Stopping Spam at the Source

I read a while back (sorry, no cite) that a relatively few broadcasters were responsible for a remarkably high percentage of the spam that floods the internet. If this is still so, why can’t ISPs block that spam from going out at the source?

I am not talking about malware in general. Blocking malware can require tediously disassembling each packet/flow; that’s partly why Norton makes your computer run slower, and it would be impractical at ISPs.

Blocking email from a source ‘merely’ requires looking at the address fields of a packet; something routers to some extent do anyhow.

Spammers could probably relocate but it seems this would make their life harder and perhaps get rid of some of them.

Is there a legal ‘Freedom Of Speech’ requirement on the internet that would prevent this?

I thought, to a certain extent, that they did.

ISPs block all kinds of stuff from e-mail spammers. If they didn’t, you wouldn’t be able to use your e-mail. You’d get so many spam messages per day that it would be difficult to sort through them all to find any legitimate messages you might receive.

Actually blocking traffic from the spam origin sites gets to be a lot more difficult. Your major spam sources come from China, Korea, and Romania, and they come from ISPs in those countries that also carry legitimate traffic. What are you going to do, block the entire country of China? Some ISPs (in many countries, including the U.S.) are very low budget operations, and don’t have enough employees on staff to respond to spam reports. The spammers quickly learn what ISPs don’t enforce spam policies and use those. When one of these ISPs does crack down on spam, they simply move to another. There are also some ISPs who intentionally don’t enforce spam policies so that they can get a lot of spammers as hosting customers. The ISPs collect their money from the spammers as customers and don’t care about much else. Clamping down on spam would not only cost them money in manpower, but would also lose them customer revenue.

Some ISPs have blacklists that block these known bad ISPs, but then their customers often complain about blacklists. Their customers want to download illegal music and watch illegal videos online and that sort of thing, and the same sites that provide those types of services also generate spam.

You also have to keep in mind that the internet is just a collection of systems all over the world, with each system having its own administrators and its own rules. You can’t just go to the Boss of the Internet and tell him that a particular spam-generating ISP is to be blocked from all other sites. The internet doesn’t have that kind of centralized regulation and control. The whole point of the internet is that it is a big distributed network, and each of its individual network parts figures out what to do on its own.

Blocking spammers at their source would also end up a lot like whack-a-mole. You block a spammer, and he just pops up somewhere else with a different domain name. You can waste an awful lot of resources trying to block them all and not really accomplish much from a practical point of view.

Nuking Korea and Russia comes to mind, but that might be extreme even to control spam.

But what if we really don’t like spam?

The majority of spam that gets through our filters comes from real servers that have been compromised. So like @realcompany.com gets compromised, sends out 50mm spam emails, everything in their headers is legit with SPF records and everything (lowering their spam score), 42mm spam emails get through to the recipients, and no one at Real Company notices until it’s too late because it only took 2 hours for all the emails to go out.

We’ve gotten spam in rashes, like all the same spams from Real Company A one day, Real Company B the next day, Real Company C the next, just because we’re on the spammer’s lists and they are hopping from company to company.

It’s definitely like whack-a-mole like e_c_g said. It’s infuriating to sys admins because you can waste a lot of time and money working on it and not get very far.
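The post above describes the case that hurts filters most: mail from a compromised server that is genuinely authorized to send for the domain, so SPF passes. The following is an added example (not from the thread, not anyone's posted code) with a minimal SPF evaluator over a constructed DNS table: the domains `realcompany.example` and `mailhost.example`, their records, and the RFC 5737/3849 addresses are all hypothetical. It handles the `ip4`, `ip6`, `include` and `all` mechanisms; mechanisms that need live DNS (`a`, `mx`, `ptr`, `exists`) are reported as `permerror` rather than faked. The point it shows: SPF answers "is this IP allowed to send for this domain?", not "is this message wanted?", so a spammer relaying through a hijacked authorized host gets a clean pass.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over a constructed DNS table.

Added example, not from the thread. Demonstrates that a compromised but
authorised server passes SPF exactly like legitimate mail would.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups. Hypothetical domains and
# documentation-only address ranges (RFC 5737 / RFC 3849).
SPF_RECORDS = {
    "realcompany.example": "v=spf1 ip4:203.0.113.0/28 include:mailhost.example -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    if depth > 10:  # RFC 7208 caps the number of DNS-querying terms at 10
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")  # splits at the first ':' only
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(arg, sender_ip, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include: just keep evaluating
        else:
            # a / mx / ptr / exists need live DNS; not faked in this offline example
            return "permerror"
    return "neutral"  # no mechanism matched and no 'all' present


def demo():
    """Constructed scenarios: returns {label: result}."""
    return {
        # Real Company's own relay, hijacked and pumping out spam: SPF is happy.
        "compromised authorised relay 203.0.113.5": check_spf("realcompany.example", "203.0.113.5"),
        # Botnet PC forging the same From: domain from an unauthorised address.
        "botnet PC forging From 192.0.2.77": check_spf("realcompany.example", "192.0.2.77"),
        # Third-party host authorised via include:.
        "included host 198.51.100.10": check_spf("realcompany.example", "198.51.100.10"),
        "included IPv6 host 2001:db8::1": check_spf("realcompany.example", "2001:db8::1"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Both the hijacked relay and the legitimate relay come back `pass`; only the forging botnet PC gets `fail`. That is why the post's "everything in their headers is legit" spam sails through: origin authentication is working as designed, the problem is on the sender's host.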

You can check an IP address; there are several organizations dedicated to identifying and listing IP addresses sending out spam. As **ZipperJJ** says, it’s like whack-a-mole. One of the common sources nowadays is infected machines - not just servers, but personal PCs too.

The problem is that by default, there is no specific authentication for email. This is by original design. Originally, servers in the networks would come and go offline; perhaps some smaller universities would be dialling other servers, or maybe a few bigger ones had a few dedicated lines from one to another. Thus a server could act as a relay, accepting email from A for B and passing it on when B came online. At the time, nobody imagined anonymous servers sending floods of Viagra and Rolex ads.

Many years ago, certain ISPs allowed spammers to operate, but between laws and blacklisting, that option has disappeared.

So most servers accept any incoming TCP/IP connection on port 25. Now, firewalls and filters will check any incoming connection against common blacklists, so a server might be useful for only a few hours or days before it is almost universally blocked. Large organizations’ firewalls block port 25 outbound except for their dedicated email servers, so infecting a machine behind a commercial firewall (if you can get past the antivirus) is useless. (Plus the firewall will report attempts, and the PC is usually fixed right away.)

You can’t block email from all of China, for example, because there may actually be someone who needs to get email from a contact in Hong Kong or Shanghai.

The best bet for spammers now is to infect home PCs - less monitored, less technical oversight, more likely to visit inappropriate websites and pick up a virus. However, many larger ISPs block port 25 outbound on their networks - the only place a home PC might send email is to the local ISP email server, where filters can be applied.

As a result, another useful target is smaller business servers, with the right to send email not blocked. Again, after a day or two the rest of the world adds them to the blacklist, and some tech support person has to clean up the infection, go through the trouble of removing the blacklisting, etc.

Plus, blacklists and filters use sophisticated “smart” programs, looking for patterns. Thus you’ll see V1agra spelled with a “1” instead of an “i”, or with spaces between the letters, or using a few Cyrillic characters, to fool dictionary checks - which smarter programs can now catch. You will see email with only a picture in the body of the email blocked, because to avoid filters parsing the content, the spam sends a picture that looks like the text body.

It’s an escalating arms race, or maybe whack-a-mole. Someone comes up with an idea to get past the filters, the filters are updated to cover that. Someone discovers a new way to infect machines, the anti-virus companies eventually cover that. All that this guarantees is that you need to stay up to date to stay safe(r).
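The post above mentions the three classic dictionary-check evasions: digit-for-letter substitution (V1agra), spaced-out letters (V i a g r a) and Cyrillic look-alike characters. The following is an added example (not from the thread, not anyone's posted code) of the normalization step a content filter runs before matching keywords, so that all three collapse back onto the plain word. The homoglyph table, the keyword list and the sample message lines are all constructed for the example; a real filter would score a hit rather than hard-reject on it, since digit-to-letter folding will occasionally mangle legitimate text.

```python
"""Keyword-obfuscation normalizer for a spam content filter.

Added example, not from the thread. Folds homoglyphs, digits-as-letters and
spaced-out letters so that "V 1 a g r a" and Cyrillic "Vіаgrа" both match "viagra".
"""
import re
import unicodedata

# Constructed homoglyph table: substitutions spammers use for ASCII letters.
# Cyrillic entries are the look-alikes а е о р с х у і ј (not Latin letters).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
})

# Three or more single characters separated by spaces/dots/dashes/underscores/stars,
# e.g. "v i a g r a", "r.o.l.e.x", "c-i-a-l-i-s". Multi-letter words never match.
SPACED = re.compile(r"\b(?:\w[ .\-_*]+){2,}\w\b")

# Constructed keyword list; a real filter carries thousands of weighted terms.
KEYWORDS = ("viagra", "rolex", "cialis")


def normalize(text):
    """Return a lower-cased, de-obfuscated form of text for keyword matching."""
    text = unicodedata.normalize("NFKC", text).casefold()  # fullwidth etc. -> ASCII, lower-case
    text = text.translate(HOMOGLYPHS)                      # v1agra -> viagra, Cyrillic -> Latin
    text = SPACED.sub(lambda m: re.sub(r"[ .\-_*]", "", m.group(0)), text)  # v i a g r a -> viagra
    return text


def find_spam_terms(text, keywords=KEYWORDS):
    """Map each keyword found to 'exact' (visible as-is) or 'obfuscated' (only after normalizing)."""
    raw = text.casefold()
    norm = normalize(text)
    hits = {}
    for kw in keywords:
        pattern = r"\b" + re.escape(kw) + r"\b"
        if re.search(pattern, raw):
            hits[kw] = "exact"
        elif re.search(pattern, norm):
            hits[kw] = "obfuscated"
    return hits


# Constructed sample message lines (not real spam captures).
SAMPLES = [
    "Buy V1AGRA online, no prescription",
    "Cheap R 0 L E X watches, ship today",
    "V\u0456\u0430gr\u0430 at half price",          # Cyrillic і and а
    "Your Rolex order has shipped",
    "Meeting at 10, bring the Q3 report",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:45} -> {find_spam_terms(line)}")
```

The first three samples only match after normalization, the fourth is a plain hit, and the meeting notice stays clean. The image-only trick the post also mentions is not a text problem at all; filters handle that by scoring messages whose body is empty apart from an inline image, which is a separate check from this one.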

The source is either wrong or you misread it. There are an incredible number of spam servers out there. Millions. There might be a few organizations behind a lot of it, but the number of distinct servers is huge.

One standard reason for assembling a botnet is to have all the compromised machines start sending out spam. A single botnet can have hundreds of thousands of machines.

This is why most ISPs block the standard outgoing mail ports.* But not all do, especially for business sites which are just as vulnerable to malware as home users.

Another technique is to get into people’s email accounts and start sending out spam from those. We have a relative that gets her account compromised at least once a year. Of course, one of the first things the malware does is send out emails to everyone on the contact list with “special” messages to infect those machines, harvest their passwords, and continue the cycle.

You can’t block Hotmail, Yahoo!, Gmail, etc.

Plus a lot of spam is “legitimate” email. E.g., somehow an Australian newspaper got my email address lately and started sending me plugs for articles multiple times per day. I blocked them. An amazing number of companies are horrible in this way. Can you imagine the uproar if all these companies started getting blacklisted by ISPs?

  • And then a while back my ISP started blocking incoming mail ports. Sheesh. What next, blocking incoming FTP and HTTP connections?

Exactly. There used to be a few big spammers many years ago - but legislation and blacklisting changed that, as I said.

Infected machines now send a lot of the spam, and often that’s the whole reason to infect a machine. Your home PC may be sending spam and you may not know it. Blacklisting only affects the mail port 25 on TCP/IP, so you may not know you are sending spam email until someone from your ISP calls.

Plus, with a botnet of thousands of infected machines, the controller does not have to reveal his IP to the general public, he tells the infected machines the email to send and a big list of destinations. As each one is blocked with blacklisting, switch to another one.

(BTW, many ISPs do block incoming HTTP by the simple process of randomly changing IP addresses so you cannot rely on a consistent address (unless you spring for the more expensive package). Since we’re pretty much out of IPv4 addresses, some ISPs may be switching huge chunks of their network to NAT, with no public IP address.)
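The blacklisting the last two posts describe is done per connecting IP, at the moment a remote host opens port 25: the receiving server looks the address up in a DNS-based blocklist (DNSBL) and refuses the session if it is listed. The following is an added example (not from the thread, not anyone's posted code) of that lookup: the address octets are reversed and prepended to the list's zone, an A record answer means "listed", and NXDOMAIN means "not listed". The zone `bl.example`, its answer codes and the stub answers are all constructed so the example runs offline; `live_resolve` shows the real DNS call but is not exercised here. Real zones publish their own meaning for each 127.0.0.x code, so the table is illustrative only.

```python
"""DNSBL (DNS blocklist) lookup as a receiving mail server performs it.

Added example, not from the thread. Query name construction follows RFC 5782:
reversed IPv4 octets (or reversed IPv6 nibbles) under the list's zone.
"""
import ipaddress
import socket

ZONE = "bl.example"  # hypothetical list zone

# Constructed answer codes for the hypothetical zone. Real lists define their own.
RETURN_CODES = {
    "127.0.0.2": "direct spam source",
    "127.0.0.4": "compromised/botnet host",
    "127.0.0.10": "dynamic/residential range",
}


def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL query name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))          # 203.0.113.7 -> 7.113.0.203
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # 32 nibbles, each its own label
    return ".".join(labels) + "." + zone


def check_dnsbl(ip, resolve, zone=ZONE):
    """Return the list of reasons the address is listed (empty list = not listed)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return [RETURN_CODES.get(a, "listed (undocumented code %s)" % a) for a in answers]


def smtp_decision(ip, resolve, zone=ZONE):
    """What the MTA does at connection time: reject listed hosts, else continue."""
    reasons = check_dnsbl(ip, resolve, zone)
    if reasons:
        return "554 5.7.1 rejected: %s listed in %s (%s)" % (ip, zone, "; ".join(reasons))
    return "220 ready"


def live_resolve(name):
    """Real DNS lookup: A records if listed, NXDOMAIN (gaierror) if not. Not used offline."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed stub answers (RFC 5737 / RFC 3849 addresses) so the example runs offline.
STUB_ANSWERS = {
    dnsbl_query_name("203.0.113.7"): ["127.0.0.4"],   # a botnet PC that got noticed
    dnsbl_query_name("2001:db8::1"): ["127.0.0.2"],   # an IPv6 spam source
}


def stub_resolve(name):
    return STUB_ANSWERS.get(name, [])


if __name__ == "__main__":
    for host in ("203.0.113.7", "2001:db8::1", "198.51.100.1"):
        print(host, "->", smtp_decision(host, stub_resolve))
```

This is also why the botnet controller in the post above never exposes its own address: each infected machine is listed on its own, and after it is listed the controller simply hands the remaining list of destinations to a machine that is not yet.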

Oops, misspoke, er mistyped. I mean “incoming” as in downloading something from an FTP or web site. Not like in setting up your own server. I can see blocking outgoing mail ports, but incoming? I ran my own mail server for years for incoming mail (handy for one off addresses and things). Hardly got any spam probes at all.

For FTP and HTTP, you can assign any port you want to your home server and it will work, as long as the person on the other end uses a URL/URI that includes the port number. Unfortunately, there is no such port change you can use for SMTP or POP3. The ports are hardwired everywhere.

(Yeah, the IPv4 address thing is worrisome. We needed to switch over years ago.)

Drifting slightly from my own OP:

In the case of spammers who are looking for a reply, as opposed to just a broadcast ad, does it make sense to send them back a couple thousand emails just to clog up their in-boxes? This is not so much to mechanically plug their mailbox, but instead make it harder for them to sort out any ‘valid’ replies they may otherwise receive.

Don’t do this. You’re only punishing your own ISP.