About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
Anti Spam Working Group
search  
     
Next Sectionyou are here: RIPE -> RIPE Working Groups -> Anti Spam
RIPE Navigation Ends
RIPE Meeting Minutes
RIPE Meeting Presentations
Previous Activities
RIPE NCC Navigation Ends
Next Section

Anti-spam Working Group

Minutes from RIPE 39

RIPE Meeting: 39
Working Group: Anti Spam 

 
 RIPE Anti-spam working group, 2 May 2001 Bologna
 
 A   Administrative matters
 
 A1  Scribe: Sabine Mader, RIPE NCC. Thanks to Sabine.
 A2  List of participants: 22 people attended.
 A3  Agenda agreed with the addition of A5 (see below).
 A4  Minutes: circulated and on the RIPE Web pages.
 
 A5  Other security areas
 
 RIPE Chairman Rob Blokzijl introduced this topic.
 
 Most of the working groups deal with security-related matters as
 a side-effect of what they are doing.
 Rob is concerned that RIPE does not waste effort by covering the
 same things more than once, and does not leave gaps where security
 is not properly addressed because no WG takes an overall view of
 what is being done. The few people from each member organization
 cannot attend all the WGs.
 
 One obvious possibility is to start a new Security WG. Another is
 to require all WGs (including this one) to take a wider view of
 security.
 
 *****
 ** We are asked to provide our suggestions before RIPE 40 so that
 ** that meeting can agree a way forward.
 *****
 
 
 B   Update
 
 B1  Recent list discussion:
 
 A little followup on Spamwhack (http://www.spamwhack.com/).
 Database of hashed information on spamming customers reported by
 member ISPs; can include drivers licence, credit card, telephone
 number. To use the data, member ISPs submit personal details (in
 plain text) and SpamWhack returns a score indicating how nearly
 the details match any reported spammer.
 Details of the process by which a member ISP reports a spammer
 are only available to members.
 
 B2  Developments in spam:
 
 Bigger spam runs often start on a Friday afternoon and may continue
     through much of the weekend.
 Messages more often include graphics
     (but nasty pictures still usually require a click).
 Messages often contain scripts hiding the URLs reached by clicking.
 Since late in 2000, spam has been arriving from the Asia Pacific area
     (Korea, Taiwan, China) but seems to be originated in the US
     and to advertise to US consumers (prices in dollars, US phone numbers).
 Since early in 2001, the eastern European countries (Romania, Russia)
     have also been used for relaying and origination.
 There is still much less UBE from the RIPE region than the rest of the
     world.
 UBE from some countries has political content.
 
 New concealment tricks, making it harder to identify the source of UBE:
 + Add spurious 'Received:' lines to confuse the reader.
 + Long HELO can result in a 'Received:' line that is just 2 or 3 lines
       of dots. This must be a bug in one or more products.
 + A lot more JavaScript in UBE. Typically it will disable some browser
       features to make it hard to leave the page, and will crudely encode
       the target URL.
 
 B3  Developments in Anti-spam
 
 Nearly all UBE comes from dial-up connections -- a little DSL.
 Some is delivered directly, but most passes through open relays
     -- machines that have not been set up securely.
 (There are also dedicated bulk mailing facilities with better
     connections.)
 
 Major US dial-up ISPs (mainly UUNET and PSInet) have made it a bit
     more difficult for bulk mailers to use their services.
     Blocking of port 25 from dialups is becoming normal, though there
     are still a lot of exceptions.
 This is no doubt part of the reason for the move to other countries.
 
 Some regions (eg RIPE) have relatively few open relays, but the bulk
 mailers can find plenty elsewhere in the Internet.
 
 There are still a lot of people working hard to spot patterns in
 message headers and bodies which reliably indicate UBE, so that those
 messages can be rejected by filters. This work is always a step
 behind the tricks for concealment which the bulk mailers work equally
 hard at.
 
 MAPS DCC is a new product recently into beta testing; see
     http://mail-abuse.org/vtf/dccbeta.html.
 It should allow recipients to compare the hash of an incoming
 message body with the DCC reference database, and so quickly identify
 bulk mail. Users will pay for the service.
 
 To identify and sue individuals is difficult for ISPs (in the
 personal opinion of the WG Chair); but they can do it.
 We should not give up complaining, otherwise bulk mailers see that
 their  practices work, and their ISPs can claim that bulk mailing
 causes no difficulty.
 
 There are some signs that organizations are finding excuses not to
 worry about UBE any more, but to live with it. The present
 generation of end users have never known e-mail without UBE, and
 they regard it as normal to have to filter incoming mail.
 
 We still choose not to offer advice about the use of ORBS.
 [note since the meeting -- ORBS now no longer operates]
 
 B4  Open relay products
 
 Nothing new. Most products are now shipped with initial
 configurations that implement some kind of anti-relaying.
 
 Most systems abused for relaying are old sendmails or Exchange,
 for which anti-relay configurations are readily available. Also
 seen are Lotus products, which seem harder to correct.
 
 
 C   Advice
 
 C1  opt-IN lists (work item)
 
 LINX have a document awaiting the approval of LINX members which
 describes good practice in the use of mailing lists. It should be
 possible to circulate this document before long.
 [note after the meeting: now available at
     http://www.linx.net/noncore/bcp/mailinglistBCP.html ]
 
 C2  opt-OUT lists
 
 The above good practice advises against opt-OUT mailings.
 It seems hard for some smaller companies to realise that sending out
 two thousand e-mails for commercial purposes to addresses collected
 from people who visited their website for some other purpose is an
 abuse.
 
 Again lots of new end users may regard this as normal; and we may
 need to keep people aware of the difficulties with it.
 
 C3  Reporting spam
 
 Question from the WG Chair:
     Who is reporting every piece of spam they see?
 
 + 1 attendee reports 95% of what he sees
     (20-30 e-mails per day, using a script)
     and gets about 10% response rate.
 [note -- if the person who said this could make his scripts available
 through the list it would be very helpful]
 + Some attendees have given up complaining;
 + Most end users read and delete.
 
 What happens when you report abuse:
 
 + In the worst case the abuse address doesn't work and mail bounces.
 + Some service providers do not reply. It's hard to tell which of
     them do anything about the abuse.
 + The usual initial reply is an automatic response, and from some
     service providers that's all you ever hear. It usually promises to
     investigate but not to give any feedback.
 + Some service providers include a ticket number in their reply.
     You may be able to get more information by sending another message
     that includes the ticket number.
 + Some operators send a follow-up message a few days later, stating
     that they have taken some action.
 
 Make sure to find out the right place to report to!
 Often there is a long chain that you have to go back through.
 
 Overall, the very low level of feedback makes it very hard to
 reassure our own users.
 
 End users should be encouraged to see that UBE reduces the value of
 the service they get from their own ISP, so that it becomes an issue
 between ISP and customer. If that ISP can then say to another that
 "there are 3000 complaining customers behind me" it may have some
 effect. The complaining ISP may need to escalate the handling of
 some incidents.
 
 Direct complaints by end users confirm to bulk mailers that "this is
 a valid address", and can lead to further abuse.
 
 The view was expressed that keeping the Internet free is a duty we
 all share.
 + Laws offer almost no protection for the end user of a commercial
     ISP;
 + Freedom and privacy may not be primary concerns of the management
     of a commercial ISP.
 
 
 D   Technical measures
 
 D1  Filtering
 
 No new issues.
 
 
 E   Interaction with CERTs
 
 E1  Reading mail headers (work item)
 
 The WG Chair is gathering some material.
 
 
 Y   AOB
 
 The WG Chair proposed that we increase cooperation between the RIPE
 and APNIC regions, and start by making whatever contacts are
 appropriate. The WG support this direction, and it was presented to
 the plenary who also approved. APNIC staff welcome the approach;
 Robert Winkler was present at the WG meeting.
 
 Topics to explore might include:
 + Language issues. Most software, configuration guides and UBE
     complaints are in English and it is not surprising that staff whose
     native language is not English configure their mailers incorrectly
     and do not read or respond to abuse reports.
     (This also applies to some networks in Eastern Europe.)
 + Different views of the responsibilities of an ISP or network
     operator.
 + The role of CSIRTs and the way UBE abuse is related to other forms
     of network abuse.
 
 
 Z   Next meeting agenda
 
 To be agreed on the mailing list as soon as possible.
 
 
 Actions:
 Suggestions for security work. All.
 Circulate LINX paper on mailing lists. WG Chair. [done]
 APNIC region contacts. WG Chair.
 Agenda for RIPE 40. WG Chair and then all.

Please mail comments/suggestions on:
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | © RIPE Community. All rights reserved.
RIPE.NET Homepage LIR Portal RIPE Community