[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Technical mail setup question

On Fri, Jun 04, 1999 at 04:02:53PM -0400, Brian Cox wrote:
> > no, there is no authentication for SMTP.
> Which I suppose is part of the problem vis-a-vis unwanted spam.


as someone else pointed out, there are proposed extensions to SMTP
which provide authentication features....but hardly anyone uses them.
i suspect that they wont make much difference until everyone uses
them...unauthenticated smtp will still have to be supported to provide
backwards compatibility.

i haven't actually read any of the proposals, so i don't know the
details of how they work yet. i will have to do so...one of these days.

> > > Even if there is authentication involved, this won't stop spammers
> > > from using throw-away ISP accounts.  If they're able to hop from
> > > one account to the next on an ISP to send spam directly from their
> > > box to a recipient (presumably because the ISP is nuking the
> > > previous account each time people complain),
> >
> > this is why DUL RBLs are necessary.
> How exactly do the DUL RBLs work?  Do they just ban classes of dialup
> IP addresses,

they don't actually ban anything. they're just a lookup list which can
be used to find out if an IP address is a dialup or not. how this is
used is *entirely* up to the person using it.

for each incoming smtp connection, the MTA does a DNS lookup very
similar to a .in-addr.arpa reverse lookup. if that lookup returns any
true result, then the MTA knows it is from a dialup IP.

that information can then be used to reject the connection - e.g. return
a "550 connection refused, see http://maps.vix.com/dul/"; error code.

alternatively, it's possible for an MTA to just flag the incoming
message...perhaps by adding an "X-Possible-Spam: dialup ip address"
header. i don't know of any that do this, but it is certainly possible.

> or do they also ban ISPs who open relay 

this job is performed by other RBLs, like the main MAPS RBL (which
lists known spamhaus IP addresses and known unrepentant open relays) or
the ORBS RBL (which lists open relays...no excuses accepted or quarter

the MAPS RBL is the original, and gives people plenty of time to fix
their mail configuration problems before adding them to the RBL. it's
really difficult to get listed in the MAPS RBL, you have to try so
hard that even the most generous-minded person would conclude that you
are either a spammer or a clueless menace who shouldn't be running any
internet services.

ORBS came later and is much more aggressive. it's very easy to get
listed in the ORBS RBL - if you are an open relay, they list you
immediately and send you an email telling you what you can do about it
if you want to get off the list. if you are an ISP which relays for a
known open-relay they give you 3 days to either help your customer fix
their problem or prevent them from relaying through you.

later still, someone came up with the idea of listing dialup IP
addresses in an RBL, and the orca DUL RBL was born. this proved to be a
good idea and was eventually adopted into the MAPS project and became

MAPS == Mail Abuse Prevention System, http://maps.vix.com/
ORBS == Open Relay Behaviour-modification System, http://www.orbs.org/

RBL == Realtime Blackhole List
DUL == Dial Up List (a specific type of RBL)

> or use dumb verification methods?

i don't think there's any way of detecting this.

> What you did not answer, though I don't remember if I asked it
> straight out or implied it, is given that an ISP does all of the
> "right" things (i.e., only relaying mail from their own IP addresses
> or known users via POP authentication), how is that going to prevent
> the spread of spam?

RBLs don't prevent all spam - i don't think anything can prevent ALL
spam. they just prevent some, and make it harder to spam. anti-spam
techniques are far from perfect but is better than nothing.

using a combination of MAPS RBL, MAPS DUL, header checks (for common
things like "To: friend@public.com"), I have reduced my incoming spam
from a deluge to a tiny trickle.

as the spam problem changed from being a minor nuisance to a serious
problem i was getting 15 or more spams per day in my own personal
mailbox - and this was over 3 years ago! it would be many times worse
today if i didn't use any anti-spam filters. these days, by using the
available anti-spam tools (and by writing my own stuff) i get between
one and three spams per week. this result is a LOT better than nothing.

that's only one example from my own mailbox on my own home system. other
users on my home network didn't get as much spam as i did (maybe 5/day
each on average)...but even with less than 50 user accounts, it still
adds up to a lot of spam every day. if i wasn't working for an ISP here
in Australia, that spam would be costing me between 20 and 35 cents per

at work, where my main mail server caters for many thousands of users,
the amount of spam coming in would be a serious problem (and would cost
between 13 and 19 cents per megabyte) if i didn't block most of it...i
used to get many complaints per day from users asking me to do something
about the spam. now i get one spam complaint every few weeks.

i also get maybe one complaint every few months from someone who had
legitimate mail bounced - this tells me i either need to tweak my
filters a little more, or inform the complainant what the problem is and
how they can solve it.

you can't just set up anti-spam filters and ignore them. you have to
monitor your mail logs constantly and make sure that they are doing
their job WITHOUT causing more trouble than they are worth

it's a balancing act. i think i've got the balance just about right.

> A spammer sending point-to-point spam from a dialup IP straight to a
> target or relayed spam through his ISPs mail relay is still spam.

true. but if they do that then they are demonstrably violating their
ISP's acceptable use policies. their ISP can also limit the damage by
either restricting the number of CC/BCC recipients per message to a
reasonable number (say 20 or 50) or by running programs which monitor
their log files and alert the operators to potential spam.

another advantage is that it forces responsibility back on to the
ISP.  Many ISPs like to say "it's not our problem, we just sold them an
account".  By preventing spammers from direct delivery and forcing them
to use their ISP's mail server it BECOMES the ISP's problem.  If they
want to avoid being listed in MAPS RBL or similar anti-spam lists then
they have to at least show willingness to do something about it.

this leaves the spammers caught between a rock and a hard place. they
either try to deliver directly (and get automatically rejected by many
of their victims) or they use their ISPs mail relay (and get their
account nuked for network abuse).

the more people who use a DUL, the more effective it is in the long run.

> I fail to see how rejecting mail from all dial-up IP accounts is going
> to prevent a determined spammer when a legitimate mail relay can be
> (w/o the ISP's knowing) used by said spammer.

as noted above, it's a solution with two main benefits, an immediate
gain and a long-term gain.

the first benefit is that anyone using the DUL is immediately protected
against trespass spam from dialup IP addresses.

the second, long term, benefit is that it discourages spammers from
doing it and makes them (and their ISP) more accountable for their
actions. the more who use it, the more effective this is.

> > "authentication" (i.e. allowing relay based on) From address is just
> > plain stupid.  From addresses can be faked with trivial effort...in
> > fact, no effort at all is required.
> Agreed, although it wouldn't surprise me if some ISPs do this kind of
> "authentication."

many do.  they ought to be shot :)

> I'd like to thank you for the reasoned reply.  Based upon your other
> messages in this thread I had come to the conclusion that you were an
> irrational loon incapable of spouting anything but rhetoric.  I'm glad
> to see that I wasn't wholly correct in that assessment.

gee. thank you for your praise. i'll treasure it always. 


i have been involved with anti-spam activities for several years now.
i know most of the pros and cons of various techniques. my attitude
to spam blocking would probably be regarded as loony and extreme by
a few (e.g. spammers and sympathisers), reasonable and moderate by
most and as completely inadequate and weak by some (e.g. extremists
such as ORBS)....i am quite willing to accept anti-spam solutions
which may cause inconvenience (e.g. DUL or rejecting mail with "To:
friend@public.com") but unwilling to use techniques which cause
widespread denial-of-service (e.g. ORBS or even rejecting mail with
"$$$" in the Subject line).

> Still, it does trouble me that the mentality of "lets ban all mail
> from dynamic ISP accounts" argument seems eerily similar to the
> anti-crypto arguments made by certain governments.  

there is no "lets ban all mail from dynamic ISP accounts" argument.  The
argument is far less broad than that. try "s/all/direct/" - i.e. dialup
users have numerous options to avoid the DUL RBL, including relaying
their mail through their ISP's mail server or using a uucp-over-tcp

in any case, there is no "ban". there is a list (the DUL) which makes it
easy for those who *choose* to reject mail from dialups.

i don't see any parallel between people choosing to use the DUL and a
government trying to ban crypto.

> Saying "a criminal might use crypto, so lets ban crypto!" implying
> that crypto has no legitimate use sounds to me an awful lot like
> saying that sending mail from dynamic IPs has no legitimate use
> because spammer also happen to make use of it.  Perhaps I'm reading
> more into this than I should, though.

i think you are (reading more into it...).  it doesn't prevent anyone from
sending any mail.  it just changes the way they have to do it IF they want
to communicate with people who use a DUL.


craig sanders

Reply to: