Back in June of 2004 I argued that ISPs need to start rate-limiting use of their outbound SMTP servers. I was right, although for reasons that were a little off. But its a good example of a larger point worth making: ISPs need to be diligent in fighting spam, not just inbound but outbound as well.
Ive been looking further into AOLs claims of success in fighting spam, and I find Im believing the claims more and more. Ive been asking AOL users I know, and they agree that spam through to their inboxes has gone down dramatically over the last year or so, to 1 or 2 messages a day. How does AOL do it? Every way they can.
Lets go over a bit of history of how spammers have operated. In the beginning, they simply bought blocks of IP addresses and set up servers and spammed from them, operating like everyone else on the Internet. Then anti-spammers got the idea to blacklist the IP addresses of spammers. As imperfect as this method was (it caused much collateral damage), it impeded spammers, as did the ISPs refusals to sell them more accounts. Eventually, the spammers moved on.
The next technique was to search for open proxies on the Internet, generally e-mail servers that are left open to anyone to send mail, and to a lesser extent Perl mail forms on Web pages with no security on them. Eventually the good guys also got good at blocking these and even at blacklisting the remaining open proxies.
Then the era of the zombied machine was born: Generally through infection by Windows e-mail worms, spammers created backdoor programs on users systems so that the computers could be used to send spam. The worms have their own SMTP servers built in partly for the purpose of propagating themselves, but also for sending out spam. Spammers control large networks of these infected systems; its generally agreed that there are zombie networks with tens of thousands of systems in them.
AOL has been aggressive in trying to block mail from these zombie systems. They have implemented and tried persuading other ISPs, especially consumer broadband ISPs like Comcast that have a history of being abused by zombies, to TCP block port 25 (SMTP Mail) on consumer systems other than through their own mail servers. This is not necessarily an easy thing for an ISP to do, but there are a few ways to do it, including at the cable modem in some cases.
rDNS and other screws
AOL also goes to the trouble of checking the reverse DNS of the sending mail agent. If there is none, as is often the case with consumer broadband client systems, AOL views the address suspiciously and tolerates only moderate amounts of mail and almost no complaints, or into the blacklist it goes. (And if theres any trouble determining if theres a reverse DNS the address is just plain blacklisted. AOL isnt alone in doing this.)
Finally, the anti-spammers, including subscription services like MAPS, also know where the zombie systems are, and these lists have gotten pretty good. As a result of all of this, its harder for spammers to get their mail out of the zombied systems, and they have moved on to the next era of spam distribution: lazy ISPs mail servers.
My ISP (Speakeasy.net) is one of the smart and responsible ones, and some time ago they started requiring all use of their outbound mail servers to be authenticated. In other words, you need to use a user name and password for them.
But some ISPs just trust all outbound mail that comes from their own customers, meaning any system with an IP address in the companys range. This means that a zombie can send spam through the ISPs mail servers. And some ISPs are too busy to bother checking their own log files to see that some customers are sending millions of messages.
Which brings us back for a moment to the issue of rate limits. If ISPs dont start limiting the amount of mail their client systems can send through their servers, spammers will flock to abuse these ISPs. The only option left to responsible ISPs will be to block all mail from these ISPs. Thats when things will get nasty.
And it cant stop just with the limits; once you implement them you have the mechanism in place to make it easy to find the zombies, because you just blocked those systems from sending too much mail. Not all of them will be zombies, so you have to take a manual look at them, but almost of them will be, and then you have to block those systems completely until the customers get their act together.
Some sort of outbound rate limitation should be within the capabilities of any medium or large ISP, and many mail server vendors sell this capability. Sendmail, for example, sells Sendmail Flow Control, according to CTO Eric Allman. While designed mostly to limit traffic on the inbound side, it can be used for outbound management as well, he said.
Users will sometimes complain about being limited, but a little perspective convinces all but the real kooks: Were talking about limiting you to perhaps several hundred, or even several thousand messages outbound in a day. I think an outbound limit of 100 messages per day per user is not unreasonable, but what the heck, make it 500. Even this would be a major problem for mass-spammers and cut deeply into their capacity.
An AOL employee on a spam research list recently said that, according to a study they ran about a year ago, 99.5% of users sent 32 or fewer e-mails a day, and 95% sent fewer than 8. Now how many of you are upset that you might not be allowed to send 501 “legitimate” messages in a 24-hour period?
AOL actually does some rate-limiting of other ISPs users for them; AOL calls this their SRL (Second Received Line) technology, and what it means is that with a large ISP like Comcast they will build a list, potentially with the cooperation of the ISP, of trusted mail servers (like mail.comcast.net). Then they look at the second “Received:” line in the message header (i.e. the user) and see how much mail is coming from them. In some cases they may need to look at the third or fourth line. This gives them a whole new level of blacklisting they can do.
Some people are arguing that a wave of spammers sending through the ISPs mail servers is coming, and that it will raise holy heck when ISPs start defending themselves against each other, but Im not so worried. Its the sort of crisis that just cant last, since if youre lazy-ISP.com you cant afford to have all your e-mail blacklisted by Earthlink and AOL and other domains like that who are sick and tired of getting a billion messages from you in a day. Youre going to cave in and limit your users, and well all be better off for it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer