---
Date: Tue, 21 Jan 2003 11:08:37 -0500
From: Rich Kulawiec <rskat_private>
To: Declan McCullagh <declanat_private>
Cc: Doug Isenberg <disenbergat_private>, bzsat_private
Subject: Re: FC: Can we stop Sen. Joseph Lieberman from spamming?

Oh, I'm gonna wade into this one with both feet. ;-)

On Mon, Jan 20, 2003 at 09:45:12PM -0500, Declan McCullagh wrote:
> You and your Politech readers may be interested in this analysis
> from the Duke Law & Technology Review: "Political E-mail: Protected Speech
> or Unwelcome Spam?,"

Posit: No such analysis is necessary: spam is NOT speech and therefore all of the debate we could have over what kind of speech it is, what protections it might or might not enjoy, etc. is irrelevant.

Spam is conduct: specifically, spam is conduct consisting of a denial-of-service attack which may or may not be targeted at users, systems, networks, mailing lists, or some combination of these, sometimes in small but often in very large quantities.

One of the first people to clearly articulate this was Barry Shein (who I've CC'd on this so that he might correct me if he feels I'm taking his comments out-of-context or otherwise mis-reading their intent):

	Denial of Service Attacks disguised as Spam
	http://www.cctec.com/maillists/nanog/historical/9801/msg00014.html

What he said several years ago is even more true today, as examples show up on a daily basis.

"Vanilla" spam (i.e. spam which does not have forged headers, does not hijack open relay or proxies, etc.) is similar to other forms of abuse which take resources that are made available for use in moderation and abuses them by excessive use. In that sense, it's closely related to abuses such as ping flood attacks, article "floods" posted to Usenet; exhaustive downloads of large FTP archives; and other activities. It doesn't make illegitimate use of resources: it makes excessive use of resources -- which it is a denial-of-service attack and should be treated as such.

"Sophisticated" spam (i.e. spam which uses forged headers, asymmetric routing, hijacked relays, hijacked proxies, and so on) compounds this by making illegitimate/unauthorized use of resources that belong neither to the sender nor the putative recipients. The legitimate owners and users of those intermediate systems are secondary victims of this attack, as they are also deprived of service, often to a large degree.

Three examples:

1. One of my mail servers endured a sustained attack from a spammer's system last week. That remote box, which I traced back to an IP address in Japan, made more than 11,000 unsuccessful attempts to stuff unwanted traffic into mine. (It did this overnight; when I woke up in the morning, I firewalled off the originating address.) But I still have to pay for the bandwidth that was used: that system is on a burstable circuit whose pricing structure is a flat fee plus a surcharge for additional traffic.

And -- in case you're wondering -- there's not the slightest question that it was spam: the only user account on that machine is mine, and it has never emitted a single mail message, so it couldn't possibly have signed up for anything. (The server exclusively handles mailing list traffic for a number of volunteer/non-profit organizations.)

2. I blocked all traffic from the well-known spammers at azoogle.com nearly a year ago. My mail servers return the correct response codes to every SMTP connection from them, indicating that access has been permanently denied; the text message which accompanies it indicates why. However, they're still pounding away multiple times per day, every day, on every mail server I have.
A small sample of abridged log entries from the last 24 hours:

	Jan 19 16:49:03 sendmail: arg1=transport23b.azoogle.com, arg2=66.197.140.226, reject=550 5.0.0
	Jan 19 17:23:41 sendmail: arg1=transport23e.azoogle.com, arg2=66.197.140.229, reject=550 5.0.0
	Jan 20 09:06:19 sendmail: arg1=transport12c.azoogle.com, arg2=66.197.140.72, reject=550 5.0.0

I have 12,814 more log entries just like that in my archives.

3. A few months ago, a spammer conducted a "dictionary" attack against a domain that I host. This means that they attempted delivery of their messages to:

	abcat_private
	abcdat_private
	abcdeat_private
	[...]
	a.smithat_private
	b.smithat_private
	c.smithat_private
	[...]
	asmithat_private
	bsmithat_private
	csmithat_private
	[...]
	joeat_private
	maryat_private
	jimat_private

for a very large number of probable usernames. I let this one go -- because it was on a circuit with extra bandwidth and was directed against a mail server that was otherwise idle, and because I was curious to see how long it would go on. When it was done, several million individual delivery attempts had been made -- from a couple thousand different IP addresses, meaning that the spammer(s) had also abused thousands of other systems while abusing mine -- and probably others: I doubt my system was the sole target.

[ end examples ]

This happens every day, all day. Spam-monitoring/tracking forums like the spam-l mailing list and Usenet newsgroup news.admin.net-abuse.email have a constant stream of reports like this. (And would have more if (a) more admins were aware of them (b) more admins were aware of what's being done to their systems/networks and (c) more admins could spare the time.)

My mail servers now reject more spam than they deliver mail. This, sadly, appears to be the trend.
I am compelled to spend my time and my money attempting to stave off the abuse: I will probably need to pay additional charges for more rack space in the next 1-3 months in order to install a proxy SMTP host/firewall and, of course, I have to purchase the machine, configure it, pay for the bandwidth it uses, etc.

And this is because -- unfortunately -- spam is NOT correctly treated as a denial-of-service attack, with all the ramifications that this implies, but is instead confused with the normal use of email for personal correspondence, ordinary mailing list traffic, order confirmations, and the thousand other legitimate uses of the SMTP protocol.

So while I find free speech debates interesting (a) because I took a couple of Constitutional law courses and now occasionally make the mistake of thinking I understand something and (b) because I value free speech highly and once put my job on the line to defend it, I don't think they're in the least bit relevant here: to go back to my opening statement, spam is conduct, not speech.

---Rsk

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------
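
Added example (not part of the original message and not written by its author): detection logic for the pattern in example 2 of the message, where a sender keeps connecting after permanent 550 rejections. It parses the abridged log format quoted there; the /24 grouping, the thresholds, the default year and the non-azoogle sample lines are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the abridged format quoted in the message; real sendmail logs differ.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) sendmail: "
    r"arg1=(?P<host>[^,]+), arg2=(?P<ip>[^,]+), reject=(?P<code>\d{3})\b")

def parse_rejects(lines, year=2003):
    """Yield (time, host, ip, code) per reject line; skip anything unparseable."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            # The log lines carry no year, so the caller supplies one (assumption).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        yield ts, m["host"], ip, int(m["code"])

def persistent_senders(lines, min_hits=3, min_span=timedelta(hours=12)):
    """Return /24 networks that keep connecting after permanent (5xx) rejects."""
    seen = defaultdict(list)
    for ts, host, ip, code in parse_rejects(lines):
        if 500 <= code <= 599 and ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            seen[str(net)].append((ts, host))
    report = {}
    for net, hits in seen.items():
        times = sorted(t for t, _ in hits)
        span = times[-1] - times[0]
        if len(hits) >= min_hits and span >= min_span:
            report[net] = {"hits": len(hits), "span": span,
                           "hosts": sorted({h for _, h in hits})}
    return report

SAMPLE = [  # first three lines are quoted in the message; the rest are constructed
    "Jan 19 16:49:03 sendmail: arg1=transport23b.azoogle.com, arg2=66.197.140.226, reject=550 5.0.0",
    "Jan 19 17:23:41 sendmail: arg1=transport23e.azoogle.com, arg2=66.197.140.229, reject=550 5.0.0",
    "Jan 20 09:06:19 sendmail: arg1=transport12c.azoogle.com, arg2=66.197.140.72, reject=550 5.0.0",
    "Jan 20 03:10:00 sendmail: arg1=mail.example.net, arg2=192.0.2.10, reject=550 5.0.0",
    "Jan 20 03:10:05 sendmail: arg1=mx.example.org, arg2=198.51.100.7, reject=451 4.7.1",
    "Jan 20 03:11:00 sendmail: this line does not match the reject format",
]

if __name__ == "__main__":
    for net, info in persistent_senders(SAMPLE).items():
        print(net, info["hits"], info["span"], ", ".join(info["hosts"]))
```

Grouping by /24 matters here because the three quoted rejections come from three different addresses in the same block; counting per address would miss the repeat sender.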