How Pervasive is ISP Outbound Email Filtering?

Erris writes "A member of the Baton Rouge LUG noticed that Cox checks the text of outgoing email and rejects mail containing key phrases. I was aware of forced inbox filtering that has caused problems and been abused by other ISPs in China and in the US. I've also read about forced use of ISP SMTP and outbound throttling, but did not know they outbound filtered as well. How prevalent and justified is this practice? Wouldn't it be better to cut off people with infected computers than to censor the internet?"

Profit comes first

[techno-vampire]

"Wouldn't it be better to cut off people with infected computers than to censor the internet?"

If they did that, it would lower their income and cut into their profits. Filtering outbound email costs less, at least in the short run and that's all the typical MBA is interested in. Their idea is to move to a new company before the long-term damage they've caused becomes evident. (I'm not just wanking, here; I asked an MBA about it once and that's what he told me.)

inline virus filtering

[sgt scrub]

They could do inline virus filtering easier, cheaper, and still not be intrusive. IMHO they are being rude when they could be helpful.

Amen

[davidwr]

ISPs should ask you what services you really need when you sign up for a new account:
"I'm a normal user, let me have what normal users get"
"I'm a power user, please turn on ___, ____, and ___"
"I'm a power user and I really really really know what I'm asking for, please turn on everything."

Then let them change it at any time, either permanently or, if they only need it for awhile, for an hour, a day, or a week.

Once you do that you can hold customers responsible for things like letting bots run loose spamming the planet over an available outgoing port 25.

Re:Not Comcast

[Bender Unit 22]

I'd say that every ISP should do that, that is, if you could get it unblocked if you requested it or via some online account management.
99% of all people wouldn't need it anyway(except the bots on their machines) and the ones who do, would know how to open it. Of course it is a not the ideal way to solve the problem, but it's all we got for now.

Re:Looking further...

[rob1980]

Yes, I'm guessing they set the filter up so you can't email somebody a link to http://my_homebox_ip_number:8081/ [myhomeboxipnumber] and have it be a spoofed Paypal signin page or something like that.

Re:Looking further...

[mabinogi]

That's got nothing to do with it though.

Whether or not you're running a home server, sending an email containing a URL certainly shouldn't breach the ToS. They're not going to filter emails referring to a breaching server, they'd contact you about the server or terminate your service.

Re:Text of posting (TFA)

[Spazmania]

It's a mixed metaphor:

I couldn't care less = I don't care

merged with

I could give a damn = I could care but I don't

and became

I could care less.

Comcast sucks too.

[mlwmohawk]

In the Boston area, comcast fuckers are blocking port 25. So, even though people have legitimate uses for the internet connection they pay for, these companies are taking it on themselves to block standard connection protocols.

First its port 25, because of spam. Then it will be P2P because of copyright. Then it will be ssh because of terrorism. Then it will be, inspired from the new york story yesterday, filtering web content to prevent false alarms.

Fuckers. Bury your head america.

When people talk about fascist Germany, they focus on the extermination of jews and the holocaust, and while those were horrific acts, they are not what the Nazi party was about. They were the result of the acts of fanatical and arguably insane men who had gained power in the Nazi party, not the Nazi party, per se'

The Nazi party was about power and the exercise of it. It was about bringing pressure on the citizens from all aspects of society to conform to it. It used social structures and industries and laws to bring people under control. It is EXACTLY what is happening in america today. Its all the little things slowly picking away at the big things, until the big things crumble. Freedom of speech? Nope, now we have "free speech zones," where no one will hear you. I could go on, but the /. crowd already knows.

Just like the Reichstag fire in 1933, the world trade center in 2001 gave the neocons the ability to enact limits on freedom. After that, industries which were once regulated in order to protect the citizens are now deregulated and destroying citizens who do not conform, RIAA, MPIAA, walmart, etc.

ISP censorship is just one more piece of it. The internet is becoming the primary conduit of communication and fascist america must have its citizens controlled, just lake Nazi Germany needed its citizens controlled.

All this isn't a conspiracy theory either. No conspiracy theory need exist. Our government (of the people, by the people, bla bla) is supposed to protect us. If it stops protecting us from big companies, those companies will naturally do the work for their own gain.

Now everyone in the USA is afraid. Some of terrorists, some of losing heath care, some of losing their job, their house, what ever. Fear, as the nazi's will tell you is a powerful tool to harness.

Welcome to neocon amaerica where companies sue their customers because they can. Companies dictate what you can do with your property, because they can, and if you do anything about it or protest, you can lose your job which means your house and health care.

Sorry for the rant, but I can't be the only one who sees this whole thing in this way

Re:Where, exactly, is the story?

[Niten]

A more accurate title for this story would be: "User in violation of Cox TOS upset over Cox efforts to enforce TOS."

The problem is that the TOS are bogus, and there's absolutely nothing the customer can do about it. It's not as though we have a half dozen other cable subscribers to choose from and to keep each other honest; aside from the phone company, Cox is the only game in town for many folks. The theoretical benefits and corrective effects of free-market competition do not operate in such an environment.

Seriously, "servers of any type [...] server like functionality"? Congratulations, you've just described anything that accepts an incoming TCP or UDP connection. If I cannot at least SSH and VPN into my home network from abroad, my so-called Internet connection loses 50% of its utility.

I'd love to see somebody with the resources to do so stand up to these guys and sue them for false advertising. If you perform unwanted filtering on the incoming and outgoing access of your users, you're no longer selling a full Internet connection. The most troubling part is that Cox isn't even the worst offender in this regard, not by a long shot.

Servers?

[gillbates]

Or server-like functionality?

So, what exactly, defines a server? When you think about it, there's just traffic between two points. From a semantic perspective, posting to /. could be seen as "serving" text to a remote computer...

But, I think this kind of highlights the apparent Cox conceptual model of the internet:

• Businesses create the news, opinions, and "interactive" content. The subscriber consumes the content business creates. Subscribers do not participate in opinion, create content, or otherwise create outbound traffic, with the exception of:
• Email.
• Games, filesharing, IM, and the like are all under the radar - they are "server-like" applications when it comes to dealing with the subscriber, so they can arbitrarily be denied service without breaking the TOS.
• Web servers, SSH, terminal services, VPNs, etc... are business class services, for which a commercial account is required.

The optimist in me hopes I'm wrong on some of the above points, but the pessimist knows to suspect the worst.

Re:Not Comcast

[cheater512]

Blocking every port under 1024 and having a touch tone phone interface to unblock them would be ideal.
That way there is no way for a bot to automate it (ok maybe if they still have a analog modem but unlikely) and its pretty easy to unblock yourself while keeping the ISP's workload low.

That would cut out a lot of the net's problems overnight and make it extremely difficult to bypass.

Re:Profit comes first

[SeaFox]

If they did that, it would lower their income and cut into their profits.

That's assuming they actually close the customer's account or credit for the time out. Some ISPs do not, since the issue is generally a virus or other malware on the customer's PC (in other words, not the ISP's fault).

But you response overall is still correct. If they keep mucking around with the email, they still save money because eventually the customer gets sick of it and gets a Yahoo account instead. Now Comcast is still getting the same $40/month, but without having to provide mail services.

Re:Kudos to Cox Communications

[rmerry72]

So it would be better for Cox to allow any old botnetted-computer to spew spam?

No. Kill the connection of those computers. Don't block and filter my computer because Joe Idiot has malware. Cut him off and make it his responsiblity to clean his property. If I had a spiking phone that was causing disruption to the telephone network they'd disconnect my phone not start filtering your phone conversations. If my car was a defect I wouldn't be allowed to drive.

If your mail situation is that important, buy a business-class account.

Come on, are you telling me sending an email is an add on to the basic funtionality of the internet, and optional extra? "Oh, you want "clean" water? Well I suggest you upgrade to our business service. Our residential water pipes only deliver untreated effluent."

You forgot about the US government

[soren100]

However, filtering also raises the "you are now liable for what they say to an extent" issue that the whole Safe Harbor thing was suppose to fix for ISPs and could definately cost a huge pile more than just cutting access and losing customers.

People have raised that idea as wel about AT&Ts plan to filter their network for copyrighted material.

The answer I have to that is "9/11 Changed Everything".

Seriously -- when the US government asked the telcos to commit surveillance crimes against the US citizens, only Qwest refused. Usually, breaking the law is a bad thing, but the US government was offering lots of money to the telcos, and presumably the promise not to prosecute. So the only company that got in trouble was the one following the law. And somehow the Qwest CEO that refused the deal ended up in jail. Meanwhile Dick Cheney is desperately trying to get immunity for the cooperating telcos for their crimes. See how that works?

So on the surface of things scanning and filtering our email might seem to be a bad busines move. But if the same US Government that got illegal telephone surveillance of US Citizens is also going for illegal surveillance of our emails, email filtering starts to make much more business sense.

It used to be that the idea of the US government secretly finding out what was in your emails was in the tin-foil hat realm. But the illegal surveillance of telephone calls would have been as well, along with secretly torturing people in secret overseas prisons. As well as "constitution-free" zones such as Gitmo that are paid for by US taxpayer dollars.

So if you have a government that scans your telephone calls, email, and web-surfing habits, you get very close to a goal of "total information awareness", which was one of the government's programs that was renamed and shuffled around after the public got very upset.

Re:Not Comcast

[Matt Perry]

Moral of the story: Stop using windows...

I'd say the moral is don't let people to connect devices to your network without your approval and possible oversight. It's not Windows' fault that your brother connected his infected machine to your network.

What about corporate responsibility

[dedmeet]

In this day and age, with most busy mailservers fending off about 60% of their load as Mass Spam storms, it is almost negligent to allow all of your customers unlimited access to smtp to any destination. Yes, there will always be outcry about 'censorship' and 'big brother'. It's a shame it's not the same crowd that shouts about the torrent of Spam and viruses that comes from high bandwidth, unaware mom & dad users (and us techies too - I can't remember the last Open Relay I saw configured by a mom & dad!) incidentally, scanning for and removing http://ip.ip.ip.ip/ [ip.ip.ip] links from Email is a pretty good way of detecting and blocking the outbound phishing attempts that each year result in millions of dollars being drained from the bank accounts of the uninitiated. Censorship is designed to prevent a particular content, subject or message from being propgated. I'm pretty sure you can re-write an Email in such a way as it does not get blocked. I'm pretty sure that if you want to run an SMTP server, you can get permission. if however, you happen to be a virus, you're hopefully s**t out of luck.

Re:Not Comcast

[Sorthum]

It's not you being a grown-up, it's your idiot neighbors who click everything under the sun without regard to security. I think the solution is to block by default, and have a mechanism to open it up, as other posters have stated.

Re:Not Comcast

[Sorthum]

That's not incompetence, that's by design. The RFC for 587 submission states that it requires the use of SMTP-AUTH, rendering it useless for most forms of spam-spewing malware; an incompetent ISP will filter it, not open it.

Re:What about corporate responsibility

[gujo-odori]

Bravo! I work in the email security industry, and I completely agree with you. Not only is filtering the outbound mail stream a matter of good Internet citizenship (and something a number of our ISP customers do), it's also practical. For any business, filtering the outbound can help keep your SMTP hosts off of blacklists. In the case of businesses with confidential information that could be stolen (which is almost all of them), it can also be a practical measure to boost IT security.

You're spot-on about censorship, too. Preventing the sending of outbound spam by zombies is not censorship for the simple reason that it is not mail that the owners of those computers want to send; it is mail that is being sent without their permission via theft of their resources and service. As for people who are deliberately spamming, one could argue that it's censorship, but the ToS of pretty much any ISP forbid spamming. People who want to be allowed to spam should not sign up with ISPs that forbid it; if they do so anyway and the ISP enforces its ToS through measures including outbound spam filtering and suspending or terminating the spammer's account, that's tough.

If only the EFF could get on the right side of the spam issue. They do so much good work in so many areas, but tend to wrongly take the side of spammers, somehow viewing it as censorship. That is wrong: there's no freedom of speech in spamming. People can say anything they want by taking out a billboard, or hosting a website, or running a blog. That's freedom of speech, and I support it, even if I think the message is a load of crap. The freedom to present a message should not be dependent on the content of the message (with reasonable exceptions, like the classic "Shouting 'fire!' in a crowed theater" example). Spamming is like going to the store, stealing a can of spray paint, then kicking down my front door and spray painting your message on my living room wall. That's not freedom of speech; it's theft, vandalism, and breaking and entering. So is spamming.

Re:Not Comcast

[element-o.p.]

But by the time you detect the spew, how many sites have already blacklisted your server?

Not possible to secure Windows.

[whoever57]

That may be true, but we aren't talking about the distant past. Windows may still have security issues but that doesn't mean that a person can make it reasonably secure:

I don't think that Windows (XP at least) can be made secure today. Yes, people can use it securely, but I don't think it is possible to make it inherently secure. I saw a recent exmple of a machine that got infected while it was configured with a major anti-virus (fully updated) and Windows was set to auto-update. Yes, I suspect that using Firefox, or just not going to those sites would have avoided the problem, but that says nothing about whether the machine is secure or not.

There was a recent article that showed that the performance of anti-virus s/w has got worse over the past year or two. People who think that Windows can be secured are in denial! The basic problem is that it is difficult to run as a limited user. Quickbooks requires administrator rights, I recently came across video capture and editing s/w that requires admin rights (despite Studio running on the same machine perfectly well for limited users). I am sure there are other programs. Yes, I know about "run as", but my claim is that it is difficult.

Re:Not Comcast

[rmerry72]

It's not you being a grown-up, it's your idiot neighbors who click everything under the sun without regard to security. I think the solution is to block by default, and have a mechanism to open it up, as other posters have stated.

Oooh, yeah let's regulate it. What would be the mechanism to open it up?

• Licences? Pass an exam every two years to prove your qualified to operate your computer?
• Or a blue slip for your computer? Only registered computers can connect?
• How about turning the Net into consumption only, like your TV. That's safe. Maybe restrict it to qualified software engineers?
• Age restriction? Only adults can connect (even dumb ones)?

We had that a while back. It was called ARPANet. Progress is a circle and we improve by going backwards.

How about this: If you are an idiot who clicks on everything GET OFF THE DAMN TRAIN! A leave it for us grown ups.

There is a mechanism already - its called money. Pay more, get more. Nothing to do with security or idiot neighbours, purely about making more profit. Like everything these days.

Re:Text of posting (TFA)

[ScrewMaster]

Except that it's a very unlikely thing to say sarcastically.

Except that you're just wrong. The phrase "I could care less" is usually only about a notch above saying "fuck you, and the horse you rode in on." As the GP said, it's a colloquial expression and unless you've been exposed to it in the proper context you probably just won't get it. Attempting to analyze such expressions in any language using the kind of logic you were trying to apply is a fruitless exercise. Like a lot of other things in American English ... you just have to know. If you don't, just accept it because that's what the rest of us do. It's not the literal meaning of the phrase that matters.

Re:Not Comcast

[gr8scot]

The problem with an ISP using SMTP-auth for connections outside their network is that SMTP-auth is only as secure as the least secure password used in your customer base.

You're right about the least secure password in the user base defining the easiest route for a spambot, but then I think you went too easy on the ISPs, or admins at ISPs.

Given that people are generally lazy and prioritize convenience over security, that means odds are that any decent sized ISP *will* have at least one (and probably very many more) weak passwords, and *that* means that the ISP's mail server *will* be an open relay as soon as the spammers figure it out.

OK, accepting, for sake of discussion, that "people are generally lazy and prioritize convenience over security," how do you blame the customer instead of the network administrator, whose job it is to ensure the operation -- which by definition includes the security -- of that network? I consider the necessity of "strong" passwords obvious, and common knowledge among anybody who has any business at all in a server room, and never the responsibility of Joe Sixpack. It's not "lazy" to come home after work, and do something other than the job of my ISP's network administrator. Tools for generating strong passwords are easy to find and not particularly hard to write, either, if the CEO doesn't like the color scheme or something. It's also easy, on the server, to check that customers are creating passwords equal to or greater than a certain length, containing alphanumeric, both upper- & lower-case letters, and more, with simple regular expressions. There's no excuse for being in charge of an ISP's network and not knowing everything in this paragraph, or being sure you have somebody on staff who does.

Re:Not possible to secure Windows.

[pentalive]

The only inherently secure computer is one without a network capabilities.

or untrained users that refuse to use virus protection, spy ware detectors and love to click
on any bright shiny item they come across.

One place had a check printing computer - completely disconnected from the network just a computer and a laser printer... It got virused..?? I had to un-virus it. Someone wanted the latest technology in screensavers, employed a floppy disk.