[rescue] Spam (was: Perverse Question)

Rich Kulawiec rsk at gsp.org
Sat Jun 7 15:13:24 CDT 2003

> It's going to have to be a technological solution.  [...]

A significant amount -- as in tens of thousands of messages worth -- of discussion
has already taken place on just this topic.   In fact, the IETF ASRG mailing
list has been very...well, "busy" isn't strong enough, but it'll have to
do...lately.  It would appear that DNS RMX, which I'll babble about in a
minute, may be the first thing to happen.

The problem -- or rather, one of the problems, for there are many [1] --
is that getting everyone on the 'net to implement ANY solution will be
very, very difficult.

Let me illustrate by way of example: not many of you were around during
The Great Renaming which took place on Usenet in the mid-80's.  So let me
summarize for you: the idea was to take the two main Usenet hierarchies
of the day, "net" and "mod", and replace them with seven hierarchies:
comp, misc, news, rec, sci, soc, talk in such a way that any articles
which showed up in the old ones would migrate to the new, etc.

The only people who needed to do this were those running Usenet news
servers -- which at the time was a relatively small group of folks
connected via UUCP, the ARPAnet, CSnet, etc.  Most of those people were
very clueful, because they *had* to be: it just wasn't possible to run
a net-connected node or a Usenet news server if you weren't.  And this
was not so much a software change, per se, as a config file change
(with some other baggage that I'll gloss over for now).  And it was,
to a large degree, enforceable by fiat: the Usenet "backbone" was pretty
much in a position to dictate the nature and timing of the change.

Despite all of these factors in its favor, the migration did not go
entirely smoothly.  It wasn't hideous, but it did strain resources
and patience.  Some people ended up not speaking to each other.
Odd and occasionally annoying problems continued to show up for
months afterward.

Now extrapolate to today: extrapolate from "hundreds of news servers" to
"tens of millions of mail servers".  Extrapolate from "relatively small
group mostly in N. America and Europe" to "extremely large group all
over the world, many of whom don't speak English".   Extrapolate from
"relatively clueful" to "amazingly clueless" [2].  Extrapolate from
"mostly running A news, B news, and notes [3] on a handful of platforms"
to "running about a bazillion different MTAs on all kinds of platforms".
Extrapolate from "mostly a config file change" to "major code change
with operational impact".  Extrapolate from "running a non-essential
service used mostly by computer geeks" to "running an essential service
used by several hundred million people".  Extrapolate from "systems pretty
much left alone to do what they do" to "systems under a high level of
assault by spammers, malware, and crackers".

Ow.  Owwww.  OWOWOWOWOOWW.  My head hurts already.

So I think it would be much simpler to unplug the spammers (where
possible) and motivate people to unplug the spammers (where not).

"Motivate" in this case comes down to "I am going to refuse all your
mail/articles/packets/whatever until you remove your spammers", and it
works if a sufficient number of people (or a small but sufficiently
influential number of people) say this.  It's called a boycott.  The
Usenet version (UDP) has been quite effective over the years in causing
irresponsible ISPs to, ummm, pay attention.  Of course, like any boycott,
its effectiveness is proportional to the number of people participating.
But we are now starting to see that enough people are using various DNSBLs
(e.g. Spamhaus, Easynet, SPEWS) that a listing there gets the attention
of the listees and causes them to do something.

A lot of the time, the "do something" is to whine about how unfair it
is (while ignoring how unfair it is that we all have to get spammed).
Some of the time, it's legal posturing, aka a "cart00ney", which is a sure
and quick trip into tens of thousands of private, permanent blacklists.
But sometimes, it's effective action.  For example, Sprint (known as
SprintPink among antispammers due to their affinity for spam) has been
quietly removing a LOT of spammers from their network in 2003.  Are they
doing it because they discovered ethics and responsibility?  Because they
got DNSBL'd heavily?  Because of something else?  It's hard to say.
But I think the DNSBLs do have an impact, judging by the statements made
by representatives of listed ISPs.

This is already long, but let me touch on the RMX ("reverse MX") idea(s)
briefly.  There are several different proposals/ideas, so what I'm saying
is the gist, no better: for details, check the IETF ASRG mailing list
or the namedroppers mailing list or Spam-L or or or...

DNS has a record type called "MX" - Mail eXchanger.  It is used to
indicate that mail for a host/domain should be sent to particular
system(s), and it has a weighting (an integer) that indicates a
preference for which one(s).  Example:

	MX      10 mail1.example.com.
	MX      20 mail2.example.com.
	MX      30 mail3.example.com.
	MX      30 mail4.example.com.

says that mail1 is the most preferred host to receive mail,
followed by mail2, followed by mail3/mail4 with equal precedence.

An MTA (Mail Transport Agent - sendmail, postfix, whatever) which wishes
to deliver mail to example.com should perform a DNS query and get this
information, then decide what host to actually connect to on port 25
to attempt to deliver mail.  (Insert discussion about what to do if
the first attempt fails, queueing, retries, etc.)

The point is that MX records tell you where INBOUND mail for a domain
should go.

They do not tell you where OUTBOUND mail will originate.  And in the
case of many domains, those are NOT the same servers.

So imagine a DNS record type called "XM", and imagine that it gets set up
for every host that emits mail.  So:

	XM      fred.example.com.
	XM      barney.example.com.

What does this get us?  Well, for one thing, the LACK of an XM for
wilma.example.com, means that the owner of example.com is making a
statement that mail will NEVER come from wilma -- so if you are on the
receiving end of a connection attempt to your port 25 from wilma, you
should drop the connection.  Or not accept it to begin with.

This becomes immediately useful for anyone with large numbers of customer
systems on dialup/DSL/cable/whatever, because simply by omitting XM records,
anyone running an MTA that's smart enough to check for them will refuse mail
from those boxes.  (So how do all those customers send mail?  Through the
mail servers that they're SUPPOSED to use.  And what if one of them wants to
run their own mail server?  Fine, get the ISP to put in an XM record or if
you're running your own DNS, put in one for yourself.)

This would immediately cut out a ton of spam from hijacked systems that
should NEVER be sending any mail to anybody, anywhere.  It means that
large operations with 50 mail servers and 2000 web hosts that NEVER send
mail can make sure that -- even if their web hosts turn out to have a 
security issue that allows spammers to exploit them -- they won't
be a spam source, because they only put in XM records for the 50 mail servers.

Then we get to refinement (and arguments); how about not just specifying
that the systems emit mail, but which domains they're authorized to emit
it FOR?  And so on.  It gets gnarly at that point, and this is long enough,
but I went through this so that you'd know that yes, a LOT of people are
arguing these issues vociferously at the moment, and -- I think -- when
something happens, it is likely to happen in DNS with supporting code
in the MTAs.

And it will be a huge argument and a nasty, painful process of implementation.

Which is why I still think it's simpler to just unplug the spammers.


[1] Thank you Douglas Adams.

[2] One of my customers enquired as to why she wasn't getting proxy
vote information about various stocks she owns.  I thought perhaps my
spam-blocking had nailed it.  Nope -- but only because I don't happen to
be using the DNSBL that lists the mail server in question [correctly]
as an open relay.  That's right, quasi-confidential personal financial
info is coming out of a mail server that's clearly misconfigured.  It gets
better: the *reason* that the mail isn't showing up is that ~2 weeks
ago my instance of sendmail (while under heavy attack from spammers)
sent these folks a "your message has been delayed for 4 hours, you don't
need to do anything" notification and they of course responded by ignoring
it and unsubscribing her.

Oh, and did I mention that their mailer doesn't generate Message-ID

[3] A kind of news software developed at the U of Illinois.
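The MX lookup and the hypothetical XM ("reverse MX") check described in the post above, as an added worked example that is not part of the original message and not anyone's actual implementation. All DNS data is constructed in memory (the `ZONE` dictionary stands in for DNS answers), `XM` is not a real record type, and the IP addresses and host names are invented. The example goes one step beyond the post in two places, both labelled in the code: it forward-confirms the reverse DNS name before trusting it, and it implements the "which domains is this host authorised to emit mail for" refinement the post only alludes to.

```python
"""Worked illustration of the MX lookup and the hypothetical XM ("reverse MX")
check described in the post.  Everything here is constructed in memory: the
zone data is made up, and XM is not a real DNS record type."""

import random
from itertools import groupby

# Constructed zone data standing in for DNS answers.  Names are lower-case and
# fully qualified (trailing dot).  XM (hypothetical) maps an emitting host to
# the domains it is authorised to emit mail for; a host with no XM entry is
# declared by its owner to never send mail.
ZONE = {
    "MX": {
        "example.com.": [
            (10, "mail1.example.com."),
            (20, "mail2.example.com."),
            (30, "mail3.example.com."),
            (30, "mail4.example.com."),
        ],
    },
    "A": {
        "fred.example.com.": {"192.0.2.10"},
        "barney.example.com.": {"192.0.2.11"},
        "wilma.example.com.": {"192.0.2.20"},
    },
    "PTR": {
        "192.0.2.10": "fred.example.com.",
        "192.0.2.11": "barney.example.com.",
        "192.0.2.20": "wilma.example.com.",   # no XM record: never sends mail
        "203.0.113.5": "fred.example.com.",   # PTR claims fred, but fred's A disagrees
        # 198.51.100.7 deliberately has no PTR at all
    },
    "XM": {
        "fred.example.com.": {"example.com."},
        "barney.example.com.": {"example.com.", "example.net."},
    },
}


def mx_delivery_order(domain, rng=random):
    """Hosts to try for INBOUND mail to `domain`, most preferred first.
    Hosts sharing a preference value (mail3/mail4 above) are shuffled so the
    load is spread across them rather than always hitting the first one."""
    records = sorted(ZONE["MX"].get(domain.lower(), []))
    order = []
    for _pref, group in groupby(records, key=lambda rec: rec[0]):
        hosts = [host for _, host in group]
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def rmx_check(client_ip, sender_domain=None):
    """Decide whether to accept an SMTP connection from `client_ip` under the
    XM scheme.  Returns (accept, reason).

    Steps: map the IP back to a name (PTR); confirm that name really resolves
    to this IP, so nobody can borrow a legitimate host name just by pointing
    their own PTR at it (this forward-confirmation step is an addition, not in
    the post); then require an XM record for the name.  If the envelope
    sender's domain is supplied, also require that the host is authorised to
    emit mail for it (the "refinement" the post mentions)."""
    name = ZONE["PTR"].get(client_ip)
    if name is None:
        return False, f"{client_ip}: no reverse DNS, nothing to look an XM record up for"
    name = name.lower()
    if client_ip not in ZONE["A"].get(name, set()):
        return False, f"{client_ip}: PTR says {name} but {name} does not resolve back to it"
    allowed = ZONE["XM"].get(name)
    if allowed is None:
        return False, f"{name}: no XM record, its domain says it never sends mail"
    if sender_domain is not None and sender_domain.lower() not in allowed:
        return False, f"{name}: not authorised to emit mail for {sender_domain}"
    suffix = f" for {sender_domain}" if sender_domain else ""
    return True, f"{name}: declared mail emitter{suffix}"


if __name__ == "__main__":
    print("MX order:", mx_delivery_order("example.com."))
    for ip, dom in [("192.0.2.10", "example.com."), ("192.0.2.10", "example.org."),
                    ("192.0.2.20", None), ("198.51.100.7", None),
                    ("203.0.113.5", "example.com.")]:
        print(ip, dom, rmx_check(ip, dom))
```

The forward-confirmation step is what makes the check hold up: the XM record is consulted by name, but the receiving MTA only has an IP, and the PTR for that IP is under the control of whoever owns the address block. Requiring the name to resolve back to the connecting IP means an XM record can only vouch for hosts that the name's own zone actually points at. Note also that a host with no reverse DNS fails closed here, which is the post's intended behaviour for dialup/DSL/cable pools but will also reject any legitimate sender whose ISP never set up PTR records.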
