Slashdot Mirror

← Back to Stories (view on slashdot.org)

ISP Responsibility in Fight Against Spam

Posted by samzenpus on from the no-more-spam dept.

netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as key part of the problem in the long-term fight against spam. Hutzler says: "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"

12 of 314 comments (clear)

  1. The problem by Anonymous Coward · · Score: 5, Insightful

    Is that some of the worst offenders are the biggest. Do you want to cut off your customers from another ISP because the other ISP is an idiot? Maybe, until your own customers get upset because they no longer receive mail from their friends at the other ISP.

    1. Re:The problem by scooby111 · · Score: 5, Interesting

      It's not even necessarily the ISP. I know that my mail servers aren't being used by spammers because I monitor them carefully. We have corporate customers that run their own email servers on our IP blocks that are overrun. We try to work with them to close down open relays or even suspend accounts when they seem unwilling or unable to stop spamming, but there's only so much we are able or willing to do to shut down a clueless netadmin's mail server.

      In the end, they'll go somewhere else to spam and we'll lose the revenue.

    2. Re:The problem by sjames · · Score: 4, Insightful

      Look, you have your IP block, and it's your damn responsibility to make sure that it isn't being abused.

      Actually, the more attention you pay to what your customers' customers are sending over your network, the more legally liable you might be held for anything that slips through. The phone company isn't held responsable if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).

      As soon as you start controling what your users can put out on the net, you lose common carrier protections.

      Keep in mind that the same tactics that help you clamp down on spam will keep you from playing dumb when the Scientologists or others want to SLAPP your customers.

      Other things that hinder spam prevention include pointy headed morons who report legitamate mails as spam because they can't be bothered to unsubscribe to double opt-in lists that they DID subscribe to, blackhole lists that carpet bomb large groups of people everytime one unrelated abuser sends a spam (even if that abuser is null routed), or who include sites that somehow offend their political or social values, or might have said something bad about them. There's a reason spamasassin doesn't just take any blackhole list's word for it. Anyone who can't be bothered to check if the From: field is forged before badgering half the world's postmasters, etc.

      The last thing we need is to make sure the above foolishness becomes fatal to all but AOL and Earthlink.

      Ultimatly, spam will go away when people stop buying things from spammers. Nothing else will likely manage it.

      The natural extension to your argument is that automakers are liable for drunk drivers, the phone company is liable for telemarket scams, and of course, the post office is liable for mail fraud.

    3. Re:The problem by geminidomino · · Score: 4, Insightful

      In the end, they'll go somewhere else to spam and we'll lose the revenue.

      So it's better for you to profit from the spammer than for someone else to, since someone is going to?

      Congratulations, you are part of the problem.

  2. Dear every ISP in the world, by Anonymous Coward · · Score: 5, Funny


    Dear every ISP in the world including the ones in your parent's basement,

    Please rid your servers of spammers.

    Sincerely,
    The Internet

    ps Yeah, right.

  3. Blacklisting them publically. by strredwolf · · Score: 4, Interesting

    For every listing backed by proof, post a large ad in the New York Times saying "THIS ISP SUPPORTS SPAMMERS" with the proof behind it. Enforce the PR leverage.

    --

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  4. Clue in to human nature by Ryan+C. · · Score: 4, Insightful

    Wonderful solultion. So if people would just stop crashing cars we could get rid of all the safety features. If nations could just get along we could save billions in military spending.

    The current email system does not take into account human nature and is therefore broken beyond all hope of an easy solution. It needs to be replaced with a system designed from the ground up with accountability in mind. Period.

    --
    -Ryan C.
  5. Re:Block port 25 outbound? by CrankyFool · · Score: 5, Insightful

    Why take advice from AOL?

    Because their userbase is:
    A) Enormous; and
    B) Very, very stupid.

    What does this mean?

    Look, my ISP -- whose co-owners I've got on speed-dial, and is incredibly clueful -- doesn't have a user spam problem, because pretty much only geeks use them (we pay a bunch extra for the privilege, too). AOL, on the other hand, has the saddest, most pathetic users in the world -- people who are the prime target for PC-p0wning software. Add to that the fact AOL is, like, pretty much the easiest ISP to sign up for. In other words, they're the biggest, fattest, juiciest spam target out there.

    And yet, having looked at the 23,507 spam messages I've gotten over the last 303 days, do you know how many came from AOL?

    Zero.

    I know Carl (not personally, but I'm on some mailing lists with him). He's pretty damn smart. He has to be. Same thing about the rest of the anti-abuse folks at AOL. They're smart, and they're dedicated, and they're very, very, very good.

  6. AOL's spam policy is unreasonable by ables · · Score: 5, Informative

    On the surface, AOL looks like the good guys here. However, their draconian spam policy can be as harmful as the span it's trying to prevent.

    Here's how it works: AOL receives N complaints calling something spam after users click on the "mark this as spam" button. So AOL looks at the previous link in the received-from chain and blocks that entire network.

    Sounds good right? Wrong.

    Say Joe User works at my company part-time from home. Instead of another pop account, he has a forwarding address with our company that forwards to his AOL account. Joe gets spam, and reports it to AOL. AOL looks to see who sent it, sees my company in the "received-from" chain, and blocks not only us, but every other company hosted with our ISP. Thousands of legitimate emails now can't get to AOL addresses.

    It gets worse. Many people use the "spam" button like the "delete" key to get rid of stuff they just don't want right now. AOL doesn't educate its users to realize that reporting something as spam has real consequences, and so people mark real email they requested as spam just because it's easier than deleting around it.

    Our fabulous domain host FutureQuest has had to ban forwarding to AOL addresses as a result. AOL has been completely unreasonable in accepting any responsibility for intelligent spam blocking, and their users and legitimate businesses are suffering.

    At least they're trying, but they're far from the good guys here.

  7. Re:AOL doesn't check complaints before banning by MightyMartian · · Score: 4, Informative

    We managed to get into AOL's blackbooks after one of our dialup customers (of all things) got a worm that was firing out SPAM at an impressive rate for a 56k modem, and doing it over a four or five hour period. That's what finally tipped the balance and lead us to block port 25 traffic to everything but our mail servers. Any customer wanting to run a mail server has to get permission from us, and it's rightly understood that they will go down before we get into trouble again.

    At any rate, once we cleaned up the problem, I emailed AOL and let them know we'd dealt with it and all was good.

    If you want to talk about an ISP that was tough to deal with, it's RoadRunner. Somehow we got on their block list. They wouldn't respond to my emails to their abuse address, just a standard email with instructions. Even managed to get someone down in Florida who knew a friend of a friend of mine to call and complain, the technician got me a phone number to their security center in Virginia (or wherever it was), and all I got was a recorded message to email them, and then it hung up without even giving me a chance to leave a message.

    I eventually gave up, blocked all RoadRunner addresses going in. Six months later I checked, and we were off the blacklist.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  8. ISP's over-sell their lines, use that knowledge. by khasim · · Score: 5, Insightful
    Do you honestly think that any ISP's admin gets to make revenue decisions.
    They would if they phrased it correctly.

    Suppose you are an ISP with a single T1.

    You don't just sell the available bandwidth. You over-sell it. You might sell 2x your bandwith or 3x or 4x or 5x.

    You do that because you know that each of your customers will not be using their entire bandwidth all the time.

    But spammers use up a lot more bandwidth than the average customer.
    If I started shutting off customers because they are inept netadmins, I'll get fired.
    You don't do that. You show your boss how that idiot is using 10x the average bandwidth but only paying 1x the average fee.

    That should be easy to do.
    The only way that it's going to change is if the government makes the ISP liable for spam sent from it's ISP block.
    There isn't one government. I get a ton of crap from .ch domains now.
    In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?
    I don't think that will happen. There is a market for the small, local ISP.

    The key here is money. The people who behave irresponsibly use more bandwidth than the responsible people (yet pay the same monthly fees).

    If you want to clean your own house, that's the way to do it.

    That's the carrot. The stick is when your entire block is blacklisted because you did NOT deal with the problem that you knew about.
  9. Re:He seems to miss.. by DraKKon · · Score: 4, Informative

    the ISP I use, DSLExtreme, blocks port 25 for all DSL/Dailup users..

    "By default we filter port 25 to only allow outbound email through our mail servers."

    You can request to unblock port 25 if you have a static DSL account... an on top of that...

    "In addition, we will periodically scan port 25 over your DSL line to make sure your mail server is not an open relay. If we find an open relay on your mail server, the port 25 filter will be reinstated and you will be notified by the contact email address entered above."

    If more ISP's were like that.. there wouldn't be as many z0mbi3z...

    --
    "It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.