is nothing left but a smoking hole in the ground, but I think I would make an exception for spammers. These companies not only have the resources to make spamming unprofitable, but they have a valid, and vested interest to do so.
  • Penalties (Score:2, Insightful)

    by Anonymous Coward on Tuesday June 22, 2004 @02:27PM (#9497613)
    If you want to kill spammers, kill their source of income. Fine the hell out of the people advertising through them. Hit where it hurts (the bottom line) and spammers would be out of a job.
  • by pavon ( 30274 ) on Tuesday June 22, 2004 @02:28PM (#9497618)
    Seeing as how these are guides for system administrators, I don't see how your parents need to know any of this. Besides it isn't a knowledge problem that this solves, but a business problem.

    This is a loose agreement by ISPs about what they need to do on their part to confront spam. These things would improve the situation, but ISPs are reluctant to implement them out of fear that the user will become angry with the tightened security problem and go to another ISP. And I am not talking about spammers, I am talking about everyday users who don't like to be told to patch their systems or get off the internet.

    So what these guidelines do is provide a unified front - a lowest common denominator policy that all the ISPs are willing to implement. It will improve the situation somewhat, but will not be too noticeable by the user, and to the extent that it is they can't leave and go somewhere else because all the major ISPs will be doing it.
  • by Anonymous Coward on Tuesday June 22, 2004 @02:43PM (#9497780)

    They will adapt to any system you construct.

    In theory, yes. In practice, given enough time, yes. But it usually takes quite a bit of time and it makes anti-spam filters better. How? Well, generally speaking, spammers have a standard set of tricks that they stick to. When a lot of people stop giving them the ability to use those tricks, they just try harder to find suckers that will.

    For instance, formmail.pl is a traditionally vulnerable spamming hole. When it was fixed (and when NMS became popular), a hell of a lot of spamming opportunities were made unavailable. But spammers still try and find vulnerable versions, as there are always a few lurking out there.

    If we reduce the suckers significantly, spammers not only go to more effort to find them, but the set of suckers they have to operate with are smaller (hence, easier to track down and blacklist).

    When the number of suckers drops below a certain point, it's true that spammers do have to invent new tricks. But that is hard and expensive (at least compared with a spammer's usual workload). It may also be illegal, making it much easier to crack down on spammers. For instance, now that open relays are almost non-existent, spammers have been forced to pay programmers to write viruses/worms/etc for hosts to send through.

  • by MissTuxie ( 722948 ) <laura.prado@gm a i l . com> on Tuesday June 22, 2004 @02:45PM (#9497815) Homepage Journal
    one example of bad spammer behavior I've seen

    Have you ever seen any GOOD spammer behavior?
  • Why don't you get with the rest of the planet and use 587 for client mailers to connect to your server and run authentication??? It's a port that shouldn't be blocked by anybody but a corporate system and if they are blocking it you shouldn't be trying to get around it :)
  • by Tripster ( 23407 ) on Tuesday June 22, 2004 @03:35PM (#9498444) Homepage
    Is it reasonable to expect that your average home user will act as responsibly as a company's system administrator at keeping their systems patched?

    If they keep getting fined and/or booted by ISPs then yes it is reasonable to expect it. After all, our public highways are safer because we expect people to learn to use vehicles and to also properly maintain them mechanically. If you drive around with no brakes and cause an accident you will be held accountable.

    What would you prefer? When you have idiots getting infected by viruses by actually entering a password to the encrypted zip attachment it means said user sorely needs some education about proper usage of the device in front of them. Since all the TV/Radio/Newspaper stories telling these same idiots not to open unannounced attachments don't seem to work then hitting them in the pocket book or removing them from the information highway entirely might be a better education method.

    Really, the users are only stupid if you keep on letting them do the same old things without educating them, for those extra stupid you need more extreme training methods.
  • by Desert Raven ( 52125 ) on Tuesday June 22, 2004 @03:46PM (#9498572)
    You have to presume that it's far more common than anyone would suspect

    Actually, pink contracts aren't even necessary for spammers anymore. With major providers like MCI/UUNet, who will only kick off spammers if they spam from their space, and the wide availability of compromised systems to use as relays, spammers can have completely bulletproof hosting from the largest backbone provider without negotiating special contracts.
  • Re:Whatever... (Score:3, Insightful)

    by firewood ( 41230 ) on Tuesday June 22, 2004 @05:16PM (#9499794)
    SMTP is so entrenched everywhere that writing a new spec is like making a new internet. In theory, it's easy, in reality everybody would bitch that their email doesn't work.

    New net protocols have always displaced old protocols without requiring a new internet. Like Gopher (et al.), SMTP will soon fade away because it already doesn't work. At the current rate-of-increase of spam, allowing current SMTP email onto your network will soon become (if not has become already) the same as paying a gangster to DDoS your network.

  • You are wrong. (Score:3, Insightful)

    by warrax_666 ( 144623 ) on Tuesday June 22, 2004 @07:11PM (#9501012)
    Blocking outbound port 25 has the effect that zombies cannot send mail to SMTP servers listening on port 25. (Incidentally, it also has the effect that completely legitimate and well-behaving mail servers on the network cannot do so either -- unless there is some form of more or less manual unblocking which the customers can apply for/use)
