A Day with an ISP Spam Investigator
scumbucket writes "Network World Fusion has an interesting article about an abuse investigator for ISP Earthlink and his job of tracking down spammers. It's nice to see that major ISP's are making an effort to shut spammers down and kick them off of their networks."
Not that interesting really. No specifics, not much technique. He calls offenders, cancels accounts, etc. Phishing is another department. He doesn't take action on pedophiles and refers them to cops.
Where's the beef?
"...all the labours of the ages, all the devotion, all the inspiration, all the noonday brightness..." yada yada
Well, they don't do it because they want to help the world. But spam means extra bandwidth, so extra cost. And maybe customers blame the ISP, so that might mean fewer customers. So it is in the ISP's best interest to do something about spam.
http://www.virtualconcepts.nl/
SCO.com uses Linux
Oh, and it's not censorship. He's not a government or publisher. The spammer can find other places to publish his work other than my mailbox. (Just like wannabe painters can't exhibit in my living room.)
One line blog. I hear that they're called Twitters now.
You are neglecting the admin time and cost of keeping the server running. Monitoring it for problems, keeping the software up-to-date, making configuration changes, keeping it backed up, documenting the configuration so that disaster recovery is relatively painless and quick.
Mea navis aericumbens anguillis abundat
Most viruses go over 40 kb and can go to about 200 kb (that's what I get). Most annoying are the mailer daemon failures that I get for viruses that I (or anybody else from my domain) did not send.
I'll do the stupid thing first and then you shy people follow...
I'm no sysadmin or anything.
But if it's $30 per day, it's 10k per year.
Furthermore, you have to spend time and energy sorting the mail. This is, I've heard, quite expensive in CPU time.
The best filters catch 99.9% of spam and only make 1 mistake in a thousand. (I don't even think that they are that good.)
1000 employees getting 5 mails a day for a year is 1.8 million mails; that's 1800 mails per year that go down the drain. I'm not sure what that costs, but some of them are prolly quite expensive.
These are not absolute facts, nor close, but my point is that the price of spam is more than the price of receiving spam.
spelling is for people who doens't know better...
All of which has to be performed whether the machine is handling spam or not, unless you're laying on extra hardware to take the extra load caused by the spam...
It's official. Most of you are morons.
Upwards of 80% of our network traffic is mail. Of that, 70 - 80% of that is inbound spam, trojans and viruses. If we could eliminate them entirely from outside our network, we wouldn't require so much bandwidth and bandwidth is a major portion of our fixed operating costs. Office space is cheap compared to bandwidth.
It's not just the total number of received messages that affects cost. Delivery rate causes problems with network availability. Because of distributed attacks and mail bombs, we have to be able to scale well above our average consumption or risk losing connectivity. I don't mind losing a single service nearly as much as I mind losing a network.
You want a dollar figure? It depends on the incident. No two spams are exactly the same. Your figure of $1 per GB is misleading because it assumes that the traffic is distributed over an entire billing cycle. What happens if that 1GB is delivered over a period of 1 minute? Ever seen a clogged pipe?
We spend most of our time building the next generation of services to combat misuse of our resources so that our clients can get that occasional letter from Grandma.
Pull my finger for my public key.
"What good does it do if it is still completely and tragically ineffective?"
...... like limiting outbound email traffic on all new accounts. New accounts that hit your ceiling will be flagged for you to investigate, yet you will still be limiting the spam they can send and being a nice ISP.
Gotta agree with you there. Particularly at an ISP.
If you KNOW your actions are ineffective, wouldn't you re-evaluate your approach and look for more effective actions?
Say
From the article: "Yet canceling a spammer's account doesn't always solve the problem. Serial spammers who have been kicked off the EarthLink network once will often jump back on, creating as many as four or five fraudulent accounts per day using stolen credit cards."
So if you limit new accounts to 1 email every 10 seconds (that's some fast typing), and put a ceiling of 200 emails a day, you'd quickly be able to spot the spammers. Yet those "four or five fraudulent accounts per day" would only be sending 1,000 spam messages a day.
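One way to implement the throttle proposed in the post above, as an added example that is not part of the original thread: a per-account outbound limiter enforcing a 10-second spacing and a 200-per-day ceiling, flagging any account that hits the ceiling for an investigator. Class and function names, and the simulated spam run, are constructed for this illustration.

```python
# Added example (not from the article or any poster): outbound mail throttle for
# new accounts using the numbers proposed above. Accounts that reach the daily
# ceiling keep being blocked and are flagged for human review.
from dataclasses import dataclass, field

MIN_INTERVAL_SECONDS = 10       # fastest allowed send rate for a new account
DAILY_CEILING = 200             # hard cap per rolling 24-hour window
WINDOW_SECONDS = 24 * 60 * 60

@dataclass
class AccountState:
    send_times: list = field(default_factory=list)  # timestamps of accepted sends
    flagged: bool = False                            # hit the ceiling; needs review

class OutboundThrottle:
    def __init__(self):
        self.accounts = {}

    def check(self, account: str, now: float) -> str:
        """Return 'accept', 'rate_limited' or 'ceiling' for a send attempt at `now`."""
        st = self.accounts.setdefault(account, AccountState())
        # Forget sends that fell out of the rolling 24-hour window.
        cutoff = now - WINDOW_SECONDS
        st.send_times = [t for t in st.send_times if t > cutoff]
        if st.send_times and now - st.send_times[-1] < MIN_INTERVAL_SECONDS:
            return "rate_limited"        # too soon after the previous message
        if len(st.send_times) >= DAILY_CEILING:
            st.flagged = True            # ceiling reached: queue for investigation
            return "ceiling"
        st.send_times.append(now)
        return "accept"

    def flagged_accounts(self):
        return sorted(a for a, st in self.accounts.items() if st.flagged)

def simulate_spam_run(throttle, account, attempts, start=0.0, spacing=1.0):
    """Constructed spam run: `attempts` sends `spacing` seconds apart.
    Returns how many the throttle actually accepted."""
    accepted = 0
    for i in range(attempts):
        if throttle.check(account, start + i * spacing) == "accept":
            accepted += 1
    return accepted
```

With five fraudulent accounts each attempting 10,000 messages a second apart, the throttle lets through 1,000 in total and flags all five, which matches the arithmetic in the post.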
They don't make any money, give me a break. Basing a business on just advertising is pretty difficult. I've seen some articles about spammers who claim to make a bunch of money and meanwhile they live in a trailer park somewhere. Spammers just make money off the idiots who hire them to send out spam. They are just con artists.
-------------------------------------
Technically, we are beyond survival.
Fun article for me. 25 years ago or so, I was the original "cable cop" in Michigan, USA (the job title was "system auditor"). This was before it was illegal to "steal" cable services, and the overall thrust of my work was to build a case for legislators.
About 50% of my time was indoors, pulling street-by-street printouts off our Tandem system and cleaning up/verifying account info by going back to original install paperwork. The rest of my time was spent climbing poles, verifying hookups and disconnecting the "non-subscribers." After a year of that, we had enough info to deliver numbers to the statehouse: 4% of all cable viewers weren't paying us for the service. That was enough for the legislators, and cable theft became a mid-range misdemeanor.
So then I started going after the midnight installers offering people "free HBO forever" at the low low price of $100 (or whatever). That was kinda fun...several times I was just hours behind these guys, removing service drops while the resident stood by watching, moaning eulogies for their recently departed 100 bucks.
I'm surprised that more ISPs don't have employees like the guy in TFA (or perhaps I'm surprised that we don't hear more about them)...losses due to spam are real, no? [In the case of cable, the "losses" were 99% paper; there was no extra drain on bandwidth, no guarantee these folks would have been paying us otherwise, and no real loss on the converters they were using (our collections folks did just fine charging 4X the cost for unreturned equipment). The only true "loss" was in tech-time, for the rare hookup that caused interference on a distribution line or radiated enough signal to breach FCC rules.]
Is the reason for this apparent lack of interest on the part of ISPs similar to that of the credit card companies during the early online days? Rather than appear inept at providing decent system integrity (easily spoofed card numbers, pitiful account verification, etc.), fraud and abuse were handled quietly, with costs taken off the bottom line. Or is the apparent less-than-vigorous investigation of spammers just part of the "?" step in the profit! formula...where bandwidth lost = cost of investigatory personnel, so screw the inconvenience to customers?
education is no substitute for intelligence
Rush mentions that in one case he realized that the suspect was using a sports password scheme. Does that mean that these people working at the ISPs can view our passwords? I happen to use maybe a set of 6 different passwords, but if someone can get one of them, they can access many things that are password protected for me. It's unreasonable to have a different password for every net logon you have, but I always thought that passwords were hashed so that even the system admin in most cases can't read them.
Several years back the local ISP for which I worked had a spammer force us to take our mail server down because his advertising bomb went off in our spool drive and completely filled it. It took a number of hours to manually clean it up, sift through logs to find and block the offender, and bring the server back on-line. Ask our business clients how much not having email available for several hours cost them. Just for illustration, that email was also only about 3k in size, but once it multiplied in the queue it consumed all 2GB of the spool.
More recently, the local ISP for which I often do admin work had to build three new incoming mail servers and purchase spam and virus filter software for each machine at the rate of at least $6000 ea. plus subscription. Without these machines, user mail spools were filling up with spam and viruses; the older the account the worse off it was. Ask these folks how much it costs.
I have seen spam perform the equivalent of DoS floods: causing servers to crash, filling up T1s, causing CPU loads on older but otherwise working machines to hit 98%, and more. I host a domain which sees 28,000 spams per week on average. We employ RBLs in our fight against spam, as well as blocking a number of countries known for delivering nothing legitimate to our servers.
We see the shit come from all directions. In one night I observed a spam run against a hosted domain attempt to deliver 5,821 messages -- all forensically identical -- in less than 100 seconds from roughly 15 sources.
Why should it be the burden of the ISP to provide extra bandwidth, CPU processing power, memory, and storage space just to accommodate what is clearly a theft of services? The dual 66MHz SPARC system that was running an ISP back in 1995 is still running, and in a normal environment handles incoming and outgoing email just fine. Without the introduction of a front-end server, or replacement altogether (money spent no matter how you look at it), the machine often ran at 75% load or more during times when historically it ran no more than 30%.
The attitude of "well, it's going to happen anyway, might as well deal with it" is garbage. Adopting such an attitude in the face of a hurricane, the forces of which cannot be stopped, is fully acceptable. But in the face of spam which should not exist in the first place, this attitude is comparable to rolling over and taking it right up the rectum rather than dealing with the source.
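Detection logic for the kind of burst the post above describes (thousands of byte-identical messages from a handful of sources in under two minutes), as an added example that is not part of the original post. The log format, thresholds and sample lines are constructed for this illustration; real MTA logs would need their own parse_line().

```python
# Added example (not from the original post): flag message bodies delivered many
# times from several source IPs within a short sliding window. Constructed log
# format: "<epoch> <source_ip> <recipient> <body_digest_prefix>".
from collections import Counter, defaultdict

# Constructed sample: 5821 identical bodies from 15 sources within 99 seconds,
# plus two ordinary one-off messages that must not be flagged.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i * 99 // 5820} 203.0.113.{i % 15 + 1} user{i % 40}@example.net deadbeef01"
     for i in range(5821)]
    + ["1050 198.51.100.7 grandma@example.net 0badc0de02",
       "1090 198.51.100.9 alice@example.net cafef00d03"]
)

def parse_line(line):
    ts, src, rcpt, digest = line.split()
    return int(ts), src, rcpt, digest

def find_bursts(log_text, window=100, min_count=500, min_sources=5):
    """Return {digest: (count, distinct_sources, span_seconds)} for bodies seen at
    least min_count times from at least min_sources IPs inside `window` seconds."""
    by_digest = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, _rcpt, digest = parse_line(line)
        by_digest[digest].append((ts, src))
    bursts = {}
    for digest, events in by_digest.items():
        events.sort()                       # sliding window needs time order
        src_counts = Counter()              # sources currently inside the window
        start, best = 0, None
        for end, (ts, src) in enumerate(events):
            src_counts[src] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old_src = events[start][1]
                src_counts[old_src] -= 1
                if src_counts[old_src] == 0:
                    del src_counts[old_src]
                start += 1
            count = end - start + 1
            if count >= min_count and len(src_counts) >= min_sources:
                if best is None or count > best[0]:
                    best = (count, len(src_counts), ts - events[start][0])
        if best:
            bursts[digest] = best
    return bursts
```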
Now, I suppose it is possible to get a T1 from Earthlink or some other ISP. Then, they may provide some services aside from just the data connection. And then there would be some TOS, some kind of service agreement and so on. But if you buy your service from the phone company I have never seen such a service agreement.
I expect this holds true for any sort of data connection from a telecommunications provider that is not providing any additional services, which means if you call SBC to get an OC48 they aren't going to ask you what you plan to do with it.
I understand what you're saying, but no matter what sort of factors are concerned, it IS true that the majority of spam is coming out of country, and I do believe that America should be the country to clean it up.
everyone is first in line to expect us to fix it.
Don't you think we should, if the problem is coming from us?
Now Zapp, you may ask: "What has that to do with anything?"
Precisely. I worked at Earthlink for over a year, and the only time I heard anybody mention anything related to Scientology while I worked there was a couple of crazy nutball customers.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
"Why is it the ISP's burden to accommodate this theft of services? Because it's only theft if it's stolen from _somebody_, and as an ISP in a competitive market, you'd rather spend the money to provide better quality services than lose customers to other ISPs, so that means it's stolen from _you_. "
Horseshit. That is along the same lines as the police department telling a hotel manager that he should bullet-proof the glass and walls in his establishment to help with the onslaught of drive-by shootings.
A stack of $250 2GHz Celerons is still money spent on a problem which should be stopped at the source. Fighting spam and viruses should not become a competitive-edge industry any more than fighting crime should be. The $250 spent on each machine is not advertising which will turn new customers; it is not increasing the features and usefulness of your product which will turn new customers. Instead we are having to purchase bigger and stronger wedges to keep people out who should not be entering in the first place. We have bought the locks, we lock them, and the intruders still try to get in... when does the burden shift?
In any argument, spam steals resources from the ISP which would normally be allocated for customer use. Even if spam only consumes a little more processing power or bandwidth than normal traffic, it is still an unwanted abuse of our purchased resource. If you look at the situation from the point of view of those who sell you the bandwidth in the first place, the money you have spent is really not for the bandwidth, or processing power, or storage, or whatever; the money has been spent for the ability to use the full resources. And when that ability has been lessened by incoming garbage, your ability has been reduced, the value of the purchased product has been reduced, and therefore the money you have spent goes down the toilet.
Next month, tally up all of the time you spend deleting spam and viruses, the amount of bandwidth spam and viruses uses in your pipe, and the cost of your anti-virus/anti-spam software, then call up your provider and tell them that you should not have to pay for xx% of your service because it was not useful data to you.
Even better is to try that on per-use providers, or telephone systems. While we are at it, the same should be done with pop-up ads, adware, in-page advertisements, etc. etc. etc...
No wait, call up your ISP and tell them that they should increase your mail box storage space because you get so much spam or viruses.
Nothing doing. We place too much burden on the end user to buy anti-spam software or services, and too much burden on the ISP to accommodate the massive amounts of garbage data coming into their systems. No. The burden should be on those who are unburdened by this scourge. If adequate punishments can be inflicted upon those who ignore the standard of neighborly etiquette, the problem will begin to disappear.