hiding e-mail addresses needed badly

Terry Lambert tlambert2 at mindspring.com
Fri Oct 17 03:04:48 PDT 2003


Moved to -chat...

Peter Jeremy wrote:
> On 2003-Oct-16 11:29:36 -0700, Terry Lambert <tlambert2 at mindspring.com> wrote:
> >Earthlink often sucks in terms of customer service.  If they would
> >just designate a couple of common markers as "known SPAM", the
> >problem would have gone away
> 
> There's a fine line between 'blocking a couple of common markers'
> and arbitrarily blocking domains, IP addresses and all mails containing
> specific words - which some large ISPs do.  What's needed is a filter
> system that allows users to control what they receive - not one where
> the ISP gets to decide what is/isn't delivered.

The problem with a "filter system" is the CPU overhead, and the
fact that it doesn't scale nearly as well as a non-filtered system.

You are talking about more CPU's which means more initial cost, and
more overhead for rack space, power, etc..

There are several services which do this for people, but they are
not very easy to use, and they tend to work only if your email
address is reachable by a domain name, and then the mail is only
forwarded to a single address -- and that address refuses all
mail.

What I was talking about was adding 4 lines to the EXIM config on
Earthlink's inbound email servers to filter based on the body of
a message without MIME decoding, which they already do, for a
specific pattern of "Content-Type:" with ".exe" or ".scr" in it,
anchored at the start of a line.

This is a tradeoff for them between the processing for the
delivery of these messages to 20 of their subscribers at a time
vs. spending that time instead running a precompiled regular
expression over a line that they are examining for the purposes
of SPAM filtering anyway.


> When W32.Swen first hit, I was getting "mailbox near quota" messages
> if I didn't empty my home mailbox for about 8 hours.

Oh yeah, that's also just so incredibly brilliant: "your mailbox
has too many messages in it, so we're going to send you a message
complaining about people sending you messages, so that you use up
more of what you're close to running out of in the first place".


> I asked my ISP
> when they would be implementing something to let me control what was
> delivered into my mailbox and eventually managed to get a "we're
> looking into the problem" response.  I started running fetchmail as a
> work-around (which stops the quota DOS but does nothing to help my
> download bandwidth).  AFAIK, they still haven't done anything.

My download bandwidth is no longer a problem: I wrote a program
that could identify the messages without fully downloading them,
and delete them (as I said before: using an octet count from the
"list" command, followed by a "head" command on the messages that
met the size range criteria for the offending content).  You
should probably consider doing something like that, instead of
using "fetchmail".


> And Australia's biggest ISP (Telstra BigPond) is currently getting
> unfavourable mentions in Parliament and the media because its e-mail
> system can't cope - users are claiming e-mails are being delayed a
> week or more, or just aren't arriving.

Of course they are.  Broadband providers are notorious for
stopping development when they get to "it barely works", and
ignoring scalability issues until they absolutely have to deal
with them by rewriting the code.  It's one of the reasons we
modified the sendmail sources before we deployed the IBM Web
Connections NOC in Rochester, NY: we cared about scalability.


> >people forced to use Earthlink ("forced", because no matter where
> >I go, Earthlink buys up my damn ISP -- no one talks about *that*
> >monoculture being a threat).
> 
> Mumble years ago, I heard a talk on this phenomenon.  The problem
> boils down to ISP interconnect agreements - they generally wind up
> meaning the small ISP has to pay the big ISP (or Internet wholesaler)
> whatever the big ISP asks because their customers need to exchange
> packets with IP addresses "owned" by the big ISP and the big ISP
> doesn't have as much incentive to route packets to the smaller ISP.
> This is a positive feedback loop with the bigger ISP absorbing all the
> smaller ones.

Yeah, the peering requirements were/are almost as stupid as the
ATM access fees that banks charge each other, pass onto the
customers, and, based on statistical averages, cost them equal
to what they cost other people, and then pass the fees onto the
customers and pocket them.  I fought against charging for the
peering, back when it first happened (because of UUNET thinking
they could drive all their competition out of business with the
fees).  ATM fees still piss me off, since I know for a fact that
bank ATM's save them money on tellers, and that there's a strong
statistical correlation (within a fraction of an order of
magnitude) between number of customers vs. number of ATMs a bank
has, so, on average, there's no overall differential cost to them,
and they are making money off both the fees and their ability to
hire fewer human beings.


> Optus Internet (my home ISP) state that they block incoming traffic
> to TCP/25 to prevent them being black-listed for allowing
> people to run promiscuous SMTP relays.  This is probably at least
> partly true.

That's BS.  The issue is their delegation.  If they delegate the
address to a customer, then it's the customer who gets blocked by
the blacklists, not them.  If they are handing out IP delegations,
then they aren't an ISP any more, they're an NSP.  That's like
saying Sprint or ARIN block port 25 to avoid being blacklisted.
Blacklisting occurs at the delegation level.

To take this to the logical conclusion: I don't know of a single
blacklist that's blacklisted the entire IP address space because
the U.S. top level authority refused to blacklist Sprint because
Sprint refused to blacklist some NSP because they refused to
blacklist some other NSP because they refused to blacklist some
ISP because they refused to blacklist some individual schmuck.

You blacklist an ISP when they *don't* delegate, such that there
is no way to know which of the ISP's IP addresses the schmuck
will use next.

Blacklisting works because it works against either the schmuck,
or the organization immediately above the schmuck -- by way of
either diking the schmuck himself out of the Internet, or diking
the next guy up from the schmuck out of the Internet, so that
the schmuck's peers who are hurt by it can bring pressure to
bear on the ISP.

If you can directly dike out the schmuck, then there's no need
to escalate to the next level up.


> >  A non-quotaed maildrop would fix it.
> 
> How do you stop the weenies never deleting e-mail so their mailboxes
> grow indefinitely?

You push mail down onto their machines, instead of waiting around
for them to come pick it up.

When you've queued up all you can accept, you return a *400* error,
not a *500* error (which is what Earthlink returns: "permanent
failure: don't try again"), and the blockage propagates up the
queue chain until the original sender gets an immediate error on
an attempt to send: "The message cannot be queued for address XYZ,
try sending your message again later".


> A better solution would be a soft-quota'd maildrop.  As long as
> you get to it every few days you don't get DOS'd but if you never
> delete your mail you get bitten.  Of course, from an ISP
> perspective, there's the problem of several thousand mailboxes
> each receiving several hundred 200KB mails each day - that's an awful
> lot of maildrop disk space to have to find in a hurry.

Yes.  It's all about queue size and pool retention time.  No
matter how big/small you make the queue quota (it doesn't matter
if the mail is sitting in the queue undelivered because of the
quota, or sitting in their maildrop: it's still taking you disk
space, as an ISP, isn't it?), you have this problem.


> >Can you imagine if someone wrote one of these things to *actively*
> >target an ISP with a stupid network topology like Earthlink?
> 
> Do you know of any ISPs that do a better job of upstream filtering?

Yes, several.  I had one that did.  It got bought by a company
that left it alone that got bought by Global Crossing, that left
it mostly alone, that sold their dialup customers up for a round
of funding to support the stupid idea of building out a high
bandwidth network, even though it was after the collapse, to
Mindspring, who mostly broke things by getting rid of shell
accounts, who sold it to Earthlink, who can't even stop worms
transiting their mail servers into users' maildrops, and whose
customer service is mostly off shore, technically inept, and unable
to effect changes to servers, even if they weren't separated from
the servers by an ocean and their own skill set.

AOL has a reputation of blocking most SPAM these days.

Everyone's moving from store-and-forward to store-and-wait-for-pickup
these days because it's cheaper to run a simpler infrastructure,
but the long term cost is their susceptibility to denial of service
attacks, which is going to cost them customers in the long run.

I have to wonder if the $9.95/month AOL dialup is going to have
the same Anti-SPAM features as regular AOL; if so, I'll probably
become a "me too! me too!", as much self loathing as that may cause.

> >You could drive the company out of business by chasing all their
> >subscribers away by denying them the ability to receive communications
> >from almost anyone else on the Internet.  I'm really surprised these
> >idiots are unwilling to do anything about saving their business model
> >from extinction.
> 
> The problem is that it doesn't really hurt the ISP - they (typically)
> charge for downlink usage, so they're making more money by not blocking
> SPAM.  The customers have to put up with it because they know the
> competing ISPs aren't any better.

In the US, there are not metered telephone rates, unless you are
a business, or explicitly request a metered tariff: they are all
flat rate local calls, and usage isn't metered.  Packets aren't
like water: unused packets don't build up a surplus of packets
that can be sold later, and it doesn't cost to dig a well to get
the packets in the first place, or a purification plant to purify
them.  The cost is the same whether the wires are used or not,
and a router's chips slowly cook and motherboards become dusty and
short out no matter what.

So in the US, yes, in fact, SPAM does cost them money, and they can
not pass the cost onto their customers except as "fixed overhead"
amortized among all of them.  So they have an incentive to keep
customers, which means keeping them happy, and providing the
service they are being paid to provide.

You very easily could target any major US ISP with a worm that
DDOS'ed their users' POP3 maildrops, and caused those users to
go elsewhere for their service.

The amusing thing is that broadband doesn't help alleviate the
problem for the ISP at all: if your computer isn't on, except
when you are using it, then your maildrop has time to fill up
and you lose.  If it's on all the time, then you're a juicy
target, and you lose.  Either way, unless you can deal with
the issue of pool retention time and pool size, you lose.

SWEN.A and similar worms delete their own messages from an
infected user's mailbox, so they don't see them, and remain an
effective "carrier" for propagating them.  But...

I guess now I'm just waiting for someone to target an ISP and
put it out of business with a worm that sends a large message
to a user infected with the worm, and then pretends not to
see it (and doesn't delete it, either) when the user goes to
download mail.  If that happens once or twice, maybe we'll see
ISP's start to fix things.

> "Death of USENET predicted ... Film at 11" can probably be updated.

Probably.

-- Terry
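
An added example, not part of the original message and not the program it mentions: a sketch of the client-side cleanup described above (octet counts from LIST, then TOP on messages in the size window), reusing the line-anchored "Content-Type:" pattern with ".exe" or ".scr" from the Exim paragraph. The size window, the number of lines fetched, the function names and the joining of folded header lines are assumptions made for this sketch.

```python
import re

# Assumed values, not from the post: the size window for the offending
# content and how many body lines TOP should return.
SIZE_RANGE = (140_000, 170_000)
TOP_LINES = 40

# "Content-Type:" anchored at the start of a line, with .exe or .scr in it.
PATTERN = re.compile(rb"^Content-Type:.*\.(?:exe|scr)\b", re.I | re.M)

def candidates(list_lines, size_range=SIZE_RANGE):
    """Message numbers whose LIST octet count falls inside the size window."""
    lo, hi = size_range
    picked = []
    for line in list_lines:              # each line is b"<msgnum> <octets>"
        num, octets = line.split()[:2]
        if lo <= int(octets) <= hi:
            picked.append(int(num))
    return picked

def looks_offending(top_lines):
    """Apply the pattern to raw lines (no MIME decoding).

    Folded continuation lines are joined first, because the file name
    often sits on the line after "Content-Type:".
    """
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", b"\n".join(top_lines))
    return PATTERN.search(unfolded) is not None

def purge(conn, size_range=SIZE_RANGE, top_lines=TOP_LINES):
    """conn is a poplib.POP3-style object; returns the numbers marked deleted."""
    deleted = []
    _, listing, _ = conn.list()
    for num in candidates(listing, size_range):
        _, lines, _ = conn.top(num, top_lines)   # headers plus a few body lines
        if looks_offending(lines):
            conn.dele(num)
            deleted.append(num)
    return deleted
```

Pass `purge` a logged-in `poplib.POP3` or `poplib.POP3_SSL` connection; the server only commits the deletions when the session ends with `quit()`.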


More information about the freebsd-chat mailing list