FTC vs. Open SMTP Relays
HighOrbit writes "Cnet reports on news.com.com that The U.S. Federal Trade Commission, several state Attorneys General, and Australia, Canada and Japan are sending this letter (pdf) to operators of open relay mail servers to educate them on the dangers of open relays and how they help spread spam. Although the letter does not threaten direct law enforcement action, it does let open relayers know that they have been noticed and warned. The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"
Oh hell. (Score:4, Funny)
How am I supposed to find out about herbal viagra, hot co-eds, batteryless flashlights or stainless steel if this succeeds?
I'm going to write my Member of Parliament about this.
Education is the key (Score:5, Insightful)
Re:Education is the key (Score:5, Funny)
Wha? (Score:3, Informative)
Anyway, I'm glad to hear this. In the last 12 months or so, my e-mail has gone from at most 4 or 5 spam messages a day to at least 25 each day, without my changing my online habits (w/ regard to who gets my e-mail address) in any significant way.
I don't think it's a admin problem. (Score:3, Interesting)
Granted this isn't an open relay but if you have a list of everyone at intel (or not just figure out their email addresses via a web sear
Re:I don't think it's a admin problem. (Score:2, Insightful)
It's called SMTP.
The key is... (Score:2)
That said - Spamming people that way takes a lot more effort. The spammer has to open SMTP connections himself to every mail server he wants to spam people on. This takes a lot more resources than putting 1000 addresses on a BCC list and firing the message off to an open relay that does all the hard work.
Re:The key is... (Score:4, Interesting)
I hate to say it, but this isn't nearly as much work as you might think. All it takes is a little special coding and some database maintenance -- something serious spammers would be more than willing to do. By maintaining a table of mail servers for each domain, a program could easily be created that scans through the list of email addresses, selects the correct mail server for its domain and then routes the email directly through that server. The most work would be maintaining the table of mail servers, but they could just target the big ones like Earthlink, AOL, MSN, Yahoo, Hotmail, etc. If this ever happens, you may see a rise in the popularity of Ma & Pa ISPs again.
On a good note, spammers who directly route through the recipient's mail server will be much easier to track down -- unless they break into another computer system to do their dirty work.
Re:The key is... (Score:3, Informative)
All it takes is a little special coding and some database maintenance...
By maintaining a table of mail servers for each domain
There is already such a table. It's called DNS. (example: 'dig @localhost slashdot.org MX' returns: slashdot.org. 86400 IN MX 10 mail.egl.net.)
The procedure that you describe is how a mail server works, other than it gets the server IP via DNS rather than a local DB lookup. There is nothing preventing the spammers from running their own servers rather th
Re:I don't think it's a admin problem. (Score:3, Informative)
Re:I don't think it's a admin problem. (Score:2, Insightful)
Re:I don't think it's a admin problem. (Score:3, Interesting)
What would be the spammers' reaction? Quite easily forge 1000 headers in a single email, using up all resources of your checker and causing a denial of service?
The SPAM phenonanom (sp?) is somewhat of a battle at the edge of crackerdom; it's the "what can I get away with" philosophy.
My users may have very valid emails from servers in the
checking headers (Score:3, Interesting)
Obviously nobody is going to even try, but a Yahoo, AOL, MSN, Earthlink, or Hotmail is going to have hundreds of SMTP machines load balanced off one IP address; set up ten out of a hundred to check headers thoroughly and it'll stop a lot of spam.
I know that you're thinking that this would be like the Dutch boy with his finger in the dike; here's why I think it would be effective
1. a spam campaign that generate a
Re:Let's define an open relay... (Score:2)
This is why spammers use open relays, so they can bounce traffic and use multiple originating IPs, so it's non-trivial to blacklist. If all the spammers did was send mail d
Re:I don't think it's a admin problem. (Score:3, Interesting)
Looks like... (Score:5, Informative)
http://www.securityfocus.com/archive/1/321307/2
Re:Looks like... (Score:2)
Re:Looks like... (Score:3, Funny)
Yeah, all 9 of them
Re:Looks like... (Score:2, Informative)
IBM Unix servers are probably leading the performance race at the moment, although Sun are due to release UltraSPARC IV this year which might see them leapfrog IBM again.
Re:Looks like... (Score:3)
convincing? (Score:5, Insightful)
All this time thinking it's just horrible admins who don't know how to do their job, or are too lazy to do it right
Re:convincing? (Score:3, Informative)
Usually, they don't actually want it, they are just clueless. There's the odd individual [toad.com] who might claim to have justification for operating an open-relay, but in my experience, there is absolutely no reason for it these days
[Disclaimer : I have the highest regard and respect for John Gilmore; I just think he's wrong about this particular issue.]
Re:convincing? (Score:5, Informative)
Re:convincing? (Score:2, Insightful)
Of course, all mail server software should ship/install with open relaying disabled by default. Every MTA I know of has some kind of configuration file or dialog, and the installer/admin should be asked explicitly if s/he wants to let anyone on the Internet send mail to anyone else on the Internet via hir server.
This is a problem with software (from OS's to everything else) - ALL SOFTWARE SHOULD
Re:convincing? (Score:2)
Well, the common excuse is that remote workers (with their own Internet access) need to send mail, and want to just configure their mail client to connect to the company's mail server.
Never mind that this is horribly insecure.
Rather than deal with the crap of helping people set up their e-mail clients, or using authentication, or setting up a VPN, I decided to just set up web mail access instead.
More secure (uses SSL). No client configuration. Since all mail folders are stored on the server, the
Re:convincing? (Score:3, Interesting)
Maybe the documentation for their mail server is only in English and they only know some other language(s) so they can't find out about how to properly use the server. Supposedly this is part of the problem with open relays in Asia.
Re: (Score:2)
Re:Anonymity (Score:5, Insightful)
I prefer to use anonymous mail (hotmail, yahoo, etc
-Ab
Re:Anonymity (Score:2)
Hotmail is not anonymous - originating IP address is carried in the mail headers.
Re:Anonymity (Score:2)
A long time ago, in an internet far, far, away... I recall that somebody had an "anon server" running in Sweden or Finland or someplace like that, back when anonymity was considered unusual on the 'net. They knew your real e-mail, but nobody else did.
The stated policy was that you could have anonymous mail there, but of course they had an abuse policy. Mostly, the abuse policy was against bulk mail but IIRC it was also prohibited to threaten someone with bodily harm.
The idea that you could actually be
Oh joy... (Score:3, Funny)
50% of the people receiving the letter will be the wrong person and not have a clue what it is.
10% will read it and panic, but ultimately it won't get to the sysadmin and nothing will change
20% will have some obscure reasons for using open relays
and 20% of all statistics are made up as they are typed.
Re:Oh joy... (Score:2)
Some simple logic in order? (Score:5, Interesting)
The threat of being blacklisted would make me change my ways, as I have nothing to gain and everything to lose should that happen. I would presume the same is true for most sys admins out there, who run *honest* servers.
Now let's say that the few "Open Relay" servers that are left are threatened, but they don't take action. Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.
I'd imagine the few open relays that are left are supported by spammers in some way, as they are key in spreading spam, and most people don't want spam passing through their systems anyway, so any anti-spam person would probably close their relays as soon as they are first notified.
So to relate this to the article, I'd say that a letter from the FTC that doesn't threaten *legal* action will provide no more incentive to these system administrators to close the relays; thus the letters become little more than a waste of paper...
Just my thoughts on the matter.
Re:Some simple logic in order? (Score:5, Funny)
I agree, it's a terrible waste of paper. I think instead the FTC should send out mass e-mails about this and... uh.... wait a minute...
Re:Some simple logic in order? (Score:5, Insightful)
Re:Some simple logic in order? (Score:5, Interesting)
Interesting thought, but I doubt anybody's going to pay to have an open relay stay open. There's just so many of them out there from which to choose! ;)
I would imagine they all fall into one of the following groups:
Besides, I'd hate to have a business relationship or paper trail with an open relay provider in case it ever becomes possible to sue over an open relay. I'm no lawyer but I'd think you'd be an accessory by paying them to provide a questionable service.
Re:Some simple logic in order? (Score:2)
Egos too big.
This is often the worst one to fix, because they will not believe any independent party telling them that their security is flawed or just crap. Then they will get openly hostile to that party because they are a threat to their "I am Administrator so I am God" persona.
Compared to the correct action of receiving news about your system of saying "Thank You" and if you know how to fix it then they fix it, if you didn't know how to fix it, then you ask for help. These people w
Re:Some simple logic in order? (Score:3, Insightful)
Sometimes, the fact that the gov't says "don't do that" vs Roman Kazan of escape.com (he sux0rs) holds more weight. It's the same respect you show a cop than say, some random stranger. The source of a request always affects how you answer.
Guys, how many time
Re:Some simple logic in order? (Score:3, Interesting)
"Are you ORDERING me to close my relay?"
"No, I am simply making a suggestion that you do so."
"But you are not ordering me to do it, is that correct?"
"That is correct."
"Good day officer, and thank you for your suggestions."
Re:Some simple logic in order? (Score:2)
My question is... how many people are simply ignorant of the nature of an open relay, or don't know they are running one. Personally, I see no reason at all that I would want to have a relay open to spammers who could steal my bandwidth/CPU/etc to send crapma
Re:Some simple logic in order? (Score:3, Insightful)
Hanlon's Razor: "Never attribute to malice that which can be adequately explained by stupidity."
Re:Some simple logic in order? (Score:3, Insightful)
Does anybody outside the US care ? (Score:2)
I think its GREAT (Score:5, Insightful)
Good job (i don't say that too often about my gov...
Re:I think its GREAT (Score:2)
I think many times here on /. we have a double-standard for when things happen to us vs. when it happens to others.
Just my two cents...
Threats or actions? (Score:4, Insightful)
Maybe if the threat hasn't worked then they should actually be blacklisted?
Re:Threats or actions? (Score:2)
Personally, I think the huge quantities of bounced mail, high load, etc. are a much better encouragement to fix the problem than the remote possibility that something would bounce.
Considering lack of spam legislation otherwise (Score:5, Funny)
I know what to do! (Score:2)
Then, we can sell them these great ideas on how to double their manhood, get back a full head of hair, and info on how to fix their credit!
Also refered to as "The flight of the Democrats" (Score:2)
Re:Also refered to as "The flight of the Democrats (Score:2)
Re:Considering lack of spam legislation otherwise (Score:2)
Too little, too late (Score:2, Insightful)
It seems things have degenerated to the point that a more drastic solution will be required (such as the email tax we
Not in the lifetime of TCP/IP (Score:5, Interesting)
Rumor has it that there's a whole bunch of open relays out there which are owned by the spamhausen. (I'd love to see some evidence to the contrary, but that's asking proof of a negative, so I won't hold my breath.) If we accept that rumor as fact for the sake of argument, all the FTC letter is going to do is tell said spamhausen that their crap is getting to the target audiences, and they'll happily redouble their efforts.
It's been said before, but it's worth repeating. The best way to eliminate spam is not to go after the machines (and coincidentally the people in charge of the care and feeding of them). Go after the people and companies hiring the spamhausen...the ones pushing their "herbal Viagara" (sic), pr0n, better mortgage rates, and so forth down the wire and into our overloaded mail accounts. Take away the revenue stream, and all those open relays will go idle until someone puts them to better use (for example, Quake 3 servers).
Just my two cents' worth...save up the change for a root beer or something.
Re:Not in the lifetime of TCP/IP (Score:3, Insightful)
Why keep them open? Why would a spamhouse want to share its resources? I'm sure they just distribute their load so isp's don't complain about bandwidth, switch around often, find spam-friendly isp's, etc..
Re:Not in the lifetime of TCP/IP (Score:2)
Ha ha, it is to laugh. Is there any form of advertising that is illegal? These days, businesses are allowed to do pretty much whatever they want in pursuit of a profit. As long as it's not an outright scam, it's okay. Taking advantage of suckers and advertising to get them is what made America great. P.T. Barnum isn't reviled by history.
Re:Not in the lifetime of TCP/IP (Score:2)
The problem is: the revenue stream isn't going to go away because people do click through on spam and spend money at the advertised site(s). I've had the unfortunate opportunity to have my e-mail address placed in the reply-to line and, I'll te
Southern states taking the lead? (Score:5, Interesting)
You gots ta be kiddin me (Score:5, Insightful)
I seriously doubt it. The one time that I informed a sysadmin that he had an open relay I got back a long e-mail on how "this is the way the internet works", that may have been true in times past but it certainly was no longer true in 1996, and it even seemed a bit snotty.
Now these guys are going to get a letter from the 'lowly' government? LOL, unless it comes from Bill Gates, in most cases, or Linus in others, they will blow it off or try to have a stupid flamewar.
Re:You gots ta be kiddin me (Score:3, Insightful)
Works better than pretty much every other method I've tried.
Most Open Relays are Overseas (Score:2, Informative)
What's the FTC going to do to them, lock them up in Guantanamo Bay??
Could it? Would it? (Score:4, Interesting)
Imagine my utter surprise when I returned from running to the PO and Baja Fresh, during lunch, hit [Get Msgs] and Nothing was there to download!!!
I've been getting from 120-180 Ralsky-grams a day and nothing in the space of 45 minutes is downright unbelievable. I zipped over to the news to see if his house had been raided or he'd been killed by an irate sysadmin. Nothing on the news about it, maybe something is happening? If so, he and his animal food trough wiper friends will probably take a little while to shift over to some other sites and get caught up.
I'd be fired (Score:5, Insightful)
Right now, 70% of all the mail that arrives at our domains is spam. Perhaps half of that gets filtered, but that still leaves an uncomfortably large amount.
RedHat did a good thing by disabling sendmail receive/sending on default installs of 8.0 and forward. Now if they would only turn off portmapper and a few other things...
Government is here to help you? (Score:2, Insightful)
I support the intent of this letter, but do we really want the government to start going after third party mail server operators? It seems like a real slippery slope of government regulation and intervention. Better get that sendmail.cf file perfect the first time or Big Brother will come knocking to straighten you out!
I would prefer if the FTC spent their time going after the spammers, which are the real problem.
Why Warn? (Score:3, Insightful)
Not me. Close 'em down. Period. Now.
--Richard
We did this (Score:5, Interesting)
The real problem? Wierd foreign programmers who don't understand How Things Work and moreover don't care, and executives that just want a working system and to hell with being a good netizen.
Re:We did this (Score:3, Insightful)
You do realize that in the large perspective - in which the Internet should be seen - it is you that are foreign, don't you?
If you are so clever and understand How Things Work, why didn't you just shut the relays down and implement a solution that worked?
Re:We did this (Score:2, Insightful)
The real problem? Wierd foreign programmers who don't understand How Things Work
Yeah, sum of them ferners donnt evn now ho to spell "weird."
It's not where they're from, it's how (poorly) they're trained. And take my word for it, there are good flag-waving 'Merikuns who are just as poorly trained.
Re:We did this (Score:2)
Even better, try smtp-auth. There is ZERO reason to run an open relay. People doing so should be shot, blacklisted, and rooted.
Re:We did this (Score:2)
It'll be hard for anyone to argue for continuing to keep the relays open if it means they can't have an internet connection at all.
Re:We did this (Score:3, Insightful)
I work from home and use my corporate SMTP server all the time, without them needing to run it as an open relay. Even my ISP (the cable company) has enabled SMTP Auth.
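The distinction drawn in this subthread, between an open relay and a server that relays only for authenticated users such as the remote worker above, comes down to one decision per RCPT TO. The following is an added example, not code from any commenter or from a real MTA; the hosted domains, trusted network and sample attempts are constructed. It goes slightly beyond the thread by also refusing legacy source-routed recipients, which a relay check has to handle.

```python
"""Relay policy: should the MTA accept this RCPT TO?

Added illustration. LOCAL_DOMAINS, TRUSTED_NETS and SAMPLE are
constructed values, not taken from any real server.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}                        # domains this server hosts (assumed)
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # office LAN (assumed)


@dataclass(frozen=True)
class Attempt:
    client_ip: str       # connecting host
    authenticated: bool  # SMTP AUTH succeeded on this session
    rcpt: str            # address given in RCPT TO


def split_rcpt(address: str) -> tuple[str, str]:
    """Return (local part, lower-cased domain); ('', '') if malformed."""
    local, sep, domain = address.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return "", ""
    return local, domain.rstrip(".").lower()


def decide(a: Attempt, open_relay: bool = False) -> tuple[int, str]:
    """Return (SMTP reply code, reason) for one RCPT TO.

    open_relay=True models the misconfiguration: any syntactically
    valid recipient is accepted from any client.
    """
    local, domain = split_rcpt(a.rcpt)
    if not domain:
        return 501, "malformed recipient"
    if open_relay:
        return 250, "accepted: relaying for anyone"
    if domain in LOCAL_DOMAINS:
        # Legacy source routes hide a second destination in the local part.
        if any(c in local for c in "%!@"):
            return 550, "source-routed recipient refused"
        return 250, "accepted: local delivery"
    if a.authenticated:
        return 250, "accepted: relay for authenticated user"
    ip = ipaddress.ip_address(a.client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return 250, "accepted: relay for trusted network"
    return 550, "relaying denied"


def third_party_relays(attempts: list[Attempt]) -> list[Attempt]:
    """Attempts an open relay would forward but the hardened policy refuses."""
    return [a for a in attempts
            if decide(a, open_relay=True)[0] == 250 and decide(a)[0] != 250]


# Constructed sample attempts.
SAMPLE = [
    Attempt("192.0.2.10", False, "bob@example.net"),       # office LAN, outbound
    Attempt("203.0.113.7", True, "bob@example.net"),       # remote worker with AUTH
    Attempt("198.51.100.23", False, "alice@example.com"),  # ordinary inbound mail
    Attempt("198.51.100.23", False, "victim@example.org"), # stranger to stranger
    Attempt("198.51.100.23", False, "victim%example.org@example.com"),
    Attempt("198.51.100.23", False, "not-an-address"),
]

if __name__ == "__main__":
    for attempt in SAMPLE:
        code, reason = decide(attempt)
        print(f"{attempt.client_ip:15} auth={attempt.authenticated!s:5} "
              f"{attempt.rcpt:32} -> {code} {reason}")
    print("exposed if left open:", [a.rcpt for a in third_party_relays(SAMPLE)])
```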
sendmail (Score:4, Funny)
I've been convinced for a while... I just haven't figured out the sendmail config syntax yet
R$* . $| $* $: $1 $| $2
R$*.dialup.$* $| DIALUP $@ DIALUP
Rdialup.$* $| DIALUP $@ DIALUP
R$* $| $* $: $(Spam $1 $:NOMATCH $| $1 $) $| $2
RNOMATCH $| $+ . $* $| $* $: $>lookat_domain $2 $| $3
R$* $| $* $@ $>comp_value $1 $| $2
"R$". What The ????
Re:sendmail (Score:5, Informative)
Geez, Sparky, lay off the sendmail.cf - that's for masochists. Everyone else uses m4. 6 lines of simple macros with human-readable names is easier to maintain, too.
Where have you been spammed from? (Score:2)
Almost there (Score:2)
Spammers (humans) themselves need to be stopped. (Score:4, Informative)
Also, there may be legitimate reasons to have OpenRelays. Much like there are legitimate reasons to have DVD copying software. Maybe only a few good reasons, but enough that they should not be banned outright.
The only legal action that these legal folks should be taking is against those spammers using deceptive practices, which is about all of them these days. For instance the false sender information and the inability to be removed from the list. Life was okay when you could get removed from a mailing list and you really wouldn't get any more spam from them, but now they just use it as a confirmation that the email is active and to send more email.
Open SMTP relays are not the problem any more than Open Routers are. Find the individuals that are sending these things and you will stop the problem.
Re:Spammers (humans) themselves need to be stopped (Score:2)
Right. Every little bit counts. Take a look at your mail server logs sometime, there ARE relay raping bots out there, and they DO find open relays, and they DO find spam.
Closing the open relays will help some. RBL the ones that do not get closed, that will help some too. Go after the guys paying the spammers, that will help some. Track down, arrest, and jail guys that release SMT
some perspective (Score:2)
anti-spam server (Score:2, Informative)
honeymail [intercosmos.net]
Which is an anti-spam opensource forked SMTP server.
self-healing open relays (Score:2, Funny)
The FTC should send their PDF letter to postmaster@<open-relay-host>. However, it may get lost with all the spam flowing through there, so the FTC should send many copies over and over and over and over again to that host. Now
Thanks guys! (Score:4, Funny)
Watch, for their next letter, they're going to warn about the dangers of using Microsoft products!
Thinking globally? (Score:2)
I guess that every 91,050 [telecomcorridor.com] helps!
I wonder if Richardson has a "Minister of Spam"?
Funny Signatures (Score:2)
Yeeeaaahhh, riiiight.... (Score:3, Insightful)
Well for Fred's sake, if the threat of being blacklisted hasn't worked, then how the hell "attempting to educate them" will?
If it only cuts the open relays in half... (Score:2, Insightful)
Too little, too late (Score:5, Informative)
Here are some articles covering proxy abuse [lurhq.com] and the Sobig virus/Spam connection [lurhq.com] which detail some of the current techniques of spammers and how to fight them.
A multi-faceted approach is needed (Score:3, Informative)
1. Legitimate mail servers that are open because of old software installs that haven't been updated, perhaps because that's a low priority. Here, education is a good first step, but threatening to blacklist them and actually following through if necessary will do the trick.
2. Legitimate mail servers that are open because they're running very old software that's difficult to patch because of its age. Here, the admin may know that there's a problem, but he or she doesn't have the time to dig around for hard-to-find fixes, and retiring the old machine might not be an immediate option. MAPS has a good idea with its list of patches for various MTAs. I tended to get more successful communications with admins when I told them that MAPS had these resources for them to use. FYI, here's the link.
http://www.mail-abuse.org/tsi/ar-fix.html
3. Machines that are running MTAs but aren't an organization's real mail servers. These would be around because someone did an OS install that didn't really need a mail server, but they put it in anyway, then promptly forgot about it. They may not even know what they did. In this case, blacklisting that server doesn't mean much. Whoever administers the official mail servers could care less because that isn't a machine that is their official server, so why should they care? This could be a problem in a large organization, where you may have a bunch of uninformed bozos setting these things up faster than you can blacklist them. In this case, the only way to get results is to just blacklist the organization's entire IP space. Yes, I know that this would impact the real mail servers, which may be secure, but it'd also get the admins to take note and apply a clue-stick to the ones throwing insecure machines onto the network.
4. Servers with admins who don't speak English. Having informative material available in different languages would be a good thing. The Chinese admin you e-mail might actually care about the problem if he could understand the issue a little better. If nothing else, having the info in various languages negates the argument that these admins don't have resources to fall back on.
5. Servers on networks where the admins just don't give a damn. We've discussed this on Slashdot before, especially regarding Korean and Chinese networks that are getting blanket-blacklisted. I hate to see significant chunks of the Internet being walled off, but if that's what it takes, then so be it. These brain-dead admins will either have to eventually clean up their networks or have no one else who'll receive their mail. In either case, the problem will take care of itself.
Re:Much better idea: (Score:2, Insightful)
Sue the US government for having open borders that allowed terrorists to enter my country and commit their atrocities.
Sue the maintainers of BUGTRAQ and similar resources for breaking the security-by-obscurity that was working so well for so long for all of us.
Sue slashdot for maintaining an open forum for anyone with enough electricity dancing through their nervous system to cause them to bash the keyboard in mute
Re:Much better idea: (Score:2)
This whole email spam crap is based on assumptions that people will "do the right thing" and we all know there's a subset of people that will take advantage of this. Long story short, we need a backwards compatible SMTP protocol based on private keys. No private key
err yes that is true (Score:5, Interesting)
Here in Calif. unless you lock it up, with an approved security device or trigger guard YES you are and can be held responsible for gross negligence and possible homicide...no one has taken the homicide charge yet but there have been cases of negligence enforced I believe...
I agree with you on the Key issue regarding email though...
Re:Much better idea: (Score:2)
Your argument is much like saying that if you leave a window down and someone steals your car and runs over a kid, that you should go to jail. Let's make the people responsible (spammers and car thieves) responsible for their actions, not the relatively innocent middleman. Having an open relay
Thanks (Score:2)
simon
Re:Make up your minds Slashdotters (Score:2)
I would challenge you, FreeLinux to come up with specific examples of where the same person has said that 1) the government is excessively involved in everything and 2) is subsequently upset to be spammed.
The point is - slashdot is read by many people - and there will always be a range of opinions.
Believe it or not, most people consider this to be a GOOD thing.
Re:Make up your minds Slashdotters (Score:2)
Heh. Clever.
What's really going on (Score:5, Insightful)
You're taking a very simplistic view of the world. (Score:5, Insightful)
The government is not a single, unified entity with thousands of members acting towards the same goals. It is a collection of institutions each with their own goals and agendas, often operating at cross purposes.
To move beyond the point above, the FTC is as splintered as the rest of the government. It's starting to use the existing laws to go after SPAM, which is good. However, the portions of the FTC responsible for the whole High Definition Television mess are doing a less than spectacular job. The odds are good that the people involved in one project are not the same people involved with the other. Hell, each "Project" as I described above most likely consists of dozens of smaller units, no doubt mired in the same political issues as the organization as a whole.
Some people in the government are doing good things, others are doing bad things, most are just doing their functionary but morally neutral jobs.
The US Government is not "Evil" or "Good," and trying to paint it as one or the other is short sighted, childish and smacks of blind zealotry.
Please stop trying to see the world as black and white / good and evil. The real world is far more complex than that, as are the institutions that function within it.
One last example: Sony. Go through the Slashdot archives, and you'll find stories where they're the hero, and stories where they're the villain. This is a reflection on the way actions of specific groups within the company were perceived, not on the "Evil" or "Good" nature of the company as a whole. Slashdot is not failing to "Make up its mind" but is reflecting the fact that sometimes a company does good things, and sometimes it does bad things.
And by the way, contrary to popular belief, Slashdot does not have one "Mind" to make up on any issue. It too, is a collection of individuals with their own agendas, views and opinions. If you are expecting any kind of unity of Slashdot users on any one topic, then you are insulting the intelligence of said users. We are individuals. This site has readers who love the Government and never question its actions, and people who hate it with every fiber of their being. The site also has people at every level between the extremes.
"Love your country unconditionally. Love your government only when it deserves it." -- Mark Twain
Re:You're taking a very simplistic view of the wor (Score:2)
I beg your pardon! Over the last year it's been consistently explained to us by our leaders that the world consists of good people (us) and evil people (them). These evil-doers who hate freedom (actual quote, no less) and those who harbour them must be destroyed, because they are evil (presumably, once that happens, everything will be good), and we are good.
I don't know where you get your information from, but that is the official sta
Re:Make up your minds Slashdotters (Score:2, Interesting)
Re:Make up your minds Slashdotters (Score:5, Insightful)
Who is this collective "you" that you're talking about? Do you realize that you're in a big room, eavesdropping on a thousand conversations, and you really don't know exactly who is expressing each individual opinion that you hear?
If I say that I like to eat a good steak, and someone else says that "meat is murder", neither of us is guilty of hypocrisy just because we were both in the same room when we uttered our opinions.
That's the way it works in the real world, and it's the way it works in "virtual rooms" like slashdot. I'm sorry, but you are going to have to stop thinking of online forums as one large group of clones with identical programming.
Unless you can specifically find a fixed individual who has uttered incongruous statements, you have no grounds for your complaint. And even when you do, your complaint is only valid with respect to that individual...not everybody else who happens to be there at the time.
Re:relay (Score:2, Interesting)