I will say this about AOHell, I had had an email account with them since 96 and in that time I have had 4-5 spam make it into my regular email. That is in over 10 years of it being my primary email address.
Now with AOHell 9.0, I have a special ‘spam’ folder and I get 3-4 / week that show up there if I want to look at them. Mostly they are from sales sites where I agreed to accept email.
My point? What or how does AOHell filter out all the spam and why does not Gmail, or any of the others?
I use AOHell for my ‘on the road dial-up connection ISP’ when I can’t get broadband and where I go, that is a lot of the time. I am on satellite out here at 40th & Plum as there will never be any DSL or Cable strung here.
So there is a way to stop it, but why do not all the bigger ISPs do so? Why not the big email providers? $$$$?? Well, if we the consumer demanded it, would not they comply?
I have 9 email addresses but I only use 2 under normal circumstances.
AOHell does not let any through and Gmail requires only 2 ‘clicks’ to dump all the spam, one to see it and one to dump it. I can live with that.
But demanding CPU time would decrease the number of mails that could be sent from any single machine, so even if the spammer is using infected bot CPUs, the rate at which he can spam will still be cut down. Moreover, when Aunt Edna’s computer is permanently bogged down by a maxed out CPU load doing checksums for emails, she’s more likely to ask you why her computer isn’t working right, and hence it’s more likely that the computer will be properly secured and removed from the spammer’s control.
A bit off-topic, but I wanted to mention that I use Spamgourmet religiously for pretty much anything that I have to register for online, as I am a paranoid fanatic about keeping my email inbox spam-free (three years and counting, and partially I’m sure due to my having deliberately chosen a combination of letters and numbers as my user alias that spambots are unlikely to randomly hit on). You are correct that registering at the vast majority of “legit” sites will not result in spam. However, Harris Polls did sell my address to spammers. I got two or three spam emails of the “buy university diplomas now!” variety on my Harris Polls address before going in and shutting it down. There are also legit sites such as Ticketmaster on which it is apparently impossible to turn off the “helpful” newsletters that they send out periodically, which to my mind is not really that different from an actual spammer.
I don’t make that distinction either, and a fair number of “business relationship” things like this either don’t possess an opt-out, or make it too hard to find. Practically anything I buy online is from a vendor I’ve never used before because I’m fanatic about using the pricegrabber type sites and getting the cheapest price from any vendor that seems anyplace close to legit. Another reason I like using a credit card with virtual numbers. With that and a temporary (or often changed) address, I can get closer to having no more trail than if I walked into a brick-and-mortar store with cash. Not to mention registration-requiring websites I might want to check out, that won’t let me in without a working email address to respond to.
I do know that I never got a particularly spammy email (like a 419 or pump and dump) to any of my temp addresses. I did occasionally get companies, like Ticketmaster, that wouldn’t really unsubscribe me, but those, like “old” spam, are easy enough to can. Just tell Gmail that a few are spam, or blacklist the address, and it goes away.
I should point out that I also use BugMeNot and mailinator to bypass most website registrations, so the only companies I give real email addresses to are the ones I’m purchasing something from. Since I consider my credit card number more sensitive information than my email address, that might also reduce the number of shady sites that have my address.
What is it with modern society that makes so many people want to wave the banner of legislation at everything they don’t like? When did grown adults get so addicted to the notion that they have a right never to be annoyed by anything, and that the purpose of government is to make sure they never are?
We don’t need any more legislation, restrictions or costs, thank you kindly.
I get spam too, so you know what I do? I delete it without opening it. Total effort: virtually nil. Total time per day: never more than a few seconds. Total annoyance: negligible.
If spam annoys you, find your own way to deal with it. But don’t start shoving more legislation down my throat, and costing me more money (which all legislation does). You don’t like spam; I don’t like spam; nobody likes spam. But don’t tell me the solution to your petty annoyance is to legislate and restrict and charge everybody just to keep you from being annoyed.
I get junk mail on paper in my mailbox every day, too. Been that way for as far back as I can remember. So you know what I do with the junk mail? I throw it away. I don’t start clamoring for some bureaucratic “solution” that will only be a bigger pain in my ass, cost me money, and not really solve the problem.
I don’t like TV commercials, either. So you know what I do? I don’t watch 'em. Rather than going off and starting a Movement to promote my Big Cause, I ignore the stupid things.
Life is filled with little petty annoyances, things we don’t like and things we could do without. Crying for Big Daddy Government to step in and make them go away is childish and foolhardy, and invariably costly. Anybody who wants to find a grand Final Solution to spam is welcome to do so: just don’t screw the rest of us in the process. There are already far more horseshit laws floating around than we need, thanks.
While legislation may not be the answer, your situation is not the one that people are complaining about. I get 100 to 150 spam emails a day, sometimes as much as 300 to 350. It takes me probably 5 to 10 minutes or so per day to deal with the ones my spam program doesn’t catch. It’s fairly quick for me to scan the mailbox and see which ones are spam and which aren’t.
But I’m responsible for email for three companies, with a total of about 100 users. Each one of them gets spam as well, although most not at the level I do. I have to deal with their calls when the spam gets heavy. I have to deal with the problems when a virus gets through. I have to keep the spam filter software up to date.
So I spend an hour or two a week dealing with the fallout. So it winds up costing my customers and me a few hundred dollars per year.
Now imagine you have 1,000 or 10,000 users. The costs in lost time, software, bandwidth, and management can easily be thousands per year.
The first simple place to start is for all ISPs to block outgoing SMTP connections that do not come from their own internal mail servers. Customers running their own mail servers (like me) can use an external mail routing service (which costs money per email) that does not use port 25, or relay through the ISP’s mailserver by arrangement. People that need access to mail servers outside their ISP can use VPNs or custom authenticated ports.
This stops botnet broadcasters dead. ISPs should also blackhole all clients that attempt to send SMTP traffic until the customer has cleaned up and secured their PC.
This would hugely reduce the amount of spam email, by killing most of the senders dead.
If the Backbone providers insisted that their clients (ISPs) had appropriate edge rules, then the whole botnet problem would go away.
What happens in the large-scale spam filters, like the one my ISP uses? Does the filter just throw away the spam? Maybe the filtering programs could be modified to kill the spammers somehow.
Are you saying that an ISP, such as Roadrunner in my case, should block my connection to my SMTP server at my own domain’s server? I wouldn’t be too happy about that.
The whole idea about paying a small amount seems reasonable to me, but paying would require authentication of the source address, and if we put in place a mail system to authenticate the source address, doesn’t that by itself pretty much address the bulk of the spam problem?
Yep, that is what I am saying. 99% of all ISP customers only need SMTP between them and the ISP mail system. If they are generating any SMTP traffic to the outside, it is because they have been compromised and co-opted into a spam-generating botnet. Once all those PCs have been shut out of the equation, the spammers must use real mail servers, which cost money and bandwidth, and can be identified and blocked by a number of means.
If you want your ISP connected PC to use SMTP to talk directly to a mail server, use a non-standard port for client communications (1025, maybe, with SMTP auth turned on) on your server and avoid the block. Or use a VPN - much safer.
In '93 I was involved in setting up an Internet mail server. Just after we got it going, I heard about “Open Mail Relays.” We asked our supplier to give us a rule that stopped mail from outside our network from being sent back out. They asked us why we wanted to do that :smack: We closed the open relay, and few open relay mail servers cause problems now - they have been fixed or blocked. Almost all spam is generated by PCs connected via ISPs sending to external mail servers using SMTP. It should be stopped.
Si, at this point, I’d like to understand SMTP a little more. When my PC sends a message, it contacts a mail server (not my ISP’s) on port 25 using the SMTP protocol. Does that server then contact the destination person’s mail server, on port 25, using SMTP? I’m wondering what good it would do to use a non-standard port number for outgoing SMTP, and I think this might be the answer.
So the idea is that mail servers are set up to get their mail from other computers on port 25. The way most spam is sent nowadays, an end-user’s PC contacts that destination server directly on port 25, instead of going through the local ISP’s mail system. And in doing that, it spoofs the return address. So by blocking outgoing connections on port 25, an ISP would stop this. It would still allow me to use my own domain’s server, as long as I had set that up to listen on a different port. Is this right so far? I can see that this would work.
And this makes me wonder - if Aunt Edna’s computer has been hijacked and is sending mail directly to end-destination computers on port 25, doesn’t that destination computer have to know her IP address (not spoofed), so that they can communicate during the SMTP session? And in that case, isn’t there already a huge set of data in existence that knows the IP addresses of computers that are generating the spam? Seems like an automated system to comb through this data and finger which computers are generating spam would work, then the local ISP could contact its subscriber to make them aware of the issue.
The sending computer can use any port it wants, and can be any IP address. The receiving computer receives data on port 25 (SMTP). It can then do all sorts of validations at that point.
si_blakely’s point is if ISPs prevented their users from making a connection to port 25 on a remote machine, then these compromised spam-spewing computers would be blocked. I tend to agree, the vast majority of computers do not run their own mail server and do not need to directly establish an SMTP connection to port 25, they just send the mail to their ISP’s mail server and the ISP’s mail server takes care of delivery. The exceptions could easily be handled, and if every ISP would do this then the spam problem would be much much less.
Your PC uses a random port (as control-z says) but it targets the well-known port 25 on the mail server. The mail server then does the same to pass it to a destination.
yep - your mail server will also need to listen on port 25 for incoming messages from other mail servers (with no authentication) but it can use a variety of tricks to ensure that it is talking to a more trusted system - checking for a valid DNS, or using a Realtime blocklist lookup.
That is true in a sense - but every mail server in the world would need to collect and process this information, then look-up the ip addresses to find the ISP to report the client to. Far easier for the ISP to do it themselves at their edge firewall and process their own information on their own customers. They will spend money and time trying to restrict bittorrent and peer-to-peer traffic, but they could just as easily kill spam botnets and prevent many remote hack attacks.
They can also prevent spoofed ip packets from leaving their own networks (and id the culprit) and stop some DDOS-style packets as well.
Their inaction on this issue contributes to the appalling state of the internet.
Just because a computer algorithm says a message is spam, that doesn’t mean it is. The definition of spam will even vary from person to person. For example, if you order something from Amazon.com that’s actually shipped from Toys R Us, should Toys R Us put you on their mailing list?
My particular ISP’s spam filters were eating good messages so I asked them to turn off spam filtering for me, which they did. Of course now I get 75 messages a day of spam.
Anyway, I’m sure the policies vary, but I’d imagine they throw the spam away after a certain amount of time. As far as I know my local ISP throws away the messages classified as spam immediately.
Spam will no longer be necessary once every penis and breast has been enlarged to its fullest capacity, and we each have a lifetime supply of Viagra, Cialis, and Xanax in our closets. If you haven’t begun stockpiling, the spammers have already won.
So in order to route an email out of the ISP, it would have to proxy through the ISP’s mailserver? If I want to send an email through my email service of choice, I have to proxy it through my ISP’s mailserver? Every (internet bound) email that IBM employees send would go through their ISP’s mailserver?
And if that is not what you mean, do you mean that all off-ramp routers would filter SMTP traffic using a list of known mailserver IP addresses?
Neither of these options is scalable or realistic.
They also violate the spirit of the internet protocols, that once you get on the network, you are free to communicate with any other endpoint using any protocol to implement any service. This ideal is what makes the internet scalable, reliable, and fault-tolerant.
No, that’s not what he’s saying. The ISP (Roadrunner in my example) would simply block outgoing external connections with a remote port of 25 from its subscribers’ computers. I could still use an external SMTP server for my outgoing mail, I would just have to set up that server to listen on a port other than 25. Seems to me that this would cause some issues, and perhaps it could even be waived per-user, but making this the default would eliminate a huge amount of spam.
I don’t think that’s it, either. If my PC tries to establish a connection to anyone outside the ISP’s intranet with remote port 25, that packet is simply dropped. No requirement that the ISP know who the valid mail servers are. Of course, the ISP has its own mail servers for its users, and that server is allowed outgoing port 25 connections, but most spam comes from Aunt Edna’s PC directly connecting to a final-destination mailbox. When she wants to send a message herself, her email program normally sends it to the ISP’s server first. More advanced users can simply connect to their mail servers on a different port number.
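The edge rule debated in this thread (drop subscriber connections to remote port 25 unless they go to the ISP's own mail server, and flag repeat offenders so the customer can be contacted) can be sketched as follows. This is an added example, not code from any poster: the addresses are constructed documentation ranges, and the flow-record format, network names and threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed values (RFC 5737 documentation ranges), not real hosts.
SUBSCRIBER_NET = ipaddress.ip_network("198.51.100.0/24")  # hypothetical customer pool
ISP_MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25")}   # hypothetical ISP relay
NOTIFY_THRESHOLD = 3  # assumed: blocked attempts before a subscriber is flagged

# Constructed outbound flow log, one attempt per line: "src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
198.51.100.7 203.0.113.10 25
198.51.100.7 203.0.113.11 25
198.51.100.7 203.0.113.12 25
198.51.100.7 192.0.2.25 25
198.51.100.9 203.0.113.50 1025
198.51.100.9 203.0.113.50 25
192.0.2.25 203.0.113.10 25
"""

def decide(src, dst, dport):
    """Return 'allow' or 'drop' for one outbound TCP connection attempt."""
    if dport != 25:
        return "allow"   # alternate ports (e.g. an authenticated 1025) pass
    if src in SUBSCRIBER_NET and dst not in ISP_MAIL_SERVERS:
        return "drop"    # subscriber PC talking straight to a remote MX
    return "allow"       # ISP relay outbound, or subscriber to ISP relay

def evaluate(flow_text):
    """Apply the rule to every record; return verdicts, per-host drops, hosts to notify."""
    verdicts, blocked = [], Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src_s, dst_s, port_s = line.split()
        verdict = decide(ipaddress.ip_address(src_s),
                         ipaddress.ip_address(dst_s), int(port_s))
        verdicts.append(verdict)
        if verdict == "drop":
            blocked[src_s] += 1
    to_notify = sorted(ip for ip, n in blocked.items() if n >= NOTIFY_THRESHOLD)
    return verdicts, dict(blocked), to_notify

if __name__ == "__main__":
    verdicts, blocked, to_notify = evaluate(SAMPLE_FLOWS)
    print(verdicts, blocked, to_notify)
```

The rule needs no list of valid remote mail servers: it only knows the ISP's own relay and its own subscriber range, which is why the per-customer counts are cheap for the ISP to produce at its edge.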