ISP Responsibility in Fight Against Spam

netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as key part of the problem in the long-term fight against spam. Hutzler says: "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"

The problem

Is that some of the worst offenders are the biggest. Do you want to cut off your customers from another ISP because the other ISP is an idiot? Maybe, until your own customers get upset because they no longer receive mail from their friends at the other ISP.

Re:The problem

[sjames]

Look, you have your IP block, and it's your damn responsibility to make sure that it isn't being abused.

Actually, the more attention you pay to what your customers' customers are sending over your network, the more legally liable you might be held for anything that slips through. The phone company isn't held responsable if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).

As soon as you start controling what your users can put out on the net, you lose common carrier protections.

Keep in mind that the same tactics that help you clamp down on spam will keep you from playing dumb when the Scientologists or others want to SLAPP your customers.

Other things that hinder spam prevention include pointy headed morons who report legitamate mails as spam because they can't be bothered to unsubscribe to double opt-in lists that they DID subscribe to, blackhole lists that carpet bomb large groups of people everytime one unrelated abuser sends a spam (even if that abuser is null routed), or who include sites that somehow offend their political or social values, or might have said something bad about them. There's a reason spamasassin doesn't just take any blackhole list's word for it. Anyone who can't be bothered to check if the From: field is forged before badgering half the world's postmasters, etc.

The last thing we need is to make sure the above foolishness becomes fatal to all but AOL and Earthlink.

Ultimatly, spam will go away when people stop buying things from spammers. Nothing else will likely manage it.

The natural extension to your argument is that automakers are liable for drunk drivers, the phone company is liable for telemarket scams, and of course, the post office is liable for mail fraud.

Re:The problem

[geminidomino]

In the end, they'll go somewhere else to spam and we'll lose the revenue.

So it's better for you to profit from the spammer than for someone else to, since someone is going to?

Congratulations, you are part of the problem.

Clue in to human nature

[Ryan+C.]

Wonderful solultion. So if people would just stop crashing cars we could get rid of all the safety features. If nations could just get along we could save billions in military spending.

The current email system does not take into account human nature and is therefore broken beyond all hope of an easy solution. It needs to be replaced with a system designed from the ground up with accountability in mind. Period.

Re:Block port 25 outbound?

[CrankyFool]

Why take advice from AOL?

Because their userbase is:
A) Enormous; and
B) Very, very stupid.

What does this mean?

Look, my ISP -- whose co-owners I've got on speed-dial, and is incredibly clueful -- doesn't have a user spam problem, because pretty much only geeks use them (we pay a bunch extra for the privilege, too). AOL, on the other hand, has the saddest, most pathetic users in the world -- people who are the prime target for PC-p0wning software. Add to that the fact AOL is, like, pretty much the easiest ISP to sign up for. In other words, they're the biggest, fattest, juiciest spam target out there.

And yet, having looked at the 23,507 spam messages I've gotten over the last 303 days, do you know how many came from AOL?

Zero.

I know Carl (not personally, but I'm on some mailing lists with him). He's pretty damn smart. He has to be. Same thing about the rest of the anti-abuse folks at AOL. They're smart, and they're dedicated, and they're very, very, very good.

ISP's over-sell their lines, use that knowledge.

[khasim]

Do you honestly think that any ISP's admin gets to make revenue decisions.

They would if they phrased it correctly.

Suppose you are an ISP with a single T1.

You don't just sell the available bandwidth. You over-sell it. You might sell 2x your bandwith or 3x or 4x or 5x.

You do that because you know that each of your customers will not be using their entire bandwidth all the time.

But spammers use up a lot more bandwidth than the average customer.

If I started shutting off customers because they are inept netadmins, I'll get fired.

You don't do that. You show your boss how that idiot is using 10x the average bandwidth but only paying 1x the average fee.

That should be easy to do.

The only way that it's going to change is if the government makes the ISP liable for spam sent from it's ISP block.

There isn't one government. I get a ton of crap from .ch domains now.

In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?

I don't think that will happen. There is a market for the small, local ISP.

The key here is money. The people who behave irresponsibly use more bandwidth than the responsible people (yet pay the same monthly fees).

If you want to clean your own house, that's the way to do it.

That's the carrot. The stick is when your entire block is blacklisted because you did NOT deal with the problem that you knew about.