
You've Got Spam: AOL Blocks 1/2 Trillion Spam

yohaas writes "Yahoo! News is reporting that AOL blocked more than 500 billion spam messages for its users in 2003. That comes to 40 messages a day per user. The company regularly blocks 75-80% of all incoming mail as spam! The article also lists the top 10 spam phrases for the year, including such come-ons as: 'Viagra online', 'Online pharmacy', 'Get out of debt' and 'Get bigger'."
This discussion has been archived. No new comments can be posted.

  • Imagine. (Score:5, Interesting)

    by __aavhli5779 ( 690619 ) * on Saturday January 03, 2004 @01:06AM (#7865520) Journal
    It's been suggested in nanae [admin.net-abuse.email] that as a brutal display of the efficacy of spam-fighting and, most importantly, blocklisting, major ISPs all simultaneously turn off their spam defenses for a day to show users just how much UCE spew is clogging the internet every day.

    Of course, the idea is repeatedly turned down for its utter lack of pragmatism.

    But damn, 500 billion spams, and that's only to AOL.

    Just imagine.

    The instant clogging of mail-servers around the world and subsequent technological disruption might actually get the general computer-using public to take more of an interest in the fact that around 200 gangs of people are effectively raping and pillaging the Internet right under their eyes.

    But then again, what can one do when faced with the Tragedy of the Commons?
  • by millisa ( 151093 ) on Saturday January 03, 2004 @01:17AM (#7865558)
    I just took a gander at my logs on my postfix-amavisd-spamassassin front ends for one of my smaller ISPs and after doing the math, it's blocking ~36 spam/user/day on average (with spamassassin only blocking at score 9+). It doesn't surprise me that AOL is getting somewhere around ~40 spam/user/day as it is more widely visible and the userbase as a whole is generally a lot more likely to do things that would encourage spammers . . .
  • by bjarvis354 ( 319402 ) * on Saturday January 03, 2004 @01:17AM (#7865561) Homepage
    Except for the fact that the Post Office probably makes a few hundred million off the postage from AOL...And AOL probably gets a kickback from the Spammers who get through...hmmm.

  • My own score (Score:4, Interesting)

    by PD ( 9577 ) * <slashdotlinux@pdrap.org> on Saturday January 03, 2004 @01:20AM (#7865576) Homepage Journal
    In 2003 Spamprobe blocked just over 12000 on my personal domain, which is low compared to many others.
  • Hmmm (Score:2, Interesting)

    by Christoff84 ( 707146 ) on Saturday January 03, 2004 @01:22AM (#7865584) Journal
    Of that half trillion emails, I wonder how many of them originated inside AOL itself.

    All those 1000 hour free CDs being put to use in the wrong hands...
  • Only Spam? (Score:5, Interesting)

    by Spacejock ( 727523 ) on Saturday January 03, 2004 @01:25AM (#7865601)
    iiNet is one of the largest ISPs in Australia (third or fourth now, I think). I got an advisory yesterday saying AOL and RR had both blocked all inbound mail from iinet as 'spam'. They can crow about 500 billion mails all they like, but if a lot of it involves turning off mail from whole slabs of legitimate users, then it's not much of a service. The other thing is, if spammers are using trojans to create spam relays, then it's a bit hard to blame a particular ISP if a bunch of their users have been infected with this stuff. iiNet has a policy of advising users when they appear to be infected, they're cluey people too, they run everything on Debian as far as I can tell, and they have local mirrors for many Linux distros etc. I guess what I'm saying is that if you're going to block an ISP's mail you'd start with clueless behemoths who don't give a damn. Anyway, they appear to have a work-around in place, but RR is still blocking.

    Simon
  • by GhostGuy ( 708750 ) on Saturday January 03, 2004 @01:31AM (#7865625)
    "That comes to 40 messages a day per user" Wow, anyone who gets 40 spam emails a day must not be very smart. Or their friends must not be very smart and put people's names on those "Tell your friends" things (You know, you see a short clip or something and it has like 10 slots underneath for friends' e-mail addresses). If anybody gets a lot of spam, it is usually their fault. I get on average 2 spam emails per day (The most I have gotten in a long time is about 5), and I don't even use any sort of spam blocker/filter. For those of you who get mass spam, here is a hint. For things where you have to enter your e-mail address (Aside from shopping from legit sites or other highly legitimate things), but you don't have any use for mail from them, enter the address of a secondary account you set up for that purpose. That way, if there is confirmation required, you can sign on your secondary account, do any verification required, and never have to read any other spam you may get from that company and/or any companies that may buy your address from the original company.
  • by Alan Hicks ( 660661 ) on Saturday January 03, 2004 @01:31AM (#7865630) Homepage
    When they started blocking "unknown relays" they dropped a pile of legitimate email

    Legitimate e-mail shouldn't be coming through an unknown relay. Really, your e-mail server should be set up with a proper reverse lookup. There is absolutely nothing wrong with denying mail from unknown e-mail servers (e-mail servers that don't reverse look-up to the correct name). Many people and ISPs do this specifically to get rid of SPAM, as anyone running a real mail server should be spending the time to set up his e-mail server correctly.

  • by Jah-Wren Ryel ( 80510 ) on Saturday January 03, 2004 @01:36AM (#7865646)
    Although funny, it is also true. AOL has been randomly blocking entire ISPs - my hosting service's outgoing SMTP server was arbitrarily blocked by AOL for a total of about a month back around October. My hosting service had absolutely no violations of any kind, and after 2-3 weeks of bitching and voice-mail-hell, AOL did finally respond, agree that they were not big-bad-purveyors-of-donkey-dick and unblocked them... Only to reblock them again in about 10 days, at which point my hosting service had to start all over again with them. It seems like the second time was the charm since I just sent email to an AOL user today and it didn't bounce (maybe AOL is now silently eating email instead of bouncing, that sure wouldn't make my life easier).

    Anyway, from what I read on the net my hosting provider's experience with AOL's blocking of incoming SMTP connections is not out of the ordinary, many, maybe hundreds, of "little guys" have had the same experience. Makes me want to know the false positive rate for their spam blocking -- I'm willing to bet that AOL themselves don't even know the answer to that one.
  • Stopping spam. (Score:5, Interesting)

    by DarkHelmet ( 120004 ) <mark&seventhcycle,net> on Saturday January 03, 2004 @01:39AM (#7865663) Homepage

    Note: I did some thinking earlier on spam, and I figured I would post this the next time slashdot does a story on spam... You can find a link to this at:

    http://sillygoth.com/journal/21669 [sillygoth.com]

    This is my writing... I just want some feedback on it from the slashdot crowd.

    Okay...

    One of the things that I've been tired of recently is dealing with lots and lots of spam in my inbox. I've become even more tired of hearing about how there's a lack of solutions for dealing with it. It's one of the things that slashdot has been endlessly parading about.

    To me, the primary problem with spam is that emails are too easily spoofable. Solve this, and spam will become *much* more manageable.

    So, what technology is there right now that deals with certifying legitimacy?

    Digital Certificates!

    When you go to a site that's protected with https, the owners of the site usually have to get a certificate from a trusted source (Verisign, Thawte, etc) signifying that the site is legitimate (so that you don't end up giving credit card information to someone fronting for that company).

    You actually *can* get a digital certificate for your email, but it costs money. Plus, to make something like that mandatory, each user would have to set up a certificate individually. Evil.

    Why not move authentication to the domain itself? When accounts are set up on a user's machine, create an RSA public / private key per account. Simple enough.

    When a user sends an email, force this user to relay the email through the mail server rather than directly from his/her computer. Force the user to authenticate their email / password to send the message. Some servers already force this, I believe.

    When the user authenticates him/herself, encode a confirmation id using some elements of the email (first xx characters of message, subject, date, etc) using the RSA private key and attach it to the message.

    Here's what should change with the receiving server... When a mail server receives the message, the mail server should initiate a separate connection that looks up the domain's MX server, and communicates with it.

    This MX server should then provide the RSA public key for the account listed. The public key will then be used to decrypt the stamp that the MX server included with the message. If the stamp is legitimate, deliver the message to the inbox.

    If a stamp is not legitimate, or there's no stamp, simply don't deliver the message. Simple enough.

    This method has its series of strengths:

    There would be absolutely no point in spammers taking over people's machines with viruses in order to send email if email must be sent through a qualified mail server. It's possible that worms could be written to auto-send messages through these relays, but at least then the mail server could detect it and shut the person out.

    If mail sent is authenticated from a domain, people would then have the option to blacklist domains that aren't responsible for keeping tabs on their users.

    Mail *will* come from where it says it's coming from. If not from the exact user on the domain, it'll come from that particular machine.

    Of course, there are possible weaknesses to this strategy too.

    If the mail server is hacked, hackers would be able to still send mail from it using the private key. Fortunately, they would only be able to send from email addresses listed under domains they own.

    Spam software like SpamCop / Spamassassin / etc would be able to keep tabs on servers that exhibit hacked behavior, and temporarily blacklist these servers until resolved.

    This doesn't necessarily stop users with legitimate email addresses from sending spam. Someone with a legitimate email address can still be spammed.

    But at least when you block their email address or domain, it'll be a real email address, and a real domain name.

    This method is not 100% in eliminating spam. But it's a damn good start.
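The stamp-and-verify flow proposed in the post above, as an added example (not DarkHelmet's code). It assumes a toy unpadded RSA key built from two Mersenne primes, `XX = 32` covered body characters, and a `PUBLISHED_KEYS` table standing in for the key lookup at the sender's MX; the last case shows that text past the covered prefix is not protected by the stamp.

```python
import hashlib

# Toy RSA key for one account, built from two Mersenne primes so the example
# needs no third-party library. Constructed for illustration only: it is
# unpadded and the primes are public knowledge.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the sending server

XX = 32  # assumed value for the post's "first xx characters of message"

# Hypothetical stand-in for asking the sender's MX for an account's public key.
PUBLISHED_KEYS = {"alice@example.org": (N, E)}


def covered_digest(msg):
    """SHA-256 over the elements the post lists, as an integer."""
    fields = [msg["from"], msg["date"], msg["subject"], msg["body"][:XX]]
    blob = b""
    for f in fields:
        raw = f.encode("utf-8")
        # Length prefix keeps field boundaries unambiguous.
        blob += len(raw).to_bytes(4, "big") + raw
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def stamp(msg):
    """Sending server, after the user authenticated: return msg plus its stamp."""
    return {**msg, "stamp": pow(covered_digest(msg), D, N)}


def verify(msg):
    """Receiving server: accept only if the stamp matches the claimed sender."""
    key = PUBLISHED_KEYS.get(msg["from"])
    if key is None or "stamp" not in msg:
        return False  # unknown account or no stamp: do not deliver
    n, e = key
    return pow(msg["stamp"], e, n) == covered_digest(msg)


def run_cases():
    """Constructed messages exercising the accept and reject paths."""
    original = stamp({
        "from": "alice@example.org",
        "date": "Sat, 03 Jan 2004 01:39:00 -0000",
        "subject": "Lunch on Monday?",
        "body": "Are you free at noon on Monday? I booked the usual table for four.",
    })
    unsigned = {k: v for k, v in original.items() if k != "stamp"}
    return {
        "valid": verify(original),
        "unsigned": verify(unsigned),
        "guessed_stamp": verify({**original, "stamp": 12345}),
        "subject_changed": verify({**original, "subject": "Cheap pills"}),
        "other_account": verify({**original, "from": "bob@example.org"}),
        # Text after the first XX characters is outside the stamp.
        "tail_changed": verify(
            {**original, "body": original["body"][:XX] + " <appended text>"}),
    }


if __name__ == "__main__":
    for name, delivered in run_cases().items():
        print(f"{name:16} delivered={delivered}")
```

A receiver that wants the whole message protected has to hash the entire body rather than a prefix.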

  • by KrispyKringle ( 672903 ) on Saturday January 03, 2004 @01:40AM (#7865666)
    There are numerous problems in this system that others have pointed out (and face it, this wasn't your idea). For one, even if there's no central authority, how would I get my mailserver approved? I run my own, for my own domain, which handles e-mail for just me. A number of people do the same thing. So now I have to apply and hope AOL deems me worthy of attention (even though ignoring me wouldn't likely affect anything at all, since I know probably nobody who uses AOL, and even if I did, I'm just one guy)?

    Whitelisting makes sense--trusting certain mailservers more and not bothering with intense heuristics on mail coming from them. But blacklisting anyone you don't know makes none. The Internet is too vast to really implement something like this without huge costs and huge losses; I think solutions like this likely do far more to Balkanize the Internet than to protect it.

    The solution mentioned in a previous Slashdot article a few days ago of making SMTP servers run a small computation per e-mail makes much more sense. This allows you to impose restrictions on non-whitelisted servers without completely ignoring them, either.

    But when you talk about the anonymity preferred by the spammers, you ignore the fact that they are, in fact, selling a product. Forget the spammers. Track down their clients, the ones paying for the ads. Problem solved.

  • by Anonymous Coward on Saturday January 03, 2004 @01:45AM (#7865684)
    It's not that regulation is nonexistent, it's just that for $20USD you can get the cops to look the other way while you beat an old lady to death. Gvt corruption at its finest.

    (no, I'm not just flinging stereotypes, I lived in China for a year.)
  • by LostCluster ( 625375 ) * on Saturday January 03, 2004 @01:50AM (#7865705)
    It seems like the latest attack on Bayes-based filters is to throw misspellings and random characters into the message. I'm surprised the major Bayes tools haven't linked to a standard spell-checker and consider really bad spelling a sign of spam...
  • by Afrosheen ( 42464 ) on Saturday January 03, 2004 @01:50AM (#7865706)
    You know, I was in the local Post Office here in Dallas a week ago, and those damn AOL CDs were in a box there. Waiting for innocent victims. I'm thinking, ok, the Postal Service is supposed to be a government agency right? All that money we spend for stamps and shipping goes to the branch of gov't that deals with mailing right? So why the hell do they get to advertise in a public company for FREE? I grabbed the whole box and marched it to the nearest trash can. People clapped.
  • Imagine (Score:5, Interesting)

    by KalvinB ( 205500 ) on Saturday January 03, 2004 @02:05AM (#7865762) Homepage
    if you couldn't send anonymous snail mail.

    Or anonymous e-mail. That's where this "signed" e-mail crap is going.

    Imagine every message you send being traceable right back to you.

    But hey, what's the trashing of rights in the name of convenience.

    If you can send e-mails without being traced, so can spammers.

    If spammers can't send e-mails without being traced, neither can you.

    "Spammers are most afraid of being tracked and identified. "

    Yeah, and nobody has a legitimate reason to not want to be traced.

    I spent all of 2 hours modifying RinetD to do proper logging in between senders and my mail server. I spent another 3 hours writing a simple program to parse that log pulling out who a message is from, who it's going to, the subject line and what links it contains and the domains of those links.

    Any "to" entry that isn't one of my e-mail addresses is deleted. The remaining are then examined for spam domains by looking at the froms and subject lines and the domains themselves.

    A short list:

    If expression both matches "*imgehost.com*" Delete ""
    If expression both matches "*mydailyoffer.com*" Delete ""
    If expression both matches "*topofferz.net*" Delete ""
    If expression both matches "*adweawen.biz*" Delete ""
    If expression both matches "*divineprice.com*" Delete ""
    If expression both matches "*stamps.com*" Delete ""

    And poof, no more ads from those companies and nobody's right to privacy is infringed. If they happen to have multiple domains for the same campaign I'll catch them as they come.

    I will not support a means to subvert my right to privacy over some stupid ads.

    How much are your rights worth to you? Not much apparently.

    Terrorists blow up buildings and we get the patriot act. "terrorists" flood inboxes and you demand traceable e-mail.

    Get bent.

    Ben
  • by Samari711 ( 521187 ) on Saturday January 03, 2004 @02:15AM (#7865790)
    I'm a student at Notre Dame and work for the IT people and get to go clean compromised machines. Generally any machine spewing spam gets picked up by university sniffers relatively quickly and their machine is disconnected before much harm could be done. Also anything reported as spamming would be disconnected as well. They keep MAC address records and such so that finding the computers is more or less easy. Of course a lot of the stuff the IT people do is ass backwards at times and I'm sure at an engineering school like Purdue they tend to do things a bit more sensically, so the chances of spam originating from a university with any sense at all is extremely small.
  • by KalvinB ( 205500 ) on Saturday January 03, 2004 @02:32AM (#7865824) Homepage
    "You actually *can* get a digital certificate for your email, but it costs money"

    Yeah, you can get those in your BIOS and media files and anywhere else. "Trusted Computing" EVIL. "Trusted E-Mail" GOOD.

    What is wrong with you people?

    You know what I do to block spam?

    I filter out links contained in e-mails and block the COMPANIES.

    I don't care how forged the header is. If the e-mail contains a link to a spam domain it doesn't get through.

    Nobody's right to privacy is infringed and it's 100% effective and 100% accurate. Nobody is going to be sending a legitimate e-mail with a link to and/or an image from www.topofferz.com or with an affiliate link to click-com

    I'm not going to regurgitate the whole system I use here, you can find it talked about in older posts of mine and it will be posted on my site this weekend along with all the source code for the programs I use to automate some of the process.

    I can't believe how quick and eager people are to bury their rights over nothing more than ADVERTISEMENTS.

    Ben
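Link-domain filtering as described in KalvinB's two posts above, as an added example (not the poster's program). The blocked domains come from his rule list; the two sample messages are constructed, and the code compares his `*domain*` substring rule with matching on hostname label boundaries.

```python
import re
from urllib.parse import urlsplit

# Domains from the rule list in the post above.
BLOCKED = {"imgehost.com", "mydailyoffer.com", "topofferz.net",
           "adweawen.biz", "divineprice.com", "stamps.com"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample: the From header is irrelevant, only the links are used.
SPAM = ('From: "Customer Care" <care@example.com>\n'
        'Subject: Your account\n\n'
        '<a href="http://www.TopOfferz.net:8080/c?id=1">'
        '<img src="http://img.topofferz.net/a.gif"></a>\n')

# Constructed sample: an unrelated host that happens to contain "stamps.com".
LEGIT = "Order your custom stamp at https://rubberstamps.community.example.org/order."


def link_hosts(body):
    """Return the lowercased hostname of every http(s) link or image in body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            # .hostname drops userinfo and port and lowercases the name.
            host = urlsplit(url.rstrip(").,;")).hostname
        except ValueError:  # malformed bracketed host
            continue
        if host:
            hosts.add(host.rstrip("."))
    return hosts


def wildcard_hit(host):
    """The post's "*domain*" rule: a plain substring test."""
    return any(domain in host for domain in BLOCKED)


def suffix_hit(host):
    """Match a blocked domain or any of its subdomains, on label boundaries."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))


def verdict(body, rule):
    """True if the message would be deleted under the given matching rule."""
    return any(rule(host) for host in link_hosts(body))


if __name__ == "__main__":
    for name, body in (("spam", SPAM), ("legit", LEGIT)):
        print(name, sorted(link_hosts(body)),
              "wildcard:", verdict(body, wildcard_hit),
              "suffix:", verdict(body, suffix_hit))
```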
  • by Anonymous Coward on Saturday January 03, 2004 @02:33AM (#7865830)
    There is some scumbag who has been spamming AOL using my domain name as a return address. I'm guessing my domain is just used for a small fraction of the spam going to AOL from this operation. I can tell you I'm getting tired of all the bounces from AOL! I only wish there was some way to stop the abuse of my domain name.
  • by InfiniteWisdom ( 530090 ) on Saturday January 03, 2004 @02:50AM (#7865871) Homepage
    How do you infer that? They block half a trillion messages. How many of those are legitimate e-mail? I have a great idea.... just send all your mail to /dev/null. You'll block 100% of spam. Might have the occasional false-positive, though.
  • by KalvinB ( 205500 ) on Saturday January 03, 2004 @03:05AM (#7865906) Homepage
    My ISP blocks outgoing port 25 activity but not incoming so my sig points to a catch all on my home connection for analyzing spam. Receiving on port 25 is no different than getting mail any other way. The ISP only cares about one way communication.

    To get around the port 25 block I run my mail server on an alternate port for myself and then use RinetD on port 25 which forwards to the mail server. My e-mail going out is none of my ISP's business. The server that actually sends the mail is hosted by another ISP. Which doesn't break any clauses since I'm not running a server on my home system.

    I've had people using AOL signup for subscriptions since I started back when I was running out of house. But then I had a business connection.

    Residential connections tend to have clauses about not being allowed to run servers. My home ISP doesn't block port 80 but I'm still not allowed to run an HTTP server.

    If AOL is blocking residential accounts that are allowed to run mail servers then you have a case. However, if you're violating your TOS then too bad. Get a business connection like you're supposed to.

    Blocking non static IPs is a good thing. If you're seriously trying to run a mail server then you need a static IP. So pay for it.

    Ben
  • Re:Outbound (Score:1, Interesting)

    by Anonymous Coward on Saturday January 03, 2004 @03:23AM (#7865955)
    Yeah.. figure 200 billion of those spam probably came from Yahoo! and Hotmail and another 200 billion from AOL itself. That only leaves 100 billion from the rest of the world. *yawn*
  • Time to grow up (Score:3, Interesting)

    by iamacat ( 583406 ) on Saturday January 03, 2004 @04:05AM (#7866035)
    It used to be that systems on the Internet started out pretty open. If some students figured out how to get in, but kept their practical jokes clean and fun, nobody cared much. If people got out of line, things generally got patched. Like adding salt to UNIX passwords so that people don't just encrypt the whole dictionary and look for matches. Worked pretty well given CPU speeds and hackers' skills at the time it was introduced.

    Whatever happened now? SMTP started out pretty open. Obviously things got out of control. So, fix it already. A group of ISPs can gang up and require all SMTP users to sign up with their username/password, which is already supported by all e-mail clients. Limit each user to 1000 e-mails a day (allowing for rather large mailing lists, but still 1000 times too low to make spam attractive for the subscription price). Then only accept e-mail from cooperating hosts over SSL pipes with a correct certificate. Prepend BORK: to the subject lines from other domains so that users can filter them to another mailbox.

    If yahoo participates, I can always ask people to sign up for a free account if they really want to reach me. Smaller ISPs will jump on the chance to de-bork their e-mails and make customers happier. Once enough of them do, bigger ISPs will have an incentive as well. Problem solved!
  • by dvdeug ( 5033 ) <dvdeug&email,ro> on Saturday January 03, 2004 @04:50AM (#7866175)
    All spam blocks, except for a couple uber-expensive systems, will make false positives.

    Yes, but the ratio of false positives to false negatives is tunable.

    You know enough about spam blocks to know that there are shitloads of keywords they're looking for

    It has little to do with keywords. The things that catch most people are broad block lists.
  • by mrd_yaddayadda ( 629895 ) on Saturday January 03, 2004 @05:14AM (#7866234)

    Our mail server has somehow erroneously been blacklisted and so we have added about 100 emails of that "Spam" to that half a trillion. I'm sure we're not alone.

    The blacklists aren't infallible and get messed up and tend to be very slow to respond to errors or worse just don't bother (or even worse demand money to be removed in one notable case).

    What the article should say is that AOL blocked half a trillion emails, god knows how many of them were legit emails or how many really were spam...

  • by Grimster ( 127581 ) on Saturday January 03, 2004 @05:35AM (#7866278) Homepage
    Every now and then we'll wake up to find one or more of our servers blocked by aol, you can test it quickly by telnetting to port 25 on one of their MX's and it'll tell you right away if you're blocked.

    Call, stay on hold 45 minutes, and you get "white listed" for 30 days and they ask you to set up a special email to send you spam complaints to if that IP becomes a problem again in the future. Sounds good right? I mean we host nearly 13,000 web sites for over 6000 customers, we DO get some spam sent through us once in a while (open formmail.php is the worst) and we handle it the second it's noticed.

    HOWEVER we have YET to receive ONE, and I mean that as in a SINGLE complaint from AOL for ANY of our ips. Yet 7 times now we've been blocked. Luckily it hasn't happened in a few weeks.

    Do you know how annoying it is when 13,000 web sites become unable to talk to aol? Jesus christ.

    Here's the funny part, often times it's only 1 or 2 of the (best I can tell) 4 main MX servers blocking us, so much for keeping those in sync.

    I applaud them for trying to curb the incoming spam but goddamnit make it POSSIBLE to work with and if you block someone TELL THEM WHY and maybe a little warning please! If I'm notified of a problem I'll GLADLY nuke the spammer's ass, or if it's just an open script, we can help the customer secure it, but if we're not informed what can we do? At least spamcop sends us emails with headers of the spam so we can take care of it.

    So I gotta wonder how many of that half trillion is REALLY spam and how much is erroneous blocking.
  • by An dochasac ( 591582 ) on Saturday January 03, 2004 @08:29AM (#7866525)
    I'm still trying to figure out what they aren't blocking. They block emails from mac.com even though a valid name, address and credit card number are required for a .mac email account, but they don't block free services like fastmail.fm or mailhaven.com.

    If they really want to get a handle on spam, fwd:fwd:fwd Urban folklore... they should really block *@aol.com.
  • by abirdman ( 557790 ) <[abirdman] [at] [maine.rr.com]> on Saturday January 03, 2004 @10:15AM (#7866799) Homepage Journal

    The same thing started happening to me in the last couple months. My provider checked, and they're not hijacking the use of the mail server, they're just forging headers so it appears the mail is coming from my domain (They all pretend to be from some username@mydomain.com). There isn't any obvious solution. I've gotten about a hundred "bounces" in three months. I don't think this is the criteria AOL uses to block an email server, otherwise I assume I would stop getting the bounce messages. I can and do send emails to people on AOL.

    I hate having my domain name associated with V*I*A*G*R*A (the bounced messages are almost all online medication related, though with forged headers, I assume they're all just scams to get people to send their credit card numbers), but I doubt anyone receiving those messages pays much attention to the originating mail domain, even a forged one. I hate to say it, but I think email is broken beyond repair, and someone needs to create a replacement system.

  • by WuphonsReach ( 684551 ) on Saturday January 03, 2004 @11:23AM (#7867050)
    Unfortunately, ISPs are loath to do that because there are customers who connect to mail servers other than the ISP.

    What might work, but would require resources would be to set up some sort of profile system which only allows selective port 25 filtering. (This will be an expensive idea, with some invasion of privacy.)

    For every customer, start a list of the SMTP servers that they contact, and only allow them to contact up to 10 different SMTP servers. If a customer hits their limit due to trojan'd machine or virus-infection, the damage will be (somewhat) limited. Customers should be able to reset their list once every 24 hours, but they can only reset 3 times before a CS rep has to do it.

    Not a pretty solution, but a possible next step.
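The per-customer port 25 profile described in the post above, as an added example (not WuphonsReach's code). The class and method names are hypothetical, the addresses are constructed, and "reset 3 times before a CS rep has to do it" is read as three self-service resets followed by a mandatory rep reset.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_SERVERS = 10            # distinct SMTP servers a customer may contact
RESET_INTERVAL = 24 * 3600  # one self-service reset per 24 hours (seconds)
MAX_SELF_RESETS = 3         # after that, only a CS rep can reset the list


@dataclass
class Profile:
    servers: set = field(default_factory=set)
    last_reset: Optional[float] = None
    self_resets: int = 0


class Port25Gate:
    """Decides whether a customer's outbound port 25 connection is allowed."""

    def __init__(self):
        self.profiles = {}

    def _profile(self, customer):
        return self.profiles.setdefault(customer, Profile())

    def allow(self, customer, dest_ip):
        p = self._profile(customer)
        if dest_ip in p.servers:
            return True             # already on this customer's list
        if len(p.servers) >= MAX_SERVERS:
            return False            # list full: drop the connection
        p.servers.add(dest_ip)      # learn a new server while slots remain
        return True

    def customer_reset(self, customer, now):
        p = self._profile(customer)
        if p.self_resets >= MAX_SELF_RESETS:
            return "needs_cs_rep"
        if p.last_reset is not None and now - p.last_reset < RESET_INTERVAL:
            return "too_soon"
        p.servers.clear()
        p.last_reset = now
        p.self_resets += 1
        return "ok"

    def rep_reset(self, customer):
        """Customer-service reset: clears the list and the reset counter."""
        p = self._profile(customer)
        p.servers.clear()
        p.self_resets = 0
        p.last_reset = None


def simulate_infected_host():
    """Constructed scenario: a trojaned machine tries 200 distinct servers."""
    gate = Port25Gate()
    usual = "192.0.2.25"  # the customer's regular outside mail server
    gate.allow("cust-1", usual)
    targets = [f"203.0.113.{i}" for i in range(1, 201)]
    reached = sum(gate.allow("cust-1", ip) for ip in targets)
    return {"reached": reached, "usual_still_works": gate.allow("cust-1", usual)}


if __name__ == "__main__":
    print(simulate_infected_host())
```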

  • by Zocalo ( 252965 ) on Saturday January 03, 2004 @11:24AM (#7867052) Homepage
    No, I don't mean false positives inflating the figures, I mean how many of those were not actually spam, but the delivery status notifications *caused* by spam? AoL, Hotmail, Yahoo, etc. are some of the most frequently Joe-Jobbed and spoofed addresses I see in my spam folder. That means any bad email addresses will generate a DSN failure unless this has been disabled by the remote mail admin (which is contra to the SMTP spec). If AoL blocks these too (and why not) then the figures will be inflated, perhaps significantly.

    Still, it's a nice attention grabbing figure to help raise public awareness of the issue, and I have zero issues with that.

  • by christianT ( 604736 ) on Saturday January 03, 2004 @07:08PM (#7869408)
    ...and ask questions later
    I wonder if these statistics include all the valid email messages that have been blocked by AOL's overzealous blacklisting of servers. I work for one ISP whose mail servers have been getting blacklisted on and off for the past 2 weeks and have a friend that does web hosting and his mail servers got blacklisted. Neither were put on AOL's black list because of spam coming from the servers.
