
Operating relay scanners violates US Federal law in some cases, and is a violation of nearly all ISPs' AUPs, which prohibit scanning for security vulnerabilities without proper authorization. Scanning a non-public federal computer is immediately a violation of 18 USC 1030(a)(3), as has been done by MAPS, and perhaps others.
Relay Scanners are criminal organizations with a complete disregard and contempt for US Federal Law.
Relay scanners are the spammers. Much of the relay abuse is of a non-commercial nature. It may appear commercial on the surface, but a closer investigation reveals there is no commercial intent whatsoever. This type of abuse is performed by self-labeled anti-spammers in order to make the spam situation worse, and annoy people into banning spam. After many years, this hasn't succeeded.
Whatever you do, do not sign up for Open Relay block services. A properly configured spam filter doesn't need to use such a list. See below. Also, in the US, it is illegal for ISPs to intentionally block legitimate mail. Blocking another ISP's relay servers is illegal. See 18 USC 2701(a)(2). If you are a private domain, or private company, there are no such restrictions unless you have users with whom you have an agreement that constrains you to filter only spam, for example. These services are basically protection rackets. The "service" advertises relays to abuse, and then offers the "solution" to the problem. Often, they will target a site, and spam them until the site subscribes. If you subscribe to the right service (the one spamming you), you will get a tremendous decrease in your spam load. The wrong service (which doesn't have the same relay list) won't help much.
We've found, by seeding fake relays into these systems and logging all connections and scanning activity, that they solicit abuse, though they claim this is unintentional. Only the relay scanner will scan the submitted site, and once listed, it starts getting connections from abusers.
A well configured spam filter should not be fooled by a relay, open or closed. A simple procmail script will feed all the IP addresses in the headers of the message to your favorite spam source list. A better method seems to be using context scanners such as Vipul's Razor. Context scanners are also unaffected by relay use.
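The header-walking check described above, as an added example that is not the page's own procmail script: it pulls every IP address out of the Received: headers of a constructed sample message and asks a DNS-based source list about each hop, so a listed client is caught whether or not it went through a relay. The list zone dnsbl.example, its answer table and the sample message are placeholders constructed for this example; a live filter would swap in a real resolver.

```python
import email
import re
from typing import Callable, List, Optional

# Constructed sample message (not a real capture). The outer Received: hop is the
# relay that handed us the message; the inner hop is the client that submitted it.
SAMPLE_MESSAGE = b"""\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Tue, 4 Apr 2000 10:00:00 -0400
Received: from dialup-pool.example (dialup-pool.example [198.51.100.77])
\tby relay.example.net with SMTP id xyz789; Tue, 4 Apr 2000 09:59:00 -0400
From: sender@example.com
To: user@example.org
Subject: hello

body text
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_ips(raw: bytes) -> List[str]:
    """Every IPv4 address in the Received: headers, outermost hop first, de-duplicated.
    Only trace headers are searched, so addresses in the body or From:/To: are ignored."""
    msg = email.message_from_bytes(raw)
    seen, found = set(), []
    for header in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(header):
            if ip not in seen and all(int(o) < 256 for o in ip.split(".")):
                seen.add(ip)
                found.append(ip)
    return found

def dnsbl_name(ip: str, zone: str) -> str:
    """Standard DNSBL query name: octets reversed, list zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def listed_ips(raw: bytes, zone: str, resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Hops whose address the list answers for. Checking every hop, not only the
    connecting client, is what makes the filter indifferent to relaying."""
    return [ip for ip in received_ips(raw) if resolve(dnsbl_name(ip, zone)) is not None]

# Constructed answer table standing in for the list's DNS zone so this runs offline;
# dnsbl.example is a placeholder zone. A live filter would use socket.gethostbyname(name)
# and treat socket.gaierror as "not listed".
FAKE_ZONE = {"77.100.51.198.dnsbl.example": "127.0.0.2"}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)

def verdict(raw: bytes, zone: str, resolve: Callable[[str], Optional[str]]) -> str:
    """'spam' if any hop is listed, else 'ok'; a procmail recipe can act on this."""
    return "spam" if listed_ips(raw, zone, resolve) else "ok"
```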
Very little (almost none) of the spam is blocked by the ORBS/RSS service.
The users of ORBS/RSS are radical antispammers, who are also the principal abusers of the relay. This is all the mail blocked with an SMTP "550 service unavailable" in the last 48 hours. This is the whole log of all blocked email. I looked through it, and didn't see any of our emails getting blocked by anyone. During this time, we've had a number of unauthorized relays originating from a German ISP (we've submitted complaints to them; they are investigating). All bounces came from aol.de and yahoo.de, which have per-user configurable blocking. All were sent by the abusers to their list of annoyance addresses.
The abusers were timo.poelzer@t-online.de, fleischmann.steffen@t-online.de, and manzo@t-online.de. t-online appears to selectively use ORBS/RSS, as mail to abuse@t-online.de was not blocked. In total, these abusers used 28 different IP addresses, and sent 4748 (the number may be more like 20,000; 4 analysis jobs are still running) annoyance messages. A total of 330 were blocked, and only 136 were to people other than these abusers. Only 2% are blocked by ORBS/RSS. The remaining 194 were the abusers blocking the bounces caused by their own abuse. The abusers use ORBS/RSS to protect themselves from their own abuse. ORBS/RSS basically just protects antispammer abusers.
It seems that spammers may have stopped using relays, and the only abusers now are antispammers.
ORBS, IRMSS, and MAPS RSS have decided to advertise our relay services as "Free Services to spammers". Our relay is not free.
However, this advertising has resulted in damages which we intend to recover from the spammers and the sites that incited the damages.
We have operated relay services for our customers since 1995. Until ORBS started advertising our service (after a discussion on SPAM-L about the legitimate uses of relay services) in 1999, we had no unauthorized relays; since then, the number has gone from none to several per week.
Yes, spammers have abused our relay, but only after rogue antispammers gave out the address. These so-called "anti-spammers" are responsible for this abuse.
They do not need to give out lists of relays to perform their stated purpose, which is allegedly to permit sysadmins to decide not to accept mail from sites that relay. To accomplish that purpose, all they need is to offer a DNS lookup (and deny zone transfers). For a long time, this was how MAPS operated to block spam sources, though originally MAPS didn't block relays, only spam sources. To get the entire list of spam sources from MAPS, one needed to sign an NDA. Now MAPS has gone rogue, and is giving out lists of relays to spammers. The RSS is not covered by NDA, and anyone can get this list and start exploiting relay services.
Spammers do not have the resources to scan the net searching out relays. ORBS, IRMSS, and MAPS RSS provide this service for the spammer by giving spammers lists of relays they can use.
We use our relay services as part of our business. They are not free, except to paying customers who have pre-existing accounts. We will not terminate this business area because of extortion or attacks by either spammers or radical anti-spammers. Instead, we will pursue all legal options including civil and criminal complaints.
So far, we have succeeded in getting IRMSS shut down. We have forced ORBS to change uplink routing and IP addresses several times. In the past, we have thought that MAPS was a responsible agency. Unfortunately, it has decided to abandon legal and responsible anti-spam activity, which makes it a rogue organization.
ORBS/MAPS is blocked already by a number of ISPs. They have changed IPs to avoid blocks. ORBS probing of government computers variously violates 18 USC 1030 section 2(b), 2(c), and 3. By falsely advertising sites as offering free relay services they conspire with spammers to enable spammers to violate the letter and spirit of 1030 section 4, enabling spammers to send spam in amounts less than criminal violations of section 4. This is still a fraud, which ORBS/MAPS furthers. By furthering subsequent frauds, MAPS/ORBS probing of non-government computers violates section 4. ORBS/MAPS are part of the fraudulent group stealing resources, the sum of which is more than $5000. In violation of 18 USC 1030 section 7, ORBS/MAPS has attempted to extort from us our relay service and associated business by threatening the advertisement of our relay to spammers and others who would damage our services and/or use our relay service without authorization unless we submit to their demands. The false advertising of our relay services as being free violates various state laws covering fraud, not to mention it infringes on trademarks, which a new federal law will hold ISPs responsible for.
We ask that you block access to or from the following addresses for all of your customer and internal connections:
access-list 104 deny ip 202.36.148.0 0.0.0.255 any
access-list 104 deny ip 202.36.147.0 0.0.0.255 any
access-list 104 deny ip 204.152.184.0 0.0.0.255 any
Or if you have routers which can't use access lists:
ip route 202.36.148.0 255.255.255.0 Null0
ip route 202.36.147.0 255.255.255.0 Null0
ip route 204.152.184.0 255.255.255.0 Null0
There are some things that we can do. It is clearly a good idea to limit the number of relay servers to those that need to relay. Originally, sendmail was configured by default to relay. This made finding a relay as easy as finding a Unix machine. That is no longer the case. It is also clearly a good idea to police the operation of a necessary relay, and to make complaints about its abuse when abuse is discovered. We do these things.
The original spammer was cyberpromo. They had a T1 with AGIS. After months of DoS attacks on cyberpromo and AGIS itself, AGIS disconnected cyberpromo. This "success" probably gave the antispammers the encouragement to break the law and engage in illegal activity to further their goals.
The antispammers have decided that spammers have been using relays to get around their dialup filters. While this isn't true in general (I saved all spam I got for over a year. Not very much was relayed), some spam certainly has been relayed. Relays can be used to get around some kinds of filters (such as dialup IP blocks).
Back when sendmail was configured to relay by default, it was easy for spammers to find a relay to abuse. And the spammer could get several more advantages from the relay in the old days: avoid return flame mail by concealing their (fixed) IP address and domain, as well as avoid DoS attacks on the spammer. In the old days, sendmail didn't put the client address in the message headers, so it was difficult to find out where the email originated from, because only the relay administrator had access to the sendmail logs. Years ago, there were many unnecessary relays, and spammers gained more benefits from them. People were unwilling to change the configuration of non-critical workstations from what the manufacturer provided. There was justification for shutting down unnecessary relays. But that justification is long gone.
But for several years now, the connecting client's address has been put in the headers of the relayed message, so the recipient can see the address of the original sender. Relay or no relay, today the spammer account is quickly and easily found and terminated. Today, spammers don't spam from leased lines or anything that has a substantial installation fee or long lead time. Today, few systems relay by default, and relatively few unnecessary relays exist. Finding these relays is now well beyond the capacity of a college student spammer to search out themselves. Brute force searches would also be difficult to hide. ORBS only scanned a small fraction of the internet.
Yet some radicals still search out and aggressively attack anyone with a relay. They are often blocked in this effort. I have begun to suspect that these radical antispammers are not antispammers at all, but spammers seeking to distribute information from a central site to the college student senders, to provide a cover for their search efforts, and to co-opt naive antispammers into helping them.
SMTP is one of the original internet protocols, and it is not easy to modify. It has a huge worldwide installed base. Any change that makes it incompatible with previous (unauthenticated) versions will be incredibly difficult to deploy. If one deploys an incompatible change, one would not be able to communicate with those using the previous version. So the entire world has to get the capability, then everyone can exchange email with the new protocol. Blocking spam was not one of its original design goals, and so it doesn't have authentication. While there are some efforts to add authentication to the protocol, there is still the problem of deployment, which will take years, and then the problem of distributing authentication. Not only does everyone in the world need an authenticator, but other problems such as "How does one authenticate a pager?", are unsolved. These are hard problems, and may be technically or practically impossible to solve.
Even if authentication is added to sendmail, it is likely that a large number of devices such as pagers, phones, appliances, etc. will automatically "have authentication", and will be able to send spam, or rather, email from which one does not know the true originator.
A much easier, but still hard, problem is to authenticate and verify every person/entity/listserver/etc with which a single person sends email. Imagine the processing load if all email had to be authenticated/pgp verified by the email servers it passed through.
It will never be technically impossible to send spam
or stated another way
It will never be technically possible to completely suppress spam
The demands by antispammers to completely suppress spam are unrealistic.
Relays are necessary in some circumstances. Not everyone needs a relay. In fact, relatively few sites need relays that are not behind a firewall. However, if one outsources, then services that might ordinarily be done behind a firewall need to be done with general internet connectivity. One such case is roaming consultants, and remotely located machines that send email ("Distributed Virtual Companies"). Indeed, since relays are quite common behind firewalls at larger companies, and the trend is to outsource these services and use the general internet, these formerly internal relays must move outside the firewall. So the number of necessary relays will likely increase over time. Basically, what the radicals are saying is that we shouldn't do outsourcing, nor should we send consultants out to companies and have those consultants use our mailserver, nor should we service such "distributed companies". The radicals demand that we radically change the business we do, and ignore future business opportunities and new business models in order to further their (unrealistic) goal of completely suppressing spam.
When spammers send spam, their accounts can be (and are) terminated.
When spammers use relays without authorization, they can be billed for that use.
When spammers send email to services, or use relays without authorization, they can be told to stop. And stop they must. Court cases have upheld this.
Of course, these things don't completely suppress spam. Nor are they likely to. It is questionable if they even reduce it.
Cyberpromo's disconnection caused spammers to use dialups, which make it difficult to identify the spammer after the account is terminated. Thus it is hard now to demand of a spammer to stop sending email. Before cyberpromo was disconnected, there was much discussion of this on various lists concerning ISP's. I tried to reason with the radical antispammers that getting cyberpromo disconnected wouldn't accomplish anything and would just make the situation worse for everyone but spammers. Cyberpromo was a known, fixed domain and IP. If you didn't like it, you could block it. Get cyberpromo disconnected, and they'll just do something harder to block. The radicals were unconcerned. Unfortunately, I was right. Ironically, the dialup accounts were cheaper than the leased lines. Not only did the radical antispammers make things worse for people who didn't want to get spam, but they made things better for spammers as a result.
While cyberpromo did lose court cases (Cyberpromo vs. AOL) where they were sued to stop sending spam after requests to stop, the suits aren't what got them disconnected. AGIS was repeatedly DoS attacked, and AGIS finally gave in and disconnected cyberpromo to get the attacks to stop. Note also that AOL was one of the providers promising that users wouldn't get spam. I've discovered that AOL is however one of the largest sources of spam. Adding AOL to our own blocks (except for AOL MX servers) has reduced our relay abuse a great deal. It is hard to say whether these attacks were in collusion with ORBS/MAPS, but some relays did trace to what appear to be internal AOL machines. We were also able to trace one repeat abuser back to Verio's staff. After several complaints to Verio, that person was fired (he notified me of this via email).
Legislation
Some years ago, when disk space was expensive and modems were slow, there was an opportunity to get legislation through, in cooperation with certain of the more legitimate email advertisers, that would place certain limitations on spam and would also limit interstate frauds, MLM, pornography and other activities. There are a number of things that are prohibited if conducted by the postal mail, but for which email and ecash could provide a loophole. I had a better idea. I tried to persuade people to get legislation that would be passable, and would solve the problem.
There was a compromise solution. I argued years ago that spam (like junk postal mail) annoys some more than others, and it would be a good compromise to get the spammers not to send advertisements to those who don't want them. Clearly, some people are buying products advertised through spam, so those people must not object very much. I pointed out that the US Post Office has a similar program for those who don't want junk mail, and that the direct mail industry abides by the agreement. Anyone who goes to the post office and fills out a form will never get unsolicited junk mail ever again. Instead the radicals unreasonably demanded a total ban on all commercial email. The radical antispammers shot down the compromise to hold out for a total ban.
If no one bought products, then spam would just go away on its own. After many years, it hasn't. So one (perhaps a congressman) would conclude that enough people "like" spam to justify its existence. As soon as a group of legislators begin considering the idea, the opponents to a ban will show up. Antispammers will not be allowed to physically or electronically suppress them. And compromises like the Post Office junk mail solution will be considered. As a practical matter, one must conclude that spam will not be banned entirely. A compromise must be found and agreed upon, or the situation will stay the same or possibly get worse. If it gets worse, it will reflect poorly on those who denied compromise, and made things worse.
Of course, now even the "legitimate" advertisers (those with real products and not frauds) have gone offline, and basically utilize college students to send spam from cheap disposable dialup accounts. So it would be difficult to engage any in a compromise discussion. It seems clear however that the direct mail lobby has a strong presence on Capitol Hill, and all unilateral anti-spam measures have failed. In states where antispam measures passed, they have mostly been to prevent frauds, and do not block all commercial email.
And the situation has changed: It is no longer expensive to store or download spam. It is just an annoyance. Yet the radical antispammers still think that through terrorism (attacking relays, and anyone else who stands in their way), they can win. After years of being wrong, they are still wrong.