post.office and open mail ports news

Jeff Woods ( jeff@delta.com )
Tue, 25 Feb 1997 12:21:08 -0500

Fed up with spam
By Nick Wingfield
February 25, 1997, 6:30 a.m. PT

Last Saturday, the email server of a small Internet
service provider in the southwestern United States
started to churn out email broadcasts from a lone
user to more than 45,000 email addresses.
Naturally, the ISP was curious who the "spammer"
was.

Unfortunately, the spammer employed a simple
technique for sending email from the ISP's server
without actually having an account on its system,
making the culprit difficult if not impossible to track
down. But some Internet email vendors, including
Netscape Communications and Software.com, are
now taking steps to prevent the hijacking
technique--well understood among messaging and
security experts, but still widely disregarded by
organizations that run email servers--from working
on their products.

The technique is startlingly easy to exploit, and a
potential boon for email spammers that want to
cover their tracks. Users need only to designate an
email server as the outgoing SMTP (simple mail
transport protocol) server in a standard email
client such as Eudora. Provided that the email
server is not shielded by a firewall or some other
security mechanism, the user will be able to log on
to the server through any ISP such as Netcom or
CompuServe to send email to a potentially huge
list of users--all without an account or password.

For some spammers, the opportunity to hijack
someone else's mail server further distances them
from the hostile responses that almost always
follow spams. In the case of the Southwestern
ISP, the spammer, who connected to the ISP's
mail server through PSINet, entered a false return
address and name in his email client. When irate
users began to respond to the spam--a $28.95
offer to convert their handwritten signatures into a
True Type font--the messages bounced back to
the users themselves and to the email administrator
at the ISP.

"That was what was mean about the whole thing,"
said the head of operations at the ISP, who asked
not to be identified in order to avoid alerting a
competitor to his company's misfortune. "Of the
45,000 messages sent out, probably about 6,000
of them were invalid. We're up to about 14,000
messages to our postmaster."

"There are certain users that have become vigilante
anti-spammers. They'll take a 100 megabyte
attachment and return it to the sender."

Although it's impossible to tell how many email
servers on the Internet are vulnerable, it is not
difficult to locate servers that are open to
unauthorized use. A CNET reporter, for example,
was able to locate and send email from five
separate servers, including several university
servers and one belonging to the White House,
within the span of 15 minutes. Email server names
are readily available on Usenet newsgroup
postings.

Some email systems, such as the popular Sendmail
program in Unix servers, already allow
administrators to block out unauthorized use, but
more vendors are beginning to fortify their
products.

This week, Netscape introduced a beta version of
its Messaging Server 3.0, its first email server to
support Authenticated SMTP, a feature that
allows systems administrators to control who
sends and receives email using passwords and
digital certificates. And within the next two to three
months, Software.com will allow users of its
Post.office server to screen out selected domain
names from accessing the server, according to
Andrew MacFarlane, a product manager at the
company.
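The mitigations the article names (Sendmail's relay restrictions, Netscape's Authenticated SMTP, Post.office screening out selected domains) all come down to one decision a mail server makes on every RCPT TO command: is this recipient local, and if not, has the client earned the right to relay? The following is an added example of that relay-control check, written for this post rather than taken from the article or from any of the vendors it mentions. The site policy, the domain names (example.net, example.org, spam.invalid) and the client addresses (203.0.113.10, the 192.0.2.0/24 dial-up pool) are constructed sample values.

```python
"""Relay-control policy for an SMTP server (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayPolicy:
    """Site configuration an administrator would supply (constructed sample)."""
    local_domains: frozenset           # domains this server delivers mail for
    trusted_networks: tuple            # networks allowed to relay without SMTP AUTH
    blocked_sender_domains: frozenset  # sender domains refused outright


def address_domain(address):
    """Return the lowercase domain of a user@domain address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local_part, domain = address.split("@")
    if not local_part or not domain:
        return None
    return domain.lower()


def check_rcpt(policy, client_ip, authenticated, mail_from, rcpt_to):
    """Decide one RCPT TO command; returns an (SMTP reply code, text) pair.

    Evaluation order matters: a blocked sender is refused even for local
    delivery; a local recipient is accepted from anyone, because that is
    ordinary inbound mail; relaying to a foreign domain is granted only to
    clients that authenticated or that connect from a trusted network.
    The empty sender ("<>") is legal for bounces and is not rejected.
    """
    sender_domain = address_domain(mail_from)
    rcpt_domain = address_domain(rcpt_to)
    if rcpt_domain is None:
        return 501, "Syntax error in recipient address"
    if mail_from != "" and sender_domain is None:
        return 501, "Syntax error in sender address"
    if sender_domain in policy.blocked_sender_domains:
        return 550, "5.7.1 Sender domain refused"
    if rcpt_domain in policy.local_domains:
        return 250, "OK (local delivery)"
    if authenticated:
        return 250, "OK (relay permitted for authenticated user)"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in policy.trusted_networks):
        return 250, "OK (relay permitted for trusted network)"
    return 550, "5.7.1 Relaying denied"


def evaluate_envelope(policy, client_ip, authenticated, mail_from, rcpts):
    """Run every recipient of one envelope through the policy.

    Returns {"accepted": [...], "rejected": [...]} with (rcpt, code, text)
    tuples, the same information a server would write to its log.
    """
    accepted, rejected = [], []
    for rcpt in rcpts:
        code, text = check_rcpt(policy, client_ip, authenticated, mail_from, rcpt)
        (accepted if code == 250 else rejected).append((rcpt, code, text))
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample policy: the server hosts example.net, its own dial-up
# pool 192.0.2.0/24 may relay without a password, and spam.invalid is refused.
SAMPLE_POLICY = RelayPolicy(
    local_domains=frozenset({"example.net"}),
    trusted_networks=(ipaddress.ip_network("192.0.2.0/24"),),
    blocked_sender_domains=frozenset({"spam.invalid"}),
)


def main():
    # The article's scenario: an outside client with no account points its
    # mail program at this server and addresses strangers at other domains.
    result = evaluate_envelope(
        SAMPLE_POLICY, "203.0.113.10", False, "bogus-return@elsewhere.example",
        ["a@example.org", "b@example.com", "postmaster@example.net"],
    )
    for rcpt, code, text in result["rejected"] + result["accepted"]:
        print(f"RCPT TO:<{rcpt}> -> {code} {text}")


if __name__ == "__main__":
    main()
```

With this policy the outside client can still deliver to postmaster@example.net, so inbound mail and bounce handling are unaffected, but the two foreign recipients get "550 5.7.1 Relaying denied"; the same client, once authenticated, or a client on the ISP's own dial-up pool, is allowed to relay.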

MacFarlane said that interest in finding a solution
for protecting email servers has grown rapidly,
something he attributed to the media attention paid
to spamming. "The last month is when email [about
blocking unauthorized email users] really started
coming in," he said. "It's almost on a daily basis."

In the meantime, it's unclear what legal recourse, if
any, an organization has if an outsider hijacks its
server.

"This may be one of the areas where, if you
haven't been told you can't, you can," said Ira
Machefsky, a senior industry analyst with the Giga
Information Group. "Up until now, the Internet has
been kind of a polite place to do your job. Now
you have a bunch of strangers out there."