Internet Vigilante Justice, SPAM, and Copyrights 316
pdw writes "An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."
I wish I was a "vigilante" (Score:2)
You're no fun. (Score:3, Funny)
His relay is open (Score:5, Insightful)
His mail server is an open relay, and he still doesn't realize it. Worse, he's a lawyer. These are the people that will be setting policy.
I wonder if it is even worth e-mailing to explain the situation to him.
Re:His relay is open (Score:3, Informative)
All ISP's need to scan customers for annoying vulnerabilities. It is not a violation of privacy, it helps everyone. Especially if we want to eliminate sources of spam.
Re:His relay is open (Score:5, Informative)
His mail problem is that he doesn't understand what an open relay really is.
He says "I block SOME relayed mail, so therefore my relay isn't completely open, so therefore it's not an open relay."
Well, if a door is ajar, are you going to argue that it's not open? If it's not closed, it's open.
How? (Score:2)
Re:How? (Score:3, Insightful)
A good 10-20% of all the spam I get has headers forged to look like it came from me or from mailer-daemon on my site. Allowing mail to go through based on where it claims to be coming from, rather than where it actually is coming from, is just plain stupid. Spammers lie. Their entire business model is based on a lie, so why would you assume that they'd never lie about being from your domain?
Re:How? (Score:4, Interesting)
However, the reason to not do this is that it's insecure. A large percentage of the spam I receive claims to be from the domain that it's being sent to, so his system would happily relay it.
The second reason should trump the first reason, but obviously if you're a clue resistant lawyer with a chip on your shoulder, it doesn't.
For those who appreciate irony, consider this --
He's basically written this big diatribe, which to spammers says `hey! you can relay through my mail server!' ... so a spammer finds it, and forges their spam to allow it to go through it, and uses it to spam the world. Then somebody gets flooded with these spams, and sues our friend Bret. They can even use his article as evidence that his mail server was open and he knew it, but that he refuses to secure it.
Re:How? (Score:3, Insightful)
The flip-side of this liberty is that I have the full right to accept or deny any email I want and I have chosen to block email from open relays, so if Mom & Pop want to mail me, they'll have to make their server secure enough to meet my standards.
Btw, I'm using DSBL [dsbl.org] for my open relay and open proxy blocking...
Re:How? (Score:3, Insightful)
Most Mom & Pop's don't run thier own mail servers. If you don't have the knowledge to secure your mail server then you shouldn't be running one. You should use your ISP's. If you don't know how to drive a car, you probably shouldn't drive until you get some education. Take a cab or bus instead. It's the same thing.
Lawyers, Hipocrasy, idiocy (Re:His relay is open) (Score:2, Interesting)
He claims they caused damage, but all they did was fulfill HIS request to double-check his server, and didn't in any way disrupt any functionality of his server, other than using an existing hole
Another spam-pigeon who thinks his right be leave his ass flapping in the wind overrules the rights of others who don't wish to get a gazillion messages bounced off his insecure server.
A few quotes to laugh at:
I asked the blackhole list service if it would kindly re-scan my mail server and make another determination as to whether it was an open relay
For one, the Danish antispam organization falsified an email header to gain access to my mail server
At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.
Debating on anonymously spamming this guy with a few, 'got spam? you're a moron' messages from his owner server... - phorm
Ad Hominem (Score:2)
Re:Ad Hominem (Score:2)
Re:Ad Hominem (Score:2)
Re:Ad Hominem (Score:2)
Re:Ad Hominem (Score:2)
So while your statement is true that the blacklist operators wield much (maybe too much) power, they have that power because their system at least works. And one reason why there's no better way to deal with spammers is that there's no legislation in place so one could sue spammers and ruin their business.
Re:His relay is open (Score:2)
In other words, he wants to solve his security problem via legislation rather than the appropriate technical fix. He's upset because someone "lied about their identify" (gasp! on the internet? I hope he doesn't go into many chat rooms) and was thus able to send mail.
This guy is an idiot. He has an open relay. He should be hit on the head with a lead pipe (in the conservatory?) for his idiocy, and his machine flooded out of existence for his open relay. Now THAT is vigilanteism.
Re:His relay is open (Score:4, Informative)
Anyway, ASIP only allows you to selectively allow relaying based on domain name, just like this guy is doing. It, of course, doesn't explain this as the documentation is truly useless. Also, it doesn't allow you to do IP-based selective relaying, which is what people actually need.
This is a completely useless feature. You can simply do "MAIL FROM: somelocaluser@yourdomain.com" and it allows mail through. Then, in the actual mail message, you add a header "From: spammer@otherdomain.com", and the second thing is what most users (who don't read relay headers) will see.
Someone else figured this out, and on a Friday evening, our server started spewing out LOTS of spam.
Now, I couldn't simply put up another mail server, as ASIP keeps all of its mail in one large, monolithic file, so I couldn't, for instance, export the mail to a qmail machine. Instead, I put the ASIP box behind a firewall so that NOBODY could connect to it. Then, I set up a secondary MX record for the box pointing to a Linux machine running qmail. Then, I poked a hole in the firewall to allow mail to the ASIP box ONLY from the Linux box (and from a couple other IPs for which it actually needed to do the relaying in the first place). Yes, this is quite a hackish solution, but Apple's software was extremely defficient and I was sick of working with it.
The point? This is an open relay, and it will be abused once some spammer runs out of open relays that don't even do "MAIL FROM:" checking. Whether or not this guy is an idiot, I don't know, but what I do know is that this guy needs a real admin.
Re:His relay is open (Score:2)
If an email server is open to spammers who choose to be dishonest about who they are (i.e. all of them) then it is open. No point trying to argue that it is closed. If these people had any honesty would they be trying to sell the questionable products and services they do? To the people sending spam it doesn't get much more open.
What you've missed is that you're having trouble sending email because a very great number of people want you to have trouble until you close your relays in a certain way. A little group in Denmark has no power at all unless what they say is reasonable and accepted by said people. The RIAA would have to pass the same test to have addresses suspected of involvement in piracy banned also and doubt they would have the same kind of support, as they are not addressing an issue that is universally annoying (as is spam), and they have generally made asses of themselves - but they could try to do the same thing, yes. You could too - start your own campaign to have those Danish guys ignored! Oh but wait, everybody agrees with them and not you.
Too bad you feel you have to file a lawsuit. You might win, and the guys in Denmark might have a good laugh and have their stereotypical image of an American lawyer confirmed. They might even have to stay out of the USA, but you still won't be able to send your email. The net effect is probably that you will be invited to kiss some Danish ass. For real results you would have to file suit, and win, against everyone who does not accept your email. Kind of like the RIAA choosing to target tools that facilitate copying rather than the people who actually do the copying. Has that strategy worked?
Now the RIAA appears to be targeting individuals - finally they understand! You might like to read this if you think the RIAA could demand blocking like those guys in Denmark - ISPs don't appear ready to acts as rent-a-cops for the RIAA.
http://news.com.com/2100-1023-957332.html
"But at the same time, any private operator at an end point in the Internet's architecture can restrict the flow of content to a user."
For an "internet attorney" you don't appear to understand much about the internet. Unless, as I suspect, this is just hyperbole from a guy who wants to get his own way.
Re:His relay is open (Score:2)
Open relays are still bad. He is still a moron.
Re:His relay is open (Score:2)
"You can reach him at bret [] lextext [dot] com."
Re:Is is still an open relay? YES!!! (Score:3, Interesting)
telnet naam.pair.com 25
.
Trying 209.68.1.237...
Connected to naam.pair.com (209.68.1.237).
Escape character is '^]'.
220 naam.pair.com ESMTP
HELO test.lextext.com
250 naam.pair.com
mail from: randomuser@test.lextext.com
250 ok
rcpt to: bret@lextext.com
250 ok
DATA
354 go ahead
Hello Mr. Fausett,
your mail server is wide open. please fix it.
250 ok
quit
221 naam.pair.com
Connection closed by foreign host.
So it seems the article published in New Architect is wrong. It is defamatory and it is claiming that the guy is innocent while he's guilty as sin.
I guess that's what passes for lawyers nowadays...
Please DO NOT flood the poor guy with email. He's enough trouble already: He's a lawyer, he's been caught pants down after claiming he wore belts and suspenders, he's a lawyer, he's been blacklisted, and he's a lawyer.
So let me get this right.... (Score:3, Insightful)
Sounds like he should have been blocked. Come on, at the very least do some ip checking. It sounds like his server wasn't a textbook open relay, but it was pretty close.
Maybe he should use this to his advantage? (Score:2)
Anyway, I think he should pick up the phone and call the dudes in Denmark. I think that being on an e-mail black hole list means never being ABLE to say you're sorry...
Test fails = relay (Score:2, Insightful)
Authenticating by the domain that the sender says he is from is very weak...
Holes like this are what keeps the spam coming to my mailbox...
Re:Test fails = relay (Score:2)
Not an open relay? Hardly (Score:4, Informative)
Well, setting your sender's address to a trivially guessed domain name (such as the reverse-mapped address of the host), you effectivly have an open relay. Guess what spammers are doing: they are using known-good addresses, and try sending spam from those addresses MX hosts in the hope that the MTA do this foolish kind of access check.
This has been discussed since at least five years, and has been a point in the many faqs and howtos on how to lock down your MTA for a long, long time.
If you really need to send mail through your MTA from arbitrary IP addresses, you need to employ authentication. Again, this is hardly a new technology, and many documents explaining how to combine SSL and authentication for SMTP exist.
I don't get it... (Score:5, Interesting)
How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user.
One word: Authentification.
You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.
Uh, it may not be a totally open relay in the literal sense of the word, but surely that still means it can be used to send spam, as long as the spammer figures out who to identify himself as - and if the Danes could do it, then it can't be that hard?
Any spam-block that relies entirely on the "from:" header is broken by design. What, spammers disguise their identities? Never!
Re:I don't get it... (Score:4, Funny)
Yeah! Don't misunderestimate the value of authentification!
Re:I don't get it... (Score:2)
Remember: It all depends on what you mean by the word "is."
Re:I don't get it... (Score:2)
Credibility lost in the second sentance (Score:2, Interesting)
When that appears in the first paragraph the rest loses credibility. Anybody qualified enough to be commenting on SPAM should be aware that simply by opening the email you may have verified the address as valid (if it contains an external image).
-----
interested in inventions [royalinventions.com.au]?
Re:Valid e-mail address confusion... (Score:2)
Seen it all before (Score:4, Insightful)
"Waah, I'm being blocked by your nasty list! I demand you stop blovking me or I'll drop piano's on all your heads! and I'm a lawyer!"
"A. no-one's blocking you, they're justing *choosing* not to accept email from known open relays (or whatever the perp feels accused of)."
"You're abusing my First Amendment Rights to 'Frea Speach'"
"Our list is based in the Gobi Desert. *Our* first amendment guarantees the right to tea with yak butter."
Also, searching for his email address to see if he had ranted on usenet, I found this: Archived Article [google.com]
an Excerpt (from the above article by "R. A. Hettinga" ):
New Architect is a Microsoft/DotNet magazine. This article is
agitprop for Microsoft's identity solutions: UDDI, Passport, and Palladium.
Any reputation framework that arises in the wild would reduce the
profitability of a Microsoft solution, so they are going to badmouth it,
sue it, etc.
dave
Re:Seen it all before (Score:2)
And if it isn't, it still serves the bastard right for running an open relay and not getting it. Wow, you can send spam by lying to his mail server, let's sue some Danes for pointing it out.
Re:Seen it all before (Score:2)
I don't use blacklists anymore. They aren't effective at blocking spam. What they are effective at is making it easy for spammers to find an open relay that the 95% of the internet not using the blacklist will accept traffic from. I wonder how much tougher the blacklists are making it on the rest of us who find them ineffective as a solution, or even as a bandaid.
Re:Seen it all before (Score:2)
The making-it-easy-for-spammers argument seems to be identical to the exploitable-bug-disclosure argument. You keep a vulnerability secret, and it gets exploited by a small group of abusers for a long time. Make it publicly known, and it gets exploited by a larger group of abusers for a shorter time. I guess different people have a different opinion on which of those alternatives is better.
suggestion for someone (Score:2)
The writer is a moron (Score:2, Interesting)
I fail to understand how this can be a valid argument against bad-maintained blackhole lists. The author was listed because *anyone could use his server to relay just by using a MAIL FROM command sporting his domain name*. Sheesh! When you configure your relay ACL, you use *IP ranges*, not domains (an awful lot of spammers forge all the headers in the messages they throw out). Even better, you use SMTP AUTH. That guy didn't bother to implement a technically valid solution, and thus his mail server definitely *could* be abused. No wonder it has been put on a blacklist...
BTW, this doesn't mean there aren't stupid blacklists out there listing innocent people. But this article proves nothing. Moreover, there are now better ways to filter spam, based on message content checksum, like Vipul's razor [sourceforge.net]. This is not the first time people bitch and moan about their badly-configured relays being censored by the antispam Nazis (I remember a guy, from the EFF I believe, that did the same thing some time ago) but they simply are irrelevant. Their solution is to RTFM and play by the rules. Period (grrrr, I really dislike bad admins :-/.
Not a troll, but (Score:2)
----
* a phrase used on Slashdot about as often as "Why do all those Supermodels keep throwing themselves at me?"
Re:Not a troll, but (Score:4, Informative)
Not an open relay? (Score:5, Insightful)
Anyhow, IMHO this is an other blabla piece from someone who doesn't realy has an understanding of what he's doing.. Typical american sollution.. let's sue..
Re:Not an open relay? (Score:2)
However, the fact that it's a re-check implies that the Danish site previously checked his mailserver without permission. I still think it's silly for him to sue over that, but that does give him a slightly better case.
Re:Not an open relay? (Score:2)
NOBODY can force me to accept your mail.. It's that freedom of press/owner of the machine thing.. Shout al you want, but you can't force me to listen and such..
Is this guy for real? (Score:3, Insightful)
Now what's needed is a simple to use tool to help users determine if their systems can be comprimized. Any ideas?
Re:Is this guy for real? (Score:2)
Besides, "e-mail server checkers" ought to be very close in what they look for regardless of the platform the server is running on. Why the heck can't we easily get whatever scanner that the blacklisters are using?
Re: (Score:2, Insightful)
Re:So he had an open relay... (Score:2)
It's like me inviting you into my home and then instantly suing you for trespassing for coming into my home.
Re: (Score:2)
Some good, some bad... (Score:2)
Second, once you're listed on a black hole, it can be hell to get off. My company had a secondary domain that was used for customer emails. It was, indeed, an open-relay due to misconfiguration. Eventually it got blackholed and our admins realized the mistake they'd made and set out to fix it. They did fix it eventually, but by that time the server was being slammed by spammers trying to use it as an open-relay. And on top of that trying to get the black hole list to remove the domain was difficult - it took well over two weeks, while the black hole-ing occurred in under a day. Eventually the entire domain was just dropped, since even with the open relay closed the spammers were still abusing the hell out of our pipe.
That said, as best I can tell the author of the article barely even tried to remedy the situation. Yes, the black hole system forged a header to hit his open relay. Duh. So do spammers. If they could do it, so could (and will) others, and that's why you're black holed. But I'm sure he could've contacted the people running the black hole to find out what he could do to fix the problem. Instead it looks like he just wants to take them to court.
Finally, black holes/black lists/spam filters/etc. aren't solving the problem. The bandwidth is still being chewed up, and as is pointed out in the article, the block lists act like honeypots for the spammers - everytime a new site is added the spammers find a new site to spam from. Sure, if you participate in the black hole you won't deliver the spam, but the bandwidth has already been sucked up from the backbones, and you're still using CPU power to deny the spam. As much as I'd like to see lawyers stay the hell away from the Net, I don't see any other way to stop spam than to make it illegal. It may be that most of the relays are foreign, but most of the spammers are in the US or another Western country. Anti-spam laws could significantly help.
Re:Some good, some bad... (Score:2)
I live in Utah, with a pretty good anti spam statute [com.com].
However, though I could be in the process suing a few dozen people a day, I simply do not have the time or the desire to persue any of these. Not when Spamassain grabs about 90% of all spam, and sends it to my Spam folder, where I review the headers looking for false positives, and then they get deleted. Total time for me, 3 minutes.
Anti-spam statutes, while good for keeping honest merchants in check, will do nothing for the multitude of pr0n, Nigerian and penis enlarger spams I get every day.
What am I going to do, sue the entire nation of Nigeria? From what I hear, only one guy has all the money, and he is dead, or so it says in an e-mail I just got from Azabi Manzuna...
Re:Some good, some bad... (Score:2)
Kintanon
Re:Some good, some bad... (Score:3, Insightful)
I'm sorry, but I'm really failing to see what part of this is not the spammers' fault... or yours. Certainly it wasn't the listing service "abusing the hell out of [your] pipe" or slamming your servers. And you say your admins "did fix it eventually." Was that in a day, a few weeks, a year, or what? A mere two-plus weeks to be taken off the blackhole advisory list sounds very reasonable under the circumstances.
Sounds like the blackhole service did you a favor. Certainly they limited the damage your company did to the rest of the Internet by passing along all that spam while the relay was open.
Re:Some good, some bad... (Score:2)
A couple days I think. The issue was that the request for retesting was submitted and didn't occur for 2-3 days, followed by another week to disappear from the list.
I can understand that it's not entirely desirable to immediately test, since less-than-honest types could "fix" the server, have it de-listed, and then remove the fix. But an immediate test followed by 2-3 retests at random intervals would be a better alternative methinks.
When your business gets blackholed and you're unable to send email to large portions of the net, I'm sure you'll think that "2 weeks" is an entirely reasonable time period. Thankfully our primary domain wasn't the one blackholed (as it didn't have an open relay).
Certainly they limited the damage your company did to the rest of the Internet by passing along all that spam while the relay was open
Nice theory, except that mail logs show that no spam was forwarded through the open relay until it appeared on the black hole list. This was a domain that had been setup for at least a year and wasn't used anywhere except for a domain registration and private, customer-only email use.
Re:Some good, some bad... (Score:2)
Blacklists ARE solving the problem. I subscribe to SpamCop.net [spamcop.net] and I get about 50 spams filtered out daily. Bandwidth is NOT chewed up because the message is never sent--just a small rejection notice.
Links to Incidents in the Past (Score:2)
MAPS Attack [dotcomeon.com]
No sympathy (Score:2)
I'm afraid I've got little sympathy for the author of the article. He is running an open relay. Yes, for someone to abuse it they've got to forge the headers. That spammers do this is news? I don't think so. So, he runs an open relay, it gets detected, he gets added to a blackhole list until he closes it, he's now upset that the list operator won't accept "Well, someone would have to lie to abuse my server, so it shouldn't count." as an excuse. Pardon my complete lack of sympathy for him. This isn't vigilante justice, this is simple shunning by the community. If he wants to restrict his server to authorized users, he should do just that. POP-before-SMTP and SMTP AUTH exist, they can be used. Requiring that someone forge his domain in a From: header is not securing a relay.
Follow up article... (Score:5, Informative)
Point being, if they can forge a header to get on your computer, a spammer can very easily do the same thing. An interesting thing on my campus is the technology department regularly scans and tries to hack into FTP sites running on campus, and sends an e-mail to the admins if they're successful. Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it. This seems to be a new effective form of security that's emerging, since we can't depend everyone to stay up to date with the latest security issues, such as the Mr. Faussett in the article. I think vigilante is the wrong term, these blacklist ops are doing everyone a favor by helping to clean up insecure sites, which in the end saves everyone money. I propose we call them "Freelance Security Advisors" or something like that.
So you don't mind if I test your home security? (Score:2)
Sometime in the next week or so, I am going to stop by your home and probe for any security problems that a burglar might exploit. I know we have never met before but its in your best interests. Since I have the best of intentions, I am sure you won't mind. You wouldn't want to leave your home with security holes in it?
Re:So you don't mind if I test your home security? (Score:4, Insightful)
Sometime in the next week or so, I am going to stop by your home and probe for any security problems that a burglar might exploit.
You sir, are of subhuman intelligence.
There is a distinct difference between a University testing the security of systems directly connected to its own network and jackasses like yourself equating it to random strangers "testing" a systems security.
To clarify in terms of the flawed analogy you provide, no one should have trouble with their landlord testing their home's security, as the landlord is the one who is responsible, and who fixes it when it is broken. That is not the same as inviting any random stranger off the street to do likewise.
Re:So you don't mind if I test your home security? (Score:2)
Wow! Coming from an expert, that must be a compliment. My analogy stands as we are talking about an unknown third party probing your mail server without your permission. The poster I responded to narrowed that focus. I re-expanded it to the subject being discussed in the thread.
Now grow up, child. Take the insults elsewhere.
SPAM and the dangers of blacklists (Score:2, Interesting)
First off, why is earthlink who is the domain of quite a bit of spam itself running a blacklist? Secondly, why couldn't they have at least bothered to send a courtesy automail to let us know? We finally found out when the sender of the original "spam" tried to send another email to her friend at earthlink. At that time it took a series of calls to earthlink to even find the department we needed to talk to! And then I found out that we'd been on their blacklist for MONTHS!
Blacklists should be carefully administered and you should develop your own as it's really not that difficult to set up blocks for individual domains. Too many domains are blocked by error or because one company put another on a blocklist that got circulated but never bothered to circulate that spamming domain had been fixed and removed from teh list.
Of course, a contributing problem is that many mailserver admins don't bother to keep proper security (or even keep their security patches up to day) for their server. It's way too easy to find a mail server that is VERY open to people outside the actual domain. But any truly working solution to the problem will have to involve responsible actions on the part of the "blacklisters" and the mail admins.
Re:SPAM and the dangers of blacklists (Score:2)
I heartily disagree with you.
Theft of bandwidth is a real problem.
Harrassment is a real problem.
RBL's go a long way to solving these real problems for me.
So, exactly what real problems don't the blacklists address?
Re:SPAM and the dangers of blacklists (Score:3, Interesting)
Your concern about failing to circulate blacklist removals is misplaced with regard to DNS based blacklists. The data expires in a finite amount of time from the cache, and removal processes are working pretty damned good. I've watched a number of notices posted on news.admin.net-abuse.email asking to be removed from the SPEWS list, and I check out whether they have fixed the problem or not. In most cases I find that the data had already been removed from SPEWS by the time I checked that (so now I check SPEWS first before checking to see if the problem is fixed).
Private blacklists are a problem because there's virtually no way to track them all down and get removed from everywhere (once you fix the problem). That's why we need central DNS based blacklists. But what we also need is to shield these central lists from stupid lawsuits from people who refuse to fix their problems or simply don't have a clue. Those who even so much as threaten to sue the list operators instantly get their IP addresses and domain names put in thousands of private blacklists where no one even looks to see if anything is ever fixed. And when they end up shutting down the central lists, they make things worse due to all the private lists. That's the primary reason SPEWS is so secret. Sure, it comes across to people who didn't know about it as a "Star Chamber" thing. And I didn't use it for several months until I verified it actually works to list what needs to be listed, and removes things when fixed.
Vigilante Justince and the Wild West (Score:2)
SPAM is as much a social problem as a technical problem. Blackhole lists attempt to solve the social aspects of the problem with a technical solution - the idea being that the sender of spam is shunned and ignored when trying to communicate. I don't have all the answers but solutions like Vipul's Razor [sourceforge.net] seem a bit more like technical solutions to the technical aspects of the problem.
Likewise, domain registration operates much like the wild west. He who hets there first, gets the loot. I was attempting to register an expiring domain at one point. It had expired 90 days previous and still had not been released by Verisign. I consulted my perfered domain registrar, who's generally vary helpful staff gave me this wild west analogy and suggested that my only recourse was to lodge a complaint with ICANN. We all know how helpful ICANN can be [icannwatch.org]...
Any new technology opens up oportunities for baser elements of human nature to bear their collective ugly head. Over time the practices will iron themselves out and until then people like the lawyer, author if this article will probably have to suffer unless they want to contribute a positive solution. The Internet will eventually grow out indulging these childish behaviors but until then, we can only do what's best to protect ourselves from the poor choices of others.
--CTH
Sensationalist half-wit gets published (Score:2, Interesting)
For one, the Danish antispam organization falsified an email header to gain access to my mail server. Illegal access to a computer system is, if not a criminal violation, then a trespass on my private property.
Except that he previously admitted to asking the antispam people to check his mail server. So it isn't trespass if you invite them in. Or it's entrapment on his part, right?
As I've discussed previously in this space, one of the novel legal theories now catching on for these kinds of unacceptable accesses to computer systems is a centuries-old tort called "trespass to chattels." At a minimum, I ought to be able to sue the Danish company for the damage it caused me from its illegal access.
Alternatively, you could secure your f'ing mail server properly.
But in spite of all that, I could probably get an injunction, or least a dollar or two to compensate me for my injuries and establish that I have been wronged.
Always the lawyer
Who knows whether the organization is a real legal entity or just some name cooked up by a group of self righteous individuals.
At some point along here I gave up reading. This guy is a whining, deluded, litiginous fuckwad. And a bit xenophobic (maybe he had a bad experience with a Danish girl once
Okay
It isn't difficult to imagine that the RIAA could pressure a sufficient number of ISPs into subscribing to this copyright blackhole list and blocking access to their users, or to any traffic emanating from them.
Except (you half-wit), the RIAA would likely use pressure. The anti-spam list doesn't force ISPs to use it
I hate spam as much as the next guy. If I found out my mail server was an open relay (which we did at one point), I sure as hell would spend my energies fixing the problem, rather than ranting about it and plotting a lawsuit.
I really hope that if he decides to take legal action, some judge with half a brain will say "You could've solved this yourself in half an hour
Sheesh.
Re:Sensationalist half-wit gets published (Score:2)
He didn't ask them to test his server the first time they did it. The 2nd time served to reveal that their method was to trespass.
I hate spam as much as the next guy.
You have no idea what the next guy likes, dislikes, hates, doesn't hate, or how much he does. Part of the problem with these vigilante groups is projection. They think everybody places as much importance on their efforts as the vigilantes do. That ain't so.
And FWIW, the DNS blacklists are no longer an effective tool for the antis. They are much more effective at providing a list of useful open relays to the spammers. This of course, creates the illusion of "just cause" in the minds of the antis: "Hey, look how many spammers are using this open relay whose IP address I am publishing to the world. I'm doing a great job." Meanwhile, the 95% who aren't receiving email through servers using the blacklists are innundated with junk mail from the relays so helpfully identified by the antis.
Yeah. Good job.
Just a thought..... (Score:4, Funny)
Way too common (Score:2)
I was recently a victim of this problem. A machine at my former hosting provider (JTLnet, and they were already my former hosting provider before this incident) got infected by an email worm, and started propagating to everyone in that machine's address book - which seems to've included their entire customer-contact list. Being a modern email worm, it picked one address from that address book to spoof as the source of the messages, and I was the "lucky" guy so I ended up getting all the bounce messages.
There's a lot more to the story, but it's mostly about JTLnet and it's not their faults that are relevant here. The more interesting story is the part played by Verizon (my DSL service provider). Here's a major provider to millions of people, and their mail server was set up so it would happily propagate the worm's spoofed emails. A little experimentation quickly revealed that as long as the original FROM line (the SMTP one, not the one in the header) matched my email address the message would go through, regardless of where the connection came from. Unbelievable.
There is the tiniest shred of an excuse, though. I do remember being annoyed when they shut off SMTP access from outside their network entirely, so I couldn't reply to messages received on that account while at work. However, there are other ways to deal with the problem without allowing worms to spoof email through subscribers' accounts. SMTP authentication would be the obvious solution. A web interface for subscribers to specify which hosts could send email through their account would also have stopped the worm in its tracks. There's no excuse for a provider employing that many people to take the cheesy way out.
Blacklists are problematic (Score:5, Insightful)
The truth is that these home-grown spam mitigation methods do have their problems.
One of them is evident in the article: well-meaning users often do not understand what might be insecure about their server configurations, or what might need to be done to fix them. I am very comfortable with sendmail configuration, and I can tell you that setting up the authorizations correctly for mobile users to be able to send email safely is a narrow, twisty labyrinth in comparison to the big, flashing exit door marked "promiscuous relay".Another problem in the home-grown nature of these solutions is the tendency for them to be personality-driven, instead of professional. Often, IP addresses (or even whole ISPs) are placed on blacklists because the blacklist maintainer does not mind creating a little collateral damage if they think it might create a little extra pressure on a spammer or an ISP.
Some blacklists have blocked out entire hosting companies, including some of the biggest ones on the net, simply because they did not think they acted with sufficient alacrity against spammers in their midsts. This kind of wild overkill is unfortunately too common, and perhaps it's a good argument in favor of for-profit blacklisting, which would probably exert some good influence on the question of list quality.
Earthlink rejects mail from any IP address that belongs to a dial-up pool that attempts to connect to their SMTP servers.
Ostensibly, this is done to reduce "direct-to-mx" spam, which is a very common spammer tactic. Unfortunately, it also makes life harder on the home linux enthusiast, or home business operator who might be running their own perfectly legitimate sendmail server. All part of the collateral damage in the spam wars: Internet access and Internet business are slowly becoming more expensive and possibly moving out of the reach of people with limited means.
So what should we do?
First, I think that current law against junk faxes should be extended to include junk emails. This would not eliminate spam, but it would give us the ability to correct the spammers who operate out in the open.
As a Libertarian, I want to jealously guard the right of the people to freedom of expression. But that right does not and cannot include the right to expropriate other people's time or money. You have a right to make your voice heard. You do not have a right to force me to pay for it.
Second, I think that we should be careful about the blacklists that we use, and prefer those operated by recognizable and accountable companies wherever possible.
Finally, I think that for the forseeable future, filtering at the user desktop will be necessary.
(Cards-on-the-table time: I am working on a new solution for end users to eliminate spam from their inboxes. It is based on a new method, and it will work for any user who uses a POP email account. It will be ready for public beta soon. Please write to me if you want to learn more.)
The struggle against spam is definitely picking up, and I think that a new equilibrium is approaching.
Re:Blacklists are problematic (Score:3, Insightful)
The attitude that only "l33t hax0rs" should be allowed to run software is, sadly, just as common as it is wrong.
Mail servers are hard to configure, people have businesses to run, and accidents happen.
The right question is: "how do we make misconfigurations less likely?" Not, "how do we more effectively disdain folks to whom they occur?"
The Author Responds... (Score:2, Informative)
Rather than focus on what constitutes an "open relay," which is really a technical issue rather than a policy issue, I'd rather see more thought given to the damage caused by blackhole lists. Are we really interested in championing their use? Spam today, something else "offensive" tomorrow? How different is this than when Chinese ISPs decide to block Google? As vile as spam is, I don't think this is the right tool.
My response to the original letters sent in by New Architect readers:
Thanks.-- Bret
www.lextext.com [lextext.com]
Re:The Author Responds... (Score:3, Insightful)
Quoth the poster:
But you did ask the blackhole list people to check your server, yes? You do have the right to access your server in any way you see fit and to permit others the same access, correct?
If I contracted with a security testing firm to test the security of my office, I'd be severely annoyed with them if they did not try to lie their way past the office manager who watches the front door.
Re:The Author Responds... (Score:2, Interesting)
- Both groups maintain lists that are optional for subscribers. Are you willing to trust Cybersitter's judgement in what is offensive or not? Fine, buy their software and use it. Want to tweak the definition of what's "offensive"? Cybersitter lets you do that too. The most important word here is "optional" - you don't have to use Cybersitter if you don't agree that their list is fair, accurate, or otherwise useful.
- Both groups contain ways to get off the list. Was your site mistakenly identified by CyberSitter or some other filter software? Most of them have ways to get in touch with the list maintainers and have your site re-evaluated. Similarly, most blackhole list operators feature prominent instructions on how to get yourself removed from their list.
You didn't mention the rest of the story in your New Architect followup, but what happened after you updated your mail software? Did you contact the blackhole list operator again? Did they test your server again and find it secure? Did they remove you from their list?Similarly, you and/or your ISP don't have to subscribe to blackhole lists if you/they don't want. You ask what would happen if someone (say, the Chinese government) starts making a blackhole list of sites that deal with something they they consider offensive? (say, western media, Falun Gong, etc.) The answer is that you and most ISPs probably won't subscribe to such a list. They can blackhole as many sites as they want... but most of the world won't care, or even notice.
Open-relay blackhole lists thrive not because "vigilantes" are cramming their brand of justice down our throat, but because enough people agree with their philosophies that they're freely willing to make use of the product they're offering.
If not, then you may still have a legitimate complaint. But if they did, then I think the system worked the way it was supposed to.
You said that your "software and your definition are now upgraded". The opportunity for you to upgrade both your software and your understanding of what an open relay have been around for a very long time now. I think that by running your own mail server, you raise yourself to a higher level of Internet citizen. No longer just a casual web user, you have to take the responsibility of maintaining your server, keeping up with security patches and issues, and just generally being a good Net citizen. Blackhole lists are something of a last resort for people who won't/can't take care of the problem in any other way. Now that you've solved the problem and your site has emerged from the blackhole, I would take it as a lesson learned and go on from there - not spend 1/3 of a magazine column trying to figure out what the best way to sue a Danish company is.
P.S. Here's a quick, automated way for anyone to check and see if their mail server is an open relay:
> telnet relay-test.mail-abuse.net
Blackhole lists are opt-in (Score:2)
You have to explicitly subscribe to someone else's judgement in order for it to have an effect on what you block.
Your argument about the putative "RIAA P2P blacklist" is flawed, in that you would have to go out of your way to elect to subscribe to RIAA's judgement.
A much more salient argument might be Palladium, which is effectively a black list of people who do not used Palladium, and which holds you hostage via the use of monopolistic power in the marketplace. A black list which forces you to use it -- which is not "opt-in" -- is much more of a threat.
PS: In your original argument, you had exactly one valid point, which was that the original probe of your email server -- before you asked them to recheck it, thereby giving them permission -- was in fact a criminal trespass on your system. On the other hand, from a legal standpoint, it's probably easy to argue "attractive nuisance" in defense of the original probe, particularly if your mail server had been reported by a third party who had received SPAM via it.
-- Terry
Re:Blackhole lists are opt-in (Score:2)
The problem is that he has no direct or indirect proof that the "original probe" even occurred. I could easily imagine a scenario where an irate user forwarded a spam to the unnamed blacklist administrators who added Lextext's address based on the header contents. Since you and I don't know who the blacklist admins are, and Lextext isn't telling, we have no way of knowing that their policy requires them to verify open relays before blacklisting them.
In a nutshell, unless Lextext has server logs to prove that the blacklist admins previously scanned his system, I have no reason to believe that they actually did so.
I tried explaining this to him via email, but I think the point was lost on him.
Re:Blackhole lists are opt-in (Score:2)
I've heard this rant so many times. Most ISPs, such as Earthlink, allow users to turn off the spam filtering. Got one that doesn't, and won't whitelist for you? Then move on.
One thing we do not need to be doing on the internet is encouraging incompetence by continuing to pay them. If they don't, or can't, run spam filtering for you the way you want it done, then yes, it is time for you to move on. That's why we have competition and free trade.
Re:The Author Responds... (Score:2)
Damn straight. I would never, ever, invite a klansman over to my house, just so he could yell hatred out of my windows. Why then should I have to allow him to yell hatred out of my TCP ports?
Same goes for anyone that I personally have a dislike for, and that could be trivial. If I don't think that people should part their hair on the left, then I'm not going to let them on my server.
After all, it's my server, and I pay for the bandwidth myself.
Re:The Author Responds... (Score:3, Informative)
If the list operator who tested your mail server did not test it by using the proper practices, which includes doing everything that spammers are known to be doing, or known to be capable of doing, then it would be the list operator who had failed to properly and correctly test your server. If it had been marked as closed, because of that, when in fact it was still open, then it would be the list operator who would have been negligent.
Security practices, and spam prevention is a form of security practice, do include performing tests that mimic what the security prevention is supposed to prevent. Your mail server is supposed to prevent relaying of forged addresses. So you have to do forged addresses to test that facility.
The only thing the list operators did wrong that I can see is they failed to get your signature in writing on a piece of paper that explained it to you. Had they done so, that piece of paper would have stated that they would be performing a test that adheres to current best practices in security testing, and that test would include every form of forgery and trickery known.
The ends not only do justify the means, they are also absolutely required!
Also, some mail server software is defective in ways that certain types of attempts, which spammers might try, and therefore have to be tested in a thorough test, could cause that defective software to fail, and may result in damage to your mail server. If that happens, your remedy should be with the maker of the defective software, unless the defects were documented and avoidable by proper configuration.
And if you want to have a private dialog about this, I am willing to explain it in more detail if you need that. I am not a lawyer, so I can't give it to you in purely legal terms, but I can certainly give you some real life analogies. You can find my email address a number of ways, such as the domain registration of one of my web sites.
Legal action needed (Score:2)
Prime example is this idiot author. I'm not security expert -- in fact, I (gasp) don't even know how to set up a server. But I can recognize a security hole as big and obvious as the one his system has. If all someone has to do is forge a from address in the header to use your system for their e-mail without authorization, your system is completely insecure. This author displays his complete ignorance when he says, "the system was doing what it was supposed to do". Every system does what its supposed to do, and that's depends on how it was programmed by the programmers and set up by the administrator. That doesn't necessarily mean every system is doing things the right way.
That this story was posted on
At the very least, your service should request password and user-name verification. IP-address verification possibly, if you don't want to allow your users to be able to access it from any remote location. Someone needs to slap this author with the clue-stick. He fell off the a 300ft high dumb tree and hit every branch on the way down.
The author does, however, make two interesting points, though these are hardly news. (1) It takes forever (i.e., weeks) to get off a blackhole list; this is understandable, since these things are run by volunteers, and it takes time to verify. (2) Blackhole lists are used by spammers, which allows them to slam any domain on the list. This is something which needs to be fixed. I think this is that rare case where security through obscurity works. The only people who should know all the domain names on a blacklist are those running it. People running domain-names that have been placed on a blacklist should be notified so they can fix it, and if they want notify the public. But because these blackhole lists are available for anyone to see, spammers use them and effectively DoS those who are on the list, making their life difficult.
Oh yea, almost forgot. The title of this post is "Legal action needed," because I think laws are needed to deal with this problem. Spamming might not be particularly profitable, but its also not at all unprofitable; theoretically, it probably wouldn't even cost a cent to send spam to everyone on earth with an internet connection. Thus, spammers will continue spamming, because they have no reason not to. Even if only one out of a thousand people actually buy something from that "make your dick bigger by jilking" spam, it still amounts to something worthwhile for the spammer.
They will never stop unless there is a strong cost associated with spam. So what I propose is tagging very high high fines onto any spammer -- millions of dollars. Enough to bankrupt an individual and keep him in debt for a long time, or enough to send a company into Chapter 11. I'll admit that we won't catch many spammers; maybe 1 out of a 1,000. But when you can't catch most people who do something and punish them accordingly, the way to stop an activity is to say we'll punish anyone caught inordinately.
I strongly disagree with the misguided notion that somehow dealing with our spam-problem violates the principles the internet was founded on. This is just an example of community action to deal with a problem.
The anonymity that the net gives us is valuable because it allows those who have controversial opinions to speak privately; because it allows those who have inordinate interests (i.e., occult or pornography) to pursue them in privacy without fear of public scrutiny; because it allows us to share information though P2P networks without fear of a slap-down from the RIAA. No useful purpose is served by spammers using annonymity; it neither promotes a public good, nor facilitates them in excercising their rights; rather, it facilitates them in doing harm to the public and violating the rights of others. The community is dealing with that problem in many ways.
One of them is blackholes. Crude, but somewhat effective. Simplest method. It is valuable not so much because of the spam that it blocks, but because of the action it forces service providers to take -- securing their systems against spammers.
Another is bayesian filtering, as was recently mentioned on
Another method -- one I prefer -- is simply blocking any messages from those whom you don't have in your address book or on your "accepted senders list". This effectively blocks out all spam. You have to, however, keep an updated list of accepted e-mail addresses.
There are many others.
No method is perfect. My method blocks all spam, but also will block anything from anyone who I don't have on my accepted senders list; so I have to be vigilant in maintaining such a list. Bayesian methods effectively have no false positives or false negatives, so are pretty damn good. The primary usefulness of blackhole lists is making services secure their systems.
Misinformed. Badly. (Score:2)
Any mail server worth its salt needs to look at more than just the 'From:' header. It needs to look at the originating IP address of the machine trying to send the message. If said address is not part of the mail server's local domain, the traffic should be rejected with extreme prejudice.
The article reads very much like a whine from someone who doesn't know enough about how a mail server works (or is supposed to work) to be running one; "Those Evil Censorous (sp?) Anti-Spam Nazis forged my domain name and cracked into my system! How dare they?! Even though it's the same trick a spammer might pull, how dare they?!"
This guy needs to get a clue. Quickly. In fact, I'm going to make sure to block his server out of mine when I get in tonight.
But wait! (Score:2)
Spammers never lie or forge domain names! So of course it's unfair that this lawyer's mailserver was blacklisted. . .
Bah. With all the money lawyers make, you'd think he could buy himself a clue.
My response to the author via email (Score:2, Interesting)
(http://www.newarchitectmag.com/document
open relays and figured I'd email you with my experience. For my day job,
I work network security (handling spam complaints, hacking, etc) for an
extremely large public educational institution, so I see an extremely
large number of spam complaints, spam issues and whatnot every day.
If your mail server is allowing mail to be relayed to it through the
domain it advertises, it is an open relay. Period. An open relay is a
relay that permits an unauthenticated, unidentified host on the network to
send mail through it. Your claim that you are not running an open relay
simply because you only allow mail from users on your domain demonstrates
a fundamental lack of understanding of the mail protocol. The FROM
field is not any kind of authorization, it's not a login, it's completely
arbitrary and should never be used to allow or disallow mail except in
rare cases where virii may email out with fixed FROM addresses that are
known to not be legitimate.
Your mail server advertises what domain it claims to be (and likely has
reverse dns to supply a spammer with the domain), therefore it's trivial
for any spammer to (as the denmark organization did) simply but a from
address of your domain. And are they lying? It might be interesting to
note that since your mail server is sending the message, the mail ~is~
from the domain they put in the from field.
The issue is not that some anti-spammers spoofed a from field. The issue
is that your mail server allows relaying of spam email. I'm sorry you see
it otherwise. There are other effective ways to secure your mail server
so you can travel and still have access to it, but your current
'protection' is not.
If you would like more information on how exactly you can configure your
mail server to not be an open relay and still allow remote access, please
feel free to respond via email and I'd be glad to help.
RBL Vigilante Jackasses... (Score:3, Interesting)
If they make a mistake, you and your organization are screwed until they decide to admit their mistake and correct it -- if they ever do. They have cute, pat answers to explain away any responsibility for their behavior and generally refuse to communicate with those they block. I have had a nasty experience recently with "relays.osirusoft.com" where a client of our was using them as a part of their Postfix RBL configuration. Some Nazi^H^H^H^H German nominated our mail server as a spamhaus when we were not. Without being tested, our server was blacklisted -- I checked my logs and saw no check on the date we were listed. We received no notice, no automated robot checked out server or would anyone respond to my inquiries, just accusations that I was supporting SPAM--an absolute lie. If you are listed, you have to be an evil SPAM supporter with their mentality.
It took one month of constantly e-mailing their retest e-mail address. Daily checking of my mail logs and seeing that their robot was being rejected from relaying, yet, we were not taken off the RBL. Finally, after a month, we were removed. Nothing changed in our configuration, no notice was given as to why we were removed nor why we were added outside of the nomination origin. We were just lucky that "relays.osirusoft.com" decided to do what's right but was too cowardly to admit they were wrong. Hiding behind the anonymity of the Internet with no responsibility to the people they harm. We will never know how many e-mail messages were lost because of "relays.osirusoft.com"'s mistake.
Pathetic.
I wrote to this guy back on July 25 (Score:3, Informative)
Here is what I wrote to this guy back on July 25 when the article had just come out. I never received a response from him. Was he totally embarassed by his idiocy once it was explained to him? I guess so.
<lettertext>
I just read the article you wrote on New Architect Magazine entitled "Blind Vigilantes; Blackhole lists offer dark prospects". I feel you have missed certain points in your analysis, and as a result, you misunderstand what is going on. That's OK, because the majority of network administrators still do, too. As a lawyer you would not be expected to know this kind of stuff. You clearly know a lot more about it than the average lawyer. I'm writing in hopes of filling in the gaps. I sincerely hope you have the time to read this. It's long, but I think this is important.
First of all, I use these blackhole lists myself, so it is possible that your reply to me could bounce back. I can override it if I know the IP address of your mail server. But I won't know it until there is a server log telling me about it bouncing. What I'll do is get your IP address at that time, add it to the exception database, and you can repeat the reply later on. Or you can send me mail from Hotmail, which I believe is not blocked anymore.
I want to fast forward to the point in your article where I think the main misunderstanding is:
One of the methods spammers use to send their mail through a mail server configured like yours is to do exactly what you are complaining about. I see upwards of 10,000 of these a day on my servers. The spammers have these massive lists of email addresses, quite many of which are valid. What they do is look up which mail server those users would use, which is not hard because that's exactly what the whole system is designed to be able to do. Every delivered piece of email had to do that. Once they have this information, then they forge that user in their FROM line and start sending mail to the user's server. In the case of a server set up to test only the domain name in the FROM line, it works, and the spam message gets sent on its way.
That's why your mail server is considered to be an open relay, because it is possible for a spammer to use it, despite the fact that they are doing something illegal such as forging your domain name. If it lets a spammer forward mail, it's an open relay.
It is standard practice for every program (there are several available) which does the open relay tests to try dozens of different ways to fool a mail server into forwarding mail. Forging the domain name of the users of that server is one of the simpler tricks. There are some that are more complicated. These programs are simply doing exactly the same thing that a spammer would do. It's the same principle used by security test programs which test whether or not a computer can be broken into. They have to pull all the punches a hacker might try. Otherwise such programs will fail to detect a flaw and the program itself will be worthless.
I periodically run tests on all my mail servers to make sure I have not accidentally configured out the relay controls. I watch these tests take place, and they do this forgery exactly as expected.
Actually, that is not true. Read on and this will be explained.
Last year, one of my client companies, a local web hosting business, had a case of one of their customers running a spamming operation right from the server they were paying my client to use, in violation of their AUP. The customer got cut off, and my client asked me to help him clean up the mess. In so doing, I obtained a copy of not only the spamming software (a special version intended for running from web servers), but also a copy of a big list of about 1.5 million addresses.
There was something very interesting in this list. The first 1000 or so entries were email address that were familiar to me. They were OTHER SPAMMERS. That's right, other spammers have their own names in these lists. What that means is if any spammer discovers an open relay, the others find out about it fairly quickly. The "spammer network" as I might call it is very well connected. They all see the successes of the others. And much like wild animals on the African Savannah when one makes a kill, the others circle around to take their own bite out of the carcass. That's what is happening to your server.
The anti-spam group have some of their addresses on these lists, too. That's how they first find out if your mail server is an open relay. They get spam that some spammer who found it relayed through. That's how you were first put on the list.
The blackhole lists are run through a distributed database called DNS. This is the same thing that allows looking up a domain name to get the numeric IP address which the routers use to send packets to the correct destination. But the point about it is that DNS works as a general distributed database, and unless someone runs the DNS server wrongly, there is no mechanism to get a list of these addresses. All that can be done is to pick and address and do a lookup. Unlike a regular database, there is no means to do a query lookup like "give me all the IP addresses which are open relays".
In reality, there are sometimes some breakdowns in that security and the blocked addresses can get out. I've acquired one such list myself. But for the most part, spammers do one of two things. They scan the net at high speeds looking for open relays, and they scan through their mailbox which is on the lists to check for good pickings in recent spam they received.
They have a legal defense. You actually gave them permission to do the scan. Although you did not know the scan involved the address forgery, their defense is that the practice is the only way to test to see if a mail server is an open relay (that is, if it could be used by a spammer who would forge the address). As mentioned above, this and many other tests like it are standard practice in security testing (and testing for an open relay is simply one form of security test).
This is why when an open relay listing is in the database they will not remove it by periodically testing on their own accord. That would truly be illegal. They require you to consent to the test before they will do it. And again, the standard for these tests is to do exactly every know trick a spammer would try.
It is not their test that put you in the list in the first place. It was the fact that they received a copy of spam that some spammer relayed through your server first. It is that spammer that trespassed on your server and caused you the real harm.
Those who compile the database are just the messengers. But your real problem is that these guys are just the little fish. The big ones are even harder to reach. They are rumored to be in Bulgaria, an Eastern Europe country formerly behind the infamous Iron Curtain.
And there is the risk that they would win if they were present to defend their practice. They would certainly bring up the point that the original listing was due to a spammer discovering your open relay, and that they received permission from you to test their server.
The choice to use the information from blacklists to reject delivery of email in a mail server is something the owner of the mail server would do. This becomes a private property issue. I have the right to refuse any mail into my mail server I wish (except on the basis of the few parameters law now prohibits, like gender, race, religion, etc). I have the right to get my list of IP addresses to block from anywhere I like. If Joe down the street tells me he blocked email using his private little list of IP addresses and it cut out 90% of his spam, then of course I'd like for him to share it with me.
Could there be an issue of libel here? Sure, there could. But it's a clear line between saying "You are a spammer" and saying "Your mail server allowed a spammer (who uses forgery) to send spam to me, and when you gave me permission to test it, I found that by mimicking just what the spammer would do, it was still allowing it."
I do worry that the techniques used to reduce and prevent spam could be put to less noble uses. I also worry that facilities that exist on the internet to allow anonymous communications (which some people sometimes need to have) are abused by spammers (there are techniques to reduce that abuse) and in turn blocked by anti-spammers.
Personally, I don't consider the anti-spam movement to be less noble than peer-to-peer file sharing. The vast majority of what is shared on those networks is copyrighted material being shared well beyond the rights of the copyright owners. While I'm not advocating that those file sharing programs be outlawed, or the networks they use be shutdown, I do consider it to be less noble a thing that the effors of the anti-spam community to help keep mailboxes cleaner.
It depends on who is doing the breaking. If I break connectivity in my own server, even if I use information from someone else that I choose to use, who offers that information to me freely (I didn't illegally copy it), then what law have I broken? What tort have I committed? Who have I harmed? If it involves my customers in a service I provide to them, then it's a matter of the business relationship between me and that customer. In practice, my customers want the spam blocking since it proves to be very effective against spam.
As to your mail server. It is an open relay, and it needs to be closed.
If a thief enters a building by opening an unlocked door, it is breaking and entering. Merely opening the closed door was breaking, as opposed to the door being wide open. It does not matter if there was a lock on the door or not. It does not matter if the lock was left unlocked. It is still breaking.
Your mail server has a closed door, but it has no lock. You are making the assumption that spammers won't do the "breaking in" thing with address forgery. But they do. What you need is the equivalent of a lock on your mail server. Instead of just checking the FROM line to see if it has your domain name on it, it needs to check something that a spammer simply cannot forge at all. Usually this is an IP address. If you want to be able to use your mail server from other locations, then the IP address is not good enough. There is another method that is used which requires you to log in to READ your mail first. The way that works is when the mail reading login is done, the server notes what the IP address is from which the successful login came, and puts that IP address in a list which is valid for sending mail for some period of time, say maybe 30 minutes to an hour. Thousands of people use this technique successfully. It's typically called "SMTP after POP" (in reference to the POP protocol used to read mail in most cases).
The following has a number of useful links to help in testing and closing an open relay:
</lettertext>
SPAM is like AOL - (Score:2)
Junk-Filter that works. End of problem!
SMTP and POP (Score:2)
So what if mail servers accepted SMTP for inbound mail only, and required POP for outbound mail? Mail arriving from points unknown would be accepted via SMTP, but mail heading out would need that initial authentication -- no more forged headers. I think it's a great solution: it's compliant with IETF standards that are in place today. There's one problem.
Since PMMail, and I assume its short-lived Windows version PMMail 95, I haven't seen any mail clients that support POP for outgoing mail. Given the problem with spam and forged headers, I can't believe that no one has seized upon this idea.
Anyway, if the response is positive enough, I may be motivated to crack open some open-source mail client add support for outbound POP...
Re:wow (Score:4, Insightful)
Re:wow (Score:2)
He even published his email address, so you can check it yourself if you like, but you scum don't bother to check facts, you just subscribe to the blacklists and pretend your penis is larger because you can block someone's email. Fuck you and all like you. Vigilanties suck, and the day will come when you will pay for your actions, because the government will eventually be forced to send in a Marshall to clean up Dodge, and thanks to you fools the internet will be under Marshall Law. But at least you wankers will be shut down, so it won't be all bad.
Re:wow (Score:4, Insightful)
So what if you have to forge the FROM. It's not like spammers don't do that anyway.
Re:wow (Score:2)
Re:wow (Score:3, Informative)
(Nb. I've never been blackholed, so I don't know what the notification really say. It could just be that this guy is illiterate)
Re:wow (Score:3, Insightful)
This lawyer is both stupid and stubborn which IMHO is the worst kind of lawyer.
As an FYI, most rejections refer you to web pages on the RBL which explain things. None of the web pages I have EVER seen has said anything about "you nasty friend of spammers". Instead, they generally inform you that you are running an open proxy or relay and point you to information on how to fix it, however they rely on YOU (or your administrator) to know what mail server you are running. The web page has NO way of knowing which mail server you are running based on your browser / browsers IP address. Note that SOME rejection messages can refer you to a CGI script that looks up the offending mail server info, but not all MTAs support the ability to customize error messages in the fashion needed for this functionality.
Re:wow (Score:4, Insightful)
His saying his server is not an open relay doesnt make it so. If some random person on the Internet can make his server send a message to some other random person on the Internet, then his server is insecure. Yes, spammers *DO* forge sender addresses in order to abuse these servers.
Spam, and the security and policies necesarry to try and get control of it, are by nature a very technical field. More and more people who are just upset that they cant mail, and thing the blacklists are responsible, and who arent willing to take the time to understand whats really going on, and starting to get off on their soapboxes like this. THEY ARE WRONG.
Re:wow (Score:2, Interesting)
Re:wow (Score:2)
He maintains that no one should be lying in order to relay using his server, and I agree. Sure, locking it down is a good technological way to prevent abuse. But, maybe this guy would rather see a law against forged headers. Anyway, as far as he's concerned, his server IS locked down, assuming no one fasifies his identity to get into it. Similarly, if he restricted relaying based on IP address, his server would then be "secure" assuming nobody breaks into his house or sneaks onto his wireless network, etc.
Being a lawyer, I think this guy's real goal is to get some kind of law passed or legal precident set. Without that, a technological solution has little power behind it if it's bypassed.
Re:wow (Score:2)
I meant to say "I think that this guy, being a lawyer..."
Re:Shocking comments (Score:2)
Kintanon
Re:Despite being an idiot,this guy might have a po (Score:2)
You're speaking of SPEWS. And the whole point is that because spammers move around to evade blocking, the front line of defense is the ISPs. Blocking just the spammer alone is a futile effort. Getting spammers disconnected doesn't work at too many of the larger ISPs because they would rather take spammer money than keep non-customers happy. So of course the logical way to go is to block ISPs. And SPEWS doesn't immediately block a whole ISP (unless they are so small they have less than a class C network or something). They raise the pressure gradually so the ISP gets the message before too many customers are impacted.
The only way these ISPs are going to respond to dealing with spammers is when they are forced to decide between the revenues of spammers vs. the revenues of non-spammers. Absent that force, they just keep spammers online and the internet suffers. With that force, most will eventually see the financial issue and make the decision (and yes, some have decided to go with spammers and have gotten 100% blocked ... and rightly so).
As long as you stay with an ISP that supports spammers, then you are, every time you make a payment to them, saying "It's OK for you to keep spammers online because I'll keep paying you even though it causes me grief". If it's so costly to change ISPs for you, then maybe you should have done due diligence in the first place to discover what their real intentions are with regard to spam.
I already ignore spammers. They have not gone away. That idea is stupid because there will always be some small percentage that don't ignore them, and it only takes that small percentage for them to get more money out of spamming than they put in. Then while they spam, they force us to do deal with all the junk. Even if you just count the 3 seconds it takes to delete each piece of spam at a typical low end wage of an office worker, spam costs over a billion dollars a year (at its current rate) just in lost worker productivity in the USA. Now that Europe has caught up and edged past the USA on internet users, I'm sure the figure is nearly as high there, and will soon be higher. And this doesn't count the time it takes for staff to manage the situation and clean it up.
What's a little guy to do? For starters, try convincing your ISP to stop supporting spammers. But if you say to them "because it costs me so much money to move to another ISP, I will stay with you no matter what you do", then why would they give up the revenue from the spammers just for you? Maybe what you should do is figure out why and how you got yourself into a mess where you can't change to another ISP?
Re:The trouble with blocklists... (Score:2)
I make it known to my customers that inbound mail is subject to spam filtering. I even make available to them a list of all the spam (what server it came from, and what MAIL FROM had in the SMTP) attempts that got blocked. If they discover something they want is getting blocked, I can whitelist it. And I have done so already in a couple of cases. Being small, I can do this myself. Eventually I'll have to automate this so I can grow. The plan is to give each user a choice which blacklists to use, and give them their own private blacklist and whitelist, and the ability to automatically allow inbound mail from anyone they send outbound mail to. Is that reasonable enough for you?