Slashdot Mirror
ISP Responsibility in Fight Against Spam
netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as key part of the problem in the long-term fight against spam. Hutzler says: "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"
Is that some of the worst offenders are the biggest. Do you want to cut off your customers from another ISP because the other ISP is an idiot? Maybe, until your own customers get upset because they no longer receive mail from their friends at the other ISP.
Dear every ISP in the world including the ones in your parent's basement,
Please rid your servers of spammers.
Sincerely,
The Internet
ps Yeah, right.
So when will the law suits start coming out against the ISP's that Spammers are getting their Internet connections through?
Or perhaps just 'getting paid extremely well to host spammers'?
This flies in the face of science.
..that nearly all spam emails nowadays aren't sent over open relays but over 0wn3ed i.e. trojaned PCs on high speed (cable, xDSL) connections.
For every listing backed by proof, post a large ad in the New York Times saying "THIS ISP SUPPORTS SPAMMERS" with the proof behind it. Enforce the PR leverage.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
What do we have to do to persuade networks...?
How about putting them on an RBL? When their customers can't send emails, and threaten lawsuits for breach of contract, the ISP operators tend to start paying attention.
For as much as AOL stunk way back where this was concerned you have to give them props for mostly wrangling in their millions of lusers. I with some other cable and dsl providers would take this charge.
Accountability is the only thing that will stop spam:
- don't want your mail servers to be blocked? Secure them so spammers can't use them.
- don't want to be considered a "spamvertising company"? choose a legitimate ad agency.
IMHO a multi-level effort is needed:
- ISP's need to have a blacklist of customers who are known spammers. They need to share info.
- Consumers need to have a website where they can check the legitimacy of a website, and see if it spams to advertise.
- Registrar's need to stop issuing a bazillion domains to known spammers. When a dozen of a person's domains are referred to as spam sites... no more registration. Share data among registrars.
The problem now is that there are no consequences for spamming. An extremely low chance of a lawsuit or jail. Extremely low.
Spam is cheap, and apparantly somewhat effective.
Until you make it not worth the time... people will do it.
Nobody holds the companies who advertise in spam responsible. Nobody holds ISP's who turn a blind eye to it responsible.
Longing for the good old days of when you got spam you fired off an email to postmaster, abuse and operator....
Wonderful solultion. So if people would just stop crashing cars we could get rid of all the safety features. If nations could just get along we could save billions in military spending.
The current email system does not take into account human nature and is therefore broken beyond all hope of an easy solution. It needs to be replaced with a system designed from the ground up with accountability in mind. Period.
-Ryan C.
Why take advice from AOL?
Because their userbase is:
A) Enormous; and
B) Very, very stupid.
What does this mean?
Look, my ISP -- whose co-owners I've got on speed-dial, and is incredibly clueful -- doesn't have a user spam problem, because pretty much only geeks use them (we pay a bunch extra for the privilege, too). AOL, on the other hand, has the saddest, most pathetic users in the world -- people who are the prime target for PC-p0wning software. Add to that the fact AOL is, like, pretty much the easiest ISP to sign up for. In other words, they're the biggest, fattest, juiciest spam target out there.
And yet, having looked at the 23,507 spam messages I've gotten over the last 303 days, do you know how many came from AOL?
Zero.
I know Carl (not personally, but I'm on some mailing lists with him). He's pretty damn smart. He has to be. Same thing about the rest of the anti-abuse folks at AOL. They're smart, and they're dedicated, and they're very, very, very good.
On the surface, AOL looks like the good guys here. However, their draconian spam policy can be as harmful as the span it's trying to prevent.
Here's how it works: AOL receives N complaints calling something spam after users click on the "mark this as spam" button. So AOL looks at the previous link in the received-from chain and blocks that entire network.
Sounds good right? Wrong.
Say Joe User works at my company part-time from home. Instead of another pop account, he has a forwarding address with our company that forwards to his AOL account. Joe gets spam, and reports it to AOL. AOL looks to see who sent it, sees my company in the "received-from" chain, and blocks not only us, but every other company hosted with our ISP. Thousands of legitimate emails now can't get to AOL addresses.
It gets worse. Many people use the "spam" button like the "delete" key to get rid of stuff they just don't want right now. AOL doesn't educate its users to realize that reporting something as spam has real consequences, and so people mark real email they requested as spam just because it's easier than deleting around it.
Our fabulous domain host FutureQuest has had to ban forwarding to AOL addresses as a result. AOL has been completely unreasonable in accepting any responsibility for intelligent spam blocking, and their users and legitimate businesses are suffering.
At least they're trying, but they're far from the good guys here.
You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"
Boss: "Thanks for your concern."
Try #2...the CTO...
You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"
Director: "Cost? My hands are tied...shareholders are disappointed and the board needs convincing anyway."
Try #3...the board...
You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"
Board: "What is this 'spam' nonsense you're talking about? You know, when I was your age we never had all these technology woes. I don't see how this will benefit anybody. Next on the agenda....."
Lets be careful about what ISPs have a "responsibility to fight". Today its spam, tomorrow it could be "terrorism" (read: your privacy).
Spam is annoying for those who get any but it doesn't justify the hysteria, IMHO.
Does anyone have any figures that detail how much spam come from zombie home user PCs? I thought the amount was significant, but the quote in this post seems to imply that the vast majority of it comes from less scrupulous service providers.
(aside: we host a few websites, one of which we discovered was running an exploitable version of PHPNuke - but not before a spammer did and pumped ~20,000 emails into our queue. I noticed it pretty quickly and deleted them and blocked this webmail software across all these sites lest it happen again - but it was an interesting demonstration to me that spammers look for any and every leverage they can get. I keep a much closer eye on our mail queue statistics now!)
My ISP, Sasktel in Saskatchewan, Canada has recently implemented a spam filtering service that has so far resulted in 2 false positives and no delivered spam. It completely blocks all virused emails as well. Finally, it sends out an email every once in a while to remind me to check the status of spam at the online message centre, where you can look at all email sent to me that is "suspicious."
They also have a fairly comprehensive policy against hosting spammers, which is nice to hear. I know that many of my friends who use other ISPs have been recently flooded with spam, but I've not had any problems thus far. It's nice to have an ISP that cares about its customers!
Condemnant quod non intellegunt.
Then why aren't spammers already their own ISP outfits? Obviously if spamming is their business, getting obstructive middlemen out of the way is a priority!
Unfortunately, one of the only things that's going to force most ISPs to start caring about the amount of spam coming from machines living on their netblocks is going to be the ISP's providers threatening to cut the lower-tier ISPs off if the lower-tier ISPs don't do something about their spam problems.
I used to be completely against ISPs blocking port 25 from non-MX machines to the outside world. Unfortunately, I've had to change my opinion. The vast majority of the spam that ends up in my spam mailbox (thanks, SpamAssassin and procmail!) and the mailboxes of my users comes from zombied/trojaned machines on residential, always-on internet connections (read, cable and DSL). Most of the e-mail gets tagged properly by SA, however if the ISPs themselves blocked outbound e-mail not relayed through the ISP's mail machines, things would work out much more nicely, the total volume of e-mail hitting other MTAs would drop, etc. There would be much rejoicing.
SPF is nifty, but it doesn't fix the underlying problem...It just allows for easier identification of mail that's coming from machines it shouldn't come from, etc. Actually getting lots of ISPs to adopt SPF is proving to be a slow process as well.
In short, ISPs aren't going to do anything to fix the problem unless they have to. Buying a few more boxes to handle the e-mail load (a huge generalization, but you get the idea) of the rampant spam is less of a problem for them than actually sorting out their mail systems to help fix the problem. A good place to start would be some method of making the top-tier connection providers responsible.
We managed to get into AOL's blackbooks after one of our dialup customers (of all things) got a worm that was firing out SPAM at an impressive rate for a 56k modem, and doing it over a four or five hour period. That's what finally tipped the balance and lead us to block port 25 traffic to everything but our mail servers. Any customer wanting to run a mail server has to get permission from us, and it's rightly understood that they will go down before we get into trouble again.
At any rate, once we cleaned up the problem, I emailed AOL and let them know we'd dealt with it and all was good.
If you want to talk about an ISP that was tough to deal with, it's RoadRunner. Somehow we got on their block list. They wouldn't respond to my emails to their abuse address, just a standard email with instructions. Even managed to get someone down in Florida who knew a friend of a friend of mine to call and complain, the technician got me a phone number to their security center in Virginia (or wherever it was), and all I got was a recorded message to email them, and then it hung up without even giving me a chance to leave a message.
I eventually gave up, blocked all RoadRunner addresses going in. Six months later I checked, and we were off the blacklist.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Suppose you are an ISP with a single T1.
You don't just sell the available bandwidth. You over-sell it. You might sell 2x your bandwith or 3x or 4x or 5x.
You do that because you know that each of your customers will not be using their entire bandwidth all the time.
But spammers use up a lot more bandwidth than the average customer.You don't do that. You show your boss how that idiot is using 10x the average bandwidth but only paying 1x the average fee.
That should be easy to do.There isn't one government. I get a ton of crap from
The key here is money. The people who behave irresponsibly use more bandwidth than the responsible people (yet pay the same monthly fees).
If you want to clean your own house, that's the way to do it.
That's the carrot. The stick is when your entire block is blacklisted because you did NOT deal with the problem that you knew about.
...at customer request. we give customers switches on their webpage-control-panel and they can block anyone and anything they want. a huge percentage of customers block china, korea, russia, etc. because they dont speak mandarin, cantonese, or read BIG5 or EUC-KR or KOI8. customer's choice. boo hoo for the spammers.
Before the flames roll in, let me say I'm not advocating a view, just throwing it out for thought. Let's say someone tries to draw some conclusions about the general opinions of slashdot posters. How do we reconcile the beliefs that ISPs are responsible for spam going through their systems, but not pirated files.
Distributed processing is where it is at.
If you own your own ISP, you're limited to the bandwidth that you're paying for (and you can be blocked easily).
With a bunch of zombie machines, you have TONS more bandwidth and you're not paying for it!
Plus - all those processors sending spam.
Just 10 zombies on 256K upload cable modems is 2.5Mb.
A regular T1 is only 1.54Mb.
You know what? When that dude talks about how the problem is solved, maybe he should stop pretending he's above us, and maybe start looking at the kind of system he's got.
...( silence ) ..." ...And here i am explaining to the bloke on the phone the situation, namely that we are getting "Report cards" without any kind of information as to why people are complaining, with no headers or anything at all to help us.
:"You know, there are databases on the net where you can get the abuse contact information for ISPs and things like that." :"Couldn't you have used those as a base for your own database?" ... and here are some other juicy interesting tidbits of information from this conversation...
...
here's a post i made in my blog about a situation that arived because of AOL's "system". Ever since that episode, i haven't been impressed at all by these people.
--------(start idiotic message from AOL)----------
Date: Mon, 5 Apr 2004 09:04:13 -0400 (EDT)
From: postmaster@aol.com
Subject: AOL email concerns for isp-where-i-work-abuse.net
To: abuse@isp-where-i-work-abuse.net
X-Scanned-By: MIMEDefang 2.39
Dear isp-where-i-work-abuse.net,
You are receiving this message via our automated "Report Card" process (which helps analyze AOL's Internet inbound mail) because our available data indicate that isp-where-i-work-abuse has risen above the acceptable threshold for complaints:
Total number of AOL member complaints: 186
AOL takes proactive steps to contact owners of mail servers whose e-mail transmissions are impairing the functioning of AOL's proprietary e-mail system, or causing significant levels of AOL customer complaints.
AOL requests that you take immediate steps to resolve the issues identified in this AOL Report Card. In the absence of a satisfactory resolution, AOL reserves the right to take measures to protect its email network and its member goodwill from any possible damage. These measures may include declining to accept e-mail transmissions from isp-where-i-work-abuse.net through AOL's proprietary e-mail network.
AOL strives to provide the best online experience possible for our members, and we pride ourselves on being intensely focused on consumers and their needs. Email is a core feature of the AOL service, and the proper functioning of AOL's e-mail system is vital to our members' goodwill.
Please review AOL's e-mail policies and guidelines, as well as other technical details concerning e-mail on the AOL network, at http://postmaster.info.aol.com
------------(end message)--------------
Ooohhh, AOL's proprietary e-mail network. No information that is gonna be any use in determining WHY people are complaining at all. I guess this should not be a surprise, considering this crap is coming in from AOL! So i do the next available thing , i go to the website. Result : No information that is gonna be any use in determining WHY people are complaining at all. But there's a phone number.
Result of calling 1-888-212-5537:
*dials phone*
"The holding time for the next available consultant will be more than ten minutes."
"Thank you for calling America online
*spits water all over desk, workdesk and papers*
(musak)
(an hour later)
Hello, this is postmaster helpdesk, can i help you?
REP:"oh, that's because you don't currently have a feedback loop with us."
ME : "huh? but we received your report cards in the abusemail box."
REP:"Yes, but you don't have a feedback loop with us"
ME
REP:"Yes, but we made our own database"
ME
REP:"I cannot comment on that"
REP: So what are your mail server's IP adresses.
ME : We have several : we're an ISP.
REP: Alright, then give em to me.
ME : That's why we use DNS names for our mail servers : if one breaks, we change the IP to another server while we fix the previous one.
REP: So you can't give me the IPs?
Peace and happyness to you, by LullySing
When his honey pot receives mail it tracks down the mail to the sending machine, works back to the ISP and mails a report to the ISP admins in realtime. If the PC is own3d then the admins usually disconnect it from the net fairly soon until the owners have fixed it, so the machines can only be used for a short time.
Because the admins work in parallel on the problem worldwide, apparently it's making a noticeable dent in the DDOS population; he connected to IRC and listened to the spammers bemoaning the fact that their favourite toys are getting fixed too quickly. :-)
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"The same methodology can be used to fight spam.
You don't care what is in the email the customers send, they just have to send it via your email server. This will stop almost every zombie spammer out there.
And that's how spam will be fixed. By looking at each characteristic of spam and dealing with each one, individually.I've had users specifically request info from a site and then dump the email with that info into the spam folder.
Fortunately, Spamassassin handles enough so that I only have to confirm 10 - 15 of those a day.If so, that day is very far away. People do buy things like penis pills and they do it online because they feel better not having to face another human being while doing it. Sad, but true.
Scotty Richter's OptInRealBig gang had their big pet ISP, named something along the lines of "wholesale bandwidth". AFAIKT, they mostly did business for Scotty, but they also sold bandwidth to other people, and they normally dealt with problems by explaining how they were shocked, shocked! to discover that one of their customers was a spammer! and would take care of them right away, usually by having their "customer" list-wash the complainer's address (they really *were* scrupulous about taking complainer's addresses off the list, though I had no way of knowing if they also resold the lists of complainers to other spammers), or worst case, by "getting rid of" their "bad" customer (i.e. renaming herbal-fake-viagra.com as fake-herbal-viagra.com with a different IP address on a different virtual server in their /19 block, or sometimes even "getting rid of" a whole virtual server, and giving it a new IP address.) Because they were pretending to be an honest, CAN-SPAM-law-abiding whitehat spammer, using their own IP address space, it was easier to trace them than the usual zombie-burning spammer, and I helped out with one or two rounds of complaining to their upstream providers when they got kicked off of one and found another. It usually required a couple exchanges of "No, I wasn't complaining to you to get them to 'investigate' and take my email address off their list, I was complaining to you to get you to cut them off unless they stop spamming entirely, which they're still doing, and I won't give you the email address they spammed, just the headers, and by the way they appear to be abusing a supposedly-inactive BGP Autonomous System Number" until they were cut off. Companies that *are* trying to hide are much tougher to get rid of.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Spam has been a huge problem for quite some time and the way that AOL deals with it is just shameful for them. I can't send emails to aol users from my sendmail server because AOL recognizes it as junkmail and refuses to accep it. Come on what's next blocking all OSS mail server just because people that uses them pay no royalties? AOL needs to seriously adjust their filter or maybe their spam strategy.
Why does anybody's choice of connectivity provider have anything to do with their choice of email provider? Sure, my DSL ISP gives me a mailbox and a shell account, but all I do with that mailbox is set it to forward to my real email to handle occasional administrative messages from the DSL folks.
Don't worry, Verizon is working hard to prevent you from doing that! They and BellSouth have petitioned the FCC to allow them to cut off all other ISPs' access to their raw DSL services. They're also making it harder for CLECs to offer DSL in competition with them. So you will get Verizon Online or nothing on DSL. If you don't like this, go the http://www.fcc.gov/ , go to e-filings, ECFS, read the comments and then leave one of your own on "04-440" (Verizon) or a Reply Comment (closing later this week) in "04-405" (BellSouth). SBC and Qwest will no doubt get the same privileges that the other Bells get.
I don't know if Verizon Online blocks Port 25, but if you use their mail server, you must have "@verizon.net" in the From: field. If you try to use your own domain, you commie terrorist spammer punk, your mail will be blocked. And if you want mail from foreigners, you commie terrorist, they will tell you to use Hotmail.
And if the FCC accepts their Petition, you won't have a choice if you want DSL. At least Comcast has a smart Port 25 filter (passes a limited number of mails, blocking spam blasters) and allows From: whatever.