Gmail has been sucking even more than usual lately. If you don't run a mail server, you might not have noticed; but Gmail has become a cesspool spewing spam onto the rest of the 'net. For the few hundred domains I host, Gmail is now beating out Yahoo, MSN, Earthlink, and AT&T as a source of spam among the companies I don't block from my servers outright. (And that's quite an accomplishment, because the aforementioned companies suck more than a little! AOL, BTW, would have been on that list until recently, and they still originate a lot of spam, but they've come a long way.)
For what it's worth, here's a comment I posted tonight to a discussion list where Gmail's suckage and our desire to block their servers has been a topic of conversation among mail server administrators of late:
Quite a few of us seem to think that Google and other "free"mail services have a responsibility to the rest of the 'net to vet their prospective users. The response to any proposed requirements, though, seems to be that the methods aren't impervious to fraud and/or will be too high a barrier for certain kinds of people. But there's no reason that multiple approaches to tying someone to a real world identity can't be used, nor does a decision about trust have to be binary. (Why are new Gmail users able to send a seemingly infinite number of emails, to anyone, on day one?) More importantly, all of these approaches could be enhanced by using reputation information already present in the network.
When Gmail was first rolled out, I was excited about it—not because I wanted to use it, but because I mistakenly thought Google was doing something new to address the spam problem that plagued other freemail services. Remember "invites"? It boggles my mind that Google stopped requiring invites and apparently never used the social network and reputation possibilities they provided!
Am I the only person who is amazed that the company built on PageRank can't figure this out?
[/internet/spam] permanent link
The time has arrived for Internet email providers to consider blocking all traffic from Microsoft and its associated services.
The hotmail.com and msn.com networks have long been among the biggest originators of spam email in the world (even well beyond the generous amount one would expect them to generate given their size). Once upon a time it was just that they handed out accounts indiscrimately, leaving the rest of the Internet to clean up after them and deleting accounts for abuse after the fact. Eventually, it became obvious that cared so little that they wouldn't even take the simplest steps to prevent future abuse, such as applying content filtering to block recurring spams that were being sent from and reported to their network on a daily basis.
Over the past year, though, it has become obvious that Microsoft, as a company, either has a policy of being completely irresponsible or is incompetent on a scale that would be hilarious if they weren't running one of the larger networks on the Internet (not to mention selling the operating system that runs on most desktops), or both!
Here's a demonstration of how Microsoft makes it impossible even to report most abuse from their network. The story is true. Only the IP and email addresses of the victims have been changed, to protect the innocent.
First, the victim (OK, the victom was me in this case) receives a spam with a subject line of "EMAIL LOTTERY WINNING NOTIFICATION !!!". According to the Received: header and mail server logs, this spam was sent to the victim's server from the IP address 65.54.249.31. A reverse lookup reveals that this IP is named "omc2-s21.bay6.hotmail.com". Of course, while actual reverse IP address forgeries are rare, they're certainly possible. But double-checking with the whois server at whois.arin.net confirms that 65.54.249.31 belongs to "Microsoft Corp", with a listed abuse address of "abuse@hotmail.com" and phone number of "+1-425-882-8080". So, the administrator of the email server (me again) sends an email to abuse@hotmail.com, which is both the address listed in whois and the address that the relevant RFC prescribes.
In response, Microsoft's server sends an automated message that claims, "Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account. Please send us another message that contains the full Hotmail e-mail address and the full e-mail message to: abuse@hotmail.com". Well, that's true. The return address on the spam was in the msn.com domain. But, never mind that msn.com belongs to the same company, it's not relevant. The abuse came from Microsoft's network, for which abuse@hotmail.com is the correct abuse address, and anyway spammers can forge any return address they like.
What would have happened if the return address had been in the hotmail.com domain? Here it gets even funnier (or sadder, or perhaps criminal, depending on your perspective). Hotmail's email robot would then forward the email (e.g. to abuse@css.one.microsoft.com) and the email would be rejected as spam! ("Your e-mail was rejected by an anti-spam content filter on gateway." Gee, thanks.) Yes, that's right. Microsoft is even dumber than the US military. So, it's impossible to report spam properly to Microsoft, as most of the time it will be ignored one way or another before it even gets to a human. And I know what you're thinking, hey, even though you shouldn't have to, you could try abuse@microsoft.com, abuse@msn.com, postmaster@hotmail.com, or some other logical address. Sadly, they all suffer from the same lack of clue. In fact, hotmail.com, microsoft.com, and msn.com have all been listed at rfc-ignorant.org for a long time. In fact, the entry for microsoft.com shows that this situation is at least partly a deliberate act by Microsoft, as the bounce message shown includes the statement, "Please note that the e-mail address you have contacted, 'abuse@microsoft.com' will be retired on April 29, 2005." That's right. The same Internet standards that apply to everyone else on the Internet apparently don't apply to Microsoft. (But, then, anyone who has used MSIE ought to know that already.)
The mail servers I run receive hundreds, and reject thousands and thousands, of spam emails and other abuse attempts from hotmail.com every single day. I only bother even to report a fraction of the relevant spam that arrives in my personal mailbox. Even so, I'm getting tired of the vast majority of them not even getting delivered to a human (never mind how little good that might do). After scanning the spam-l discussion list and confirming that I was not alone in experiencing this problem, I decided it was time to pick up the phone.
Since Microsoft's ARIN whois listing explicitly gives a phone number for making abuse complaints, I called it. After working my way through an annoying automated prompt, I spoke to a polite operator who told me that they had no specific department to deal with this issue, and that I should contact MSN tech support at 800-386-5550. At that number, you can "enjoy" a conversation with a rather rude automated voice system that refuses to do anything until you speak the last name of your MSN account. (What do their mute customers do, I wonder? And why do I think MSN would care?) After "speaking" with this robot for a few minutes, with no success, I gave up.
What does all this mean?
Maybe next week I'll take a day off from reporting spam and spend the time calling the local Attorney General instead.
[/internet/spam] permanent link
It never ceases to amaze me that the people who want to tell me how to run my life (the US government, in all its many manifestations), and especially those who receive a large portion of my taxes to protect me and my countrymen (the US Army, US Navy, etc.), can't even secure their own mail servers or follow simple Internet standards.
My mail servers have received spam from mail servers run by the US government, including the military, so many times and for so long that I've lost track (and pretty much given up on them). Reports, by email and phone, have all gone unanswered. Amazingly, our political masters don't even think RFC 2142 applies to them. (In addition to being listed in abuse.rfc-ignorant.org, .mil is also listed in whois.rfc-ignorant.org. In for a penny, in for a pound, I guess.)
After having mail to the RFC standard abuse address bounce for the umpteenth time, I thought I'd give it one more try. I called the contact person listed at ARIN for the relevant mail server. Amazingly, she not only answered her phone, but turned out to be both helpful and intelligent. Miracles do happen! She did inform me that I could report the abuse to abuse@ the relevant subdomain.
Of course the Army should get its act together and comply with Internet standards. But, in the meantime, I sent a report to the relevant address.
It bounced.
The people running the Army's mail servers are apparently so stupid that they're using a content-based filter to filter mail sent to their own abuse address:
The following message to <ako.postmaster@us.army.mil> was undeliverable. The reason for the problem: 5.x.0 - Message bounced by administrator Final-Recipient: rfc822;ako.postmaster@us.army.mil Action: failed Status: 5.0.0 (permanent failure) Diagnostic-Code: smtp; 5.x.0 - Message bounced by administrator (delivery attempts: 0) Reporting-MTA: dns; spammta01.int.dr1.us.army.mil Received: from XXXXX.XXXXXX.XXX (XXX.XX.XXX.XX) by mxoutdr1.us.army.mil with ESMTP; 29 Jun 2005 18:09:58 +0000 X-AKO: 46338039:204.89.131.35:29 Jun 2005 18:09:58 +0000:$ACCEPTED:4.2 X-BrightmailFiltered: true X-Brightmail-Tracker: AAAAAQE35ew= Subject: [AKO Content Violation - SPAM]Fwd: Returned mail: see transcript for details X-IronPort-AV: i="3.93,242,1114992000"; d="scan'208"; a="46338039:sNHT160135857"
Feel safe? I don't.
And I know what you Navy guys are thinking. But, no, last I checked, the Navy is just as bad. And both are only a little worse than many of our largest Internet service providers.
I'm sick of it. From now on, every time I get spam from a government-run mail server, some elected representative of mine is getting a call.
Join me, won't you?
[/internet/spam] permanent link
Scum-sucking spammer Daniel Khoshnood ordered to pay Microsoft $3.95 million in damages. I wonder how it feels to be such a lowlife that folks are even rooting for Microsoft to beat you? [via Laporte]
[/internet/spam] permanent link
A humorous metafilter post presents several estimates of the percentage of Internet email traffic that spam accounts for, ranging from 50% to 90%. Of course, no one knows. First, we'd have to agree what "spam" was and what we meant by "traffic". Then we'd have to actually go look at the mail delivered to our mailboxes and figure it out.
From my personal experience as an ISP owner, though, I can say that for me and my customers (most of whom are businesses) it's a lot closer to 90% than 50%. Worse, over 99% of my mail server resources are consumed by spammers (and it's been that way for years now), since dictionary attacks, spam blocking, bounces, and the like mean that spam accounts for proportionately more resources than legitimate email.
[/internet/spam] permanent link
Edward Felten made an interesting observation: Bayesian anti-spam filters are, in essence, trained by the bad guys. Could spammers exploit this situation to poison the filters and cause certain legitimate email to be blocked ("like a Google Bomb for spam filters", as Brian Carnell put it)? Those who commented on Felten's post believe not. I agree that it would be a difficult proposition, as spammers only train the filters with bad email, not good email. Nevertheless, it's a question worth considering. Hardcore spammers appear to be a fairly small group, and collective action on their part might not be difficult to arrange. Even if this particular approach wouldn't succeed, we should ask whether there are others ways they could cooperate to wreak havoc. (As if the continuous deluge of spam weren't enough...)
[/internet/spam] permanent link
The first Conference on Email and Spam (July 30-31, 2004) looks worth attending. A shame I'm already booked for something...
[/internet/spam] permanent link
According to New Zealand's Daily Aardvark, the US Congress recently made "a dog's breakfast" of spam law. That captures my sentiments about the so-called CAN-SPAM law exactly: Cognress wants voters to think the "CAN" is something you do with meat products before putting them on the supermarket shelf; actually, it's "CAN" as in "you can spam now".
As I said recently, the problem is the lack of applicable laws, it's the near-total lack of enforcement. (The reasons I say "near" total are the FTC's recent actions against scammers and California's prosecution of spammers in their state courts, the notable exceptions to the general apathy of US governments on this issue.) This new law isn't just not what's needed; it makes things worse. Or, rather, it makes them better, if you're a spammer. Hmm... I wonder who has been lobbying your local Congresscritters and how much money they received in the process?
[/internet/spam] permanent link
If you're looking for an excuse to visit San Francisco (and who isn't?), you can plan to attend the "Spam and the Law" Conference in January 2004.
[/internet/spam] permanent link
Reuters is also reporting today that Americans support the creation of a "Do Not Spam" list similar to the "Do Not Call" lists we've been fighting tooth and nail to get implemented lately. No kidding. The problem with spam is not lack of laws, though; it's the total apathy of law enforcement to prosecute spammers using the laws on the books and the "we're too big to be accountable" attitude of big ISPs like AT&T.
[/internet/spam] permanent link
Syndicate Me via RSS!
(Instructions)
Copyright 2003-2009 Robert Szarka
Powered by Blosxom!