how to _really_ stop spam
barb at netrack.net
Sat Sep 6 22:30:29 UTC 1997
How many of you ISPs are sick of dealing with spam
after the fact?? You get complaints from the world
after spam from one of your customer's is sent out -
via whatever clever way they have to beat the latest
incoming spam filters. Your customer doesn't care.
It's called spam & run. Disable their account and
they spam & run elsewhere. This does nothing to
stop spam - only wastes your time.
Measures like the BGP filtering and incoming sendmail
hacks are hip. But they do not stop spam.
The BGP blackholes all IP traffic, not just mail.
Disabling mail relay is indeed hard - especially for
ISPs where your business _is_ relaying mail. Legal
action is worthless - spammers just move or relay
off-shore or otherwise out of whatever jurisdiction
we want to impose.
It's like trying to fight a fire pointing your
extinguisher at the dancing flame-tips. Go for
the base! The analogy I like best is the "Whack-a-Mole"
game at the arcade. You're reflexes aren't fast
enough to deal with the spammers. We need the heavy
artillery and we need to go for the throat. Whacking
even most of the moles doesn't fix your yard. Blocking
incoming spam doesn't keep the bandwidth from being
I have two preventative tactics I'd like to see
pursued. Given infinite hours in the day, I'd do
them myself. The ONLY way to deal with spam once and for
all is for responsible ISPs to proactively enforce
anti-spam policies. Then we can have whitelists
instead of blacklists.
1) filter outgoing mail
2) validate new users through a "spam" bureau
Impossible you say?
No, impossible is fighting spam from the WRONG side.
-Filtering outgoing mail
Responsible retail ISPs should deny any and all OUTGOING
smtp connections through border routers from hosts that are
not validated as spam free. Wholesale ISPs should require
their retail ISP customers take these spam free measuers.
1) First make your own outgoing mail relays spam free:
o limit number of recipients to something reasonable (<10)
o validate all headers (no forgery, valid return addrs)
o relay only for your hosts and customer hosts (by ip, not domain)
o throttle connections from any one internal ip (eg. <2/minute)
o allow only simple DNS based addresses (no %!:)
Most of this can be done in sendmail compat(). A specialized
tool that fits in like smap would be great for this.
2) Have a different mailing list host - lock it down tightly
and make sure that all lists only allow postings from list
members and no one message can be sent to multiple lists.
3) Allow outgoing smtp connections from your mail relay(s)
through your border routers.
4) Make all your end-user customers relay through your now
spam-free outgoing mail relay.
5) Any non-end-user customer that wants to make direct smtp
connections out needs to make their relay spam-free as above.
Otherwise they have to go through your relay. Have a
separate legal contract/AUP to enable direct smtp. Charge
more money for this service if you want - it will cost you
more in the long run in hassle for these customers.
6) Lock everyone else out - deny outgoing smtp.
The main thing that happens by doing this is you are preventing
any of your customer from using a third-party relay!! Imagine
that. Even if your outgoing mail relay doesn't do any validation or
throttling, you are still preventing external third-party
relaying AT THE SOURCE. The hardest part of fighting spam from the
receiving end is the presumed-innocent-third-party relaying. Requiring
end user hosts to relay through a local outgoing mailer is much
easier than disabling relaying on every potential third-party
host on the network.
Sure this is expensive in terms of the outgoing mail relay
server(s). But I'll put money down that you are already spending
much more in dealing with spam complaints after the fact.
This is NOT censorship. This is responsible mail delivery.
The message origin is the ONLY place you can do some of this
If enough ISPs do this, then we can maintain a proactive list
of spam-free ISPs. Forget the blacklists. They'll only get
you sued. We need whitelists - ISPs from whom we trust mail
is spam-free. All other mail should be stamped as suspect
and dealt with on the receiving end accordingly.
I challenge UUNET, PSI, and Earthlink to be the first to adopt
this method and/or fund the development of outgoing ISP mail
This doesn't fix the entire problem. Nothing will. But
until origins are willing to proactivley enforce their
policies, we're just reacting to an ever changing spam
profile and we'll never react quite fast or effectively
enough. I'll bet the handful of companies who have made
public apologies lately wished they had been proactively
filtering outgoing mail.
-Validate new users through an anti-spam bureau
Most spam comes from independent individuals contracted to
do marketing. Either that or they've been scammed into some
Internet get rich quick scheme. Those people sign up for a new
account with an ISP, promise to pay $X/mo, spam, get cut off,
and move to another ISP. Most ISPs require no
identification whatsoever to sign up a new user. It's
no wonder that prosecuting spammers is close to impossible
because the ISPs don't even have customers' legal name or
a valid phone number or mailing address.
I submit that any responsible ISP should not accept any
new user account application without:
1) some form of identification to validate name
2) valid phone number (you call it and get that person)
3) valid mailing address (usps.gov is wonderful)
For a business customers, contact the secy of state to
validate the company exists and get the names of corporate
officers. Check their DnB listing.
Now what if you also checked the new user's ISP usage
history in a central database - just like a bank checks
TRW for your credit history? Are you going to accept
a new user that was kicked off of 5 of the last 6 ISPs
for violation of AUP? I hope not. But until that
database exists, you are taking a chance that each new
user is a potential spammer. These users are costing
you real money. Just like a bad credit risk, an ISP
has a right and a responsibility to check a new user's
The only problem with this approach is how to unambiguously
track such information in the database. Being an advocate
of privacy, I'm vehemently against using the SSN for such
a purpose. Same with driver's license number. Credit card
number can change too often. As with databases like TRW, full
name (as appears on a driver's license or other form of
bonefide identification and should be validated) plus birth
day should be sufficient.
Aside from these wish list items, the _best_ way to fight
incoming spam is a combination of incoming blocking (my
personal blacklist is pretty long including all AGIS nets)
and accepting only incoming mail (user agent filters) that
explicitly lists a recipient in the header that you accept as
being you. The more lists and aliases you are on (webmaster,
hostmaster, postmaster, ad infinitum) the harder this gets. For
most end-users, this is 100% effective. I've done it for me and it
effectively blocked _all_ my incoming spam except those which
are personalized and have my actual email address (or a
valid alias). These folks you add to your sendmail spammer
blocking database. The only drawback with this method is
that you no longer get bcc mail. I put all my spam mail
aside and peruse it once a week to look for real mail that
might be a bcc, a low-vol list I forgot I was on, or otherwise
was misfiled as spam.
Barb Dijker, Manager
P O BOX 17565, BOULDER CO 80308-0565 USA
+1.303.938.0188, fax +1.303.938.0177
More information about the NANOG