Slashdot Mirror


A Day with an ISP Spam Investigator

scumbucket writes "Network World Fusion has an interesting article about an abuse investigator for ISP Earthlink and his job of tracking down spammers. It's nice to see that major ISP's are making an effort to shut spammers down and kick them off of their networks."

167 comments

  1. A yawner by SYFer · · Score: 4, Insightful

    Not that interesting really. No specifics, not much technique. He calls offenders, cancels accounts, etc. Phishing is another department. He doesn't take action on pedophiles and refers them to cops.

    Where's the beef?

    --
    "...all the labours of the ages, all the devotion, all the inspiration, all the noonday brightness..." yada yada
    1. Re:A yawner by Anonymous Coward · · Score: 0

      "Where's the beef?"

      You do realize that there are articles on Slashdot that are not merely complaints or fanboying, do you?

      If not, RTFA and see an example for yourself and ask people to mod you down in shame.

    2. Re:A yawner by Antique+Geekmeister · · Score: 4, Insightful

      Read it again. He "takes orders from the FBI", etc., regarding child pornography, he doesn't contact them.

      What the article describes is entirely re-active. In no way is it pro-active: pro-active costs money, and keeps the spammers from signing up in the first place to send the spam. This is typical Earthlink, whose focus is on making the weekly progress reports their departments favor as taught by the "WISE" management techniques so favored by their Scientology educated president and his top staff.

      It's not evil, but given their history of blowing off complaints for months or even years until faced with real consequences such as a Usenet Death Penalty where all posts from Earthlink would be actively cancelled, it's not topnotch.

    3. Re:A yawner by Saeed+al-Sahaf · · Score: 1

      Scientologist Reed Slatkin is not Earthlink's Prez anymore. Hasn't been for a long time.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    4. Re:A yawner by Antique+Geekmeister · · Score: 1

      Reed Slatkin, for those who don't know, never was their president. Sky Dayton, an active and fairly sizable Scientology contributor, is and has been the president since their start.

      Reed was one of their founders and got arrested for running a pyramid scheme. Given the financing misbehaviors of many start-up ISP's, it's not real surprising that one of their early managers also ran pyramid schemes, but that seems to be extremely common for the upper level Scientology members. They had a bunch of their upper staff in Europe also busted for running pyramid schemes involving those miracle "laundry balls", the ones that supposedly wash your laundry without soap but where you're actually just using the soap stuck to the walls of the washing machine from previous washes, and the "laundry ball" has nothing to do with it.

    5. Re:A yawner by Erik+Hollensbe · · Score: 1

      Having worked on a program that was sending (legitimate, opt-in with the ability to cancel - I'm serious! :)) bulk mail, earthlink, yahoo, AOL and hotmail are not only proactive, but super-anal.

      Failing to honor any SMTP code (and sometimes then some more, as the case was with AOL) as intended will get you a temporary ban. I can't remember if it's 2 or 3 strikes, but after that your only recourse generally is a call to their headquarters.

      I too am familiar with the UDP escapades - but what I am describing was a year ago (we had a bug (serious!) which was not properly honoring 550's which caused us to learn about their policies), and I doubt it's gotten any more lenient.

      Just some food for thought.
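The bug described in the comment above, a bulk sender that keeps mailing an address after a 550, comes down to how the sender classifies SMTP replies. The following is an added example, not part of the original comment and not any ISP's or mailer's own code: a sender-side tracker that parses single- and multi-line replies and permanently suppresses a recipient on any 5xx. The `DeliveryTracker` name, the deferral limit and the backoff values are assumptions, and the sample replies are constructed.

```python
"""Sender-side handling of SMTP replies for an opt-in mailing list (added example)."""
import re
from dataclasses import dataclass, field

# One reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
# Optional RFC 3463 enhanced status code at the start of the text, e.g. "5.1.1".
ENHANCED = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})(?:\s|$)")

MAX_DEFERRALS = 3      # assumption: stop after this many consecutive 4xx replies
BASE_BACKOFF_S = 900   # assumption: 15 minutes, doubled after each deferral


def parse_reply(raw):
    """Return (code, enhanced_status_or_None, text) for a raw SMTP reply."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line.rstrip())
        if m is None:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        this_code = int(m.group(1))
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed inside a multi-line reply")
        texts.append(m.group(3) or "")
        if m.group(2) != "-":   # a space (or a bare code) marks the final line
            break
    if code is None:
        raise ValueError("empty reply")
    em = ENHANCED.match(texts[0])
    return code, (em.group(1) if em else None), " ".join(t for t in texts if t)


@dataclass
class DeliveryTracker:
    suppressed: dict = field(default_factory=dict)  # address -> reply that caused it
    deferrals: dict = field(default_factory=dict)   # address -> consecutive 4xx count

    def may_send(self, rcpt):
        """Check this before every send attempt, in every later mailing."""
        return rcpt.lower() not in self.suppressed

    def record(self, rcpt, raw_reply):
        """Classify the server's reply; return (action, retry_after_seconds)."""
        # Lower-casing the whole address is deliberately conservative:
        # better to suppress one variant too many than to mail a rejected box.
        rcpt = rcpt.lower()
        code, enhanced, text = parse_reply(raw_reply)
        reply_class = code // 100
        if reply_class == 2:            # accepted
            self.deferrals.pop(rcpt, None)
            return "delivered", None
        if reply_class == 5:            # permanent failure: never retry
            self.deferrals.pop(rcpt, None)
            self.suppressed[rcpt] = (code, enhanced, text)
            return "suppress", None
        if reply_class == 4:            # transient failure: back off, then retry
            count = self.deferrals.get(rcpt, 0) + 1
            self.deferrals[rcpt] = count
            if count >= MAX_DEFERRALS:
                self.suppressed[rcpt] = (code, enhanced, text)
                return "suppress", None
            return "retry", BASE_BACKOFF_S * 2 ** (count - 1)
        raise ValueError(f"unexpected reply code {code}")


if __name__ == "__main__":
    # Constructed sample replies, not captured from any real mail server.
    tracker = DeliveryTracker()
    samples = [
        ("alice@example.net", "250 2.1.5 OK"),
        ("bob@example.net", "550-5.1.1 User unknown\r\n550 5.1.1 No such mailbox"),
        ("carol@example.net", "451 4.7.1 Try again later"),
    ]
    for rcpt, reply in samples:
        print(rcpt, tracker.record(rcpt, reply), "may_send:", tracker.may_send(rcpt))
```

The suppression table has to persist across mailings; a 550 forgotten at the next run is the same bug again.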

    6. Re:A yawner by Mashiki · · Score: 1

      Something to think on, perhaps it is a yawner for us. We've been hunting spammers for years, either on our own networks, against our own machines, or simply as fun for friends. You did miss some points in the article, which were pointed out by other people in following posts.

      Most of what was said is really good for the non-geeks in our midst. You know as well as I do that nearly everyone hates spam, hates those who commit fraud, etc. This is showing that someone behind the scenes is doing work on the network to make sure that these people are stopped.

      We know it, but not everyone else does. Now I'm not sure about you, but I know of plenty of people who could do with reading this article...even if it's a yawner to you, me, and the majority of the slashdot crowd, it will be nice and heartening to them.

      --
      Om, nomnomnom...
    7. Re:A yawner by Antique+Geekmeister · · Score: 1

      What you describe is merely re-active, not pro-active. Pro-active would be joining the ISP's using SPF, refusing to sell "pink" contracts to spammers which contractually permit them to send unsolicited bulk advertising, etc. What you describe is over-"re"acting, where doubtful is dirty and any question of proprietary behavior is dealt with harshly. It's understandable: spammers lie so much and pretend so much that their behavior is all "opt-in" that it colors our responses to companies and mailing lists like yours that are, in fact, opt-in and doing everything right.

    8. Re:A yawner by aztracker1 · · Score: 1

      I miss mindspring.. :(

      --
      Michael J. Ryan - tracker1.info
  2. Self interest by ZenBased · · Score: 4, Insightful

    Well, they don't do it because they want to help the world. But spam means extra bandwidth, so extra cost. And maybe customers blame the ISP, so that might mean less customers. So it is in the ISP's best interest to do something about spam.

    --
    http://www.virtualconcepts.nl/
    1. Re:Self interest by Spad · · Score: 1, Insightful

      Do their motives matter if they result in fewer spammers?

  3. Dumb business attracts dumb users by YetAnotherName · · Score: 3, Funny

    FTFA: One notorious spammer, whom EarthLink helped put behind bars, repeatedly used the names of sports such as baseball and football as his password.

    Spammers are stupider than I realized.

    1. Re:Dumb business attracts dumb users by Zorilla · · Score: 2, Informative

      Never underestimate rule #3 of spam.

      --

      It would be cool if it didn't suck.
  4. How to solve the Spam problem by SimianOverlord · · Score: 5, Interesting

    This is interesting, but you have to say this guy is fighting a losing battle. You have to fight Spam at its source. Look at the Spamhaus statistics: it might sound trollish, but spam is evidently an American problem, which must be combated in America. The Spamhaus stats prove it. 90% of the spam you see is from 200 individuals, of whom 96% are Americans, operating out of America.

    Clean up your act guys. When you're costing the world this much money, it just isn't funny anymore.

    --
    Meine Schwester ist sehr, sehr reizvoll - Nietzsche
    1. Re:How to solve the Spam problem by SillyWilly · · Score: 1

      If it wasn't for America we wouldn't have Microsoft or Windows, but we still might have Linux...

      I think you'll find Europe does have spam legislation.

      The people comatting spam are nearly all American? Says who?

      --
      Online & Feelin' Fine
    2. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      Netcraft confirms it: America is dead!

    3. Re:How to solve the Spam problem by SillyWilly · · Score: 5, Funny

      "not whimpering soccer players"

      American Football - British rugby (but with pads so the ickle Americans don't get hurt. Everyone say awwwwww)

      --
      Online & Feelin' Fine
    4. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      Why what have you done for us since the dark ages? I'm amazed that Americans don't understand why the whole world hates them.

    5. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      LOL - If it weren't for us you'd be speaking German right now. In fact, I think I speak for the rest of America when I say that we wish you were. Screw you.

    6. Re:How to solve the Spam problem by jwcorder · · Score: 0, Troll
      I assume you are also going to say that the fact that McDonald's is in other countries is because of us fat, lazy Americans eating Big Macs.

      Spam is not a country problem. It is a global problem. Just like viruses or worms, of which I would say that 50% of their creators are OUTSIDE of the US, but you don't hear anyone harping on how the only way to cure those problems are to make tougher laws in the EU.

      The most probable reason for most of the Spam coming out of the US is that 1)PCs are dirt cheap here. 2)Network connections are readily available all over the place. 3)This is the land of opportunity and get rich quick schemes.

      Blend these together and you get people who want to make fast money, who own lots of computers or space on computers, and who have tons of access to fast internet connections = Spamming opportunities.

      Spam is not only an American problem just like the Ozone, deforestation, Global warming, and the AIDS epidemic aren't just our problems........but somehow everyone is first in line to expect us to fix it.

      --
      http://jayceecorder.blogspot.com
    7. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      everyone seems so concerned with that.

      have you ever considered the possibility, that we just dont give a fuck what you think? what does your opinion matter. it doesnt matter in any way shape or form.

      oh no, some random country that means NOTHING to me, hates us. BIG FUCKING DEAL

    8. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      The grandparent was merely pointing out that > 85% of spam supposedly originates from a few hundred hardcore American spammers. That's a -very- non-trivial percentage.
      Your explanations of why don't hold water, given that most spam isn't sent by random people, but by a few groups. The random get-rich-quick people who try it don't contribute very noticeably. PCs and network connections are at least equally available in many other countries; broadband is actually more common outside of the US.

      "Spam is not only an American problem just like the Ozone, deforestation, Global warming, and the AIDS epidemic aren't just our problems........but somehow everyone is first in line to expect us to fix it." ... Right. Not.
      American administrations promise billions to help fight that stuff, then never pay; American drug companies tried for years to block 3rd-world nations from making cheap generic AIDS drugs. Europe, for instance, has much stronger environmental controls than America does; America, conversely, now has fairly huge tax breaks for companies owning SUVs. America is a major industrial nation, and one which consumes a lot; any discussion of the ozone and global warming on an international scale is silly if it ignores America.
      Regardless of what you think of Kyoto [which the US refused to ratify], other nations -are- working on environmental standards. Under Bush, the US keeps lowering them. North America is basically the only place with big forests left; therefore, it falls to the US and Canada to preserve them.

      One has to acknowledge that America is a vital factor in all the problems you mentioned, like it or not. No one is expecting you to "fix it!"; however, under the isolationism of Bush, you are basically declaring international treaties to be worthless. If America doesn't help with the larger problems in the world, and by that blocks action from being actually useful on a more than local level, what is everyone else supposed to do?

      Note: I've used "you" with American; however, I'm also an American.

    9. Re:How to solve the Spam problem by j.bellone · · Score: 0, Offtopic

      Agreed. Help Europe several times, they spit back in our face. How about the next time Germany decides to attempt to take over Europe, we don't help. Then we'll watch your ass beg.

      --
      I'm f#$king magic!
    10. Re:How to solve the Spam problem by jwcorder · · Score: 1
      North America is basically the only place with big forests left

      Where exactly do you get this notion? You must not include either of the rainforests as "big forests". I would also say that most of the "big forests" are more likely in the northern portion of N. America mostly in Canada.

      I by no means say we are innocent. I also think Bush is an idiot, but we cannot accept the brunt of blame for a spam filled mailbox. I also never said anything concerning how we as a country have less or more broadband than the rest of the world. I said a fast internet connection was readily available.

      The fact remains that the system as a whole is broken. Saying it's America's fault isn't justified. Even if we did enforce spam laws and run all 200 spammers out of business, they would only move to a country with laws that aren't as strict. But I suppose it would still be our fault we didn't burn them and kill their relatives to keep them from reproducing.

      My point before, which you obviously missed while hugging a tree or eating a granola bar, is that if this country sank into the middle of hell tomorrow Spam would still exist. The Earth would continue to get hotter, and we would all still need SPF 500 in 50 years. Blaming the evil isolationists won't get anyone anywhere except the spammers more steps ahead of the law.

      --
      http://jayceecorder.blogspot.com
    11. Re:How to solve the Spam problem by MarsDefenseMinister · · Score: 1

      The analogy completely fails. SPAM is a canned meat product, mostly pork. A Big Mac is a frozen meat product, mostly beef. See? The analogy is terrible.

      --
      No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
    12. Re:How to solve the Spam problem by Rew190 · · Score: 3, Insightful

      I understand what you're saying, but no matter what sort of factors are concerned, it IS true that the majority of spam is coming out of country, and I do believe that America should be the country to clean it up.

      everyone is first in line to expect us to fix it.

      Don't you think we should, if the problem is coming from us?

    13. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      Well perhaps if you'd paid attention to other people's opinions you wouldn't have had 9/11,

      "Like, oh my god, they've knocked down two buildings. Why would they do such a thing?"

    14. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      Yeah... That's right... err.. or not. In reality you joined the war so late it made no real difference.

    15. Re:How to solve the Spam problem by mOdQuArK! · · Score: 0, Flamebait

      I'm sorry, just because you might've saved me from bullies a couple of times, doesn't mean I'm going to help you mug someone else. Only a neocon (compassionate conservatism my ass) would believe that loyalty is more important than morality.

    16. Re:How to solve the Spam problem by kbahey · · Score: 1

      I agree it is an American problem. Most of the statistics say so.

      For those who say it comes from outside the US, like China or Korea, please think about it for a moment: What are they advertizing?

      Even if the messages are coming from overseas IP Addresses, the content advertizes US-centric products, for example, cheap mortgage will not help somebody in France, or Egypt or India, even if they wanted to. Yet, they have to pay to get SPAM because unlike North America, their slow dialup connections are metered by the minute.

      The same goes for cheap prescription drugs, or free laptop offers, and most of the SPAM going around these days.

      So it is a US centric problem, since Spammers are targeting that market. The rest of the world suffers as collateral damage or something ....

    17. Re:How to solve the Spam problem by Rew190 · · Score: 1

      Recently, I'm sure that reason rhymes with "George W Bush..."

      Can't blame ya guys at all on that one.

    18. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      Uh... when we got there we started at Normandy and worked our way to Berlin.

      It's not exactly like Europe had it in the bag.

      I also don't believe, however, that America was the big saviour hero that most Americans think it was in WW2.

    19. Re:How to solve the Spam problem by Anonymous Coward · · Score: 0

      The people who knocked down our buildings were fucking insane, my friend. You are most likely correct in saying that if we had a foreign policy that didn't involve sticking our noses in everyone's business we'd probably be better off, but watering down an event like 9/11 like that is not going to help anyone take your point seriously.

  5. Deterrence? by CdBee · · Score: 1

    "While sending spam is not against the law in most cases, it does violate EarthLink's use policy; not only can Rush terminate the account of a spammer, but he can also charge a $200 cleanup fee."
    "Serial spammers who have been kicked off the EarthLink network once will often jump back on, creating as many as four or five fraudulent accounts per day using stolen credit cards"

    So - Earthlink are fining victims of stolen credit cards, in other words! Possibly a more long-lasting approach would be to geo-locate the connection and target it with one of these

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    1. Re:Deterrence? by CdBee · · Score: 1

      (Replying to myself for convenience)
      Why can't Earthlink ban certain MAC addresses from its network? Surely the way to stop a repeat offender re-registering is to use MAC addresses (which are each unique to the unit) to ban his computer or router.

      Sure, a technically minded user can change a MAC address but it's a delay, and not always easy. Spammers aren't the brightest bunch.. hell, most of 'em can't even spell viagra! :-p

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    2. Re:Deterrence? by NoMoreNicksLeft · · Score: 1

      Don't ban them, honeypot them. If you ban them, they know they have to be sneakier. Instead, allow them to stay on, and fake acknowledgements to all their spamming. To them, it will look as if spamming has dried up... the response rate was close to 0% anyway.

    3. Re:Deterrence? by CdBee · · Score: 1

      That might entail the ISP having to break their own terms of service with regard to email traffic, or prevent "infected but unaware" users (spam relays) getting technical help.. but it's a very interesting idea nonetheless.
      (So is your Sig, actually, I've bookmarked it to read at length later)

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    4. Re:Deterrence? by AndroidCat · · Score: 1
      Spammers aren't the brightest bunch.

      Some of the bigger ones do pay for technically competent people. The tricks like asymmetrical routing are quite clever. (Sending huge amounts of mail from a small ADSL line where the ISP has blocked outgoing port 25. :)

      Of course, those spammers don't play the musical registration game. They get a pink "bullet-proof" contract with UUNET/Worldcom/MCI.

      --
      One line blog. I hear that they're called Twitters now.
    5. Re:Deterrence? by Antique+Geekmeister · · Score: 1

      Banning MAC addresses is not that useful. First, it costs a lot of extra effort in building up a monitoring tool suite and switch configurations to ban them, unless they happen to be already using forced DHCP. Second, a lot of Earthlink clients use actual Points of Presence (POPs) that are on other companies' networks. Third, almost any modern network card will let you code in a different MAC address to deal with exactly that kind of situation where you switch machines and there's some MAC-based permission. Fourth, a new network card these days only costs about $20 if you can't find a dozen of them in your parts bin from old repaired or replaced computers. Fifth, a lot of folks use "internet firewall" boxes that provide an arbitrary front end DHCP/MAC address configuration so you can swap it for your desktop in talking to your ISP. Overall, it's not usually worth the effort to filter on a MAC address basis.

    6. Re:Deterrence? by here4fun · · Score: 1
      Why can't Earthlink ban certain MAC addresses from its network?

      I like this idea, but since most people know how to mask their MAC address, it probably won't work. But if there was some secure way, based off the MAC that could not be masked, I would be in favor of that. Maybe a program that is needed to connect with the ISP before they let you use their network. It could check the MAC address of the nic card and other hardware, make a unique ID of that user, and use that ID for access to the network. I know one ISP where I live that does something like this, when people first sign up, but the reason they did it was people were getting on their network without paying.

  6. Let me be the first to say.. by big+tex · · Score: 1, Funny

    This is a great man.

    --
    I think I need a new sig here.
  7. Just like the USPO by Orien · · Score: 4, Insightful
    This is a dumb statement:
    It's nice to see that major ISP's are making an effort to shut spammers down and kick them off of their networks.
    That's just like having an article about someone at the Patent office who investigates prior art for tech patents and saying "at least the patent office is making an effort". What good does it do if it is still completely and tragically uneffective?
    1. Re:Just like the USPO by RonnyJ · · Score: 1
      What good does it do if it is still completely and tragically uneffective?

      How do you know that it's completely uneffective? Spam might be bad now, but without ISPs shutting spammers down, it could be even worse.

  8. Abuse by Michael+Hunt · · Score: 4, Interesting

    What's needed is every ISP having a consistently responsive abuse department. From what I've seen, everybody except the largest tier-1 ISPs does, with most of them having a substantive presence on abuse and anti-spam lists, and responsive to complaints.

    It's the major .us tier-1 ISPs and most of .cn/.kr that are seriously culpable these days; from what I've seen working in the anti-spam arena these last six months, uu.net/MCI and their peers don't give a shit because, well, nobody's going to refuse to peer with them if they host spammers. Same thing in .cn/.kr, their broadband industries net the larger .us providers large $ over the longer term, and it's not in their best interests to be overly proactive.

    Which is a shame; KISA (.kr equivalent of the FCC/ACA/etc) have got a great early-warning system set up, which shows transit traffic between .kr ASs in real time; we were given a demo at AusCERT 2004. The fact that they won't use this more proactively is depressing.

    About 40% of my current spam corpus is from Korea, the other 60% is about 30/30/40% China, uu.net, and comcast/verizon open proxies.

    1. Re:Abuse by quelrods · · Score: 3, Informative

      I think you have your %'s off a tad. I've consistently seen stats that put spam of US origin at 70% or higher!

      --
      :(){ :|:&};:
    2. Re:Abuse by Daniel+Dvorkin · · Score: 1

      Um, I note that the grandparent poster's home page is at a .au address -- I have no trouble believing that 70%+ (some figures put it at 90%+) of spam worldwide is American in origin, but that Pacific Rim users see a lower percentage of spam originating in America and a higher percentage from other PR locations.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    3. Re:Abuse by Michael+Hunt · · Score: 1

      I'll reiterate at this point that I was talking about the spam that I receive (at my .au address, which wasn't explicitly mentioned.)

      Additionally, whilst the US is sitting around 70%, the majority of US sourced spam is sent through bogus proxies, many of which are in .kr.

    4. Re:Abuse by Antique+Geekmeister · · Score: 1

      Many are in .kr, true. But both the sender and the target audience for most of those spams are in fact in the US, because the senders have the bandwidth to do the sending and because the suckers in the US have more money to pay for the primarily fraudulent or porn spam that makes up so much of it.

  9. Those evil young males by CliffEmAll · · Score: 5, Funny
    Often suspected spammers are clueless of the network abuse they're committing. Maybe a virus took over a customer's PC and secretly started blasting spam, or perhaps a computer-addicted teenager holed up in his bedroom is sending out bulk e-mail, unbeknown to his parents. "I usually ask if there's a young male in the house," Rush says.

    Yes, the typical spammer is a slashdot-reading geek who lives with his parents. ... Reminds me of a thing I read earlier warning parents about signs of their child engaging in dangerous hacking, such as use of Linux or requests for better hardware.

    Just what a geek needs, another reason for parents to be suspicious of his computer usage. Help! I'm a computer addicted teenager who can't stop sending spam, and this is really a cry for help!

    1. Re:Those evil young males by AndroidCat · · Score: 1
      "Help! I'm a computer addicted teenager who can't stop sending spam, and this is really a cry for help!"

      "I guess it's a good thing I didn't tell them about the dirty pr0n!" - Monty Python

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Those evil young males by PhotoBoy · · Score: 2, Informative

      You mean this?

  10. Spamming as a job. by kg_o.O · · Score: 1

    I wonder.. how much does an average spammer earn doing his "job"? Can one make a living by sending spam and not doing any other work? Does anyone know, for example, how much a spammer gets for sending, say, 1000 emails?

    1. Re:Spamming as a job. by AndroidCat · · Score: 2, Funny

      You could always send your resume out in a virus and see what offers you get. That seems to be the new thing. :)

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Spamming as a job. by Spad · · Score: 2, Informative

      Not very much.

      But even assuming they only made 50c per 1000 emails, when you're sending out 10+ million emails per day that's still $5,000+ per day or $1,825,000+ a year. Even at 1c per 1000 mails they still make $36,500+ per year.

    3. Re:Spamming as a job. by OnePound · · Score: 1

      Well, if they graduated from SU: http://www.j-walk.com/other/spamu/alumni.htm

    4. Re:Spamming as a job. by Antique+Geekmeister · · Score: 1

      There's a big difference between "average" and "typical". A few professional spammers make a real business out of it, but they make a real business by selling the spam services, but by selling the spammed products. Spammers are mostly like pyramid scheme or Ponzi scheme victims: the promise of money gets them to invest their time and effort, and only the few people at the top of the business actually make any real money.

  11. Very sensible by SillyWilly · · Score: 4, Funny

    "He only reads the content of an e-mail in extreme cases, he says."

    I've always found it safest to avoid reading email, unless I'm feeling really daring...

    --
    Online & Feelin' Fine
  12. White Hat or Censorship? by iamatlas · · Score: 3, Interesting

    As this article from Satire Wire shows, spam can be a work of art or literature.

    1. Re:White Hat or Censorship? by AndroidCat · · Score: 5, Insightful
      No, spam can be turned into a work of art or literature. But then, so can any other kind of turd.

      Oh, and it's not censorship. He's not a government or publisher. The spammer can find other places to publish his work other than my mailbox. (Just like wannabe painters can't exhibit in my living room.)

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:White Hat or Censorship? by iamatlas · · Score: 3, Funny
      (Just like wannabe painters can't exhibit in my living room.)

      Oh, real nice for you to tell me that now! I was all packed and ready to go.

      And how did I get modded insightful? The site I linked to is SatireWire. I'm beginning to think that some people don't RTFA I link to!

    3. Re:White Hat or Censorship? by AndroidCat · · Score: 1
      I'm beginning to think that some people don't RTFA I link to!

      You must be new here. :P

      --
      One line blog. I hear that they're called Twitters now.
  13. Re:Self interest (What is the Cost?) by G4from128k · · Score: 5, Interesting

    Well they don't do it because they want to help the world. But spam means extra bandwidth, so extra cost.

    I've heard many a system admin complain about the "cost of spam" to their networks, but have not seen a quantification of that cost. Given that spams are so small (the ones that I get average 4kB/spam), the storage costs of saving every spam (at 1$/GB) are about only 4 micro$/spam and the transfer costs (at $3/GB of transfer to pick a Google figure) are only 12 micro$/spam. Even CPU time is cheap. If a $2000 server CPU can handle only 10 messages per second (an underestimate?) then the cost in CPU time is only about 6 micro$/spam. In total, a million spams would cost an ISP maybe $20 or $30 which is far less than the burdened labor cost of one hour of a technician's time.

    What am I missing here? Can any admins tell me the true dollar cost per spam? The only other reason, that I can think of, is that Earthlink fights spam to avoid blacklisting because blacklisting would drive up support costs when a million customers call and ask why their emails aren't getting through.

    --
    Two wrongs don't make a right, but three lefts do.
  14. But at which cost? by c0p0n · · Score: 2, Interesting

    They seem to monitor their user's passwords...

    (Page 2)...One notorious spammer, whom EarthLink helped put behind bars, repeatedly used the names of sports such as baseball and football as his password...

    I thought that passwords SHOULD not be easily unencrypted... or do they monitor them before encryption?

    --

    Your head a splode
    1. Re:But at which cost? by the+unbeliever · · Score: 1

      When I worked there, we had access to all user's passwords (how else could we tell a user what their password was if/when they forgot it?)

      The only passwords we did not have access to were employee accounts, who we *could* have access to, they'd just be notified instantly.

    2. Re:But at which cost? by c0p0n · · Score: 1

      really? and had access to the user's email and read them?

      I work as sysadmin. I have access to the user's email and so but I would NEVER read them, even on extreme cases. Such thing is a crime, here in Spain, and you could go to prison. Only a judge could order something like that. I thought that it was the same elsewhere...

      --

      Your head a splode
    3. Re:But at which cost? by the+unbeliever · · Score: 1

      We could, but we didn't, unless we had user's explicit permission.

      Granted, this was over four years ago. I'm not sure their policies remain the same.

    4. Re:But at which cost? by c0p0n · · Score: 1

      Well, here it's no policy. You cannot read any email not mailed to you, period. Even if the user tells you to do so, it's still illegal.

      --

      Your head a splode
    5. Re:But at which cost? by magefile · · Score: 1

      No need, just reset it. More secure, then users who use the same password on multiple sites (insecure, but it happens) don't need to worry if they've forgotten which password goes with example.com.

  15. decent post.. by sinner0423 · · Score: 4, Funny

    Well, with these kind of statistics, he'll be gainfully employed for years to come.

    While he believes his job is important, Rush doesn't take the role of Internet cop too seriously. But he admits with a chuckle that his favorite computer game at the moment is called City of Heroes.

    I'd sit back all day and play CoH, and tell my boss "Sure, I killed off 800 spammers today. But 30,000 more popped up. Guess I'll be seeing you monday."

    I need me one of those gigs. Anyone offering?

  16. Re:Self interest (What is the Cost?) by Anonymous Coward · · Score: 2, Interesting

    And how many spam messages pass through a serious isp's network? I think you'd be surprised...

    Part of the cost is also due to filtering and to the extra admin costs for implementing enough capacity to hold the extra spam.

  17. Interesting article... by Saint+Aardvark · · Score: 5, Interesting
    ...though it would be interesting to know the volume that comes out of willful spammers (as opposed to zombie pcs) operating from throwaway ISP accounts, as opposed to people with pink contracts and truckloads of bandwidth.

    Incidentally, this bit:

    ...a judge...complained that a man with a criminal record who landed in his courtroom was sending malicious e-mail. The harasser was complaining to the judge about such minutia as the fringe on the American flag hanging in his courtroom.

    was interesting to me. This sounds like the oft-repeated assertion that a US flag with a fringe in a courtroom means that you're under Admiralty law, not the law of the United States, and that anyone who appears before that court has lost most of their rights. Of course, They don't want you to know this...or that England still owns the US, or that there is a subtle yet vitally important difference between the United States and the United States of America that means you are 0wn3d by the government...

    I tell you, there are worlds upon worlds of free entertainment out there on the Internet.

    1. Re:Interesting article... by Animats · · Score: 2
      There's a real admiralty law problem, and it revolves around civil forfeiture, which some law enforcement agencies interpret as a license to steal. Forfeiture law derives from admiralty law, and was intended to apply to ships, which, for historical reasons, are considered legal entities of a kind. Under Reagan, forfeiture proceedings were expanded to the "War on Drugs", and a whole multibillion forfeiture industry was created. It's not limited to drugs any more. Forfeiture now crops up in many non-drug cases.

      The ACLU and the Cato Institute are both fighting this. When you find both of those organizations on the same side, you know something bad is going on.

      But the flag fringe issue is bogus.

    2. Re:Interesting article... by radish · · Score: 1

      Wow...some people really read a lot into the US/UK tax treaty :-) Still I learned some history (like the fact that George III was briefly also king of France)...but really...do people believe this junk?

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    3. Re:Interesting article... by Saint+Aardvark · · Score: 1

      Forfeiture -- absolutely. I've read a little bit about that, and good gog a'mighty, there's some really scary stuff going on down there.

    4. Re:Interesting article... by Saint+Aardvark · · Score: 1
      Better believe they believe it. This bit of American politics absolutely fascinates me, so I've managed to learn a bit about it. Some links:
      • Militia of Montana (MOM) -- one of the better known Militia/Patriot groups
      • Genesis Communications -- Internet radio station that carries a lot of very paranoid people. Sometimes they've got a point, sometimes they're off the deep end (IMHO)
      • Alex Jones -- Gotta check him out. Listen to his show, and watch for the Darth Vader theme. Highly amusing; he sponsored a showing of They Live! a while back as an introduction to how They rule the world
      • David Icke -- British. Shape-shifting lizards rule the world and are performing rape and blood sacrifice behind closed doors. Absolutely incredible.
      • Texe Marrs -- Texas fundamentalist preacher (who, it just so happens, I interviewed a few years back) who believes that Satan pretty much owns the IRS, the UN, and every other government around

      That's enough to get you started...if you're not gibbering on the floor when you finish reading, you'll be fine. :-)

    5. Re:Interesting article... by radish · · Score: 1

      Ahh yes David Icke - our own personal little nutjob. He used to be a fairly respected sports guy on TV and stuff, then he lost it. It's always funny when there's an election and he runs for parliament.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  18. Re:Self interest (What is the Cost?) by Detritus · · Score: 3, Insightful

    You are neglecting the admin time and cost of keeping the server running. Monitoring it for problems, keeping the software up-to-date, making configuration changes, keeping it backed up, documenting the configuration so that disaster recovery is relatively painless and quick.

    --
    My hovercraft is full of eels
  19. Re:Self interest (What is the Cost?) by afd8856 · · Score: 2, Insightful

    Most viruses go over 40 kb and can go to about 200 kb (that's what I get). Most annoying are the mailer daemon failures that I get for viruses that I did not (or anybody else from my domain) send.

    --
    I'll do the stupid thing first and then you shy people follow...
  20. Re:Self interest (What is the Cost?) by 4nd3r5 · · Score: 4, Insightful

    I'm no sysadmin or anything.

    But if it's 30 $ per day, it's 10k per year.

    Furthermore, you have to spend time and energy sorting the mail. This is, I've heard, quite expensive in CPU time.

    The best filters catch 99.9% of spam and only make 1 mistake in a thousand. (I don't even think that they are that good).

    1000 employees get 5 mails a day for a year, that's 1.8 million mails; that's 1800 mails per year that go down the drain. I'm not sure what that costs, but some of them are prolly quite expensive.

    This is not absolute facts nor close, but my point is that the price of spam is more than the price of receiving spam.

    --
    spelling is for people who doens't know better...
  21. Re:Self interest (What is the Cost?) by Tim+C · · Score: 3, Insightful

    All of which has to be performed whether the machine is handling spam or not, unless you're laying on extra hardware to take the extra load caused by the spam...

  22. Re:First Post! by Anonymous Coward · · Score: 2, Informative

    Presumably you have a Gmail account,
    and do not object to Google's policies

    But many of us will not send mail to gmail.com ...

    Problem 1: Gmail is nearly immortal

    Google offers 1 gig of storage, which is many times the storage offered by Yahoo or Hotmail, or other Internet service providers that we know about. The powerful searching encourages account holders to never delete anything. It takes three clicks to put a message into the trash, and more effort to delete this message. It's much easier to "archive" the message, or just leave it in the inbox and let the powerful searching keep track of it. Google admits that even deleted messages will remain on their system, and may also be accessible internally at Google, for an indefinite period of time.

    Google has been spinning their original position in press interviews, and with an informal page described as "a few words about privacy and Gmail." When we see fresh material from Google, we check the modification date at the bottom of the terms-of-use page and privacy page for Gmail. If these dates are still April 6 and April 8, we know that nothing has changed. Google can modify these pages too, any way they want and whenever they want, unilaterally. But at least these two pages carry slightly more legal weight than other pages, because Google should attempt to notify users of significant changes in these formal policies.

    A new California law, the Online Privacy Protection Act, went into effect on July 1, 2004. Google changed their main privacy policy that same day because the previous version sidestepped important issues and might have been illegal. For the first time in Google's history, the language in their new policy makes it clear that they will be pooling all the information they collect on you from all of their various services. Moreover, they may keep this information indefinitely, and give this information to whomever they wish. All that's required is for Google to "have a good faith belief that access, preservation or disclosure of such information is reasonably necessary to protect the rights, property or safety of Google, its users or the public." Google, you may recall, already believes that as a corporation they are utterly incapable of bad faith. Their corporate motto is "Don't be evil," and they even made sure that the Securities and Exchange Commission got this message in Google's IPO filing.

    Google's policies are essentially no different than the policies of Microsoft, Yahoo, Alexa and Amazon. However, these others have been spelling out their nasty policies in detail for years now. By way of contrast, we've had email from indignant Google fans who defended Google by using the old privacy language -- but while doing so they arrived at exactly the wrong interpretation of Google's actual position! Now those emails will stop, because Google's position is clear at last. It's amazing how a vague privacy policy, a minimalist browser interface, and an unconventional corporate culture have convinced so many that Google is different on issues that matter.

    After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. This means that a subpoena instead of a warrant is all that's needed to force Google to produce a copy. Other countries may even lack this basic protection, and Google's databases are distributed all over the world. Since the Patriot Act was passed, it's unclear whether this ECPA protection is worth much anymore in the U.S., or whether it even applies to email that originates from non-citizens in other countries.

    Google's relationships with government officials in all of the dozens of countries where they operate are a mystery, because Google never makes any statements about this. But here's a clue: Google uses the term "governmental request" three times on their terms-of-use page and once on their privacy page. Google's language means that al

  23. Re:Self interest (What is the Cost?) by GolfBoy · · Score: 3, Informative

    The 'cost of spam' is not the cost of spam filters, extra storage, etc. The cost of spam is the cost to the end user of having to figure out which mail is real and which is spam.

    Let's assume it takes a user only 1 second to determine if a piece of mail is spam, and deal with it, and let's assume the average user's time is worth $20 per hour. A million spams then cost the users:

    $5555 = 1 second * 1 million / 3600 seconds in an hour * $20

    You're right, the ISPs are scared of being blacklisted. But they also view (correctly) keeping spam volume down as part of the service they sell. I know I have given up on some ISPs because of spam volume.

  24. Re:Self interest (What is the Cost?) by Saint+Aardvark · · Score: 5, Interesting
    Okay, here's a quantification of that cost.

    I used to work at a small ISP -- let's say 5000 customers. We were getting lots of complaints about spam, so we decided to put in better spam filtering. That required a bigger server. Then the mail server went down for half an hour because of the volume of incoming spam, and there was suddenly a big rush on getting the new server up and running.

    The server was the cheap part: let's say $2000 (all figures Canadian) for the box, rackmount, hard drives, yadda blah. Thank God for Free software, because FreeBSD and SpamAssassin saved our asses. It took me, conservatively, three full days to set up and get it more or less right; I was doing a lot of learning on the job, and the regular sysadmin was away.

    Now, don't forget that we were down for half an hour. This was from roughly 9am to 9:30am on that day, so that's a busy fucking time for us. There were tons of calls and only three people to handle them; fortunately, I was pressed into service trying to fix things, and wasn't on the phones. We probably lost a couple customers then, but most people were pretty understanding, especially when they were told it was fuckwad spammers who were causing the problem.

    Complaints were a huge deal, both before and after the filtering was put in place; I was dealing with most of them, because I was doing abuse duties, and it wasn't fun. Complaints before the new server was installed went, "Why am I getting all this spam? Why can't you stop it?" Complaints afterward went, "Why am I still getting all this spam? Why isn't your filtering working? What do you mean, I have to set up my mail program to do more work?" (We set the threshold rather high, thinking that customers could use filtering in their mail client to set their own tolerance level. Ha! It is to laugh. Ever tried filtering on random headers in Outlook Express 5.0?)

    Plus, there was maintenance of the server and software; upgrades were never fun; false positives happened and were dealt with; and now, my sources tell me, they've graduated to buying dual-fucking-xeon processors in order to handle spam filtering. Fuck me!

    But hey, we were after a dollar cost, and I did get sidetracked. We already said $2k for the server. Three days of my time, $400 (deal!). Half an hour when everything in the company came to a halt because no one could send mail or do anything but answer the phones: $500, and that's probably very conservative. Two customers' worth of lost revenue for a year: say another $500. Spam complaints before took, oh, probably a good five solid days of my time: $650. Afterward was probably the same, so another $650. I know of at least one customer we lost afterward when the spam filtering wasn't the magic bullet I kept trying to tell them didn't exist, so $250. Bandwidth for all the spam we were accepting but kept from reaching the customers: let's say $50, for a nice round total of $5000.

    Now this is very, very rough back-of-the-envelope calculations for a small dialup ISP I no longer work at; the managers there could probably tell you more about lost good will and so on. More importantly, it doesn't tell you about ongoing costs; that's just a snapshot from when I worked there. But that was $5000 spent by an ISP that was going down the tubes (true story), just to keep up (barely) with a denial-of-service attack that was slowly grinding us into the floor. I can't even imagine what it's like for AOL or Hotmail. Nor will we ever know what that time and effort and money might have done if it wasn't being spent on spam.

    Goddamn fuckwad spammers piss me off.

  25. Spam spam spam. by Uplore · · Score: 0, Offtopic

    We've heard it all before. Spam fills our inboxes day after day. It is manageable if you have a 2 meg inbox, but take pity on those with boxes around the 1 gig mark. Of course I'm talking about GMail. Ps. I will trade karma for this link.

    Noooo, Don't click Me!
    --
    I couldn't think of a sig.
  26. Re:Self interest (What is the Cost?) by 6ULDV8 · · Score: 2, Insightful

    Upwards of 80% of our network traffic is mail. Of that, 70 - 80% of that is inbound spam, trojans and viruses. If we could eliminate them entirely from outside our network, we wouldn't require so much bandwidth and bandwidth is a major portion of our fixed operating costs. Office space is cheap compared to bandwidth.

    It's not just the total number of received messages that affect cost. Delivery rate causes problems with network availability. Because of distributed attacks and mail bombs, we have to be able to scale well above our average consumption or risk losing connectivity. I don't mind losing a single service nearly as much as I mind losing a network.

    You want a dollar figure? It depends on the incident. No two spams are exactly the same. Your figure of $1 per GB is misleading because it assumes that the traffic is distributed over an entire billing cycle. What happens if that 1GB is delivered over a period of 1 minute? Ever seen a clogged pipe?

    We spend most of our time building the next generation of services to combat misuse of our resources so that our clients can get that occasional letter from Grandma.

    --
    Pull my finger for my public key.
  27. WTF? Stolen credit cards? by khasim · · Score: 1

    Okay, shouldn't Earthlink have the phone number in their records?

    So, Earthlink finds a spammer using a stolen credit card. Wouldn't they send the phone number and the credit card info to the FBI? Wouldn't the FBI trace that phone number to a physical location and arrest the spammer for fraud?

    1. Re:WTF? Stolen credit cards? by WebCrapper · · Score: 1

      Actually, 2 years ago - when I was there, the accounts were inact'd for fraud as soon as something was found out of the ordinary. They typically tried to mail the address to try to get money back, but normally couldn't get a response (wonder why...). Reporting the crime was put onto the original owner of the credit card - which is how we typically found out about the fraud. Other times, when a user was connecting from several different POP's at a time (like 20 or so), the account was flagged and someone would look at it. If the logs showed all sorts of access, and such - we nailed the account.

      Users that found fraudulent charges were told to contact their credit card company to report it - since we couldn't do it on their behalf. If it's big enough, we took snapshots of the account in our DB, grep the logs for the ANI info (sometimes we couldn't get this), lookup generic usage logs and package it all up and send it to the CC company. Sometimes we did this on court orders too.

      Also, tracing is a thing of the past. Technically speaking - law enforcement knows where the other phone is from right when it rings since the phone company puts that information right in front of the ring notification. This was technically created for the 911 system in the US, but has proved useful in other situations. The consumer version - caller ID has to wait to figure out if the customer has blocked the information from public use - thus the info not showing up until the second ring. If you really wanted to test this you could use the code for Caller ID block and call 911 - they'll still tell you who you are and your location. But I wouldn't try it because they'll send a nice policeman over to explain the proper uses of the system and he may even be nice enough to fine you.

    2. Re:WTF? Stolen credit cards? by Antique+Geekmeister · · Score: 1

      Not without a subpoena from law enforcement. As soon as they start calling law enforcement themselves, they lose "Common Carrier" status, which helps protect them from being responsible for other content they've failed to block. Also, following such a case all the way through the courts can be extremely expensive, especially when the Direct Marketing Association steps up to advise the court or help fund the spammer's defense. It's usually just not worth the legal expense to an ISP that could use the same $100,000 following up even a small court case to buy a whole rack full of new servers for spam handling.

  28. Job security? :) by khasim · · Score: 2, Insightful

    "What good does it do if it is still completely and tragically uneffective?"

    Gotta agree with you there. Particularly at an ISP.

    If you KNOW your actions are ineffective, wouldn't you re-evaluate your approach and look for more effective actions?

    Say ...... like limiting outbound email traffic on all new accounts. New accounts that hit your ceiling will be flagged for you to investigate, yet you will still be limiting the spam they can send and being a nice ISP.

    From the article: "Yet canceling a spammer's account doesn't always solve the problem. Serial spammers who have been kicked off the EarthLink network once will often jump back on, creating as many as four or five fraudulent accounts per day using stolen credit cards."

    So if you limit new accounts to 1 email every 10 seconds (that's some fast typing), and put a ceiling of 200 emails a day, you'd quickly be able to spot the spammers. Yet those "four or five fraudulent accounts per day" would only be sending 1,000 spam messages a day.
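
The new-account limits proposed in the comment above (one message per 10 seconds, 200 per day, flag whoever hits the ceiling), replayed over constructed traffic. This is an added example, not part of the thread; the class, the account names and the traffic are assumptions, and it only covers mail submitted through the ISP's own mail server.

```python
"""New-account outbound throttle: 1 message / 10 s, 200 / day, flag on ceiling."""
from collections import defaultdict, deque

MIN_INTERVAL = 10       # seconds between accepted messages (figure from the comment)
DAILY_CEILING = 200     # accepted messages per rolling 24 hours (figure from the comment)
DAY = 24 * 3600


class NewAccountThrottle:
    def __init__(self):
        self.accepted = defaultdict(deque)   # account -> times of accepted messages
        self.flagged = set()                 # accounts queued for the abuse desk

    def submit(self, account, t):
        """Decide on one submission attempt at time t (seconds)."""
        sent = self.accepted[account]
        # Forget messages that have aged out of the rolling 24-hour window.
        while sent and t - sent[0] >= DAY:
            sent.popleft()
        if len(sent) >= DAILY_CEILING:
            self.flagged.add(account)        # hit the ceiling: investigate
            return "defer-ceiling"
        if sent and t - sent[-1] < MIN_INTERVAL:
            return "defer-too-fast"          # slowed down, but not yet suspicious
        sent.append(t)
        return "accept"


def constructed_traffic():
    """Constructed sample: one ordinary new customer and five bulk senders."""
    events = []
    # An ordinary user: 12 messages, five minutes apart.
    for i in range(12):
        events.append((i * 300, "new-user-17"))
    # Five hypothetical fraudulent accounts, each trying one message per
    # second for an hour.
    for n in range(1, 6):
        for t in range(3600):
            events.append((t, f"fraud-{n}"))
    events.sort()
    return events


def simulate():
    throttle = NewAccountThrottle()
    accepted = defaultdict(int)
    for t, account in constructed_traffic():
        if throttle.submit(account, t) == "accept":
            accepted[account] += 1
    return dict(accepted), sorted(throttle.flagged)


if __name__ == "__main__":
    counts, flagged = simulate()
    for account, n in sorted(counts.items()):
        print(f"{account:12s} accepted={n}")
    print("flagged for investigation:", flagged)
```

Each bulk account is cut off at 200 messages about 33 minutes in, so the five of them together get 1,000 messages out, and all five land in the investigation queue while the ordinary user is untouched.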

    1. Re:Job security? :) by Schmucky+The+Cat · · Score: 1

      Major spammers don't send from the ISP's mail server. Implementing throttling won't affect them a bit.

  29. Their not really serious by slashname3 · · Score: 2, Informative

    The ISP's are not really serious about fighting spam. It does not cost them that much and they are probably making money due to spam. So the only incentive they have to do anything about it is when the level of spamming gets to the point they are about to be blacklisted then they take action.

    If they were really serious about curbing spam they would implement greylisting and greet_pause features in their MTAs. Both of these would block 99% of the spam being sent. The remaining spammers would then be much easier to track down since they would have to be running full blown MTAs which could then be blocked.

    So why don't they do this? Because it does not make them any money and would cost them a little money to implement and maintain such features.

    Ultimately the only way to eliminate spam is to make it unprofitable to the spammer. One option that I have never seen discussed is to track down the idiots that actually buy from spam and take their machines away and sterilize them so they don't reproduce.

    1. Re:Their not really serious by PurpleFloyd · · Score: 1
      How do you think that spam doesn't cost ISPs money? If you think about the numbers for a moment, it's obvious that spam chews up lots and lots of bandwidth and server resources. For example: take a small local ISP, with 5000 customers. On average, each user gets 20 spams/day, with each spam being about 10k each. This works out to 1 gigabyte of spam every day, with fairly conservative numbers. Of course, large ISPs will be hit harder, and could easily see tens or hundreds of gigabytes of spam per day. Bandwidth isn't cheap, and spammers use every bit they can get their hands on.

      Of course, an ISP might make some money from "pink contracts," which are contracts, sold at a high price, that exempt the spammer from the normal terms of service and ensure immunity from customer complaints. However, it's only a small minority of ISPs that would even consider doing business with a spammer in this way; most ISPs, even aside from ethical concerns, couldn't afford to have mail from their servers or IPs filtered out. It's only ISPs that cater exclusively to spammers and massive providers like uu.net (that no one in their right mind would filter) that can afford to work with spammers.

      As for your solutions, both involve some loss that may preclude its implementation by ISPs. Greylisting assumes that a legit mailserver will always resend a failed message, which may result in said message disappearing into the ether; implementing a greet_pause means that legitimate users sending large volumes of mail are inconvenienced and does little to hinder spammers, who can simply CC/BCC several people in each message. There's no perfect, one-shot solution to spam. You can basically choose two of three ideal features for a filter: fast, accurate, and effective.

      --

      That's it. I'm no longer part of Team Sanity.
    2. Re:Their not really serious by slashname3 · · Score: 1

      I did not say that spam does not cost ISPs money, I said that it does not cost them that much.

      First let's look at the "bandwidth" cost. ISPs have purchased up front the bandwidth they are providing to their customers. The ISPs are going to be paying for this bandwidth regardless of how much spam is sent over it. It is in effect a cost of doing business. ISPs would not reduce their available bandwidth tomorrow if somehow spam went away. And if the ISPs really saw this as costing them money you can bet they would find effective ways to block spam so they could reduce costs. Obviously ISPs don't see spam as costing them that much so they don't do anything about it.

      Of course the other option is that the ISPs are making money off the spammers. If that is the case then they don't want to do anything to interrupt that revenue stream. It is either one way or the other.

      A proper MTA WILL resend messages. That has been a staple of message servers since almost the beginning of email. If a MTA does not resend the message then it is not operating correctly or per RFC. And if greylisting was widely implemented by all ISPs you can bet that any non-compliant MTAs would quickly be upgraded to bring them into compliance. The greet-pause process simply delays the completion of handshake between MTAs for a very short period of time. I think such a delay for large volume senders of email would have little impact. A little inconvenience to block spam is what is going to have to happen. And I don't understand your statement about spammers using CC/BCC for several people to get past greet-pause. Most spammers do not use compliant MTA programs. They simply run down a list and send email out without even waiting for the reply from the receiving MTA. Greet-pause works because the spammer does not even look at the reply messages of the MTA they are sending to. They dump and run as many messages as they can. By inserting a delay in the hand shake a non-compliant MTA will send responses to messages that have not been sent yet. The receiving MTA looks at this and drops the connection since it is receiving data from the sender in an incorrect sequence. This is similar to the way greylisting works. A real MTA WILL resend a message when given a 451 error. A bogus MTA typically won't since the spammer is more interested in dumping and pumping as many messages as possible and won't take the time or resources needed to queue and resend messages that failed the first time.

      Greylisting and greet-pause are just two tools of many that should be implemented. A layered defense is what is needed. Spamassassin with bayes and surbl do an excellent job of tagging spam that gets through greylisting and greet-pause. Actively tracking spammers back to the source and blocking those sites as well as tracking down the vendor that is advertising via spam. Impose heavy fines on such vendors directly and the spammers will lose their customers. Ultimately that is the way to get rid of spam. Take away the money and there is no reason to send millions of messages that most people don't want.

      Of course I still think we need to take away the computers of people that buy via spam messages and sterilize them to keep them from reproducing.
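
The greet-pause and greylisting behaviour argued over in the two comments above, as a small receiving-side decision model replayed over constructed connection records. This is an added example, not part of the thread and not any MTA's own code; the timing constants, class names, decision labels and sample addresses are assumptions.

```python
"""Greet-pause plus greylisting, replayed over constructed SMTP attempts."""
from dataclasses import dataclass

GREET_PAUSE = 5.0         # assumed: seconds the server stays silent before greeting
GREYLIST_DELAY = 300      # assumed: minimum seconds before a retry is accepted
RETRY_WINDOW = 4 * 3600   # assumed: a later retry starts over as a new triplet


@dataclass(frozen=True)
class Attempt:
    t: float                  # connection time, seconds from start of trace
    client_ip: str
    mail_from: str
    rcpt_to: str
    first_client_byte: float  # seconds after connect when the client first sent data


class Receiver:
    def __init__(self):
        self.first_seen = {}    # triplet -> time of first tempfailed attempt
        self.known_good = set() # triplets that retried correctly at least once

    def handle(self, a):
        # Greet-pause: a client that sends commands before the greeting is
        # not following the handshake, so the connection is dropped.
        if a.first_client_byte < GREET_PAUSE:
            return "DROP_EARLY_TALKER"
        triplet = (a.client_ip, a.mail_from.lower(), a.rcpt_to.lower())
        if triplet in self.known_good:
            return "ACCEPT"
        first = self.first_seen.get(triplet)
        # Greylisting: an unknown triplet (or one whose retry came far too
        # late) is temporarily refused and its first-seen time recorded.
        if first is None or a.t - first > RETRY_WINDOW:
            self.first_seen[triplet] = a.t
            return "TEMPFAIL_451"
        # A retry that arrives before the delay has passed is refused again.
        if a.t - first < GREYLIST_DELAY:
            return "TEMPFAIL_451"
        # A sender that queued the message and came back later is accepted.
        self.known_good.add(triplet)
        del self.first_seen[triplet]
        return "ACCEPT"


# Constructed trace. Addresses use documentation IP ranges and example domains.
TRACE = [
    # Queueing MTA: waits for the greeting, retries too early, then on time.
    Attempt(0, "192.0.2.10", "alice@example.org", "bob@example.net", 5.3),
    # Bulk sender that talks immediately without reading the greeting.
    Attempt(30, "203.0.113.7", "promo@example.com", "bob@example.net", 0.1),
    Attempt(31, "203.0.113.7", "promo@example.com", "carol@example.net", 0.1),
    # Sender that waits for the greeting but never retries after the 451.
    Attempt(60, "198.51.100.4", "news@example.com", "bob@example.net", 5.1),
    Attempt(120, "192.0.2.10", "alice@example.org", "bob@example.net", 5.2),
    Attempt(900, "192.0.2.10", "alice@example.org", "bob@example.net", 5.2),
    # Later mail on the same triplet passes without delay.
    Attempt(4000, "192.0.2.10", "Alice@example.org", "bob@example.net", 5.2),
]


def replay(trace):
    """Return the receiver's decision for each attempt, in order."""
    receiver = Receiver()
    return [receiver.handle(a) for a in trace]


def delivered_by_sender(trace):
    """Count accepted messages per client IP."""
    counts = {a.client_ip: 0 for a in trace}
    for a, decision in zip(trace, replay(trace)):
        if decision == "ACCEPT":
            counts[a.client_ip] += 1
    return counts


if __name__ == "__main__":
    for a, d in zip(TRACE, replay(TRACE)):
        print(f"t={a.t:>6} {a.client_ip:13s} -> {d}")
    print(delivered_by_sender(TRACE))
```

The sender at 198.51.100.4 shows the loss case raised earlier in the thread: it behaves correctly during the handshake, but because it never retries after the 451, its message is never delivered.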

  30. Which I had to do. by khasim · · Score: 1

    Running GroupWise at work. I had to dedicate a machine to running Guinevere and SpamAssassin and McAfee anti-virus.

    And I have to make sure it is patched.

    And I had to adjust the email server's threads (default set to either 2 or 4) for handling incoming email (increased to 50).

    And tuning of SpamAssassin.

  31. Re:Self interest (What is the Cost?) by budgenator · · Score: 1

    Typical, one person asks for cost, meaning marginal cost (how much more does one email cost) and the answer given is average cost (total expenses divided by the total number). If a network's traffic is 1 million an hour, and they spend $1K to process it, then each message has an average cost of .001; assume that the traffic is 80% spam and that is then eliminated, then the costs become .005 per message because the overhead expenses don't change much because they still need the capacity to meet peak demands.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  32. Re:Welcome to the Global Economy. by Elbow+Macaroni · · Score: 2, Insightful

    They don't make any money, give me a break. Basing a business on just advertising is pretty difficult. I've seen some articles about spammers who claim to make a bunch of money and meanwhile they live in a trailerpark somewhere. Spammers just make money off the idiots who hire them to send out spam. They are just con artists.

    --
    -------------------------------------
    Technically, we are beyond survival.
  33. memory lane by enilnomi · · Score: 4, Insightful

    Fun article for me. 25 years ago or so, I was the original "cable cop" in Michigan, USA (the job title was "system auditor"). This was before it was illegal to "steal" cable services, and the overall thrust of my work was to build a case for legislators.

    About 50% of my time was indoors, pulling street-by-street printouts off our Tandem system and cleaning up/verifying account info by going back to original install paperwork. The rest of my time was spent climbing poles, verifying hookups and disconnecting the "non-subscribers." After a year of that, we had enough info to deliver numbers to the statehouse: 4% of all cable viewers weren't paying us for the service. That was enough for the legislators, and cable theft became a mid-range misdemeanor.

    So then I started going after the midnight installers offering people "free HBO forever" at the low low price of $100 (or whatever). That was kinda fun...several times I was just hours behind these guys, removing service drops while the resident stood by watching, moaning eulogies for their recently departed 100 bucks.

    I'm surprised that more ISPs don't have employees like the guy in TFA (or perhaps I'm surprised that we don't hear more about them)...losses due to spam are real, no? [In the case of cable, the "losses" were 99% paper; there was no extra drain on bandwidth, no guarantee these folks would have been paying us otherwise, and no real loss on the converters they were using (our collections folks did just fine charging 4X the cost for unreturned equipment). The only true "loss" was in tech-time, for the rare hookup that caused interference on a distribution line or radiated enough signal to breach FCC rules.]

    Is the reason for this apparent lack of interest on the part of ISPs similar to that of the credit card companies during the early online days? Rather than appear inept at providing decent system integrity (easily spoofed card numbers, pitiful account verification, etc.), fraud and abuse were handled quietly, with costs taken off the bottom line. Or is the apparent less-than-vigorous investigation of spammers just part of the "?" step in the profit! formula...where bandwidth lost = cost of investigatory personnel, so screw the inconvenience to customers?

    --
    education is no substitute for intelligence
    1. Re:memory lane by Anonymous Coward · · Score: 0

      Most small to medium ISPs don't have the role of the abusedesk, instead it is handled by overworked sysadmins or helpdesk staff, these businesses don't see the need for spending a wage or two to fight abuses (I am talking about spam, phishing, network scanners, etc.) since, like pointed out in another comment, most of the associated costs come from overtime which they don't pay anyway, or maybe they see it but decide they can't afford it. I agree that SPAM costs real money to ISPs in terms of extra sizing of servers, increased complexity of systems (it is easier to run postfix than postfix + spamassassin + amavis, although I agree it is not that hard) and employee overtime (more complaints to the helpdesk, abuse complaints to investigate, SMTP servers struggling with the extra load, which lead to technical problems), but again, except for the extra HW and bandwidth, about 80% of the cost (rough estimate) goes on labour.
      A European sysadmin.

  34. Re:Self interest (What is the Cost?) by Sandman1971 · · Score: 1

    Working as a sysadmin for a national ISP, I can tell you the cost of spam is not in the storage. Doubling the amount of MTAs that you have to handle spam is a big cost. Purchasing Ironports to cut down on spam is a big cost. Buying all the associated software and licenses (cluster software, SAN storage licenses, anti-spam licenses, etc...) is a big cost. Adding backup solutions for these new servers is an additional cost. And paying the sysadmins to administer those systems is a big cost. When the ISP receives hundreds of millions of emails daily, and 70% of it is spam, the associated needed infrastructure is nothing but a huge cost. Your numbers are also way off. 20-30$ for a million spam? Hell, it costs the helpdesk about 10$ per call, for when customers are complaining that their mail is slow, or they can't send mail cuz the MTAs are peaked. And that's just from the helpdesk perspective. Not to mention running an abuse team, which is nothing but a cost.

    --
    It's better to burn out than to fade away
  35. Passwords? by jnguy · · Score: 3, Insightful

    Rush mentions that in one case he realized that the suspect was using a sports password scheme, does that mean that these people working at the ISPs can view our passwords? I happen to use maybe a set of 6 different passwords, but if someone can get one of them, they can access many things that are password protected for me. It's unreasonable to have a different password for every net logon you have, but I always thought that passwords were hashed so that even the system admin in most cases can't read them.

    1. Re:Passwords? by Anonymous Coward · · Score: 1, Informative

      I work for an ISP, and we keep a separate database with passwords in the office (i.e. not on our servers). the passwords are indeed hashed on our servers. people simply forget their passwords too much. bear in mind that we do not allow users to change their own password.

    2. Re:Passwords? by evslin · · Score: 2, Informative

      Earthlink's accounting database (Midas) allows all the agents a clear view of account passwords. Unless the QA guidelines have changed since I worked there, the password is acceptable as confirmation that the person calling in is actually the account holder and is allowed to make changes or obtain information about the account in question. And I believe that's the main reason why. There's also secret words and the last four digits of credit card information, but there were plenty of times where the person I talked to wouldn't have that information for one reason or another. (Set the secret word 2 years ago, wife has the credit card, etc.)

    3. Re:Passwords? by Antique+Geekmeister · · Score: 3, Informative

      At Earthlink, absolutely. Earthlink's commitment to user security is absolutely non-existent. It's easier for them to manage with un-encrypted passwords: it's much faster and cheaper in tech time to tell someone their old password on the phone, or give it to the nice FBI man who asks for it, than to have to deal with encrypted passwords and reset passwords for people and send them the *new* password safely. Earthlink will take ease of management over genuine security any day: that kind of behavior is built into the WISE management guidelines they follow, although after all the complaints about the Scientology management techniques they don't call them WISE anymore. If you think I'm kidding, look into the background of Sky Dayton and their original CTO, who jumped out of a building on L. Ron Hubbard's birthday when he went back to college.

    4. Re:Passwords? by jnguy · · Score: 1

      Is it clearly stated when you sign up for an earthlink account that your password will be in clear view of earthlink agents? I think it's quite a security risk, especially if people aren't aware of the fact that anyone with access to Midas can view it. Thanks for the reply.

    5. Re:Passwords? by Anonymous Coward · · Score: 0

      Owwwww.
      No, it is -not- unreasonable to have a different password for every login.
      People can and do mine your passwords. Random eavesdroppers can also find them out; most logins occur over plain text, which means -anyone- who cares to can read it, really.
      In general, -everyone- can read your passwords. Yes, the admin at the end of the system might not be able to from a database, but in transit? Absolutely legible.
      If you want any measure of security, -never- reuse a password. Barring that, never re-use a password for a non-throwaway account. It's a pain, sure...but you just do -not- have any security otherwise.

      Rule #1 of password security is "NEVER REUSE PASSWORDS."

    6. Re:Passwords? by jnguy · · Score: 1

      SSL?

    7. Re:Passwords? by evslin · · Score: 1

      I actually went and looked at the service agreement for the first time just now. Just by skimming through, I did not see anything that clearly states that agents have access to your password, however I found this little nugget:

      Usernames, passwords, email addresses and IP addresses are EarthLink's property and EarthLink may alter or replace them at any time.

      So they could probably claim ownership over your password (as it exists within Midas, not over the password itself) and could justify allowing employees clear access.

      More importantly, however, only customer service agents are granted access to billing information, and all activity (even just viewing the credit card number) is logged in the system. That to me is more important than who sees my password.

    8. Re:Passwords? by Phroggy · · Score: 0

      Oh shut up about Earthlink and Scientology. I worked at Earthlink for over a year, and the only thing I ever heard about Scientology was from crazy psycho customers - people like yourself.

      Storing passwords plaintext isn't insecure if nobody who isn't supposed to can get to those plaintext passwords, and it makes tech support a HELL of a lot easier. If you don't understand why, you've never worked in tech support.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    9. Re:Passwords? by Phroggy · · Score: 1

      SSL?

      If the server supports it. Most don't.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    10. Re:Passwords? by Phroggy · · Score: 2, Informative

      Rush mentions that in one case he realized that the suspect was using a sports password scheme, does that mean that these people working at the ISPs can view our passwords?

      It depends entirely upon the ISP, but yes, at most large ISPs, employees can view your password. It makes tech support MUCH easier when dealing with stupid people. If this bothers you, call your ISP and ask them, and if they don't encrypt their passwords, switch to an ISP that does.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    11. Re:Passwords? by Antique+Geekmeister · · Score: 1

      You didn't see it because they papered over the L. Ron Hubbard quotes on their WISE management brochures when they started successfully buying other ISP's. Remember those weekly reports on all employees every Thursday, and how resources only went to people pushing salable products rather than people warning in advance about a disaster in the offing? Straight L. Ron Hubbard management policy, as taught by WISE. Storing passwords in plaintext is *always* insecure. It means that every one in the company who can access passwords, by hook or by crook, can access all of them in plain text and use them or sell them. It's not necessary in any modern software system, and it's an incredibly bad idea unless you want your employees (especially managers) to be able to access anyone else's resources at whim. You want to trust Earthlink's co-founder Reed Slatkin, who got busted for running a pyramid scheme, with your mother's and cousin's email passwords that they probably foolishly use for their checking accounts and credit cards, and which can be stolen and sold off by any disgruntled employee or anyone who can pierce Earthlink's only modest database security? I don't think so. Friend, I've done tech support in various ways for several decades. Yes, it makes your tech support job easier to reset the password to whatever somebody had in their scattered email clients but can't be bothered to remember or reset. But it's still stupid.

    12. Re:Passwords? by ecartz · · Score: 1

      Even if the passwords are encrypted with a one way hash, you can still figure them out. Anyone who deals with passwords frequently will learn the hashes in their system for a few common passwords (e.g. password, admin, etc.). If you have reason to believe that a particular password is being used, you can easily enough check by hashing it out and comparing (or just try to login with it).

      This is not nearly as simple as reading a clear text password but still quite possible.

    13. Re:Passwords? by versus · · Score: 1

      Have you ever heard of salt for DES or MD5 passwords?

      --
      Brain is my second favorite organ.
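The point argued in the last two replies above (unsalted hashes of common passwords can be recognised on sight, and salting is the answer), worked through as an added example that is not part of the thread. The account names and the candidate list are constructed, and PBKDF2-HMAC-SHA256 from the Python standard library is used here as the salted scheme in place of the DES or MD5 crypt formats the reply mentions.

```python
import hashlib
import hmac
import os

# Constructed list of "passwords an admin has seen too often".
COMMON = ["password", "admin", "baseball", "football"]


def unsalted_md5(password: str) -> str:
    """Unsalted hash: the same password always produces the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def recognise_unsalted(stored_hash: str, candidates=COMMON):
    """Return the common password whose unsalted hash equals stored_hash, else None.

    This is the weakness described above: one precomputed table works for
    every account in the database at once.
    """
    table = {unsalted_md5(c): c for c in candidates}
    return table.get(stored_hash)


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    """Salted, deliberately slow hash. Returns the record to store."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Two constructed accounts that picked the same password."""
    users = ("alice", "bob")
    unsalted = {u: unsalted_md5("baseball") for u in users}
    salted = {u: hash_password("baseball") for u in users}
    return {
        # Identical rows reveal that both users share a password.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        # A table of common-password hashes names the password directly.
        "unsalted_recognised": recognise_unsalted(unsalted["alice"]),
        # With per-account salts the stored digests differ.
        "salted_identical": salted["alice"][2] == salted["bob"][2],
        # Login still works, and a wrong guess is rejected.
        "salted_verifies": verify_password("baseball", salted["alice"]),
        "wrong_rejected": not verify_password("football", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A salt does not stop someone who holds the record from testing one specific guess against one account; it removes the shared lookup table, and the iteration count makes each guess expensive.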
  36. Not censorship. by evslin · · Score: 0

    The First Amendment guarantees you protection of your right to free speech from encroachment by the U.S. government. It does not guarantee you the right to a venue or an audience. If a major ISP (or even a local ISP, for that matter) wants to prevent you from sending material they don't like using their equipment, that's not censorship - that's their right.

  37. Earthlink by CaptainZapp · · Score: 2, Informative
    Maybe one should note that Earth Link was founded by Sky Dayton, a long time Scientologist.

    Now Zapp, you may ask: "What has that to do with anything?"

    If you really don't know what staunch defenders of free speech the Scientology[tm] "Church" is you might find some interesting reading at this link.

    If you want to dig deeper then Xenu can guide you.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

    1. Re:Earthlink by Anonymous Coward · · Score: 0

      Don't forget that Brian Wanger, their chief sys-admin, got caught on alt.religion.scientology threatening critics of Scientology with confidential materials from Scientology's "auditing". The Scientologists hook you up to a lie detector called an "e-meter" and put you through hundreds if not thousands of hours of "auditing", writing down any crimes you've done in this or past lives, and use the material against you to blackmail you into shutting up about them if you ever threaten to sue them or expose them.

      The Scientologists are the worst spammers in history, and probably the worst Usenet message cancellers: check out http://www.xenu.net for a history and verifiable data on how bad they are.

    2. Re:Earthlink by Phroggy · · Score: 2, Insightful

      Now Zapp, you may ask: "What has that to do with anything?"

      Precisely. I worked at Earthlink for over a year, and the only time I heard anybody mention anything related to Scientology while I worked there was a couple of crazy nutball customers.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  38. Re:Self interest (What is the Cost?) by Anonymous Coward · · Score: 0

    I run my own mail server, so I see traffic before and after filtering. I receive, on average, one spam every eight minutes personally. Given ~130,000 users, your "million spams == $20-$30 cost" would accumulate on an hourly basis.

  39. OH. MY. *FUCKING* GOD. by Anonymous Coward · · Score: 0

    OH. MY. *FuCkInG* GOD. Is this true?

  40. Re:Self interest (What is the Cost?) by LoadWB · · Score: 4, Insightful

    Several years back the local ISP for which I worked had a spammer force us to take our mail server down because his advertising bomb went off in our spool drive and completely filled it. It took a number of hours to manually clean it up, sift through logs to find and block the offender, and bring the server back on-line. Ask our business clients how much not having email available for several hours cost them. Just for illustration, that email was also only about 3k in size, but once it multiplied in the queue it consumed all 2GB of the spool.

    More recently, the local ISP for which I often do admin work had to build three new incoming mail servers and purchase spam and virus filter software for each machine at the rate of at least $6000 ea. plus subscription. Without these machines, user mail spools were filling up with spam and viruses; the older the account the worse off it was. Ask these folks how much it costs.

    I have seen spam perform the equivalent of DoS floods: causing servers to crash, filling up T1s, causing CPU loads on older but otherwise working machines to hit 98%, and more. I host a domain which sees 28,000 spams per week on average. We employ RBLs in our fight against spam, as well as blocking a number of countries known for delivering nothing legitimate to our servers.

    We see the shit come from all directions. In one night I observed a spam run against a hosted domain attempt to deliver 5,821 messages -- all forensically identical -- in less than 100 seconds from roughly 15 sources.

    Why should it be the burden of the ISP to provide extra bandwidth, CPU processing power, memory, and storage space just to accommodate what is clearly a theft of services? The dual 66MHz SPARC system that was running an ISP back in 1995 is still running, and in a normal environment handles incoming and outgoing email just fine. Without the introduction of a front-end server, or replacement altogether (money spent no matter how you look at it) the machine often ran at 75% load or more during times when historically it ran no more than 30%.

    The attitude of "well, it's going to happen anyway, might as well deal with it" is garbage. Adopting such an attitude in the face of a hurricane, the forces of which cannot be stopped, is fully acceptable. But in the face of spam which should not exist in the first place, this attitude is comparable to rolling over and taking it right up the rectum rather than dealing with the source.

  41. The characteristics of spam. by khasim · · Score: 1

    The major spammers have agreements with the ISP's so they can use major amounts of bandwidth.

    I'm guessing the article was about dial-up accounts because I don't see anyone opening 4 or 5 dsl accounts a day.

    So, the easy solution is to block port 25 from your dial up accounts. Or, at the very least, limit the out-bound connections on port 25 from those accounts. Either by number of connections (limit the number of spam messages sent) or by a fixed number of destinations (a lot of spam can be sent to a few addresses).

    Earthlink should also be blocking port 25 access from dial-ups to known open relays.
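One way to express the limits proposed in the comment above (a cap on direct port-25 connections and a cap on distinct destinations per dial-up account), as an added example that is not part of the thread. The flow-record layout, the thresholds, the relay address and the account names are all assumptions, and the sample flows are constructed.

```python
from collections import defaultdict, deque

# Assumed values for illustration; none of these come from the thread.
ISP_RELAYS = {"192.0.2.25"}  # the ISP's own SMTP relay (documentation address)
WINDOW = 3600                # sliding window in seconds
MAX_CONNS = 20               # direct port-25 connections allowed per window
MAX_DESTS = 5                # distinct direct port-25 destinations per window


def evaluate(flows, window=WINDOW, max_conns=MAX_CONNS, max_dests=MAX_DESTS):
    """Flag accounts whose direct outbound SMTP exceeds either limit.

    flows: iterable of (ts, account, dst_ip, dst_port), sorted by ts.
    Returns {account: (reason, ts_of_first_violation)}.
    """
    recent = defaultdict(deque)  # account -> deque of (ts, dst_ip) inside the window
    flagged = {}
    for ts, account, dst_ip, dst_port in flows:
        # Only direct-to-MX traffic counts; mail through the ISP relay is exempt.
        if dst_port != 25 or dst_ip in ISP_RELAYS:
            continue
        q = recent[account]
        q.append((ts, dst_ip))
        # Drop connections that have aged out of the sliding window.
        while q and q[0][0] <= ts - window:
            q.popleft()
        if account in flagged:
            continue
        if len(q) > max_conns:
            flagged[account] = ("connections", ts)
        elif len({dst for _, dst in q}) > max_dests:
            flagged[account] = ("destinations", ts)
    return flagged


def sample_flows():
    """Constructed flow records for three dial-up accounts."""
    flows = []
    # dialup-a: telecommuter who talks to one employer mail server, plus the relay.
    flows += [(100, "dialup-a", "198.51.100.10", 25),
              (2000, "dialup-a", "198.51.100.10", 25)]
    flows += [(t, "dialup-a", "192.0.2.25", 25) for t in (50, 60, 70)]
    # dialup-b: fans out to 30 different mail hosts within five minutes.
    flows += [(300 + 10 * i, "dialup-b", "203.0.113.%d" % (i + 1), 25)
              for i in range(30)]
    # dialup-c: 25 connections to just two hosts.
    flows += [(500 + 5 * i, "dialup-c", "198.51.100.%d" % (20 + i % 2), 25)
              for i in range(25)]
    # Web traffic is not counted.
    flows += [(t, "dialup-b", "203.0.113.80", 80) for t in range(0, 100, 10)]
    return sorted(flows)


if __name__ == "__main__":
    for account, (reason, ts) in sorted(evaluate(sample_flows()).items()):
        print(account, reason, ts)
```

The telecommuter pattern stays under both limits, which is the case an outright port-25 block would break.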

    1. Re:The characteristics of spam. by cdrguru · · Score: 2, Insightful
      I don't understand why all the focus on ISPs. You call the phone company (any phone company) and say you want a data T1 connection. They give it to you and give you some IP addresses. They do not process email for you, they do not give you web space and they do not respond to complaints about what you are doing with your T1. If you are on a "burstable" plan, you need to hold your aggregate usage within those limits, but if you have a "full T1" and are paying for non-burstable service you can send 1.5Mb a second every second. Period. No service agreement, no TOS, no "abuse department", nothing.

      Now, I suppose it is possible to get a T1 from Earthlink or some other ISP. Then, they may provide some services aside from just the data connection. And then there would be some TOS, some kind of service agreement and so on. But if you buy your service from the phone company I have never seen such a service agreement.

      I expect this holds true for any sort of data connection from a telecommunications provider that is not providing any additional services, which means if you call SBC to get an OC48 they aren't going to ask you what you plan to do with it.

    2. Re:The characteristics of spam. by Erik+Hollensbe · · Score: 1

      ISP accounts are cheap.

      Now, there are legitimate uses for these ports (I use a commercial ISP myself and I like to send mail through my TLS-enabled SMTP server).

      There's a solution to this problem that's much easier than any major tech solution.

      Block anything at the border in and out destined for ports under 1024, except tcp/ftp, tcp/http-ssl and tcp/http. If the user wants other ports open, they can CALL and elevate their account - no web-based ordering.

      This solves a few problems:

      1) Open relays cannot be used, at least without a tunnel.

      2) Lovely phone tech like ANI gives an awesome paper trail for fraudulent accounts.

      3) Detecting and stopping is a heck of a lot easier if your group is severely minimized - I might have missed one or two, but most users will never touch anything else under 1024 outside the ISP's network. Heck, with an aggressive, well-configured HTTP proxy none of these ports except for SSL (for privacy concerns) are even required to be outside.

      4) E-Mail Viruses that talk straight to MX's will be stopped in their tracks or be forced to communicate with proxies, which can be shut down easily and defeat the whole advantage of using vulnerable hosts.

      Yeah, it's draconian, but in reality it only affects a small percentage of users and those users are generally more aware of the consequences - grandma who likes to "surf the web" will probably never even notice.

  42. Re:Self interest (What is the Cost?) by Saint+Aardvark · · Score: 1
    But in the face of spam which should not exist in the first place, this attitude is comparable to rolling over and taking it right up the rectum rather than dealing with the source.

    Brother! TESTIFY! Woo! :-) With you 100%.

  43. Insecure passwords at ISP by solprovider · · Score: 1

    One notorious spammer, whom EarthLink helped put behind bars, repeatedly used the names of sports such as baseball and football as his password.

    Did anyone else see the implications of that? It says, "Earthlink admins know your password." Every security system I know stores passwords using a one-way hash. It is supposed to be impossible for an administrator to discover the password from the stored data. But this admin just admitted that he is checking the cleartext passwords. Make certain you use a different password for every account.

    Now the spammers know to use random passwords, so the admins have one less method to catch them. Did he kill every account that used "baseball" as the password? Probably not a bad idea, but not practical for a commercial ISP.

    ---
    My Earthlink account only started getting obvious spam in the last year. The Subjects are variations on one of these:
    "ORIGINAL SOFTWARES TO ALL COUNTRIES"
    "V1AGRA, C1ALIS, XANAAX, VAL1UM AT CHEAPEST PRICE"
    Is there any spam filter that would not catch them just by looking at the Subject? I receive only four each week, so maybe Earthlink is not doing too poorly.

    --
    I spend my life entertaining my brain.
    1. Re:Insecure passwords at ISP by mOdQuArK! · · Score: 1
      "Earthlink admins know your password."

      Or they used a password-checking program to see if the spammer had used a weak password. (Not that there's much difference in the result.)

    2. Re:Insecure passwords at ISP by maskedbishounen · · Score: 1

      Or they were monitoring packets. Most ISPs still don't offer secure logins. It should be fairly trivial to catch his password from their end, or even to find out what accounts he's using, for that matter.

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    3. Re:Insecure passwords at ISP by WebCrapper · · Score: 1

      Even though I loved MindSpring - this came from them. Their Customer DB stored passwords in plain text. Earthlink's shitty (by design standards) Customer DB only showed the last 2 chars (if I remember right). They had to reset passwords if someone forgot them. And yes, they are using a hybrid version of the MindSpring DB, so passwords are still plain text.

      While I understand the implications of storing passwords in plain text, it wasn't that big of an issue. All views on a customer's account - including the Credit Card (also stored in plain text while I was there - MAY still be) are logged. BTW, during my 4 years with the company, I never heard a rep using stolen CC's - so it either didn't happen or anyone that tried and got caught was fired immediately. Heck - I can only remember the managers in our Customer Service dept really complaining about 1 customer who found out the reps knew his password. The manager saying "the reps don't care because they have their own account, with their own email" pretty much shut the guy up.

      The employees may know your password, but they have their own accounts, so there is no reason for them to really care. The other thing is, support reps knowing the passwords really helped when we needed to clear out a mailbox that was full. We could get into the mailbox with a rep-created tool and kill messages based on size or subject/sender (we couldn't read the messages). Without this, we would have had to tell the customer to log into webmail and kill their own messages, which your average customer would get confused about since they think just reading it will delete it from the server.

      As for your comment on how spammers should create random passwords - don't have to. The accounts are assigned random passwords at setup (sometimes sales associates are nice and change them immediately for you). So this idiot spammer just decided that he would change them himself.

      AND... in reply to your signature - one word: Brightmaild

    4. Re:Insecure passwords at ISP by solprovider · · Score: 1

      Thanks for the info. I agree completely, but the privacy nuts usually get upset when they hear that someone needs to be trusted with other people's information.

      As a consultant, I tell companies that they have to trust their admins. If they do not, then the company will have problems making IT an asset rather than an obstacle. I built an incredible single-signon system, and all passwords are encrypted for storage, but an admin could modify the program to save the unencrypted passwords. I wonder that companies do not require admins to be bonded, especially admins that have access to confidential customer information.

      ---
      What is "Brightmaild"? Google knew nothing.

      You might be referring to my remarks about spam through Earthlink rather than my sig. There is a Brightmail server-based spam-blocker, but I doubt I can convince Earthlink to implement it.

      For the domains I host, I am trying to use SpamAssassin with SendMail. I may have set it up wrong, but it is not marking messages redirected using virtusertable.

      --
      I spend my life entertaining my brain.
    5. Re:Insecure passwords at ISP by WebCrapper · · Score: 1

      Actually, Earthlink currently uses Brightmail for its "Spam Blocker".

      To me, it's overpriced, but if they're making money from it - so be it.

  44. Yawn... by Rick+Zeman · · Score: 1

    I'd really like to see real investigators in action like those of Spamhaus (for example) who have entire biographies and histories of spammers. Guys who are geeks, not paper pushers (so to speak).

    This was pedantic in the extreme.

  45. Because T-1's cost more and require physical loc. by khasim · · Score: 3, Informative

    "I don't understand why all the focus on ISPs."

    Because, unless you have a peering agreement, you are connecting to an ISP.

    "You call the phone company (any phone company) and say you want a data T1 connection."

    Okay. That's a chunk of money and it has a physical connection point that is recorded. It is completely different than a dial-up account.

    "They give it to you and give you some IP addresses."

    From their block. That means that they are your upstream provider. If someone complains about your behaviour, they will complain to your upstream provider who will then cut you off (or not).

    "They do not process email for you, they do not give you web space and they do not respond to complaints about what you are doing with your T1."

    They do respond to complaints about what you are doing.

    "I expect this holds true for any sort of data connection from a telecommunications provider that is not providing any additional services, which means if you call SBC to get an OC48 they aren't going to ask you what you plan to do with it."

    That is correct. They will not. But you ARE plugged into THEIR network.

    One end of the line terminates at your location, the other end terminates at the phone company's location.

    So, traffic coming from your line goes through the phone company's network. And people can see who licensed that IP range to you. They will complain to your upstream provider.

  46. Re: Blocking port 25 by Helen+O'Boyle · · Score: 1
    Earthlink already blocks dialup access to port 25's other than their own SMTP servers. They started sometime in the early 2000's. How do I know this? It's a sad, sad story.

    I was a consultant who telecommuted to work, from the other corner of the country. I used Earthlink dialup to get to the Net. Among other things, I had my outgoing mail server set to the company's mail server, so that my headers would appear identical to those of any other person in the company.

    One weekend, our corporate admin updated the email server software on our servers. Now, be aware that the server apparently had some issues (wouldn't accept fragmented packets as a security workaround to a packet filter that didn't properly analyze them, for example) that resulted in my connectivity to it (from the other corner of the country) not always being flawless.

    I soon realized that that morning, after this server update, I could no longer send email to customers through the company's server. Note that the only change to the infrastructure I used to send mail, that I was aware of at the time, was the corporate server update. It seemed logical to me, knowing what types of tradeoffs were considered acceptable by that admin, that the network had been further broken in some way as a security measure. So, I called the guy and said, "Hey, I can't send mail through the company's server any more. What's the deal with that new software?". He said he didn't know and would look into it.

    Hours of puzzling later, he got around to monitoring the network to see if the packets I said I was sending were getting to the server in the first place. Answer: no.

    The Earthlink fsckers had picked the same weekend to enable port 25 blocking.

    Yeah, the admin loved me from that point on. Not.

    The workaround, since it was not acceptable to have my email going out with Earthlink headers and too many personal cohorts knew my Earthlink address for me to want to change providers: Admin set up a second mail server listening on a random port number, and told me the port number.

  47. Re:Because T-1's cost more and require physical lo by cdrguru · · Score: 1
    From their block. That means that they are your upstream provider. If someone complains about your behaviour, they will complain to your upstream provider who will then cut you off (or not).

    Not. Not ever. We went through a long period where some folks at SpamCop decided we were spammers because of a subscribe-to newsletter that they didn't remember or appreciate. So, we were spammers. Lots of complaints were received here. Lots of complaints were sent to McLeod USA (who we had a T1 from at the time). Some news:

    • McLeod USA does not take abuse email about T1 customers. They bit-bucket it.
    • We never received any contact from McLeod USA. We were copied on some emails to "abuse@mcleodusa.com" and tried to follow up on them with McLeod USA. They denied ever receiving the email.
    • We are now with a different T1 provider. No service agreement, no TOS, nothing.

    Spammers that use dial-up connections and cable modems can have problems with their ISP. You can complain to an upstream provider all you want and it is extremely unlikely to get anywhere. I suppose you might try complaining to Level3 about a spammer saying that SBC or McLeodUSA was unresponsive, but I don't think that is going to get anywhere either. Our current T1 cannot be terminated for any "TOS violation" - there is no TOS. This might not be true in all cases, but it is true in enough that spammers can operate with impunity over the network.

    Until there is a clear definition that spam is illegal - which today there is not - spam will continue and network services will continue to be provided to spammers. If spam were somehow declared to be illegal - such as defining any email with a commercial message to be illegal - then network providers would be forced to do something. As it is today, there is really nothing that can be done about the origins of most spam.

    Can you turn off the guy that decides to buy a list of 28 million email addresses and send email from their cable modem? Absolutely! Does this change the amount of spam that you and I get each day? No way.

  48. Re:Self interest (What is the Cost?) by dodobh · · Score: 1

    Google Archive in HTML
    Powerpoint format
    Steve Atkins presentation to the ASRG: Google cache as HTML

    Same as powerpoint

    A graph of a random minute at a large email provider.
    Each point is one host.

    Those numbers are all very very real.

    --
    I can throw myself at the ground, and miss.
  49. Yeah, right. by Pig+Hogger · · Score: 1
    Earthlink going after spammers?

    Gimme a break.

    Here are 570 000 spams that CAME FROM earthlink...

    1. Re:Yeah, right. by elemental23 · · Score: 1

      Do yourself a favor and learn how to read mail headers, as you obviously have no idea what you're talking about.

      Please note that searching n.a.n-a.sightings for just "earthlink" will also give you a ton of examples of spam that was sent to Earthlink accounts, spam that was sent using a forged Earthlink return address, and completely non-Earthlink-related spam sightings posted by people with Earthlink e-mail addresses.

      For example, please actually look at the first result of your search and explain to me how it came from Earthlink.

      --
      I like my women like my coffee... pale and bitter.
  50. Re:Self interest (What is the Cost?) by Erik+Hollensbe · · Score: 1

    I'm going to make some assumptions here, but your solution was part of the problem.

    Anyone who uses SA for high-volume traffic knows that it is slow and a hog - perl, while being useful, is not known for its speed.

    DNSBL + Caching DNS server (such as dnscache, but if you're an ISP you probably have better solutions) will block a heckuva lot of email. Solutions like messagewall take this even further - filtering on headers, attachment extensions, content types and virus checking *while the message is in transit*, did I mention it's lightning fast?

    In other words, keeping your guaranteed spam from SA solves a *lot* of your processing issues. I've been a target of "spam bombs" in the past and watched my mail server shoot from < 1 load to > 100 in minutes (I also use FreeBSD). Installing and properly configuring messagewall dropped that processing with a similar bomb kept it around 3. messagewall is truly an amazing piece of software and works with any SMTP server (although you'll get much better performance if your server supports pipelining).

    Probably my only beef with messagewall is that it will not work with multiple interfaces on the same system accepting SMTP - I imagine this is fairly rare, but certainly not out of the question. However, a properly configured sendmail installation can do almost everything that messagewall can at the cost of speed and possibly security (messagewall instantly chroots itself and also does all of its DNS async - it's also very, very small).

    The result is that only negatives make it to the content analyzer, that being SA, which after relieving itself of all that processing time analyzing content becomes a much more trivial task. If you're using white/blacklists, moving your databases off to a remote server will also save you load on that server.

    Keep in mind that if you're using qmail, running the perl version of qmail-scanner slows things down considerably. I believe magic-smtpd will do what you want, and I've also heard of a C replacement for qmail-scanner. The perl version is remarkably flexible however, and ditching it is definitely something to think about long and hard before committing to.

    Not criticism of your work, I'm sure you are well-qualified and justified in your actions, but there's a lot of mail software out there and most of it sucks, so learning about new, good tools can be hard.

  51. Re:Self interest (What is the Cost?) by Saint+Aardvark · · Score: 1
    DNSBL + Caching DNS server -- Check. Once we got Sendmail to stop checking for IPv6 addresses, everything was fine. We were doing this long before we had SA.

    As far as Perl and speed goes, from what I remember it wasn't much of an issue; we used the spamd c-based daemon to pass email to just-the-one copy of SpamAssassin, and it wasn't that bad. There was a bit of delay, but it was nothing like before when we were using Procmail. One bad entry in Procmail could bring the whole thing grinding to a halt.

    We considered using SA as a milter (I'm pretty sure that option is/was available), but for reasons I can't remember decided against it. The sysadmin was a fan of Sendmail, so switching wasn't an option (though I hear qmail is being considered now).

    One thing I wanted to do but didn't have the time for was to set up DCC; I think that would've helped significantly.

    If you're using white/blacklists, moving your databases off to a remote server will also save you load on that server. -- We had nothing that sophisticated; the priority right then was to get spam filtering off our customer-facing mail server (and DNS, and POP, and radius...ugh). No whitelists beyond very simple SA stuff, and certainly no individual preferences for SA.

    The result is that only negatives make it to the content analyzer, that being SA, which after relieving itself of all that processing time analyzing content becomes a much more trivial task. -- Absolutely. There's a lot that could have been done better, and no doubt that I made some bad choices (learning, always learning). But, though I bitch and moan, it was better than what we had before.

    Thanks kindly for the compliment and the suggestions...it's always good to have a second opinion.
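An added sketch, not code from either poster or from messagewall, SpamAssassin or Sendmail, of the ordering comments 50 and 51 describe: a cached DNSBL check at connection time, with only unlisted peers reaching the expensive content scan. The zone `dnsbl.example`, the stub resolver, the keyword scanner standing in for a content analyzer and the traffic sample are constructed; the cache ignores DNS TTLs for brevity.

```python
import ipaddress

class CachingDnsbl:
    """DNSBL client with a local answer cache. `resolver` is any callable
    that maps a query name to a list of A records ([] when not listed)."""

    def __init__(self, zone, resolver):
        self.zone = zone
        self.resolver = resolver
        self.cache = {}
        self.lookups = 0  # resolver calls actually made

    def query_name(self, ip):
        # DNSBL convention: reverse the IPv4 octets and append the zone,
        # so 203.0.113.5 becomes 5.113.0.203.<zone>.
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        return ".".join(reversed(octets)) + "." + self.zone

    def listed(self, ip):
        name = self.query_name(ip)
        if name not in self.cache:
            self.lookups += 1
            answers = self.resolver(name)
            # A listed address answers with a record in 127.0.0.0/8.
            self.cache[name] = any(a.startswith("127.") for a in answers)
        return self.cache[name]

def filter_stream(connections, dnsbl, content_scan):
    """Reject listed peers before the message body is scanned; pass the
    rest to content_scan. Returns counters for each outcome."""
    stats = {"rejected_at_connect": 0, "scanned": 0, "flagged": 0, "delivered": 0}
    for peer_ip, body in connections:
        if dnsbl.listed(peer_ip):
            stats["rejected_at_connect"] += 1
            continue
        stats["scanned"] += 1
        if content_scan(body):
            stats["flagged"] += 1
        else:
            stats["delivered"] += 1
    return stats

# Constructed zone data: two listed sources in a documentation range.
ZONE_DATA = {
    "5.113.0.203.dnsbl.example": ["127.0.0.2"],
    "6.113.0.203.dnsbl.example": ["127.0.0.2"],
}

def stub_resolver(name):
    return ZONE_DATA.get(name, [])

def keyword_scan(body):
    # Stand-in for a real content analyzer (assumption for this example).
    return "buy now" in body.lower()

def run_demo():
    # Constructed "spam bomb": 80 messages from two listed peers, plus
    # three messages from unlisted peers.
    burst = [("203.0.113.5", "BUY NOW")] * 40 + [("203.0.113.6", "BUY NOW")] * 40
    normal = [("192.0.2.1", "lunch at noon?"),
              ("192.0.2.2", "BUY NOW cheap pills"),
              ("192.0.2.1", "meeting notes")]
    dnsbl = CachingDnsbl("dnsbl.example", stub_resolver)
    stats = filter_stream(burst + normal, dnsbl, keyword_scan)
    return stats, dnsbl.lookups

if __name__ == "__main__":
    print(run_demo())
```

In this sample 83 connections cost four resolver calls and three content scans.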

  52. You have a point... by Anonymous Coward · · Score: 0

    Cursory research points to this:

    http://www.rickross.com/reference/scientology/history/Scien149.html

    And also this concerning the other fellow (Reed):

    http://www.slatkinfraud.com/elnk.shtml

    Sky Dayton does indeed appear to be a follower of L. Ron, and his homepage still bears the quote mentioned in the article.

  53. Customer Satisfaction vs. ISP Burden by billstewart · · Score: 1
    Why is it the ISP's burden to accommodate this theft of services? Because it's only theft if it's stolen from _somebody_, and as an ISP in a competitive market, you'd rather spend the money to provide better quality services than lose customers to other ISPs, so that means it's stolen from _you_.

    It's also because tracing spammers sufficiently well that you can haul them into court and force them to pay is usually a lot more expensive, has a low probability of success, and if they're in the US where you can prosecute them, it usually just results in an uncollectable judgement against some low-life living in a double-wide trailer.

    The bandwidth doesn't actually cost you much, compared to the legitimate web-surfing traffic of your users. Admin labor costs a lot. Complaint handling costs a lot (assuming you do it well.) Servers themselves are pretty cheap - yes, that 66 MHz Sparcstation can handle the non-spam load, but you can buy yourself a stack of $250 2GHz Celerons to handle most of the crunching labor; your choice as to whether to distribute the load using DNS or make it work in a single Beowulf cluster.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Customer Satisfaction vs. ISP Burden by LoadWB · · Score: 2, Insightful

      "Why is it the ISP's burden to accommodate this theft of services? Because it's only theft if it's stolen from _somebody_, and as an ISP in a competitive market, you'd rather spend the money to provide better quality services than lose customers to other ISPs, so that means it's stolen from _you_. "

      Horseshit. That is along the same lines as the police department telling a hotel manager that he should bullet-proof the glass and walls in his establishment to help with the onslaught of drive-by shootings.

      A stack of $250 2GHz Celerons is still money spent on a problem which should be stopped at the source. Fighting spam and viruses should not become a competitive-edge industry any more than fighting crime should be. The $250 spent on each machine is not advertising which will turn new customers; it is not increasing the features and usefulness of your product which will turn new customers. Instead we are having to purchase bigger and stronger wedges to keep people out who should not be entering in the first place. We have bought the locks, we lock them, and the intruders still try to get in... when does the burden shift?

      In any argument, spam steals resources from the ISP which would normally be allocated for customer use. Even if spam only consumes a little more processing power or bandwidth than normal traffic, it is still an unwanted abuse of our purchased resource. If you look at the situation from the point of those who sell you the bandwidth in the first place, the money you have spent is really not for the bandwidth, or processing power, or storage, or whatever, the money has been spent for the ability to use the full resources. And when that ability has been lessened by incoming garbage, your ability has been reduced, the value of the purchased product has been reduced, and therefore the money you have spent goes down the toilet.

      Next month, tally up all of the time you spend deleting spam and viruses, the amount of bandwidth spam and viruses uses in your pipe, and the cost of your anti-virus/anti-spam software, then call up your provider and tell them that you should not have to pay for xx% of your service because it was not useful data to you.

      Even better is to try that on per-use providers, or telephone systems. While we are at it, the same should be done with pop-up ads, adware, in-page advertisements, etc. etc. etc...

      No wait, call up your ISP and tell them that they should increase your mail box storage space because you get so much spam or viruses.

      Nothing doing. We place too much burden on the end user to buy anti-spam software or services, and too much burden on the ISP to accommodate the massive amounts of garbage data coming into their systems. No. The burden should be on those who are unburdened by this scourge. If adequate punishments can be inflicted upon those who ignore the standard of neighborly etiquette, the problem will begin to disappear.

    2. Re:Customer Satisfaction vs. ISP Burden by billstewart · · Score: 1
      Obviously the world would be a better place if we could just issue AK47s and small thermonuclear devices to spam hunters, instead of wimpy tools like blacklists and Bayesian filters, and make the spammers an offer they can't refuse. However, that's not realistic, and the economics of the world are such that many spammers make money spamming, and wannabe spammers send out lots of spam attempting to make money even if they're not successful, fleeing the country virtually (whether or not you do it physically) is inexpensive enough to arbitrage away the effects of most anti-spam laws, and investigative and legal costs make it usually non-economical for any individual ISP or email recipient to hunt down spammers unless bounties are fairly high. So we're stuck with the little pests.

      So if you're an ISP, and you can't shoot the spammers, the choice is either to

      • spend a lot of resources to do spam filtering on your own machines, hoping to keep your customers relatively happy, or
      • provide really cool tools for your customers to run on their own machines, spending your money on transporting the spam rather than filtering it, and annoying some customers, or
      • don't filter the stuff at all, annoying more customers at a lower cost.
      None of these solutions are very pleasant, but it looks like the first solution is the best choice for most ISPs, annoying as it is. And if you're that hotel manager in the situation you described, you try to get the police to stop drive-by shootings, but you also get yourself some bullet-proof glass so your customers don't get shot in the lobby.
      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  54. You've got a niche business by billstewart · · Score: 1

    If you're in the business of providing people email service, as opposed to generic ISP connectivity services, then yes, spam is a major fraction of your bandwidth. But if you're a connectivity-type ISP, like the traditional dial ISP or a DSL ISP, usually most of your bandwidth is web browsing these days, or P2P file sharing traffic, and email is a much smaller fraction of the total bits. Spam may be 80% of your email, depending on how much you blacklist at the SMTP layer rather than accepting and discarding, and it may be 90% of your complaint traffic, but it's usually not a lot of bits. (Viruses are different, because they can really dog out the network for a while.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  55. Re:Self interest (What is the Cost?) by heybo · · Score: 1
    As the Postmaster I can say you're wrong about the cost. Yes your figures on bandwidth and such are about right BUT you forget the cost of the employees it takes to handle complaints, blocking sites, and research it takes to find the site spamming to block them. About 60% of my time is spent not dealing with normal operation of the servers but dealing with spam issues and I don't do this for free. Since email is a free offering to customers, profits from other services have to pay my wage for dealing with this problem.

    We're a small company and spam costs our company about $3000.00 a month. Bandwidth and storage isn't the cost problem but labor is what costs.

    I know I don't process a million spam complaints in a month so your guess of it costing $20 to $30 a month is WAY off base. Like I said I like to get paid just as anyone else does and this is the true cost of spam. Me sitting here at this workstation trying to keep the bastards out. Besides even if it does only cost 4micro$ per spam it is still THEFT OF SERVICES no matter how you cut it. Spamming is stealing. I'm sure whatever job you work at you don't work for free. Neither do I. Just as in anything the largest cost of something is normally in the labor.

  56. Spam Vigilante by Anonymous Coward · · Score: 0

    If I had the money (I don't), I would pay for a professional hit on a few of the most notorious spammers. I'm not kidding.

    I would pay big money for an experienced and expert hitman, to do the job carefully, patiently and thoroughly.

    Once a couple of the well-known spammers were iced, I think we would see a serious decline in spam.

    I don't feel all vigilante about other, more serious crimes. I don't think violence solves anything. I oppose the death penalty. I know this is an irrational position, but I don't care.

    Does this make me a bad person?

  57. MTA should bounce body free emails by chris_sawtell · · Score: 1

    I'm continually getting empty-body emails. I assume they are testing my address to see if it's alive. _Please_ could ISPs set up the MTAs to bounce empty messages.

    1. Re:MTA should bounce body free emails by Ronny+Cook · · Score: 1
      Most email is accepted or bounced before the message body is available to the receiving ISP. By that point it's too late - the ISP has accepted the email, and the spammer will assume that it's a correct address.

      Aside from which, bouncing email on that basis is against the relevant standards; and many users want to be able to receive such email - many messages are sent solely with a Subject: line and no message text.

  58. How I fought SPAM.... by Anonymous Coward · · Score: 0

    I used to administer mail servers for a large ISP (millions of DSL/broadband connections). SPAM was punishing my servers and I would routinely get paged by my servers at 4am when the spools filled with outbound mail thanks to some sub that attended a MLM seminar somewhere. When I reported these clowns to my own abuse dept, little ever happened. I could produce tons of evidence that positively identified them as the sender, and still little happened. If the user finally had their account terminated, they would often sign up for service again using an alias. I could easily spot this because I was keeping track of their account info as well. (10 different names, same street address, etc).

    Anyway, I got tired of pissing in the wind so I started to fight them in a way that actually worked. I set their modem speeds to less than a 33.6k baud modem. If they called techsupt, nobody could help them because all the management tools showed their connection as CLEAN, good SNR, everything is GREEN... "Did you try rebooting?" "Can you open your network connections and verify the settings?" "thank you call again!"

    Can't wait for wide-spread industry adoption of SPF!

  59. Earthlink SpamBlocking by solprovider · · Score: 1

    I am uncertain Earthlink's SpamBlock works if you POP3 mail. I have it set to the "medium" setting, and have never received a "daily spam report".

    (The "high" setting requires whitelisting everybody, which means giving Earthlink my address book. Even I do not have my address book; I just search for a previous email from somebody and click Reply.)

    Whatever Earthlink is paying for the SpamBlock is too much if it does not do anything.

    --
    I spend my life entertaining my brain.
    1. Re:Earthlink SpamBlocking by WebCrapper · · Score: 1

      Well, last I heard, they are using Brightmail for everyone, but like you said, it sucks. While working for them, I never saw a daily spam report either.

      I do know that their system also worked on a challenge with required response system as well. Meaning you send me an email, their system doesn't recognize you so it sends you one saying "click here if you're real" and the mail goes through. I don't really know if they're still using it.

      Like a lot of technologies Earthlink invests in, I wouldn't touch with a 10 foot pole - including Brightmail. In fact, my start-up has recently adopted the clause that if Earthlink invests in some new technology, we stay away from it.

  60. A clue? (was Re:A yawner) by valmont · · Score: 1

    i've got karma to burn and I'm not guna sit idly by while watching clueless pundits get on their soapboxes and get modded as "insightful".

    Do you have any fscking idea of what you're talking about? Would you care to enlighten me and give us a detailed list of "pro-active" steps they should be taking to prevent spammers from getting accounts in the first place? Did you read the article? Spammers have for years used stolen credit card accounts, fake business fronts to sign-up for connectivity and mail accounts from all pure-play ISPs out there and even, *gasp*, AOL. There's no way an ISP can have any idea of who opened the account and what they're guna do with it, until they start sending spam.

    All ISPs have had their share of trouble with usenet. If you're big, if you're popular, if you're on-top of the flagpole, well yeah, you attract losers and get flack for it, not much you can do about that as an ISP. As a user, you can vote with your feet and go to a smaller ISP. I don't because I need the nationwide dial-up, I travel, and move around. However, the flip-side of being such a con-artist magnet is that you're in a great position to catch the fsckers red-handed, prosecute them and/or stick'em behind bars. Show me one other ISP who's had a better track record at doing this than earthlink. I'm all ears.

    I'm amazed by all the slashdot pundits out there who are so outspoken against [insert whatever name of ISP who's trying to do something different], and seem to know so much about running an ISP. Why don't they offer links to their own ISPs and show us how they do things differently? I'm hardly being sarcastic, if you have the secret to making the internet a better place, then either let's hear it, or show me where to sign-up for an account.

    I've looked at your other posts and I remember hearing about those cleartext password issues in the past. I really hope they've addressed them, thankfully, I don't use those account passwords for anything else. i'm not saying earthlink doesn't have issues they need to deal with. But if you're guna repeatedly get on your soapbox to bash them, try at least to stick to what you YOU KNOW. Who knows, maybe things have changed since they laid you off.

    1. Re:A clue? (was Re:A yawner) by Antique+Geekmeister · · Score: 1

      Ahh. Notice that you didn't address the real point, that what Earthlink is doing is entirely re-active, not pro-active.

      Pro-active technological steps would be monitoring their users' SMTP traffic for excess outgoing traffic, blocking outgoing port 25, running viral scans for viruses over the past six months, blocking incoming SMB and other ports to home machines to reduce script kiddie installation of viruses, and more recently using SPF in their DNS. (OK, they're publishing SPF records: good! But they're not filtering on it yet.)

      Netcom has a much better history of actually catching spammers: Earthlink's recent involvement of prosecution of a child pornographer was *in spite of* their policies, not due to their policies, since the FBI was simply subpoena-ing records which Earthlink only very reluctantly provided. (Understandable reluctance, but it's not like they reported or caught the misbehavior.)

      Other pro-active steps would include refusing to sell "pink" contracts which some professional spammers use to buy up commercial spamming space. Even if the spammers get kicked off for abusing such a pink contract, such contracts are pretty cheap and can easily be used by a professional spammer to send many millions of messages before this spamfighter in the original article can get around to unplugging them. And by buying a set of them at a time, under slightly different names, they can continue to abuse quite a lot of the Earthlink connectivity and fall over to the next set of accounts whenever needed.

      Now, passwords. I suggest you talk to your relatives and less technologically oriented friends and assess how many of them use the same passwords for their email, for their banking, for their web services like Slashdot and Expedia, for their FTP sites, and for a dozen other services. Even if it's only 10% of such users (and I'm sure it's higher, from harsh experience!), that means that the Earthlink accounts people have access to many thousands of bank accounts, not just to email.

      That's a real temptation. Add in the limited security in place in a facility stupid enough to keep such data online for convenience, and you're asking to be hacked by script kiddies. Add in the long history of Scientology's "Guardian Office", now called the "Office of Special Affairs" in breaking into buildings, planting bomb threats to discredit authors, and generally being nasty crooks, and I trust their upper level staff heavily involved in Scientology such as Sky Dayton (president) and Brian Wanger (one of their leading sys-admins) to keep these data safe about as much as I trust a chipmunk not to steal bird seed from the bird feeder in my back yard.

      And friend, my data is not from working from them. It's from talking to their active staff at the sys-admin level, although admittedly my last long talk with any of them was at MacWorld two years ago. Maybe it's changed, but there's frankly no reason to think so: they're still doing those L. Ron Hubbard mandated weekly reports every Thursday, at least last I heard.

    2. Re:A clue? (was Re:A yawner) by valmont · · Score: 1

      okay from some cursory googling around for Brian Wanger, you appear to be referring to gossip that's about 10 years old. As I've said in other posts, could we like, move on? All that gossip even predates earthlink being a publicly traded company. If any of this ever was true you'd bet your @ss this all woulda been cleaned-up real fast prior to going public.

      You do realize that netcom was acquired a long long time ago by mindspring, which merged with earthlink in like, 2000 or something? This kinda makes your whole netcom point rather irrelevant, doesn't it?

      Your whole "pink contract" rant is pure conjecture based on rumors of such practices by pretty-much all ISPs. Would you care to back-up your claims with some substance?

      As far as the proactive steps you started your post with, "blocking outgoing port 25" depends largely on cooperation from the local telco and cable monopolies that own the broadband networks earthlink has to rent from them. it's a crappy issue anyway because then you'll have certain end-users getting all-up in arms against "censorship". It's a damned if you-do damned if you don't situation. I've however recently seen some level of blocking of outgoing port 25 traffic on my home earthlink dsl connection. I didn't dig too deep, I might try it again tonight and report back. But again, it's a very fine line to walk if they do, and i'm not sure i would be too happy about that as a user. I like to connect to certain mail servers outside of verizon/earthlink's networks for troubleshooting purposes.

      As far as monitoring spikes in SMTP traffic, you clearly didn't read the article, as Rush mentioned they do exactly that.

      Blocking inbound SMB/139 should be the responsibility of the user. Again, if you start indiscriminately blocking ports, your usual nerds will get all up in arms. And that's the only technologically realistic way of doing this. earthlink offers a lot of tools to detect spyware and viruses, and discounted deals on integrated AV software, and all their broadband modems come with transparent NAT support for added protection, *and* their site offers comprehensive education to users.

      And again, since I've shown your netcom bit to be irrelevant, you fail to show me ISPs out there who handle these issues better. I'm standing-by with my credit card.

      And again, as I've said in my previous post, we're in agreement about the password issue as I've read about it before, the real question, which you don't seem to have any authority to answer (so please, don't try with yet another "i have no reason to believe that they did" answer), is whether or not they've improved their practices. I've been on the phone with their (very courteous) tech support a couple of times this year, for various account-related issues, and I don't remember ever having to blurt out my account password. I may have been lucky. I don't know.

    3. Re:A clue? (was Re:A yawner) by Antique+Geekmeister · · Score: 1

      According to folks at trade shows, Brian Wanger was still there 4 years ago, still in good management graces. So he's learned to shut up on Usenet since the old threats he made against Dennis Erlich of exposing confidential material from Dennis's confidential "auditing" or confessional material, but that's not startling, especially because his higher ups in the Office of Special Affairs probably had a little talk with him about doing it so publicly, and the cult pulled every publicly identifiable member off the Usenet group since then.

      I was aware Netcom had been bought out: it's not too shocking they wound up with Earthlink, but it's a loss. The ISP's have been going through real feeding frenzies to drive each other out of business and leave only a few sharks active.

      But notice the bait and switch here: nowhere do you say "they don't have password access", you say "you didn't have to blurt out your password". That's not what the password entries are for, the cleartext passwords are so that they read the password to *you* when you lose it. Given that kind of behavior, how tough can it be to psych out the call center people and get them to give you someone else's password? Or for a disgruntled employee to give your password to a friend of theirs, or to sell the list to a cracker, or even to poke around in the accounts of co-workers who also have Earthlink accounts.

      All of this stuff is possible: much of it is even extremely likely given the overall size of their call center staff. The possibility of misuse is exacerbated by the historical behavior of the cult of which several of their top staff are very active members.

      Now, blocking SMB and outgoing port 25: this is fairly trivial at the core routers. It's very difficult to block at the scattered Points of Presence (POP) of other providers around the world, but by doing it as a general policy on their own directly controlled networks, they could vastly encourage the policy worldwide. Plenty of ISP's worldwide do precisely this, but not enough to set it as a default.

      But they're learning.

  61. Re:Self interest (What is the Cost?) by Antique+Geekmeister · · Score: 1

    No, a big chunk of the CPU and network time of mailservers is eaten up by spam, even if you don't try to block. With over half of all email being spam these days, and much of that email bouncing and thus not being directly spam but still resulting from it, it's even worse. For many sys-admins, dealing with the spam when a particular burst of it exceeds any sane threshold they might have predicted for spam takes many hours, if not days, of expensive admin time to clear up. And it keeps happening to small sites that can hardly afford the resources.

  62. Just an idea.. by aztracker1 · · Score: 1

    I know that I am at the bottom of the queue, but something I have a tendency to do, and try to do a few times a week, (about 1 in 100 spam), is take the 5-10 minutes, to tracert to the website they are advertising, and report it to them, their upstream, and their upstream's connection (getting to a backbone level isp)...

    Also, sending an email to every contact on their whois (noting that more and more "hide" their whois, send it to the abuse at the registrar)..

    If everyone did this for just one spam a day, it would make a *huge* difference... Also, if everyone would simply have an auth-relay for their smtp, and implement SPF, that would go a long way too.. then people could actually reject based on spf. then blackhole lists could actually work.

    --
    Michael J. Ryan - tracker1.info