On Sat, 2003-12-27 at 14:34, Jay Moore wrote:
> What's regretful about this behavior is not that the Internet gives them the
> freedom to deliver their scummy payloads - the regretful thing is that they
> are either desperate or unprincipled enough to abuse this freedom.

Yes, so why punish those that abide by the laws (well, thanks to Congress most spammers are now "lawful", but let's just use California and Virginia's laws for the sake of argument)?

<snip a bunch of been there, done that>

> Receiving this much spam has given me an opportunity to study it in perhaps
> greater detail than some. A couple of things I have noticed:
> 1) much spam now includes innocuous text inserted for the sole purpose of
> confusing Bayesian filters
> 2) most spam comes from dynamically-assigned ip addresses.
>

There are a ton of other characteristics, many of which make quite useful filtering criteria. Don't make the mistake of thinking you only have blocking dynamic IPs to rely on.

> But I still think
> it's a "good thing", and from 100 miles up it looks like a pretty reasonable
> tradeoff to require all hosts using dynamic IP addresses to send their email
> through a relay.

Only if affordable static IPs are available, and in a different netblock (however, most RBLs don't use /24s anyway, they use /16s, or "everything that they own").

> I believe Mr. Micakovic's ISP deserves a gold-plated "atta' boy" for
> imposing this requirement. I hope that they disclosed this restriction to
> Mr. Micakovic before he signed up, but in any case their policy will reduce
> the amount of spam on the Internet.

Not necessarily. Most non-"lawful" spam these days comes from compromised boxes. Many times they have dynamic IPs, many times they don't. It just depends who was careless and what software/OS is vulnerable.

>
> My own ISP - BelchSouth (close enough) does not filter outbound connections
> to tcp port 25, and consequently has developed a reputation as a "spam
> sponsor".

Interestingly enough, I used to work for them. "BelchSouth" seems fitting.

> BelchSouth offers access services with both fixed and dynamic
> address assignments; of course they charge substantially more for fixed
> addresses. Since I wanted to run my own servers, I pay the big bucks for the
> fixed addresses. To my dismay, I've learned that due to BelchSouth's refusal
> to cooperate in the fight against spam, and their piss-poor reputation as an
> ISP, the static ip addresses they have assigned to me are listed on some
> dnsbls.

That's the ISP's fault, not some inherent quality of dynamic IP addresses. They have that reputation for good reason (and it's not because of their IP assignment policies).

> The result (talk about irony) is that I can't send mail to my mail
> host from any of my other fixed-ip-address hosts because they are on one of
> the dnsbls I use to protect my mail server from spam!

Which is exactly why this method of attempting to fight spam should be abandoned. It's causing massive "collateral damage".

>
> I hope I've made my point without drifting too far off into ideology.
>
> Best Rgds,
> Jay Moore

Point taken, but I very much disagree with it. I think a single false positive is worse than at least 10 spam. Blocking whole IP blocks is guaranteed to block quite a few open source and community mailing lists, among other things.

As I've already stated, I think that forcing all mail through central relays is a massive invasion of privacy. What if, for example, I wanted to take an unpopular (but legal) view on some issue? Suppose I was communicating with some well-known figure who wanted to remain anonymous. If I use TLS to send from my private server to their private server, that is not trivial to compromise (and indeed may be impossible for all but a few with massive resources and the right network access). However, if my ISP forces me to send that mail through their relay, I might be able to use TLS from my server to my ISP, but once it's written to disk or in memory on the ISP's server, it's "in the clear" for anyone at the ISP to view (ISPs can, and do, do this; I know from working at several of them).

The real problem with spam is that a) apparently Federal politicians would rather collect big lobbying money than pass laws against it (although several US states, and many foreign countries, have enacted very tough laws against it) and b) much of the spam sent today comes from boxes that have been compromised by software and OS exploits.

Now we come full circle: here is where an Operating System like OpenBSD is leading the way in correctness and code auditing, as well as strong defensive measures to protect against exploits in applications. PF is also a very easy to deploy and powerful packet filtering tool that can be used to cheaply and easily protect networks, including the home PCs that are the source of many "spambots". If more people would adopt OpenBSD for their Internetworked computers, there would be less of a problem with spam (fewer vulnerabilities to exploit for spambots).

At the heart of the matter, spam is a security issue and should be treated as such. Microsoft-style band-aid quick-fixes are not going to solve it: a concerted push for secure coding and implementation, along with due diligence by users and admins alike, will go most of the way towards solving the problem. The rest is left to the US Federal politicians to fix the train wreck known as CAN-SPAM (should be "Yes, you Can Spam").

And in fairness, there are some really good ISPs out there if you look hard enough. Speakeasy.net is outstanding (static IPs, will change your IN PTR records, no port filtering, friendly to a diverse set of OSs, etc), and I've also heard very good things about Sonic.net. The problem is they aren't as accessible as the unfriendly giants like AOL, Earthlink, BellSouth.net, Comcast, etc.

Oh by the way, I happen to work for an e-mail security company that is heavily involved with anti-spam projects, just in case you think I'm pontificating with no experience in the matter.

-- 
Brian Keefer, CISSP
Senior Field Engineer, Professional Services
CipherTrust Inc, www.CipherTrust.com
