Spam Control Considered Harmful

Cal Thixton - President - ThoughtPort Authority of Chicago cthixton at thoughtport.net
Wed Oct 29 18:56:16 UTC 1997



Phil,
	The problem with the 'Caller-ID' idea is verifying that an email address is 'valid' (assuming you have a reasonable definition for 'valid').  About the only thing that sendmail can do is verify that a reverse lookup is equal to its forward lookup.  We do this and it helps because we can then block sites from MX'ing through us based on a ruleset (e.g. customer list).
	In an effort to research where we get spammed from, we get a daily report (see below) of the sites that spammed us, who they were trying to spam and where they came from.  The most frequent pattern we are seeing is spam from simple dialup PPP accounts purchased all across the country: AT&T, UUNET, SWBell, BellSouth, etc... I know where they came from and yet knowing that does not help.  We cannot block all of UUNET just because some PPP customer used our servers to spam.


	cal


		"I live in a house of brick instead of a tent of canvas because I have little faith in my fellow man (and mother nature) being 100% perfect 100% of the time; they are only 99% perfect 99% of the time.  The remaining 1%'s are a real pain.  So, I tuckpoint my mortar, own a dog and watch my things.  This keeps me busy and gives me purpose."
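The forward-equals-reverse lookup described above, used as a relay gate against a customer list, as an added example that is not part of the original message. The lookup tables, hostnames, addresses and customer domain are constructed assumptions, and fcrdns and relay_decision are names chosen here; the system_* functions use the real resolver, the sample_* ones let it run offline.

```python
import socket

# Constructed tables standing in for DNS so the example runs offline (assumed data).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example-customer.net",  # PTR and A record agree
    "192.0.2.20": "host20.example-dialup.net",  # PTR exists, A record disagrees
    "192.0.2.30": None,                         # no PTR at all
}
SAMPLE_A = {
    "mail.example-customer.net": ["192.0.2.10"],
    "host20.example-dialup.net": ["198.51.100.7"],
}

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

def sample_forward(name):
    return SAMPLE_A.get(name, [])

def system_reverse(ip):
    """PTR lookup through the resolver; None when the address has no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A lookup through the resolver; empty list when the name does not resolve."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]
    except OSError:
        return []

def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: ('ok', name), ('no-ptr', None) or ('mismatch', name)."""
    name = reverse(ip)
    if not name:
        return ("no-ptr", None)
    name = name.rstrip(".").lower()
    return ("ok", name) if ip in forward(name) else ("mismatch", name)

def relay_decision(ip, customer_domains, reverse=system_reverse, forward=system_forward):
    """'relay' for confirmed names under a customer domain, 'local' (accept mail for
    our own users, no relaying) for other confirmed names, 'reject' otherwise."""
    status, name = fcrdns(ip, reverse, forward)
    if status != "ok":
        return ("reject", status)
    if any(name == d or name.endswith("." + d) for d in customer_domains):
        return ("relay", name)
    return ("local", name)
```

A host whose PTR does not forward-confirm is treated the same as one with no PTR: it can still be logged in the daily report, but it never gets to relay.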




Begin forwarded message:

Date: Tue, 28 Oct 1997 14:05:36 -0500
To: Scott Hazen Mueller <zorch at orbit.hooked.net>, nanog at merit.edu
From: Phil Lawlor <phil at agis.net>
Subject: Re: Spam Control Considered Harmful

At 10:14 AM 10/28/97 -0800, Scott Hazen Mueller wrote:
>That said, I feel that the only technological solution to the spam problem is
>a large-scale re-structuring of Internet mail to provide for secure
>authentication and cost sharing for received e-mail.  The scale and cost of
>such a deployment makes something like that a political and social problem,
>however.

What if the equivalent of "caller ID" was built into sendmail?  Making sure
that the sender is a valid email address.

AGIS is looking for viable solutions to the overall problem.  We have moved
any customers about whom we receive UBE complaints into AS 3830 (which is
getting emptier), making them even more visible.  This assists in blocking
SPAM domains at the router level.  For those using the Vixie-like
approaches, this works.  Notwithstanding, this thread focuses on the threat
of such efforts.


Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax   - 313-563-6119


X-Sender: phil at agis.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 28 Oct 1997 15:41:25 -0500
To: nanog at merit.edu
From: Phil Lawlor <phil at agis.net>
Subject: Re: Spam Control Considered Harmful
In-Reply-To: <19971028143402.15058 at scfn.thpl.lib.fl.us>
Sender: owner-nanog at merit.edu

At 02:34 PM 10/28/97 -0500, Jay R. Ashworth wrote:
>Properly configured sendmail's do this, mostly.
						^^^^^^

I am not a sendmail expert, but I am told that it is in the forgery area
that it could be improved.  Forgery and relay hijacking seem to be the
largest areas of abuse.  If these areas could be improved, it could go a
long way to solving the problem.


Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax   - 313-563-6119


X-Sender: phil at agis.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 28 Oct 1997 19:27:49 -0500
To: nanog at merit.edu
From: Phil Lawlor <phil at agis.net>
Subject: Re: Spam Control Considered Harmful
In-Reply-To: <19971028183254.40102 at scfn.thpl.lib.fl.us>
Sender: owner-nanog at merit.edu

At 06:32 PM 10/28/97 -0500, Jay R. Ashworth wrote:
>Indeed.  As we noted last month on the topic of ingress filtering, you
>have to catch this stuff on the _intake_ side, to have any real hope of
>spotting the offenders.

Back to sender verification (equivalent of caller ID).

This would allow better reporting of AUP violations to the sending domain
from the receiving domain.  Logs could be used to document the violation. 

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax   - 313-563-6119



Date: Wed, 29 Oct 1997 02:15:52 -0600 (CST)
From: Operator <root at thoughtport.net>
To: security at thoughtport.net
Subject: Relay Block SPAM: thoughtport

Who they are to:


Domains they are to:


Sites they are from:
   45 abs.netsgo.com
   18 d00408.msy.bellsouth.net
   14 d00168.msy.bellsouth.net
   12 d00134.msy.bellsouth.net
   12 d00107.msy.bellsouth.net
   12 d00102.msy.bellsouth.net
    8 ColumbiaMO-28.usi.com
    7 1Cust114.tnt1.bloomington.il.da.uu.net
    5 day-fl2-58.ix.netcom.com
    4 1Cust3.tnt1.bloomington.il.da.uu.net
    4 0.124.30.0
    3 greatideas-38.starnetinc.com
    2 transera.com
    2 sdn-ts-011coauroP10.dialsprint.net
    2 day-fl2-02.ix.netcom.com
    2 1Cust239.tnt14.dfw5.da.uu.net
    2 0.208.223.0
    1 bastion.mecklermedia.com


Traces to sites that have no name
trace these:
	0.124.30.0
	0.208.223.0


Looking Up 0.124.30.0
route:       0.0.0.0/1
descr:       HALF-DEFAULT-ZERO
descr:       The Reasonable Default Network Project
descr:       This prefix is one of three which is designed
descr:       to accomplish several things.   Firstly, ICM
descr:       will be offering a set of robust and hardened
descr:       default-oriented prefixes which will be made
descr:       reliably available to some of AS1800's peers and
descr:       things downstream from them.  The routing announcements
descr:       will be supplemented with a box that sends back
descr:       appropriate ICMP messages; at some point we will
descr:       also make a view of the default-announcing box's
descr:       knowledge of global routing available to folks
descr:       who wish to accept the default announcement.
descr:       Secondly, this announcement is designed to assist
descr:       ANS in the transition away from advisories.  We expect
descr:       that this will allow people to send in far fewer
descr:       advisory updates than is done currently, without
descr:       breaking reachability between ANS's customers and
descr:       the rest of the world.   This is good for both ANS
descr:       and everyone else.
descr:       Thirdly, ICM will be running some experiements on
descr:       sheer amount of traffic that follows an ultimate
descr:       default, although this must be done without
descr:       examining that traffic for content without explicit
descr:       permission from the originator.   We expect that this
descr:       will help identify and fix problems in the global
descr:       routing system.
descr:       questions, comments and flames to: smd at sprint.net, roll at stupi.se
origin:      AS1800
advisory:    AS690 1:1800 2:1239
mnt-by:      MAINT-AS1800
changed:     selina at ans.net 951011
source:      RADB


Tracing to: 0.124.30.0
traceroute to 0.124.30.0 (0.124.30.0), 30 hops max, 40 byte packets

Looking Up 0.208.223.0


Tracing to: 0.208.223.0
traceroute to 0.208.223.0 (0.208.223.0), 30 hops max, 40 byte packets

