Saturday, January 20, 2007
Eureka! It's the Final Ultimate Solution to the Spam Problem (FUSSP)
It comes up all the time. "We're losing this escalating battle of blocking and filtering and reporting abuse. So why don't we just change the public SMTP email system (insert technological wonder fix here) so it's less vulnerable. I'm a genius! I've invented the Final Ultimate Solution to the Spam Problem (FUSSP)!"
Technological wonder fixes include: centralized filtering plants like Postini, Sender Policy Framework, postage via (insert your pet micropayment scheme here), certifying senders at some central authority, Challenge-Response systems, blocking by default and whitelisting known senders, and more.
Each of these techno-fixes has its own faults, which have been well described elsewhere. But they share one common problem: if you somehow magically manage to impose (insert aforementioned techno-fix here) across the whole Internet, it's not the public SMTP email system any more. So what you are really proposing is to replace the public email system with some other system.
All revolutions have the same problem. First you smash the state. Then your replacement state is supposed to take over. But the instant the state is smashed, there's a power vacuum, and a race with no rules begins. While your replacement state is fiddling around with tedious processes like elections and confirmations and adopting a constitution, a bunch of thugs is establishing an unethical dictatorship. It's faster. First brute to the top claims the flag, no matter who he had to kill to get there. If the public email system falls, its replacement will be worse. Here's why.
In prehistoric times, before, say, 1994, the Internet was governed cooperatively, by consensus, by bodies like the Internet Engineering Task Force (IETF). New services were developed, or at least adopted, in the open. Standards were evaluated by their merits. A simple rulebook, the set of IETF Requests For Comment, said how everything would work together. SMTP email is RFCs 2821 and 2822. They sort of depend on rules of responsibility like RFC 2142 (it says your postmaster@ and abuse@ addresses are supposed to work...) among others. There was never any RFC Police, it was simply known that if your software didn't conform it wouldn't work well with other people's software, and if you had abusers on your network everybody would wall you off in their firewalls and you'd lose your connectivity, and that was enough. The public email system was developed under this system of merit-based consensus.
Creating the Internet may be the biggest project in human history done under consensus governance and functional Anarchy. Anarchy with a capital A doesn't mean chaos, it means there's so much personal responsibility that you don't need a government. Nobody in charge. No cops, none needed.
Then a bunch of marketroids took over. They emerged from pods which arrived from outer space or Wall Street or someplace, an invading army of high maintenance parasites. Moneymen. They brought with them the unethical concept of intentionally violating the RFCs to obtain some kind of competitive advantage. Microsoft (stock symbol MSFT) announced it was going to "embrace and extend the Internet!" and published a bunch of software that doesn't play well with everybody else's, on purpose, to begin to force computer users and developers to choose between universal interoperability and the way that MSFT could control.
At about the same time, a tiny handful of Internet "entrepreneurs" decided the rules that held the network together didn't apply to them, and they were going to let their customers develop email spam as a new kind of advertising medium. (Which makes as much sense as going into business sticking advertisements on other people's store windows and billboards, and garage doors, and trees...) Net99, later known as AGIS, was the first to be really public about it. They said consensus governance was "a throwback to the sixties" and the people who used it were "neckbeard geeks." They went under, but the idea caught on with the marketroids, who were still trying to figure out whether they were going to "turn the Internet into" a new kind of shopping mall or a new kind of television. Anything but a new kind of public library or college.
The days of friendly consensus were over. Netscape and MSFT introduced conflicting "extensions" to HTML, the language of Web pages. Yahoo and AOL each introduced instant messaging that didn't talk to the other guy's system. Real Networks got away with introducing a trade secret way to stream audio, killing off the far more economical and efficient and open system of multicasting, and the MBONE network that had used it for years. Any replacement "email" system will go the same way. Competing systems that don't talk to each other. At least not very well.
Will we use MSFT's micropayment scheme, or Yahoo's, or Ebay's, or Google's? Will email software have to know how to use all four? What if MSFT's system doesn't work with the other three but they ship it in Vista Service Pack 1? I can answer that: MSFT owns and controls the new "email" system.
At the same time we lost the ability to deploy new open services, we pretty much lost the ability to deploy major changes to the services already in use. You can break the system we have into pieces, but there is no way to push a significant change in how things work all the way out to the edges. Most people administering email systems today have never heard of the IETF and wouldn't read an RFC to save their businesses. They just do whatever the salesman or the tech support voice tells them to so they can go back to their "real" job.
So it turns out we only have two choices, fight to save the system we have, or let the bad guys destroy it while the marketroids sit back and laugh.
Wednesday, January 17, 2007
Phish spammer convicted under CAN-SPAM
This was on the business page in the Los Angeles Times. "An Azusa man who defrauded users of Time Warner Inc.'s America Online unit by sending e-mails requesting credit data became the first defendant found guilty by a jury under a 2003 federal law barring Internet spam." (Link.)
The so-called "CAN-SPAM Act" (aka You Can Spam Now) doesn't actually ban spam, it legalizes it. It specifies a few things spammers must do to be "legitimate." No fake headers, valid "remove" mechanism, physical contact info. Almost all spammers ignore this law, as they ignore other laws. (In 1997 the Direct Marketing Association, fronted by an utterly clueless ACLU, killed the only reasonable spam law ever written in the US Congress.)
According to the story, this was a one-man phishing operation and the guy took in about a million dollars.
Four years to the first conviction. Sentencing in June. My prediction: the criminal positions himself as a "businessman" and gets a pat on the wrist. Fine and probation, and he doesn't even give up all the ill-gotten gains. At worst he goes to one of those "gentlemen's" minimum security places for a month or two.
Well, congratulations to AOL for pushing this through. We know the FBI doesn't move on these cases unless someone does most of the work for them.
Wednesday, January 10, 2007
But I use an antivirus!
I got a fake Bank of America message yesterday, sent from a compromised MS-Windoze computer on Surewest DSL. Left a message on the owner's Web site and he called me.
He was pretty angry, but it wasn't at me in particular. He's trying to run email service for three hundred customers on that computer, using some commercial mail-server-in-a-box product. He'd already fielded four trouble calls on it that day, and that was a typical day. It's keeping him from running his web design business. He didn't know it was spamming. Surewest hadn't called him, of course, despite my report to their RFC2142 abuse address.
The email server wasn't coping with the spam load, and it was just "falling over." He's not using a DNSBL, but trying to content-filter the raw stream, which means accepting every connection and every message body before deciding anything. Sorry, buddy, a 3 GHz P4 can't keep up with that any more. You have to block some fraction of it first, at connection time, before the DATA stage, and a DNSBL lookup on the connecting IP is the cheapest way to do that.
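The check just described, as an added example (not code from the original post or from any product it mentions): build the reversed-address query name for a DNSBL zone, ask for it, and decide whether the connecting IP should be refused before the message is accepted. The resolver is injectable so the sample run below works offline; the listed addresses in the stub table are constructed, except 127.0.0.2, which is the conventional "always listed" test entry every DNSBL publishes. The return-code meanings are the ones Spamhaus documents for its ZEN zone; other zones have their own conventions. The IPv6 nibble form goes beyond what the post discusses but is the same technique.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Spamhaus ZEN return codes (per Spamhaus's own documentation). Other DNSBL zones
# use their own 127.0.0.x meanings, so read the zone's docs before acting on them.
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised host",
    "127.0.0.4": "XBL: exploited host (bot, open proxy)",
    "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL: end-user address space, should not deliver direct",
    "127.0.0.11": "PBL",
}
# Spamhaus signals a refused query (public resolver, over quota, typo) with 127.255.255.x;
# those must not be read as "listed" or you reject all mail.
ZONE_ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Lookup name: reversed dotted octets (IPv4) or reversed nibbles (IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def live_lookup(name: str) -> Optional[str]:
    """Real resolver: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(ip: str, zone: str = "zen.spamhaus.org",
                lookup: Callable[[str], Optional[str]] = live_lookup) -> Tuple[bool, str]:
    """Return (listed, reason). A listed connecting IP is rejected at HELO/MAIL time, before DATA."""
    answer = lookup(dnsbl_query_name(ip, zone))
    if answer is None:
        return (False, "not listed")
    code = ipaddress.ip_address(answer)
    if code in ZONE_ERROR_NET:
        return (False, f"zone refused the query ({answer}); failing open")
    if code not in ipaddress.ip_network("127.0.0.0/8"):
        # Anything outside 127/8 is a wildcard or parked zone, not a listing.
        return (False, f"unexpected answer {answer}; zone unusable, failing open")
    return (True, ZEN_CODES.get(answer, f"listed ({answer})"))


def stub_lookup(table: dict) -> Callable[[str], Optional[str]]:
    """Offline resolver for dry runs: only names in the table 'exist'."""
    return lambda name: table.get(name)


if __name__ == "__main__":
    fake = stub_lookup({
        "2.0.0.127.zen.spamhaus.org": "127.0.0.2",    # standard test entry
        "9.113.0.203.zen.spamhaus.org": "127.0.0.4",  # constructed: a listed bot
    })
    for ip in ["127.0.0.2", "203.0.113.9", "198.51.100.7"]:
        print(ip, dnsbl_check(ip, lookup=fake))
```

Two things matter operationally: query from your own resolver, not a public one (the zone answers those with an error code, which this code deliberately treats as "not listed"), and do the lookup once per connection, not once per recipient.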
He was absolutely sure he couldn't possibly have a spam bot or an intruder. Because he spends $hundreds/year on antivirus software (and the one he uses has a better reputation than Symantec or McAfee), checkups by Web sites, and specialized software that's supposed to monitor his outbound traffic for spam content. Evidently these measures don't work so well.
He was absolutely sure the spammers were "spoofing his IP address." That isn't what happens. SMTP runs over TCP, so a sender using a forged source address would have to complete the three-way handshake and carry on the whole conversation without ever seeing the replies. It's hard enough that even the big spam gangs, who know the techniques, don't bother; they use compromised machines instead. An explanation of why that's true would have gone high over his head so I didn't try.
It took a while but I got him to look in his server's outbound queue, and there were hundreds of Bank of America and Amazon phishes waiting to go out. Not every receiving server accepts on the first try, so deferred messages sit in the queue for retry. He was puzzled. You're only looking at the leftovers, buddy, most of it's already been sent. That was what it took to convince him something was happening on his machine that he didn't know about. The spambot was generating phish messages and letting his commercial email software queue them and send them. Phishers seem to like doing it that way: mail relayed through a legitimate server with a clean reputation doesn't get blocked so much.
I explained that no antivirus can defend you from a zero-day threat, that is, an attack so new your antivirus doesn't have a signature for it yet. A scanner can only recognize what it has already been taught. It was the first time he'd heard of that.
We talked about possible solutions but he wasn't confident he could do any of them without disrupting his business. He'd been considering outsourcing the email operation and I think this convinced him. Spammers drove a small businessman out of the field, after nearly ruining his business and his life. Now there are fewer choices of email providers for the rest of us. Tell that to some bozo who thinks spam doesn't hurt anybody and you should "just hit delete."
Sunday, January 07, 2007
Google doing SMTP callbacks now?
A comment posted to my callbacks article suggests Google may have resorted to SMTP callbacks. AKA Sender Address Verification. Not only that, but their callback sender identifies itself as mx.google.com, and that name doesn't resolve in DNS. If it's true, everybody running an email server faces a choice.
- We can figure out how to configure our servers to accept the bad HELO name from Google. But we can't just give mx.google.com a pass, because then the spammers would all use that name. Any exemption has to be tied to the IP addresses the callbacks actually come from, so the same name from anywhere else still gets rejected.
- We can let Google's callbacks fail. Then Gmail will refuse our email, and its users won't know why.
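The first option, worked through as an added example (not code from the original post, and not any published Google configuration): a HELO/EHLO policy that rejects names that don't resolve, with an exemption table that binds a specific bad HELO name to the networks the real sender connects from. The exempted network below is a documentation range standing in for whatever source block the callbacks really use; you would fill that in from your own logs. The resolver is injectable so the run at the bottom works offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Assumed exemption table: HELO names known not to resolve, mapped to the networks
# the genuine sender uses. 192.0.2.0/24 is a documentation range, not Google's.
HELO_EXEMPTIONS: Dict[str, List[ipaddress.IPv4Network]] = {
    "mx.google.com": [ipaddress.ip_network("192.0.2.0/24")],
}


def dns_resolves(name: str) -> bool:
    """True when the name has an A/AAAA record. Used only when no stub is supplied."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def helo_policy(helo_name: str, client_ip: str,
                resolves: Callable[[str], bool] = dns_resolves,
                exemptions=HELO_EXEMPTIONS) -> Tuple[str, str]:
    """Decide on a HELO/EHLO argument. Returns (action, smtp_reply).

    action is 'accept' (name resolves), 'accept-exempt' (name doesn't resolve
    but this client is on the list for exactly that name) or 'reject'.
    """
    name = helo_name.strip().lower()
    addr = ipaddress.ip_address(client_ip)
    if resolves(name):
        return ("accept", "250 OK")
    if any(addr in net for net in exemptions.get(name, [])):
        return ("accept-exempt", "250 OK")
    # Same name from anyone else gets the normal treatment for a bogus HELO. A
    # temporary 450, which is what common MTAs default to, means a transient DNS
    # failure on our side only delays legitimate mail instead of bouncing it.
    return ("reject", f"450 4.7.1 HELO hostname {name} does not resolve")


def stub_resolver(known: Iterable[str]) -> Callable[[str], bool]:
    """Offline resolver: only the listed names 'resolve'."""
    table = {n.lower() for n in known}
    return lambda name: name.lower() in table


if __name__ == "__main__":
    r = stub_resolver(["mail.example.org"])
    for helo, ip in [("mail.example.org", "198.51.100.7"),   # normal, resolves
                     ("mx.google.com", "192.0.2.44"),         # bad name, exempt source
                     ("mx.google.com", "203.0.113.9")]:       # bad name, spammer reusing it
        print(f"{helo:18} {ip:14} -> {helo_policy(helo, ip, resolves=r)}")
```

The point is the second and third lines of the run: the identical HELO string is accepted from the exempt network and refused from anywhere else. A plain "accept mx.google.com" rule would lose that distinction, and spammers read the same mailing lists we do.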
Wednesday, January 03, 2007
Why there is spam
Spamming is a lot like other types of industrial pollution. It happens because "legitimate" Internet companies make a calculated business decision that they can get away with tolerating it to some degree. Some tolerate a lot, others hardly any. They know there won't be any law enforcement. The main consequence of hosting spammers is some of their IP addresses will get listed in databases like the Spamhaus Block List. (There won't even be adverse publicity: the rare newspaper or trade journal story never holds the "legitimate" ISPs responsible.) Some just want to save the money an abuse desk staff would cost. Or they've laid off the technical staff that would have been able to block the outbound "port 25" route the bot-nets send through. Others are attracted to the high rates the big spammers are willing to pay. The twenty-something MBAs and uninformed, timid lawyers who influence these decisions can find plenty of justifications for tolerating spammers on their networks. Just as they can justify dumping toxic waste overseas, stinking feedlots, clearcut runoff, and any other pollution whose source is at all obscure.
In the early days of the crisis, spammers simply paid more for the same service than law-abiding customers would. It was understood the premium was a fee for the ISP to ignore some level of complaints. A few ISPs (AT&T and Paetec...) got caught putting this agreement in writing; we call that a pink contract. Pink is the color of Hormel's SPAM.
For all I know there are still pink contracts in Asia and eastern Europe, but I haven't heard a pink contract allegation against a North American ISP in years. Here in North America, the spammer simply buys much more service than he is actually going to use. He rents a whole rack in the data center to hold just one or two servers, or he orders a $5000/month T-3 connection when a $600/month T-1 or $100/month SDSL connection would easily handle the traffic he is going to generate. (He's not going to send spam through his own link, he's just going to host the target Web sites and control his bot-nets through it.) Salespeople for Internet services beyond the consumer retail level, it seems, work on commission. So the overspending by the spammer gives him an advocate inside the ISP who will fight hard to keep him connected despite the complaints, and despite the crimes he is committing which the ISP is an accessory to.
Spammers are a natural response to the ecological niche that tolerance creates. It's no more their "fault" than a dirty kitchen is the fault of the cockroaches that thrive there. The rationalization we hear from the hosting companies is almost always simple buck passing. It's always somebody else's fault, their "hands are tied," you're complaining to the wrong people, yadda yadda yadda.