Discussion:
Isn't spam an ISP issue?
Kurt M
2013-03-17 16:55:49 UTC
Last couple of days traffic is amazing. A group declared dead, with so much
traffic.

Anyway, not been active since 2004, no longer managing mail servers, the
comments awoke an old question, why is spam the receiver's issue? It should
be the sending ISP's issue. Yes, some spammers have their own MTAs sending out
on their own, but of those spams ending up in my spambox, most still seem to
be ISP accounts.

Someone talked about e-stamps; though generally not functional, there is a
sideline of it. If we can get a couple of additions to the SMTP RFCs. A
standard block of mailing out more than X mails within an hour, anyone wanting
to use a mail list simply has to pay their ISP money to get an escrow key to
the bulk sender interface.

1. The senders get more public, easier to find, either through the ISP
agreement or his own MTA's IP showing up.
2. The cost increases for bulk mailers, and that will stop a lot, the more you
send the costlier.
3. ISP not following rules, allowing bulk mailers outside agreement, they get
blocked, as some suggested.
4. If readily identifiable, spammers can be hit with legal actions or civil
class action suits
5. No change in clients, no more lists to check, same SMTP protocol for 99% of
us.

Drawback, the "legit" bulk sending needs to be hard to fake.

Curb spam in the sending end, not the receiving (should be possible also with
spam-SMS), as previously suggested, hit them with increasing cost, but not with
e-stamps, but communications fees. Spammers will never be curbed with
technology, only by fees, legal or civil actions.

Just a short reflection of what I read here last hour.
Cheers/Kurt M
Otto TheBusDriver
2013-03-17 18:04:57 UTC
Post by Kurt M
Someone talked about e-stamps; though generally not functional, there is a
sideline of it. If we can get a couple of additions to the SMTP RFCs. A
standard block of mailing out more than X mails within an hour, anyone wanting
to use a mail list simply has to pay their ISP money to get an escrow key to
the bulk sender interface.
Sounds like a couple services we all knew in the not so distant past
Goodmail/BondedSender (original incarnation). See how good that
worked, even with paying customers...
Post by Kurt M
1. The senders get more public, easier to find, either through the ISP
agreement or his own MTA's IP showing up.
2. The cost increases for bulk mailers, and that will stop a lot, the more you
send the costlier.
3. ISP not following rules, allowing bulk mailers outside agreement, they get
blocked, as some suggested.
4. If readily identifiable, spammers can be hit with legal actions or civil
class action suits
5. No change in clients, no more lists to check, same SMTP protocol for 99% of
us.
You are assuming that legitimate bulk mail is the biggest issue here
and not the various examples of: user accounts with stolen credentials
(ex: Ongoing Y! issues), the recent uptick in spam from compromised
web hosts, bots, malware, ISPs that don't/won't enforce AUPs, ISPs that
don't know any better (emerging markets).
--
~
Otto
Kurt M
2013-03-18 08:03:46 UTC
.....
Post by Otto TheBusDriver
Post by Kurt M
to use a mail list simply has to pay their ISP money to get an escrow key to
the bulk sender interface.
Sounds like a couple services we all knew in the not so distant past
Goodmail/BondedSender (original incarnation). See how good that
worked, even with paying customers...
Hmm, missed those. Pity. Was not thinking from the service perspective, but
in the SMTP blocking mass mails, with an option (not per se for commercial
purposes, we do have a lot of legit mail lists, like this).
Post by Otto TheBusDriver
Post by Kurt M
1. The senders get more public, easier to find, either through the ISP
agreement or his own MTA's IP showing up.
2. The cost increases for bulk mailers, and that will stop a lot, the more
.......
Post by Otto TheBusDriver
You are assuming that legitimate bulk mail is the biggest issue here
and not the various examples of: user accounts with stolen credentials
(ex: Ongoing Y! issues), the recent uptick in spam from compromised
web hosts, bots, malware, ISPs that don't/won't enforce AUPs, ISPs that
don't know any better (emerging markets).
Not at all, they are maybe 1-2%, but as I said, what I still can see, using an
ISP mailer seems still to be the most common way to spam, not setting up your
own MTA.

It was a try to think out of the box, changing something with big impact,
affecting just a few.

If any account is limited to, say 100 addresses in a mail, they need to put in
more time sending out, not getting the outflow they wish. If integrated in the
SMTP RFC, it doesn't matter if malware using an innocent, stolen account or
whatever. If a limit in the SMTP stack to number of addresses, someone will
see misuse faster, for instance notifying a person, that his/her PC tries to
mail more than allowed.

MTAs not supporting is an issue, but if you're the ISP receiving, such a scheme
can work also here, getting 200-300 mails from the same IP is an indication of
spam, the same rule applying.

If forcing the spammers to put in more work for the same income, if too high,
well, they leave for greener pasture.
Laura Atkins
2013-03-18 15:37:24 UTC
Post by Kurt M
If any account is limited to, say 100 addresses in a mail, they need to put in
more time sending out, not getting the outflow they wish. If integrated in the
SMTP RFC, it doesn't matter if malware using an innocent, stolen account or
whatever. If a limit in the SMTP stack to number of addresses, someone will
see misuse faster, for instance notifying a person, that his/her PC tries to
mail more than allowed.
Botnetted machines are already sending out 5 - 10 emails to single addresses and then stopping and moving on to the next botted machine or compromised mail account.

This method of control has already been defeated.

laura
--
Laura Atkins ***@carrotcafe.com

"If you do not choose to lead, you will forever be led by others.
Find what scares you and do it. And you *can* make a difference,
if you choose to do so." JMS
Chris Lewis
2013-03-18 15:45:52 UTC
Post by Kurt M
Post by Otto TheBusDriver
You are assuming that legitimate bulk mail is the biggest issue here
and not the various examples of: user accounts with stolen credentials
(ex: Ongoing Y! issues), the recent uptick in spam from compromised
web hosts, bots, malware, ISPs that don't/won't enforce AUPs, ISPs that
don't know any better (emerging markets).
Not at all, they are maybe 1-2%, but as I said, what I still can see, using an
ISP mailer seems still to be the most common way to spam, not setting up your
own MTA.
Er no. At present approximately 50% of all spam comes from compromised
*ix web servers using direct-to-MX PHP and perl SMTP spamming tools.

Most of the rest is direct-to-MX Windows trojans (festi, kelihos,
cutwail et al.).

Using an ISP MTA for spam hasn't been common for a decade or so.
Steve Atkins
2013-03-18 15:51:55 UTC
Post by Chris Lewis
Post by Kurt M
Post by Otto TheBusDriver
You are assuming that legitimate bulk mail is the biggest issue here
and not the various examples of: user accounts with stolen credentials
(ex: Ongoing Y! issues), the recent uptick in spam from compromised
web hosts, bots, malware, ISPs that don't/won't enforce AUPs, ISPs that
don't know any better (emerging markets).
Not at all, they are maybe 1-2%, but as I said, what I still can see, using an
ISP mailer seems still to be the most common way to spam, not setting up your
own MTA.
Er no. At present approximately 50% of all spam comes from compromised
*ix web servers using direct-to-MX PHP and perl SMTP spamming tools.
Most of the rest is direct-to-MX Windows trojans (festi, kelihos,
cutwail et al.).
Using an ISP MTA for spam hasn't been common for a decade or so.
And yet, I still get a lot of spam from ISP smarthosts, and it's often the
trickiest to filter (or otherwise deal with, as the ISPs involved don't care
and wholesale blocking of their outbounds is problematic).

Just because it's not a big fraction of the volume doesn't mean it's not
a sizable fraction of the problem.

Cheers,
Steve
Chris Lewis
2013-03-18 18:32:42 UTC
Post by Steve Atkins
Post by Chris Lewis
Using an ISP MTA for spam hasn't been common for a decade or so.
And yet, I still get a lot of spam from ISP smarthosts, and it's often the
trickiest to filter (or otherwise deal with, as the ISPs involved don't care
and wholesale blocking of their outbounds is problematic).
I wouldn't exactly say they don't care, it's just damn difficult to
solve. But we're working on it ;-)

Somewhere around 5% to perhaps 30% of all spam is compromised account
spamming through MTAs. This seems to overlap with my previous numbers,
but remember that a given attack can be more than one thing.

Part of that is sendsafe - sendsafe infections should be relatively
simple to at least limit the damage. Each compromised account sends a
_lot_.

What's worse is that cutwail (windows bot) has learned how to spoof
auth, as has at least one of the *ix web server compromises. The latter
of which is particularly "good" at limiting the amount of spam sent per
compromised account even though individual IPs are sometimes observed to
send more than 1M spams/day, so rate-limiting by-user doesn't help.
Post by Steve Atkins
Just because it's not a big fraction of the volume doesn't mean it's not
a sizable fraction of the problem.
True enough.
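
An added sketch of the counting argument in this thread (not code from any poster): a per-account hourly limit next to per-client-IP counters, run over constructed submission records in which one host spreads its volume across many accounts. The record shape, the thresholds and the one-hour window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW = 3600        # seconds (assumed one-hour window)
USER_LIMIT = 100     # messages per account per window (assumed)
IP_LIMIT = 300       # messages per client IP per window (assumed)
IP_ACCOUNTS = 5      # distinct accounts per client IP per window (assumed)

def scan(events):
    """events: time-ordered (epoch_seconds, auth_user, client_ip) tuples,
    one per accepted message. Returns (flagged_users, flagged_ips)."""
    by_user, by_ip = defaultdict(deque), defaultdict(deque)
    flagged_users, flagged_ips = set(), defaultdict(set)
    for ts, user, ip in events:
        uq, iq = by_user[user], by_ip[ip]
        uq.append(ts)
        iq.append((ts, user))
        # Drop entries that have aged out of the sliding window.
        while uq[0] <= ts - WINDOW:
            uq.popleft()
        while iq[0][0] <= ts - WINDOW:
            iq.popleft()
        if len(uq) > USER_LIMIT:
            flagged_users.add(user)
        if len(iq) > IP_LIMIT:
            flagged_ips[ip].add("volume")
        if len({u for _, u in iq}) > IP_ACCOUNTS:
            flagged_ips[ip].add("many-accounts")
    return flagged_users, dict(flagged_ips)

def sample_events():
    """Constructed data, not real logs."""
    ev = []
    # One host cycling through 40 accounts, 10 messages each.
    for a in range(40):
        ev += [(a * 80 + m * 5, f"user{a:02d}", "192.0.2.10") for m in range(10)]
    # One list owner sending 150 messages from a single account.
    ev += [(m * 20, "listowner", "198.51.100.5") for m in range(150)]
    # An ordinary user.
    ev += [(i * 500, "alice", "203.0.113.7") for i in range(6)]
    return sorted(ev)

if __name__ == "__main__":
    users, ips = scan(sample_events())
    print("per-account limit flags:", users)
    print("per-IP counters flag:", ips)
```

On this data the per-account limit flags only the list owner, while the host using 40 accounts is caught only by the per-IP counters. A source that sends 5 to 10 messages and then moves on stays under every counter here.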
