ISP Responsibility in Fight Against Spam

netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as key part of the problem in the long-term fight against spam. Hutzler says: "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"

The problem

Is that some of the worst offenders are the biggest. Do you want to cut off your customers from another ISP because the other ISP is an idiot? Maybe, until your own customers get upset because they no longer receive mail from their friends at the other ISP.

Re:The problem

[scooby111]

It's not even necessarily the ISP. I know that my mail servers aren't being used by spammers because I monitor them carefully. We have corporate customers that run their own email servers on our IP blocks that are overrun. We try to work with them to close down open relays or even suspend accounts when they seem unwilling or unable to stop spamming, but there's only so much we are able or willing to do to shut down a clueless netadmin's mail server.

In the end, they'll go somewhere else to spam and we'll lose the revenue.

Dear every ISP in the world,

Dear every ISP in the world including the ones in your parent's basement,

Please rid your servers of spammers.

Sincerely,
The Internet

ps Yeah, right.

Re:Block port 25 outbound?

[CrankyFool]

Why take advice from AOL?

Because their userbase is:
A) Enormous; and
B) Very, very stupid.

What does this mean?

Look, my ISP -- whose co-owners I've got on speed-dial, and is incredibly clueful -- doesn't have a user spam problem, because pretty much only geeks use them (we pay a bunch extra for the privilege, too). AOL, on the other hand, has the saddest, most pathetic users in the world -- people who are the prime target for PC-p0wning software. Add to that the fact AOL is, like, pretty much the easiest ISP to sign up for. In other words, they're the biggest, fattest, juiciest spam target out there.

And yet, having looked at the 23,507 spam messages I've gotten over the last 303 days, do you know how many came from AOL?

Zero.

I know Carl (not personally, but I'm on some mailing lists with him). He's pretty damn smart. He has to be. Same thing about the rest of the anti-abuse folks at AOL. They're smart, and they're dedicated, and they're very, very, very good.

AOL's spam policy is unreasonable

[ables]

On the surface, AOL looks like the good guys here. However, their draconian spam policy can be as harmful as the span it's trying to prevent.

Here's how it works: AOL receives N complaints calling something spam after users click on the "mark this as spam" button. So AOL looks at the previous link in the received-from chain and blocks that entire network.

Sounds good right? Wrong.

Say Joe User works at my company part-time from home. Instead of another pop account, he has a forwarding address with our company that forwards to his AOL account. Joe gets spam, and reports it to AOL. AOL looks to see who sent it, sees my company in the "received-from" chain, and blocks not only us, but every other company hosted with our ISP. Thousands of legitimate emails now can't get to AOL addresses.

It gets worse. Many people use the "spam" button like the "delete" key to get rid of stuff they just don't want right now. AOL doesn't educate its users to realize that reporting something as spam has real consequences, and so people mark real email they requested as spam just because it's easier than deleting around it.

Our fabulous domain host FutureQuest has had to ban forwarding to AOL addresses as a result. AOL has been completely unreasonable in accepting any responsibility for intelligent spam blocking, and their users and legitimate businesses are suffering.

At least they're trying, but they're far from the good guys here.

ISP's over-sell their lines, use that knowledge.

[khasim]

Do you honestly think that any ISP's admin gets to make revenue decisions.

They would if they phrased it correctly.

Suppose you are an ISP with a single T1.

You don't just sell the available bandwidth. You over-sell it. You might sell 2x your bandwith or 3x or 4x or 5x.

You do that because you know that each of your customers will not be using their entire bandwidth all the time.

But spammers use up a lot more bandwidth than the average customer.

If I started shutting off customers because they are inept netadmins, I'll get fired.

You don't do that. You show your boss how that idiot is using 10x the average bandwidth but only paying 1x the average fee.

That should be easy to do.

The only way that it's going to change is if the government makes the ISP liable for spam sent from it's ISP block.

There isn't one government. I get a ton of crap from .ch domains now.

In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?

I don't think that will happen. There is a market for the small, local ISP.

The key here is money. The people who behave irresponsibly use more bandwidth than the responsible people (yet pay the same monthly fees).

If you want to clean your own house, that's the way to do it.

That's the carrot. The stick is when your entire block is blacklisted because you did NOT deal with the problem that you knew about.