The Problem of Spam Relaying

Initial version, 20 October 1997

Almost everyone who's posted to a Usenet newsgroup knows about Spam -- unsolicited bulk e-mail sent to millions of Internet users.

What many people don't know is that sending a million e-mails from a single computer is hard -- people will discover your attempt and block it long before you get a million pieces sent. So the spammers thought of a way to get their million pieces out fast -- they relay through hundreds of mailservers, each of which can get out a few thousand e-mails before being discovered.

The Internet E-mail protocols were designed for a cooperative community, and trust all Internet hosts to be reasonable. Thus, there are tens of thousands of Internet hosts which will blindly relay any e-mail they are given (until the complaints start coming in).

JLC.NET has been hit by spam relayers; and we have been forced to institute some anti-relay rules. Basically, if we're asked to send an e-mail, it must either come from a section of the 'net we trust, or it must be addressed to one of our users. We expect these rules to reject about 1,000 messages a day.

Of these 1,000 perhaps one percent will be legitimate attempts by our users to send e-mail from their work, or while traveling. If you have a fixed IP address where you work, we'll be happy to add it to our list of trusted hosts. Otherwise, we ask that you send e-mail through the SMTP server for the network you're sending from.

Of course, you could send it to your JLC account from anywhere, then forward it when you get home; or you could dial directly into JLC and send to anywhere from your dialin account. Even if you need to pay long-distance charges, they shouldn't be much more than the price of a stamp.

We are truly sorry for the inconvenience, and we hope to be able to offer JLC customers an alternate e-mail-sending program which will authenticate the sender (by username and password, for example) and allow us to send your e-mail without worrying about the spam relayers.

Update, 20 October 2002

The number of messages rejected by the above rule has reduced somewhat, down to perhaps 300 per day. We have implemented POP-before-SMTP, which means that you can send from a non-JLC IP address for a short period after you check your mail.
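
The relay decision described above (accept if the recipient is one of our users, or the client is on a trusted network, or the client recently checked mail by POP), as an added example that is not JLC's actual mail-server configuration. The addresses, the domain, the 30-minute window and the names `RelayPolicy`, `record_pop_login` and `decide` are assumptions made for illustration.

```python
import ipaddress
import time

# Constructed sample values (documentation address ranges and domains).
TRUSTED_NETS = ["192.0.2.0/24"]      # networks allowed to relay anywhere
LOCAL_DOMAINS = {"example.net"}      # domains whose mailboxes we host
POP_WINDOW = 30 * 60                 # assumed length of the "short period", seconds


class RelayPolicy:
    def __init__(self, trusted=TRUSTED_NETS, local=LOCAL_DOMAINS, window=POP_WINDOW):
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.local = {d.lower() for d in local}
        self.window = window
        self.pop_logins = {}  # client address -> time of last successful POP login

    def record_pop_login(self, client_ip, now=None):
        """Hook for the POP server: call only after the password was verified."""
        ip = ipaddress.ip_address(client_ip)
        self.pop_logins[ip] = time.time() if now is None else now

    def decide(self, client_ip, rcpt, now=None):
        """Return (accept, reason) for one RCPT TO from one connecting client."""
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(client_ip)
        domain = rcpt.rpartition("@")[2].strip(">").lower()
        if domain in self.local:
            return True, "local-recipient"       # mail for our own users
        if any(ip in net for net in self.trusted):
            return True, "trusted-network"       # dial-in pool, listed fixed IPs
        seen = self.pop_logins.get(ip)
        if seen is not None:
            if now - seen <= self.window:
                return True, "pop-before-smtp"   # recently authenticated via POP
            del self.pop_logins[ip]              # expired: forget the address
        return False, "relaying-denied"


def demo():
    p = RelayPolicy()
    p.record_pop_login("203.0.113.9", now=1000)
    return [
        p.decide("198.51.100.7", "alice@example.net", now=1000),
        p.decide("192.0.2.44", "bob@example.org", now=1000),
        p.decide("198.51.100.7", "bob@example.org", now=1000),
        p.decide("203.0.113.9", "bob@example.org", now=1600),
        p.decide("203.0.113.9", "bob@example.org", now=2801),
    ]
```

POP-before-SMTP authorizes an IP address rather than a user, so every machine behind the same address shares the relay permission until the window expires.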

Not surprisingly, spammers have come up with other tricks.

Although virtually all ISPs have implemented similar anti-relay rules, spammers now attempt to relay through individual computers, not only (or even primarily) through ISP mail-servers.

Consequently, we have been forced to protect against open relays which no ISP attempts to control. Our basic tool is enabling a standard feature of our mail-server software which checks the "reverse-DNS" of the IP address of every computer which attempts to send mail to us. If there is no match between reverse- and forward-DNS entries, it indicates that no ISP is paying close attention to the activities of whatever computer is using that IP address; so we return a temporary error and hope the ISP will fix the inconsistency (or that the "innocent" user will realize his/her computer is doing things s/he never asked it to).
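
The reverse/forward DNS match described above, as an added example that is not the mail-server feature itself. The reply code 451 is an assumption (the page says only "temporary error"), and the DNS records in `PTR` and `FWD` are constructed so the check runs offline.

```python
import socket


def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of names (may be empty)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []


def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_client(ip, ptr=system_ptr, forward=system_forward):
    """Return (smtp_code, text): 250 to proceed, 451 (assumed) for a temporary error."""
    names = ptr(ip)
    if not names:
        return 451, f"no reverse DNS for {ip}; try again later"
    for name in names:
        # String comparison is enough for IPv4; normalise IPv6 text forms first.
        if ip in forward(name.rstrip(".")):
            return 250, f"{ip} confirmed as {name}"
    return 451, f"reverse DNS {names[0]} does not resolve back to {ip}"


# Constructed DNS data: one consistent host, one mismatch, one with no PTR at all.
PTR = {"192.0.2.10": ["mail.example.org"], "198.51.100.23": ["mx.example.com"]}
FWD = {"mail.example.org": {"192.0.2.10"}, "mx.example.com": {"203.0.113.80"}}


def demo():
    ptr = lambda ip: PTR.get(ip, [])
    fwd = lambda name: FWD.get(name, set())
    return [check_client(ip, ptr, fwd)[0]
            for ip in ("192.0.2.10", "198.51.100.23", "203.0.113.5")]
```

Because the rejection is temporary, a legitimate sending server keeps the message queued and retries, so mail is delivered once the DNS entries are corrected.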

Needless to say, not all JLC customers want to eliminate email from poorly configured email servers -- call our office (603/673-6132) if you'd like to investigate alternatives.

We return this error very roughly 50,000 times per day. (Yes, the spam problem has gotten that bad.)

We also "penalize" spam-friendly ISPs which give absolutely no useful response to reports of email abuse from their domain. This list has grown to about 200 domains, largely located in the Pacific Rim. It's harder to judge how many spams are stopped by this, but we judge it to be at least 10,000 per day, most of which would have gone to multiple mailboxes.

Recently, we have seen an explosion of viruses which turn computers of innocent users into open relays. We will very likely be forced to restrict outgoing port 25 traffic (sending email via other ISP's email servers, for example). We emphatically do not want to do this, and will avoid it for as long as possible, and will make exceptions for individual customers who understand how to take the necessary precautions.

In brief, you should configure your email application to never automatically open attachments, and never open an attachment manually just because you recognize the From address. Spammers are now routinely forging From addresses with known-valid email addresses at the same domain they spam to.

I really try to avoid political harangues, but Congress really is the opposite of progress on this issue. They keep looking at this as a problem similar to junk phone calls (by humans) where "opt-out" is a viable "solution" instead of as a problem similar to junk FAXes (by non-human auto-dialers) multiplied by a million due to the lesser cost of sending email. And they totally ignore the theft-of-services issue of using unwitting third parties to actually deliver the spam.

E-mailing your congress-critters is a total waste of time, alas. Phone calls -- enough phone calls, that is -- do have an effect. Individual letters used to have an effect, until the Anthrax scares. Nowadays, FAX pretty much has to be used instead.

Alas, I don't believe Congress could solve the problem. But SPAM needs to be classified a lot closer to junk FAXes; theft-of-services has to be punishable by fines which exceed the cost of proving the offense; and ISPs which take anti-spam measures need to be protected from nuisance lawsuits (which in several cases have caused ISPs to -- against their wishes and at serious damage to their reputations -- allow unrepentant spammers to use their services for months while the legal system argues over the meaning of each word in their Acceptable Usage Policy).

If we fixed those things, we could make a real dent in the spam originating in the United States. Alas, the spam from overseas would continue to grow; but with Congress no longer in the way, ISPs could try out new ways to deal with it...

For one example, is working on a system which would enable recipients to directly impose fines on the senders of unwanted messages (and delay email from senders that didn't promise to pay). There will be many other companies working on spam-reduction as well; and with Congress out of the way, some of them will succeed in the marketplace of ideas.

This page was last updated on 13 October 2002

Contact JLC Support at (603) 673-6132 for more information.
