ISP Responsibility in Fight Against Spam

netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as key part of the problem in the long-term fight against spam. Hutzler says: "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"

The problem

Is that some of the worst offenders are the biggest. Do you want to cut off your customers from another ISP because the other ISP is an idiot? Maybe, until your own customers get upset because they no longer receive mail from their friends at the other ISP.

Re:The problem

[scooby111]

Thanks. Do you honestly think that any ISP's admin gets to make revenue decisions. If I started shutting off customers because they are inept netadmins, I'll get fired. What good will that do. The only way that it's going to change is if the government makes the ISP liable for spam sent from it's ISP block. When that happens, technologies that can stop the spam cold will finally start to seem cost effective and rational. I suspect that many small ISP's will simply go out of business if it happens. In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?

Re:The problem

[MightyMartian]

Look, you have your IP block, and it's your damn responsibility to make sure that it isn't being abused. The problem is there are too many revenue hungry ISPs out there who refuse to take any damn responsibility for the crap being puked out of their networks, and when guys like me, suffering joe jobs and distributed dictionary attacks try to contact you guys, we either get no response, or just "we're merely the upstream provider, you'll have to talk to them".

Quite frankly, I think IANNA and the other IP provisioning authorities should start threatening guys like you with loss of your subnets if you don't start policing the traffic. Guys like you have cost my company thousands of dollars as we try to protect our customers (and in some cases our equipment) from attacks coming from lazy, greedy networks filled with simpering yes men and bloated CEOs and CIOs. Your attitude is typical of the irresponsible twits who have allowed this poison to screw things up.

Re:The problem

[scooby111]

I agree, it is my responsibility. Do you have any idea how to accomplish that? We monitor connections for suspicious activity. We watch logs of bouncebacks. When we get abuse reports, we investigate them thoroughly. We forward the abuse reports to the admin in question and they either ignore it or have no idea how to fix the problem. If they ask for help, we give them what help we can. If we keep getting abuse reports, we shut the account down.

Usually at this point, someone in management gets an angry email from the account threatening to quit and I get the directive to re-enable the account and I can't convince them other wise. Rinse, repeat.

What exactly would you have me do differently? We've discussed the ability to block outgoing port 25, but nobody in the front office wants to go for it. I for one welcome a law that finally allows me to enforce some filtering without getting fired for it.

Re:The problem

[techno-vampire]

In the long run, outbound port 25 blocking saves money. Instead of having to pay for the bandwidth used by a zombie to relay spam, all you get is a bunch of outgoing requests dropping on the floor. Suggest this to your PHB's and see if it helps.

Re:The problem

[sjames]

Look, you have your IP block, and it's your damn responsibility to make sure that it isn't being abused.

Actually, the more attention you pay to what your customers' customers are sending over your network, the more legally liable you might be held for anything that slips through. The phone company isn't held responsable if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).

As soon as you start controling what your users can put out on the net, you lose common carrier protections.

Keep in mind that the same tactics that help you clamp down on spam will keep you from playing dumb when the Scientologists or others want to SLAPP your customers.

Other things that hinder spam prevention include pointy headed morons who report legitamate mails as spam because they can't be bothered to unsubscribe to double opt-in lists that they DID subscribe to, blackhole lists that carpet bomb large groups of people everytime one unrelated abuser sends a spam (even if that abuser is null routed), or who include sites that somehow offend their political or social values, or might have said something bad about them. There's a reason spamasassin doesn't just take any blackhole list's word for it. Anyone who can't be bothered to check if the From: field is forged before badgering half the world's postmasters, etc.

The last thing we need is to make sure the above foolishness becomes fatal to all but AOL and Earthlink.

Ultimatly, spam will go away when people stop buying things from spammers. Nothing else will likely manage it.

The natural extension to your argument is that automakers are liable for drunk drivers, the phone company is liable for telemarket scams, and of course, the post office is liable for mail fraud.

Re:The problem

[geminidomino]

In the end, they'll go somewhere else to spam and we'll lose the revenue.

So it's better for you to profit from the spammer than for someone else to, since someone is going to?

Congratulations, you are part of the problem.

Re:The problem

[Zphbeeblbrox]

I have little sympathy for users who and companies who get buried by spam. The solutions for their problems are out there. Any company not pushing a client like Thunderbird with "real" built in spam filtering deserve what they get. There is no excuse for using outlook anymore. I honestly don't have a spam problem. I may get 50+ spam mails a day but I don't see a single one of them. Every one except for the occasional mail a month gets swept into my spam box and then automatically cleaned out of there after a set period of time. Users will stop buying spam when spam stops showing up for them. And educating users on how to avoid it has to be part of the problem.

More Law Suits

[XtremeGod]

So when will the law suits start coming out against the ISP's that Spammers are getting their Internet connections through?

a touch of psychology, a brickbat of capitalism

[ChipMonk]

What do we have to do to persuade networks...?

How about putting them on an RBL? When their customers can't send emails, and threaten lawsuits for breach of contract, the ISP operators tend to start paying attention.

Re:a touch of psychology, a brickbat of capitalism

[sexistentialist]

The problem with _this_ solution is with the validation of the complaints. Some people complain because they get emails from companies that they purchased items from after checking or not unchecking the "please keep me informed" box on the order form. User stupidity doesn't warrant blacklisting an entire ISP's network.

In my tenure as a network administrator at various locations I've seen the full scope of offenses, from those which are blatant violations of the AUP to those which are users complaining about emails they requested. I've seen one offender result in the blacklisting of an entire /19 netblock, and then I watched the RBL admins ignore all requests to have the block removed from the RBL.

RBLs with no oversight provide no real value to their subscribers. Again, it comes back to the issue of validation - who validates the complaints, and then who validates that the behavior of the ISP has changed, or that they've removed the offending party? This is no more than vigilantism, and the argument is that the RBL isn't doing anything other than providng something that their users have asked for.

In the same line as users being stupid and admins implementing mail systems with no real security, many people will subscribe to an RBL because they think it will solve a problem, failing to understand the ramifications and negative repurcussions associated with its use.

If the system generates a single false positive, then the system itself has failed.

Creds

[Transdimentia]

For as much as AOL stunk way back where this was concerned you have to give them props for mostly wrangling in their millions of lusers. I with some other cable and dsl providers would take this charge.

Re:He seems to miss..

[CrankyFool]

No. He doesn't. There's a reason why responsible ISPs (there's that word again) don't allow normal l0ser users to connect to port 25 outside their network.

The days of "Oh, here's your static IP and full internet access" are bhind us. I'm all for "if you demonstrate clue, you may have unfiltered unbound access; otherwise, no port 25 for you!"

(also: Port 587 is your friend).

Clue in to human nature

[Ryan+C.]

Wonderful solultion. So if people would just stop crashing cars we could get rid of all the safety features. If nations could just get along we could save billions in military spending.

The current email system does not take into account human nature and is therefore broken beyond all hope of an easy solution. It needs to be replaced with a system designed from the ground up with accountability in mind. Period.

Re:Block port 25 outbound?

[CrankyFool]

Why take advice from AOL?

Because their userbase is:
A) Enormous; and
B) Very, very stupid.

What does this mean?

Look, my ISP -- whose co-owners I've got on speed-dial, and is incredibly clueful -- doesn't have a user spam problem, because pretty much only geeks use them (we pay a bunch extra for the privilege, too). AOL, on the other hand, has the saddest, most pathetic users in the world -- people who are the prime target for PC-p0wning software. Add to that the fact AOL is, like, pretty much the easiest ISP to sign up for. In other words, they're the biggest, fattest, juiciest spam target out there.

And yet, having looked at the 23,507 spam messages I've gotten over the last 303 days, do you know how many came from AOL?

Zero.

I know Carl (not personally, but I'm on some mailing lists with him). He's pretty damn smart. He has to be. Same thing about the rest of the anti-abuse folks at AOL. They're smart, and they're dedicated, and they're very, very, very good.

How the presentation will go

[SamMichaels]

You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"

Boss: "Thanks for your concern."

Try #2...the CTO...

You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"

Director: "Cost? My hands are tied...shareholders are disappointed and the board needs convincing anyway."

Try #3...the board...

You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"

Board: "What is this 'spam' nonsense you're talking about? You know, when I was your age we never had all these technology woes. I don't see how this will benefit anybody. Next on the agenda....."

Caution

Lets be careful about what ISPs have a "responsibility to fight". Today its spam, tomorrow it could be "terrorism" (read: your privacy).

Spam is annoying for those who get any but it doesn't justify the hysteria, IMHO.

Re:Blacklisting them publically.

[sexistentialist]

I don't think that the average individual cares that ISP XYZ hosts spammers. If you were to take out an ad that told me the top 50 ISPs in Korea that supported spamming, not only would I not care, but Koreans wouldn't see your ad. Who should fund the advertisements?

Re:He seems to miss..

[pthomsen]

...nearly all spam emails nowadays aren't sent over open relays but over 0wn3ed i.e. trojaned PCs...

Really?

How do you know this? I'd love to see the stats that support this. I'm not trying to be facetious, I'd really like to get hard data like that.

I agree 100% with Carl. Forcing admins to get a clue about the state of their outbound mail is key. And as he says, there are ways to control all this stuff. Even trojaned PCs can be controlled, by limiting the number of outbound messages from that machine to something reasonably low (like 5/hour). If the machine goes over that, you have (most likely) found a trojaned machine.

Of course, there are going to be significant costs to this approach in the beginning, because of the (presumably) large number of pwned PCs in the world. However, the ongoing cost of keeping up with spam complaints, storage requirements, and bandwidth costs should exceed the price of handling a large load of complaints over a relatively short term (giving a quick ROI), which all PHBs (including myself) like to use to sell it to higher-ups.

ISP's over-sell their lines, use that knowledge.

[khasim]

Do you honestly think that any ISP's admin gets to make revenue decisions.

They would if they phrased it correctly.

Suppose you are an ISP with a single T1.

You don't just sell the available bandwidth. You over-sell it. You might sell 2x your bandwith or 3x or 4x or 5x.

You do that because you know that each of your customers will not be using their entire bandwidth all the time.

But spammers use up a lot more bandwidth than the average customer.

If I started shutting off customers because they are inept netadmins, I'll get fired.

You don't do that. You show your boss how that idiot is using 10x the average bandwidth but only paying 1x the average fee.

That should be easy to do.

The only way that it's going to change is if the government makes the ISP liable for spam sent from it's ISP block.

There isn't one government. I get a ton of crap from .ch domains now.

In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?

I don't think that will happen. There is a market for the small, local ISP.

The key here is money. The people who behave irresponsibly use more bandwidth than the responsible people (yet pay the same monthly fees).

If you want to clean your own house, that's the way to do it.

That's the carrot. The stick is when your entire block is blacklisted because you did NOT deal with the problem that you knew about.

Re:How about "accountability"

[Rizz]

Domain registration companies will never blacklist spammers -- that's how they make their money. Everyone knows selling domains leads to a big fat wallet at the end of the day, why would they want to reduce their profit forecast for some lowsy spam? ..and to those that see signatures: Go disable them. There's never anything useful anyway.

Re:Block port 25 outbound?

I must agree, there is no noticable spam fom AOL. However, AOL has THE most idiotic, convuluted, bass-ackwards, methods of UCE reporting to other ISP's.

They periodically send a spam "report" to ISP's telling of a certian threshold the ISP has reached on their spam radar. But there is no way what so ever of finding headers of spam originating from an ISP's network from this "report".

That and the abuse "report" is not always sent to the Whois lookup abuse contact for the IP range in question (which would lead anyone to believe they do not perform proper reverse lookups to begin with).

The ISP I work for shuts down ALL users who show up in a ~legitimate~ spam/abuse complaint, a ticket is filed so we can track repeat violators, the TSS staff contacts the user and walks them through cleaning their systems before they are let back on the network.

Come on AOL, if you are serious about spam, then play the game like every knowledgable ISP does. File a PROPER abuse complaint with the Whois listed abuse or tech address for the IP block, send the complete headers with the abuse complaint. Don't give us this " if the rest of the ISP's.." crap.

Throw me a bone AOL, and I'll shut a zombied machine down within 5 minutes of recieving your email.

Corner pay phones don't accept incoming calls.

[khasim]

I agree with most of that, but you're off on the "common carrier" bit.

The phone company isn't held responsable if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).

As soon as you start controling what your users can put out on the net, you lose common carrier protections.

The phone company won't control what you say, but they can do some things like having the corner pay phones only able to make outgoing calls so that criminals won't be able to setup shop with them.

The same methodology can be used to fight spam.

You don't care what is in the email the customers send, they just have to send it via your email server. This will stop almost every zombie spammer out there.

And that's how spam will be fixed. By looking at each characteristic of spam and dealing with each one, individually.

Other things that hinder spam prevention include pointy headed morons who report legitamate mails as spam because they can't be bothered to unsubscribe to double opt-in lists that they DID subscribe to,...

I've had users specifically request info from a site and then dump the email with that info into the spam folder.

Fortunately, Spamassassin handles enough so that I only have to confirm 10 - 15 of those a day.

Ultimatly, spam will go away when people stop buying things from spammers. Nothing else will likely manage it.

If so, that day is very far away. People do buy things like penis pills and they do it online because they feel better not having to face another human being while doing it. Sad, but true.

a serious problem

[cg0def]

Spam has been a huge problem for quite some time and the way that AOL deals with it is just shameful for them. I can't send emails to aol users from my sendmail server because AOL recognizes it as junkmail and refuses to accep it. Come on what's next blocking all OSS mail server just because people that uses them pay no royalties? AOL needs to seriously adjust their filter or maybe their spam strategy.