ISP Responsibility in Fight Against Spam

netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as key part of the problem in the long-term fight against spam. Hutzler says: "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"

He seems to miss..

..that nearly all spam emails nowadays aren't sent over open relays but over 0wn3ed i.e. trojaned PCs on high speed (cable, xDSL) connections.

Re:He seems to miss..

[DraKKon]

the ISP I use, DSLExtreme, blocks port 25 for all DSL/Dailup users..

"By default we filter port 25 to only allow outbound email through our mail servers."

You can request to unblock port 25 if you have a static DSL account... an on top of that...

"In addition, we will periodically scan port 25 over your DSL line to make sure your mail server is not an open relay. If we find an open relay on your mail server, the port 25 filter will be reinstated and you will be notified by the contact email address entered above."

If more ISP's were like that.. there wouldn't be as many z0mbi3z...

AOL's spam policy is unreasonable

[ables]

On the surface, AOL looks like the good guys here. However, their draconian spam policy can be as harmful as the span it's trying to prevent.

Here's how it works: AOL receives N complaints calling something spam after users click on the "mark this as spam" button. So AOL looks at the previous link in the received-from chain and blocks that entire network.

Sounds good right? Wrong.

Say Joe User works at my company part-time from home. Instead of another pop account, he has a forwarding address with our company that forwards to his AOL account. Joe gets spam, and reports it to AOL. AOL looks to see who sent it, sees my company in the "received-from" chain, and blocks not only us, but every other company hosted with our ISP. Thousands of legitimate emails now can't get to AOL addresses.

It gets worse. Many people use the "spam" button like the "delete" key to get rid of stuff they just don't want right now. AOL doesn't educate its users to realize that reporting something as spam has real consequences, and so people mark real email they requested as spam just because it's easier than deleting around it.

Our fabulous domain host FutureQuest has had to ban forwarding to AOL addresses as a result. AOL has been completely unreasonable in accepting any responsibility for intelligent spam blocking, and their users and legitimate businesses are suffering.

At least they're trying, but they're far from the good guys here.

Re:The problem

[Zocalo]

Or, to turn that on its head, when your RFC breaking "spamblocker-challenge" doesn't work (because it's an ill thought out hack) would you want to cut your customers off from receiving email from Europe and Asia just so you have less spam to deal with? Further more, despite numerous complaints from both your own customers, people trying to communicate them and the threat of a class action lawsuit, would you continue that practice for more than a month?

If you answered "yes" to those questions, then a career at Verizon is waiting for you, because that is exactly what they are doing. If ISPs are going to take responsibility for blocking spam and the prevention of the creation of BotNets that originate most of it then they need to take more care than these idiots.

Re:AOL doesn't check complaints before banning

[MightyMartian]

We managed to get into AOL's blackbooks after one of our dialup customers (of all things) got a worm that was firing out SPAM at an impressive rate for a 56k modem, and doing it over a four or five hour period. That's what finally tipped the balance and lead us to block port 25 traffic to everything but our mail servers. Any customer wanting to run a mail server has to get permission from us, and it's rightly understood that they will go down before we get into trouble again.

At any rate, once we cleaned up the problem, I emailed AOL and let them know we'd dealt with it and all was good.

If you want to talk about an ISP that was tough to deal with, it's RoadRunner. Somehow we got on their block list. They wouldn't respond to my emails to their abuse address, just a standard email with instructions. Even managed to get someone down in Florida who knew a friend of a friend of mine to call and complain, the technician got me a phone number to their security center in Virginia (or wherever it was), and all I got was a recorded message to email them, and then it hung up without even giving me a chance to leave a message.

I eventually gave up, blocked all RoadRunner addresses going in. Six months later I checked, and we were off the blacklist.