AOL also goes to the trouble of checking the reverse DNS of the sending mail agent. If there is none, as is often the case with consumer broadband client systems, AOL views the address suspiciously and tolerates only moderate amounts of mail and almost no complaints, or into the blacklist it goes. (And if theres any trouble determining if theres a reverse DNS the address is just plain blacklisted. AOL isnt alone in doing this.)
Finally, the anti-spammers, including subscription services like MAPS, also know where the zombie systems are, and these lists have gotten pretty good. As a result of all of this, its harder for spammers to get their mail out of the zombied systems, and they have moved on to the next era of spam distribution: lazy ISPs mail servers.
My ISP (Speakeasy.net) is one of the smart and responsible ones, and some time ago they started requiring all use of their outbound mail servers to be authenticated. In other words, you need to use a user name and password for them.
But some ISPs just trust all outbound mail that comes from their own customers, meaning any system with an IP address in the companys range. This means that a zombie can send spam through the ISPs mail servers. And some ISPs are too busy to bother checking their own log files to see that some customers are sending millions of messages.
Which brings us back for a moment to the issue of rate limits. If ISPs dont start limiting the amount of mail their client systems can send through their servers, spammers will flock to abuse these ISPs. The only option left to responsible ISPs will be to block all mail from these ISPs. Thats when things will get nasty.
And it cant stop just with the limits; once you implement them you have the mechanism in place to make it easy to find the zombies, because you just blocked those systems from sending too much mail. Not all of them will be zombies, so you have to take a manual look at them, but almost of them will be, and then you have to block those systems completely until the customers get their act together.
Some sort of outbound rate limitation should be within the capabilities of any medium or large ISP, and many mail server vendors sell this capability. Sendmail, for example, sells Sendmail Flow Control, according to CTO Eric Allman. While designed mostly to limit traffic on the inbound side, it can be used for outbound management as well, he said.
Users will sometimes complain about being limited, but a little perspective convinces all but the real kooks: Were talking about limiting you to perhaps several hundred, or even several thousand messages outbound in a day. I think an outbound limit of 100 messages per day per user is not unreasonable, but what the heck, make it 500. Even this would be a major problem for mass-spammers and cut deeply into their capacity.
An AOL employee on a spam research list recently said that, according to a study they ran about a year ago, 99.5% of users sent 32 or fewer e-mails a day, and 95% sent fewer than 8. Now how many of you are upset that you might not be allowed to send 501 "legitimate" messages in a 24-hour period?
AOL actually does some rate-limiting of other ISPs users for them; AOL calls this their SRL (Second Received Line) technology, and what it means is that with a large ISP like Comcast they will build a list, potentially with the cooperation of the ISP, of trusted mail servers (like mail.comcast.net). Then they look at the second "Received:" line in the message header (i.e. the user) and see how much mail is coming from them. In some cases they may need to look at the third or fourth line. This gives them a whole new level of blacklisting they can do.
Some people are arguing that a wave of spammers sending through the ISPs mail servers is coming, and that it will raise holy heck when ISPs start defending themselves against each other, but Im not so worried. Its the sort of crisis that just cant last, since if youre lazy-ISP.com you cant afford to have all your e-mail blacklisted by Earthlink and AOL and other domains like that who are sick and tired of getting a billion messages from you in a day. Youre going to cave in and limit your users, and well all be better off for it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer