BLOCKING SPAM

Spammers' use of broadband networks for spam relays could be blocked by ISPs

by Rik Farrow

No one needs to be told that spam is a problem. Spam, that is, unsolicited commercial email, has become another business opportunity, not just for the spammers, but for the companies that sell anti-spam solutions.

Wouldn't it be nice to just put an end to spam? Efforts so far have failed, and not surprisingly. The spammers use the net to share new techniques that protect their abuse of the Internet, and fight a constant battle to preserve their business model: delivering advertising at almost no cost to themselves. A spam relay, usually some home user's broadband-connected Windows system with some "special" software installed by some hacker, sells for $1/day at current black market prices.

But there is a solution that would put a big dent in spammers' capacity to spew email. Since spammers use systems on broadband networks to deliver email, blocking outbound mail from broadband systems that are not registered as email servers would prevent the use of relays, and most spam would never reach your mailbox. While you can prevent your own system from being used as a spam relay, the real solution lies in the hands of ISPs.

Have some spam?

On the face of it, blocking spam would seem to be a trivial exercise. You simply configure your mail server or mail client so that it rejects email from the addresses of known spammers. While the list of spammer addresses would change often, as new spammers start up or existing spammers get new IP addresses, the software could dynamically download new addresses to block. This approach is called blackholing, and while it does have its adherents, it also comes with some problems.

One problem with blackholing has to do with the way most spammers operate. Rather than use their own mail server, and have their spam blocked, most spammers use other people's mail servers to spew their advertisements. In the past, mail servers came configured to act as open relays, meaning anyone could connect to the server and have it relay email, including spam. This may seem an odd choice, but as a default it meant the mail server worked with little or no configuration.

For spammers, this was a windfall, because it provided two things. One, someone else's mail server would do the heavy lifting. All the spammer had to do was run software that connected to the open relay and sent a HELO greeting, a spoofed sender address, a list of recipients, and finally the actual email message. The open relay would then have to connect to the mail server for each recipient's domain and deliver the mail, perhaps resulting in thousands of connections, while the spammer made only one.

The second great benefit for the spammer is that the spam now appears to be coming from an IP address that is not associated with the spammer in any way, shape, or form. The victim, the open relay, will soon wind up on a blackhole list. The victim will also be inundated with bounced emails, as spammers' lists contain many out-of-date or non-existent email addresses. If the spoofed sender address actually exists, that user's mailbox may also fill up with bounce messages reflecting all the bad email addresses used by the spammer.

Spammers can find open relays by scanning for port 25, then attempting to send an email through the server to an address at some domain the server does not handle. If the attempt fails, the mail server has been configured so that it will not relay mail for just anyone. If the attempt succeeds, the spammer will soon (within a day) be using the open relay to send out spam.

Over time, businesses and other organizations have learned that being an open relay is a really bad idea. You cannot simply block access to port 25 on your mail server, as this also prevents the server from receiving legitimate email. But servers can be configured so that they accept inbound mail for their own domains from anyone, and relay outbound mail only for people within the organization, business, or ISP's network. All major mail servers now come with relaying disabled by default.
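To make the relay decision concrete, here is a small model of the server side of the exchange described above, written as an added example; it is not code from the article. It accepts the HELO, the forged sender and each RCPT TO, and decides per recipient whether to relay: an open relay says yes to everyone, a properly configured server says yes only to mail addressed to its own domains or coming from its own network. The hostname mx.example.net, the netblocks and the addresses are made up, and is_open_relay() is the spammer's probe from the text: ask an outside address to deliver to a third-party domain and look at the RCPT TO response.

```python
"""Model of an SMTP server's relay decision (added example, not the article's code).

Plays the server side of the exchange the article describes: HELO, a forged
MAIL FROM that is accepted unquestioned, one RCPT TO per recipient, then DATA.
The policy decides each RCPT TO.  An open relay accepts every recipient from
every client; a properly configured server accepts mail addressed *to* its
own domains from anyone (ordinary inbound mail) and relays mail *from* its
own network to anywhere.  All hostnames, addresses and netblocks are made up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    local_domains: set          # domains this server receives mail for
    local_nets: list            # CIDR strings whose clients may relay outbound
    open_relay: bool = False    # the old default: relay for anyone

    def __post_init__(self):
        self.local_domains = {d.lower() for d in self.local_domains}
        self.local_nets = [ipaddress.ip_network(n) for n in self.local_nets]

    def accepts(self, client_ip, rcpt):
        if self.open_relay:
            return True
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True                           # inbound mail for us
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.local_nets)  # our own users sending out


def smtp_session(policy, client_ip, client_lines):
    """Run a client's command lines through the server.

    Returns (server responses, recipients the server agreed to deliver to).
    """
    responses = ["220 mx.example.net ESMTP"]
    accepted = []
    in_data = False
    for line in client_lines:
        if in_data:                               # message body until a lone "."
            if line == ".":
                in_data = False
                responses.append("250 2.0.0 queued" if accepted
                                 else "554 5.5.1 no valid recipients")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            responses.append("250 mx.example.net")
        elif verb == "MAIL":
            # "FROM:<addr>": the spoofed sender is accepted without any check
            responses.append("250 2.1.0 sender ok")
        elif verb == "RCPT":
            rcpt = arg[len("TO:"):].strip("<>")
            if policy.accepts(client_ip, rcpt):
                accepted.append(rcpt)
                responses.append("250 2.1.5 recipient ok")
            else:
                responses.append("550 5.7.1 Relaying denied")
        elif verb == "DATA":
            responses.append("354 end data with <CR><LF>.<CR><LF>")
            in_data = True
        elif verb == "QUIT":
            responses.append("221 2.0.0 bye")
        else:
            responses.append("500 5.5.1 command unrecognized")
    return responses, accepted


def is_open_relay(policy, probe_ip="198.51.100.7"):
    """The spammer's relay test: connect from an outside address and ask the
    server to deliver to a domain it does not handle.  250 on RCPT TO means
    the server will relay for anyone."""
    probe = ["HELO scanner.invalid",
             "MAIL FROM:<forged@nowhere.invalid>",
             "RCPT TO:<victim@thirdparty.test>",
             "QUIT"]
    responses, _ = smtp_session(policy, probe_ip, probe)
    return responses[3].startswith("250")        # responses[3] answers RCPT TO


if __name__ == "__main__":
    old_default = RelayPolicy({"example.net"}, ["192.0.2.0/24"], open_relay=True)
    fixed = RelayPolicy({"example.net"}, ["192.0.2.0/24"])
    print("open relay:", is_open_relay(old_default))   # True
    print("open relay:", is_open_relay(fixed))         # False
```

Note that the fixed policy still accepts mail for example.net from the outside probe address; that is the inbound mail the article says you cannot afford to block. Only the third-party recipient draws the 550.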

Deprived of open relays, the ever-resourceful spammers looked for new victims, and found them on broadband networks. Broadband network subscribers are typically home users and small businesses. With hundreds of thousands, perhaps millions, of potential targets, some open relays can still be found. And even when they don't exist, a new relay can be created with a little help.

Spammers have used viruses to install mail relays on home and small business systems connected to broadband networks. Any new PC has plenty of processing power for handling the delivery of spam, and the broadband network provides connectivity that is more than sufficient for the spammers' purposes.

With some help from Brian Martin, one of the founders of Attrition.org, I collected tens of thousands of spam emails, and filtered out the header information that contains the IP address of the mail relay that connected either to my email server or to attrition.org. These IP addresses were converted into domain names, allowing me to sort them and count the domains appearing as the relays for most spam.

Attrition.org has filters in place that block access to most Asian broadband providers, an early and well-known source of mail relays. What's left are primarily US broadband providers, with comcast.net and attbi.com (now the same company) being the source of 15% of all spam received, with rr.com coming in second with over 5%. The list of top relay domains in my sample reads like a list of broadband providers.
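The analysis described in the two paragraphs above (take the relay's IP from the headers, turn it into a domain, count per domain) can be reproduced on your own spam folder. What follows is an added example, not the script the author used. It reads the Received header that our own mail server wrote when the relay connected (the topmost one; every Received line below it was supplied by the sender and can be forged), pulls the bracketed IP out of it, does a reverse lookup, and counts messages per registered domain. The spam samples, IP addresses and PTR names are constructed, mx.example.net stands in for your server, and real_ptr() is the function you would substitute for the fake table when running it for real.

```python
"""Counting which domains' hosts connect to deliver spam (added example; not
the article's script).  Given raw spam messages, take the Received header
that *our own* MX added when the relay connected to it (the topmost one;
everything below it was written by the sender and can be forged), pull the
connecting IP out of it, map the IP to a hostname with a reverse lookup, and
count messages per registered domain.  The messages, IP addresses and PTR
names below are constructed, and mx.example.net stands in for our server."""
import email
import re
import socket
from collections import Counter

OUR_MX = "mx.example.net"
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed spam samples.  The fourth one carries a forged inner Received
# header naming an unrelated IP; the analysis must not be fooled by it.
SAMPLES = [
"""Received: from c-203-0-113-45.hsd1.ma.cablecust.test ([203.0.113.45])
\tby mx.example.net with SMTP id 1; Tue, 2 Mar 2004 10:01:02 -0700
From: "Deals" <deals@forged.test>
Subject: buy now

body
""",
"""Received: from unknown ([203.0.113.99])
\tby mx.example.net with SMTP id 2; Tue, 2 Mar 2004 10:05:00 -0700
From: nobody@forged.test
Subject: cheap

body
""",
"""Received: from dsl-198-51-100-8.dsl.telco.test ([198.51.100.8])
\tby mx.example.net with SMTP id 3; Tue, 2 Mar 2004 10:07:00 -0700
From: nobody@forged.test
Subject: more

body
""",
"""Received: from cpe-203-0-113-7.cablecust.test ([203.0.113.7])
\tby mx.example.net with SMTP id 4; Tue, 2 Mar 2004 10:09:00 -0700
Received: from mail.bigcorp.test ([192.0.2.200])
\tby cpe-203-0-113-7.cablecust.test; Tue, 2 Mar 2004 10:08:00 -0700
From: ceo@bigcorp.test
Subject: forged hop

body
""",
]

# Constructed PTR table standing in for reverse DNS; see real_ptr() below.
FAKE_PTR = {
    "203.0.113.45": "c-203-0-113-45.hsd1.ma.cablecust.test",
    "203.0.113.7": "cpe-203-0-113-7.cablecust.test",
    "198.51.100.8": "dsl-198-51-100-8.dsl.telco.test",
    # 203.0.113.99 deliberately has no PTR record
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def real_ptr(ip):
    """Reverse lookup for real use (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def relay_ip(raw_message):
    """IP of the host that connected to OUR_MX, taken only from the Received
    line our own server wrote (the first one, scanning from the top, that
    says 'by OUR_MX'; forged lines further down are never reached)."""
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):      # header order, top first
        flat = " ".join(received.split())              # unfold continuation lines
        if f"by {OUR_MX}" in flat:
            m = BRACKETED_IP.search(flat)
            return m.group(1) if m else None
    return None


def relay_domain(ip, ptr):
    """Registered domain (last two labels) of the relay's PTR name, or the
    bare IP when there is no reverse record."""
    name = ptr(ip)
    if not name:
        return ip
    return ".".join(name.rstrip(".").split(".")[-2:])


def count_relay_domains(messages, ptr=fake_ptr):
    ips = (relay_ip(m) for m in messages)
    return Counter(relay_domain(ip, ptr) for ip in ips if ip)


if __name__ == "__main__":
    for domain, n in count_relay_domains(SAMPLES).most_common():
        print(f"{n:6d}  {domain}")
```

Two caveats when running this on real mail: taking the last two labels of the PTR name misfiles hosts under country-code second-level domains (something.co.uk becomes co.uk), so a public suffix list is the better cut; and relays with no reverse record end up counted by bare IP, which for broadband netblocks is common enough that you may want to fall back to a whois lookup on the address.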

Before you run off and start inserting filters that block all incoming email from broadband networks, be aware that things are just not that simple. You will be receiving some legitimate email from the millions of people who use broadband connections. That email will generally come from the mail relays for these networks, identifiable by using DNS to discover the MX (mail exchanger) records for their domains. A lot of broadband companies have mail relays set up for each region, so a single broadband company will not only have many relays, but also many netblocks (ranges of IP addresses). Blocking all broadband while permitting legitimate email is not a simple thing to do.

A much better solution would be for broadband ISPs to block outbound SMTP connections except from registered mail servers: customers who have their own MX records and an agreement with the ISP that allows them to deliver email directly. One Australian ISP (see Resources) has already instituted this policy, and we can expect many more to follow, since an ISP has every reason to avoid being not only a source of spam, but also a victim of spammers who abuse its network for relaying.
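As an added example of the policy just described (this is not the article's code, nor any particular ISP's configuration), here is the egress decision a broadband ISP could apply to its customer netblocks, together with the registration check that goes with it. Customer hosts may open port 25 only to the ISP's own mail relays, which is the path an ordinary home user's mail client takes anyway; a customer who runs a real mail server registers it, and the registration is accepted only if the customer's domain publishes an MX record that resolves to the registered address on the ISP's netblock, which ties the exemption to the MX record the text mentions. Registered hosts are then exempt from the block. The netblocks, relay addresses, hostnames and DNS tables are constructed; in production the tables would be real MX and A lookups and the decision would be pushed into the edge router's filter rules.

```python
"""Broadband ISP outbound-SMTP policy (added example; not from the article or
any ISP).  Customer hosts may open port 25 only to the ISP's own mail relays.
A customer running a real mail server registers it; the ISP accepts the
registration only if the customer's domain has an MX record resolving to the
registered address on the ISP's own netblock.  Registered hosts are exempt
from the block.  Netblocks, hostnames, addresses and DNS tables are constructed."""
import ipaddress

CUSTOMER_NETS = [ipaddress.ip_network(n)
                 for n in ("203.0.113.0/24", "198.51.100.0/24")]
ISP_RELAYS = {"192.0.2.25", "192.0.2.26"}        # the ISP's outgoing mail relays

# Constructed DNS data standing in for MX and A lookups.
FAKE_MX = {"smallbiz.test": ["mail.smallbiz.test"],
           "bigcorp.test": ["mx1.bigcorp.test"]}
FAKE_A = {"mail.smallbiz.test": "203.0.113.10",
          "mx1.bigcorp.test": "192.0.2.200"}


def in_customer_nets(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)


def validate_registration(domain, server_ip, mx=FAKE_MX, a=FAKE_A):
    """Accept a customer's mail-server registration only when the address is
    on our network and one of the domain's MX hosts resolves to it."""
    if not in_customer_nets(server_ip):
        return False
    return any(a.get(host) == server_ip for host in mx.get(domain, []))


class EgressPolicy:
    def __init__(self):
        self.registered = set()          # customer addresses allowed to deliver directly

    def register(self, domain, server_ip):
        if validate_registration(domain, server_ip):
            self.registered.add(server_ip)
            return True
        return False

    def allow(self, src_ip, dst_ip, dst_port):
        """Decision for one outbound TCP flow leaving the customer netblocks."""
        if dst_port != 25 or not in_customer_nets(src_ip):
            return True                  # not an SMTP flow we police
        if dst_ip in ISP_RELAYS:
            return True                  # ordinary users submit through our relays
        return src_ip in self.registered  # only registered servers deliver direct


if __name__ == "__main__":
    policy = EgressPolicy()
    print(policy.register("smallbiz.test", "203.0.113.10"))   # True
    print(policy.register("bigcorp.test", "203.0.113.77"))    # False: MX points elsewhere
    print(policy.allow("203.0.113.45", "192.0.2.100", 25))    # False: infected home PC
    print(policy.allow("203.0.113.45", "192.0.2.25", 25))     # True: via the ISP relay
    print(policy.allow("203.0.113.10", "192.0.2.100", 25))    # True: registered server
```

The second registration is refused because bigcorp.test's MX resolves to an address outside the customer netblocks, so nobody on the broadband network can claim that domain to win an exemption. An infected home PC at 203.0.113.45 can still send through the ISP's relays, where the ISP can rate-limit and inspect it, but cannot connect to port 25 on the rest of the Internet.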

If broadband ISPs, ideally all ISPs, only permitted outgoing email from registered servers, not only would spam die away, but viruses like SoBig and MyDoom would also not spread as quickly, as they too rely on sending email directly from victim systems that are not email servers. But until more ISPs decide to manage their networks this way, blocking both spam and many viruses at the source, the best you can do is use spam-blocking products and tools.

Resources:

I examined more spam, using an improved algorithm, and found similar results: www.spirit.com/Resources/spam.html

An article complaining about how AOL's blocking of email relays has "hurt home users" and resulted in a court order: http://www.internetnews.com/IAR/article.php/3069241

Australian broadband provider (Optus) blocks outgoing port 25 except by request:
http://www.australianit.com.au/articles/0,7204,8524834%5E16123%5E%5Enbv%5E,00.html

Some anti-spam filtering solutions, other than blocking IP addresses: http://www.australianit.com.au/articles/0,7204,8524834%5E16123%5E%5Enbv%5E,00.html

Blackhole lists often include innocent parties as collateral damage: http://www.broadbandreports.com/shownews/37511