Re: Getting open smtp servers fixed
- Date: Fri, 11 Sep 1998 09:18:25 -0400 (EDT)
Fixing SMTP servers is very important. But we should not forget that
spammers do not actually need to abuse an SMTP relay. They can simply run
an SMTP process from their PC, even if that PC only has a dialup
connection. The process goes as such:
1) Buy a list of e-mail address from some shabby source.
2) get an SMTP mailing software that runs directly from your PC.
3) obtain a dial-up subscription from some unsuspecting ISP.
4) Fire the software. For each recipient in the list, it will find the MX
record, set up an SMTP session, send the message. The SMTP "From"
field
will be set to some temporary address -- e.g. doing "gethostbyaddress"
on the address assigned by the dialup server. For an SMTP server,
the message will be entirely legit.
5) Because the message is legit, it can be traced back to the IP address,
time of sending, etc. Given good accounting, the ISP will identify the
actual spammer (with poor accounting, it may identify someone else.)
The spammer will receive a complaint.
6) Receive a complaint from the ISP. Play stupid, cancel the subscription.
Note that the spammer can set up several dialup connections, or at least
several sessions, spreading the spam from several addresses. The reason
UUNET may be prominent in the spammer list is that they are a major
provider of dial-up connections, very often through third parties such as
earthlink. There is very little they can do to stop that -- they actually
follow on complaints and get accounts cancelled. In some highly
publicized cases, a glimpse in the accounting, or a poor timing report in
the complaint, caused them to cancel the wrong account.
What are the defenses?
a) Make spam illegal, so that the penalty is a little bit higher than a
cancelled subsription. But we have to be careful with what we wish
for -- someone's free speech will very much look like someone else's
spam.
b) use "artificial intelligence" software to detect spam before it reaches
the user's mailbox.
Solution (b) is probably the most promising. There are a set of well
known filters that can be used, such as:
1) If the "Received" sequence does not make sense (did not follow MX
records) the message is suspicious.
2) if the message comes from a mailing list (which can be detected by
looking at the RFC-822 and SMTP From fields, and also by the Received
sequence), the user should have explicitly subscribed to the list.
3) if the message comes from an "unusual" sender (someone from which the
user has not received mail before), check for key words such as "free sex"
or "easy money" in the subject line and in the message body.
Don't we have someone here that could write a sendmail extension that
would do exactly that?
--
Christian Huitema
