Slashdot Mirror
ISP Responsibility in Fight Against Spam
netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as key part of the problem in the long-term fight against spam. Hutzler says: "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"
Or perhaps just 'getting paid extremely well to host spammers'?
This flies in the face of science.
For every listing backed by proof, post a large ad in the New York Times saying "THIS ISP SUPPORTS SPAMMERS" with the proof behind it. Enforce the PR leverage.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
It's not even necessarily the ISP. I know that my mail servers aren't being used by spammers because I monitor them carefully. We have corporate customers that run their own email servers on our IP blocks that are overrun. We try to work with them to close down open relays or even suspend accounts when they seem unwilling or unable to stop spamming, but there's only so much we are able or willing to do to shut down a clueless netadmin's mail server.
In the end, they'll go somewhere else to spam and we'll lose the revenue.
Accountability is the only thing that will stop spam:
- don't want your mail servers to be blocked? Secure them so spammers can't use them.
- don't want to be considered a "spamvertising company"? choose a legitimate ad agency.
IMHO a multi-level effort is needed:
- ISP's need to have a blacklist of customers who are known spammers. They need to share info.
- Consumers need to have a website where they can check the legitimacy of a website, and see if it spams to advertise.
- Registrar's need to stop issuing a bazillion domains to known spammers. When a dozen of a person's domains are referred to as spam sites... no more registration. Share data among registrars.
The problem now is that there are no consequences for spamming. An extremely low chance of a lawsuit or jail. Extremely low.
Spam is cheap, and apparantly somewhat effective.
Until you make it not worth the time... people will do it.
Nobody holds the companies who advertise in spam responsible. Nobody holds ISP's who turn a blind eye to it responsible.
Longing for the good old days of when you got spam you fired off an email to postmaster, abuse and operator....
Does anyone have any figures that detail how much spam come from zombie home user PCs? I thought the amount was significant, but the quote in this post seems to imply that the vast majority of it comes from less scrupulous service providers.
(aside: we host a few websites, one of which we discovered was running an exploitable version of PHPNuke - but not before a spammer did and pumped ~20,000 emails into our queue. I noticed it pretty quickly and deleted them and blocked this webmail software across all these sites lest it happen again - but it was an interesting demonstration to me that spammers look for any and every leverage they can get. I keep a much closer eye on our mail queue statistics now!)
Then why aren't spammers already their own ISP outfits? Obviously if spamming is their business, getting obstructive middlemen out of the way is a priority!
Unfortunately, one of the only things that's going to force most ISPs to start caring about the amount of spam coming from machines living on their netblocks is going to be the ISP's providers threatening to cut the lower-tier ISPs off if the lower-tier ISPs don't do something about their spam problems.
I used to be completely against ISPs blocking port 25 from non-MX machines to the outside world. Unfortunately, I've had to change my opinion. The vast majority of the spam that ends up in my spam mailbox (thanks, SpamAssassin and procmail!) and the mailboxes of my users comes from zombied/trojaned machines on residential, always-on internet connections (read, cable and DSL). Most of the e-mail gets tagged properly by SA, however if the ISPs themselves blocked outbound e-mail not relayed through the ISP's mail machines, things would work out much more nicely, the total volume of e-mail hitting other MTAs would drop, etc. There would be much rejoicing.
SPF is nifty, but it doesn't fix the underlying problem...It just allows for easier identification of mail that's coming from machines it shouldn't come from, etc. Actually getting lots of ISPs to adopt SPF is proving to be a slow process as well.
In short, ISPs aren't going to do anything to fix the problem unless they have to. Buying a few more boxes to handle the e-mail load (a huge generalization, but you get the idea) of the rampant spam is less of a problem for them than actually sorting out their mail systems to help fix the problem. A good place to start would be some method of making the top-tier connection providers responsible.
And yet, having looked at the 2,000 BOUNCE messages I've gotten over the last 30 days, do you know how many came from AOL?
Approximately 400.
Oh yeah, the bounces come because a SPAMMER is using my spoofed email addresses in my domain.
AOL bounces SPAM from back to SPOOFED "From:" email addresses.
...at customer request. we give customers switches on their webpage-control-panel and they can block anyone and anything they want. a huge percentage of customers block china, korea, russia, etc. because they dont speak mandarin, cantonese, or read BIG5 or EUC-KR or KOI8. customer's choice. boo hoo for the spammers.
Before the flames roll in, let me say I'm not advocating a view, just throwing it out for thought. Let's say someone tries to draw some conclusions about the general opinions of slashdot posters. How do we reconcile the beliefs that ISPs are responsible for spam going through their systems, but not pirated files.
Distributed processing is where it is at.
If you own your own ISP, you're limited to the bandwidth that you're paying for (and you can be blocked easily).
With a bunch of zombie machines, you have TONS more bandwidth and you're not paying for it!
Plus - all those processors sending spam.
Just 10 zombies on 256K upload cable modems is 2.5Mb.
A regular T1 is only 1.54Mb.
You know what? When that dude talks about how the problem is solved, maybe he should stop pretending he's above us, and maybe start looking at the kind of system he's got.
...( silence ) ..." ...And here i am explaining to the bloke on the phone the situation, namely that we are getting "Report cards" without any kind of information as to why people are complaining, with no headers or anything at all to help us.
:"You know, there are databases on the net where you can get the abuse contact information for ISPs and things like that." :"Couldn't you have used those as a base for your own database?" ... and here are some other juicy interesting tidbits of information from this conversation...
...
here's a post i made in my blog about a situation that arived because of AOL's "system". Ever since that episode, i haven't been impressed at all by these people.
--------(start idiotic message from AOL)----------
Date: Mon, 5 Apr 2004 09:04:13 -0400 (EDT)
From: postmaster@aol.com
Subject: AOL email concerns for isp-where-i-work-abuse.net
To: abuse@isp-where-i-work-abuse.net
X-Scanned-By: MIMEDefang 2.39
Dear isp-where-i-work-abuse.net,
You are receiving this message via our automated "Report Card" process (which helps analyze AOL's Internet inbound mail) because our available data indicate that isp-where-i-work-abuse has risen above the acceptable threshold for complaints:
Total number of AOL member complaints: 186
AOL takes proactive steps to contact owners of mail servers whose e-mail transmissions are impairing the functioning of AOL's proprietary e-mail system, or causing significant levels of AOL customer complaints.
AOL requests that you take immediate steps to resolve the issues identified in this AOL Report Card. In the absence of a satisfactory resolution, AOL reserves the right to take measures to protect its email network and its member goodwill from any possible damage. These measures may include declining to accept e-mail transmissions from isp-where-i-work-abuse.net through AOL's proprietary e-mail network.
AOL strives to provide the best online experience possible for our members, and we pride ourselves on being intensely focused on consumers and their needs. Email is a core feature of the AOL service, and the proper functioning of AOL's e-mail system is vital to our members' goodwill.
Please review AOL's e-mail policies and guidelines, as well as other technical details concerning e-mail on the AOL network, at http://postmaster.info.aol.com
------------(end message)--------------
Ooohhh, AOL's proprietary e-mail network. No information that is gonna be any use in determining WHY people are complaining at all. I guess this should not be a surprise, considering this crap is coming in from AOL! So i do the next available thing , i go to the website. Result : No information that is gonna be any use in determining WHY people are complaining at all. But there's a phone number.
Result of calling 1-888-212-5537:
*dials phone*
"The holding time for the next available consultant will be more than ten minutes."
"Thank you for calling America online
*spits water all over desk, workdesk and papers*
(musak)
(an hour later)
Hello, this is postmaster helpdesk, can i help you?
REP:"oh, that's because you don't currently have a feedback loop with us."
ME : "huh? but we received your report cards in the abusemail box."
REP:"Yes, but you don't have a feedback loop with us"
ME
REP:"Yes, but we made our own database"
ME
REP:"I cannot comment on that"
REP: So what are your mail server's IP adresses.
ME : We have several : we're an ISP.
REP: Alright, then give em to me.
ME : That's why we use DNS names for our mail servers : if one breaks, we change the IP to another server while we fix the previous one.
REP: So you can't give me the IPs?
Peace and happyness to you, by LullySing
When his honey pot receives mail it tracks down the mail to the sending machine, works back to the ISP and mails a report to the ISP admins in realtime. If the PC is own3d then the admins usually disconnect it from the net fairly soon until the owners have fixed it, so the machines can only be used for a short time.
Because the admins work in parallel on the problem worldwide, apparently it's making a noticeable dent in the DDOS population; he connected to IRC and listened to the spammers bemoaning the fact that their favourite toys are getting fixed too quickly. :-)
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"We just have a lot of providers not bothering to care...In the end, they'll go somewhere else to spam and we'll lose the revenue.
Well I lost one two weeks ago for this very reason. The customer is a prominant business (one of the largest in one of the communities we service, in our area of about 1/4 of a state). They left for Qwest after a year of absolute refusal to address their IT disasters, leading up to the final "last straw" incident in December.
In typical "smaller business with bigger infrastructure requirements", this is a real estate office with several dozen workstations for agents. They have several NT4 servers (patchlevel zero - never been patched), running IIS, FTP, Telnet, Exchange, filesharing, etc. Internet access is critical for updating listings, and they had a dedicated connection through my network. Unfortunately, they inadvertantly became a hosting site for spammers. Not only does this consume network and server resources (and represents a significant security disaster), but this also invites retaliation. Three times during 2004, DDoS retailation caused significant impairment to my network and outages to their service.
Their response? Blame the ISP. Refusing to address their security nightmare, I had to rate shape them in order to restrict DDoS impact, filter countless port ranges and spend no less than 10 hours a month to dealing with their mess. Finally they solved it for us this month by replacing their dedicated service with a $50/month Qwest DSL line. I'm sure Qwest will give them the 24x7 on-call support we provided for this rate and allow them to exhaust Qwest's community network's capacity with DDoS attacks.
So yes, they will leave the ISP when security is taken seriously? I'd care only from the visibility this client has in their community, but fully recognize that if they continue to get hacked and ignore their responsibility for operating a reliable IT system, they will eventually suffer the consequences.
Now if we can get GAAP-like requirements for information security passed and make it a crime to run a neglected IT shop... but I digress!
Scotty Richter's OptInRealBig gang had their big pet ISP, named something along the lines of "wholesale bandwidth". AFAIKT, they mostly did business for Scotty, but they also sold bandwidth to other people, and they normally dealt with problems by explaining how they were shocked, shocked! to discover that one of their customers was a spammer! and would take care of them right away, usually by having their "customer" list-wash the complainer's address (they really *were* scrupulous about taking complainer's addresses off the list, though I had no way of knowing if they also resold the lists of complainers to other spammers), or worst case, by "getting rid of" their "bad" customer (i.e. renaming herbal-fake-viagra.com as fake-herbal-viagra.com with a different IP address on a different virtual server in their /19 block, or sometimes even "getting rid of" a whole virtual server, and giving it a new IP address.) Because they were pretending to be an honest, CAN-SPAM-law-abiding whitehat spammer, using their own IP address space, it was easier to trace them than the usual zombie-burning spammer, and I helped out with one or two rounds of complaining to their upstream providers when they got kicked off of one and found another. It usually required a couple exchanges of "No, I wasn't complaining to you to get them to 'investigate' and take my email address off their list, I was complaining to you to get you to cut them off unless they stop spamming entirely, which they're still doing, and I won't give you the email address they spammed, just the headers, and by the way they appear to be abusing a supposedly-inactive BGP Autonomous System Number" until they were cut off. Companies that *are* trying to hide are much tougher to get rid of.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I run a small business. I run my own email and web servers. My ISP (Northwest Internet) allows me to do this, and they have been very helpful. Yes, I monitor my email servers, Yes, I test any messaging solution to make sure it is not an open relay before bringing it online. So what you are saying is that I should not be allowed to host my own email servers. That is not an acceptable solution for my business.
No, I don't send out UCE/Spam.
Now, my ISP is not lax about these issues. For example, many of my customers have received calls about them sending out mass mailers. If something seems amiss, they will certainly call about it first before they take any further action.
They will try to work with their customers to a) let them know there is a problem and b) give them a reasonable ability to solve it.
However, I am sure that if one abuses their network that they will pull the plug on the account. They just know that if they do this without making a good faith effort to make things work for the customer, they risk being sued by the customer (for lost business, etc). I have been relatively happy with their service.
Quite frankly, I think IANNA and the other IP provisioning authorities should start threatening guys like you with loss of your subnets if you don't start policing the traffic.
Hmmm.... I think that if there is a drought and you water your lawn, the city might be able to shut off your water if you want to set this sort of precident. Maybe they should. If you get heatstroke and require emergency medical attention, that is still *less than the monitary damage* that taking down my internet line would provide.
Guys like you would make it impossible for me to carry on my own operations and help my customers run their email servers on-site. This would have cost me hundreds of thousands of dollars too. So who wins? Furthermore, it would make it impossible for my customers to have third parties host their email because they need more accounts than their ISP gives them and this would cost each of them hundreds of thousands of dollars. Put simply, encouraging ISP's (using the means you suggest) to prevent their customers from running email servers will get everyone nowhere real fast including, I suspect, your business.
Look, the answer is to let the market work. We already have RBLs which help this happen. I have seen at least one ISP go out of business because they were blacklisted after spammers took over their email servers. That seems fair enough.
LedgerSMB: Open source Accounting/ERP
This can be very annoying. Like lots of /.ers out there, I have a work laptop. I have it configured to use my companies ASMTP so that when I travel I don't have to reconfigure everywhere I go. This didn't work at home with my previous provider when then decided to cut off external Port 25 access without warning and without a grandfather clause to get mine opened ... since it required a static DSL account.
Ouch