Spamhaus: MCI Makes $5M A Year In Spam Profits

An anonymous reader submits "According to a new Spamhaus report, MCI makes $5 million a year hosting spammers and illegal spamware. MCI/UUNET has long topped the Spamhaus spam supporting ISPs list, with nearly 200 active SBL entries. MCI even took on spammers such as iMedia, when they were terminated by Savvis in their half-hearted response to leaked pro-spam memos."

only $5 million

[bird603568]

with a compiny that brig is % million that much? maybe 500 million but only 5?

Re:only $5 million

[bird603568]

woops i hit post what was meant to been said was: with a company that big what % is 5$ million? It cant be that much. 50$ or 500$ million then would be a big deal.

Re:only $5 million

[Stevyn]

Their gain of $5 million is costing companies many times that. That's why it's bad.

Re:only $5 million

[ssimontis]

Still, this article shows several things. Lots of people complain that we can't do anything to stop spam without getting several countries to cooperate. While this might be true in the long run, we can still shut down all the spammers in the United States. One of the biggest ways we can stop spam is forcing ISPs to stop supporting it. I am not sure what could be done, but perhaps a large-scale boycott could have an effect?

Re:only $5 million

[thogard]

If 5 mil is nothing to them, then we need to get them to stop.
The only way to do that is nail them where it hurts most, their stock price. The only way to do that is blacklist them and let wall street know its going to happen and make sure that it does happen.

What needs to happen is that on Apr 1, we make fools of them by taking down their entire network. This is going to take massive planning because they run such a major part of it. The real problem is most name servers are still on it as well as many of the main web sites.

So for this to work, everyone running mail servers will need to to have a RBL type blacklist in place that gives out the same message that is clear and to the point. Then Web sites should return pages explaining the issue clearly. The idea is full up every ISP call centers with questions to the point that anyone paying MCI will be screaming at them. The result is that mci will either get their act together with the spamers or the net will prove that a permanent blacklist won't be so bad.

This is very difficult to do in a corporate environment. however sometime the big bosses can be convinced by letting them know just how much the spam and viruses are costing and don't forget the fraud. Remind them of the people who siphon millions out of large companies to help their new buddies in Nigeria.

illegal spamware?

[dougmc]

and illegal spamware.

What's illegal about spamware? I thought it was spamming that was illegal, not software that could be used for spamming.

And in any event, one person's `spamware' may very well be another person's tool of choice for sending out mail to a large (and yet legitimate) mailing list.

Re:illegal spamware?

[rpozz]

I assume some spamware uses zombie networks to send spam. Surely that's illegal.

Re:illegal spamware?

[Secrity]

Spamming in the US is not illegal, sending spam illegally is illegal. Selling spamware IS illegal in Virginia and UUNet has a large presence in Virginia.

The Virginia law says:

18.2-152.4. Computer trespass; penalty. ... B. It shall be unlawful for any person knowingly to sell, give or otherwise distribute or possess with the intent to sell, give or distribute software which (i) is primarily designed or produced for the purpose of facilitating or enabling the falsification of electronic mail transmission information or other routing information; (ii) has only limited commercially significant purpose or use other than to facilitate or enable the falsification of electronic mail transmission information or other routing information; or (iii) is marketed by that person or another acting in concert with that person with that person's knowledge for use in facilitating or enabling the falsification of electronic mail transmission information or other routing information.

Re:illegal spamware?

[timmyf2371]

That's kind of a harsh law, sounds akin to making filesharing software illegal because of the actions of its users.

Now I know why they prohibit port 25

If you run your own zombie- mailserver, you're competing with them on a lucrative business of theirs.

Impose an E-embargo against MCI

[Gary+Destruction]

ISPs should impose an E-embargo against MCI because they support spammers. All mail and traffic from MCI should be blocked until MCI stops helping spammers.

Re:Impose an E-embargo against MCI

MCI == UUNet == huge portion of the backbone. It's impossible, and this is an old old pissing match.

Re:Impose an E-embargo against MCI

[pavon]

You do realize that UUNET(/MCI/WorldCom) supports roughly one third of all the traffic on the internet, don't you. You can't simply block one third of all your legitimate incoming mail.

Furthermore, I don't want to make ISP's responsible for the content that they are hosting. I think that would set very bad precedent, and the internet as a whole will be much better off if if ISPs are legal regarded as common carriers.

Fight the spammers not the postal service.

Re:Impose an E-embargo against MCI

[dubl-u]

Furthermore, I don't want to make ISP's responsible for the content that they are hosting. I think that would set very bad precedent, and the internet as a whole will be much better off if if ISPs are legal regarded as common carriers.

This isn't about content; it's about behavior. If I rant with a bullhorn at 4 am on your street, the cops will happily haul me off for disturbing the peace, even if I'm reading the Bill of Rights.

Sending spam is in the same category as running DDOS attacks, spreading viruses, or attempting to break in to other people's servers. It's an abuse of the network, and ISPs have no legal or moral obligation to lend their resources to people abusing the network, any more than a landlord has the obligation to let somebody run a crack house.

Wierd...

[NetNifty]

I'm not defending MCI/UUNET, or even sure if this is the same MCI that this story is about, but an MCI's AUP:

Email Sending unsolicited mail messages, including, without limitation, commercial advertising and informational announcements, is explicitly prohibited. A user shall not use another site's mail server to relay mail without the express permission of the site.

Which is strange because in the article it mentions "MCI is the only American, and indeed only Western network, where this spam support activity is 'not against our policy,'".

Or does MCI just post that as it's AUP on it's site to cover it's back if it wants to close an account for spamming in the future, or to comply with possible regulations etc?

Urgent request..

[adeyadey]

Dear sir,

I am a former member of the MCI ISP, here in my home country on Nigeria. Recently we have aquired the rights to $5 million ($5,000,000) US, which is ours to dispose of by rights, but we urgently need a business partner in Europe to help realise this sum. For use of your services we are prepared to offer you %20 of net proceeds. Please do not discuss this with anyone, since confidentiallity is paramount...
Please reply with your name, contact address & phone number & bank details for further discussions..

Yours

AA Albalone..

One simple suggestion

[brian.glanz]

If as TFA reads "MCI is the only American, and indeed only Western network, where this spam support activity is 'not against our policy'," then Congress should rule their (in)activity explicitly against the law. Most ISPs already agree as a matter of their own policy. Yes, the spammers will go elsewhere, but the U.S. should first clean our own house. Writing this law (or lines in a law) seems like a no-brainer.

BG

Re:One simple suggestion

[nzkbuk]

As much as I'd like to agree with your view, things get very tricky if you start doing that.

I work for a large ISP / Hosting company and I have seen on more than 1 occasion where 1 site has had spam complaints from a competitor where the sole intent was to get rid of others selling similar products / services.

Yes most spam is an open & shut case and we'll pull any & everything relating to the spam (including occasions where the only connections was a colo hosting the DNS).

MCI Doesn't care about $5M revenue sources

[skoda]

MCI is a $27 billion company. (according to http://global.mci.com/about/investor_relations/fun damentals/).

Corporately, they don't care about $5M revenue streams. If it's not a homerun, billion dollar profit potential, it's not going to be developed.

I doubt MCI is actively pursuing SPAM as a business venture. Not unless they believe it's going to generate billions in the next five years. Otherwise, this is a non-story, about MCI making a few pennies because they aren't 100% vigilant.

Re:MCI Doesn't care about $5M revenue sources

[mboverload]

Then they should have no quals about cutting off the spammers.

Re:MCI Doesn't care about $5M revenue sources

[pyrois]

The point is, they're still making $5M so why bother cutting off the spammers unless it is advantageous for them to do so. I.E. if they make $5M by keeping the spammers, I'm sure they'd drop them if they could make $10M in that action. It's kind of like if you make $80,000/year and every year an extra $5 appears in your account. Even if somebody told you "hey if you stop serving such and such, those $5 will disappear." Why would you bother? In fact, if somebody said "if you stop serving those people, that $5 will turn into $10" you still probably wouldn't care:P In order for MCI to have a legitimate reason to cancel those accounts, they'd have to make hundreds of millions from that decision and/or be in legal trouble. Otherwise, it's a non-issue.

Re:MCI Doesn't care about $5M revenue sources

[Whyte]

Corporately, they don't care about $5M revenue streams. If it's not a homerun, billion dollar profit potential, it's not going to be developed.

I believe you are correct in that the board of directors for MCI, in the course of business, would not be overly concerned about losing $5 million a year in business, or even $5 million a month in business. On the other hand, one of the many VPs at MCI in charge of the smaller regional sales units would probably view the loss of $5 million in revenue as possibly the end of his/her employment.

The decision making process for finding and enrolling actual customers is RARELY done at the board level. With few exceptions this type of activity is done at the business unit level, and these are often broken into smaller regionally or line-of-business units.

Activists need to find a way to target the individuals who are actually in charge of driving and maintaining relationships with incorporated spam outfits. These are likely to be your average Sales VPs not your board members. Ensuring that board members understand the potential public relations problems associated with these negative associations and the specific presence of them in their own organization has to be one of the better ways to bring about change.

The top decision makers in a corporation are usually much more interested in maintaining their corporate image of being a "good" public citizen because they view the value of a solid public image toward the generation of future business. So when we can, we should bring those "bad" public citizens to the attention of the board of directors for which they work.

Making Money

[Bonhamme+Richard]

Note: I'm stealing this for Richard Marcinko's Rogue Warrior's Strategy for Success. Don't sue me Dickie, I gave you credit.

To paraphrase an anecdote used as an example in Dickie's book :

Johnson and Johnson's Corporate credo lists J&J's responsibilities in this order 1) to the consumer 2) to the employees 3) to the community 4) to the shareholders (meaning to making money.)

When Tylenol (a J&J product) was tampered with in Chicago, resulting in the deaths of several people, the local police advised J&J that it was an isolated incident, and that a recall was not necessary.

J&J recalled anyway (a $350 million process) and consumers flocked back to Tylenol when it was reintroduced to the market with new tamper proof packaging. Since consumers had proof that J&J cared about them, J&J ended up making money.

The moral of the story is that caring about your consumers may be less profitable in the short run but that in the long run companies that put the consumer first do better. It's obvious to me that MCI does not put the consumer first. Point 4 on the J&J credo is point 1 in MCI's strategy. MCI just lost one customer.

Re:Making Money

[slashname3]

The credo list you have (1. to the customer 2. to the employees 3. to the community 4. to the shareholders) was a short term abberation that virtually no company in the world today would agree with.

All companies today use the following order 1. shareholders 2. shareholders 3. shareholders 4. company executives.

Companies today have a vision that is about 3 months out to the next quarterly report. The reason is that shareholders will trash a companies stock if they don't exceed all expectation each quarter. And companies have no loyalty or responsibility toward employees. Employees are the first ones cast adrift so a company can show a short term improvement on their bottom line. As to customers, I have to think that most companies feel their customers are morons and idiots. Just look at the commercials they run. :) It has been long known that many companies calculate just how bad they can perform customer service without running off most of the thier customers. Why do you think companies want you to input your account numbers when you call customer service? So they can identify really good customers from the rest of and drop you into a long wait queue in India. Really good customers (read high dollar value customers) get put at the head of the line and get routed to customer service centers here in the US.

J&J was in a shear panic over that incident. And they did what they did because they felt the company was dead if they did not. Bottom line. Nothing more nothing less.

Re:Making Money

[buss_error]

The company I work for put out a 1.2 M USD bid for telecom service. MCI and SAVVIS both bid.

I printed a list of the spammers on both, set them in front of my boss along with the RBL entries for them, and told him I couldn't work for a company that would support these people with contracts, that I would have to leave if either bid was accepted. And I ment it. And he could tell.

End result: Both were disqualified from the bidding process.

MCI & SAVVIS: Get rid of your spammers. All of them.

Not surprising.

[jwcorder]

Aren't we talking about the same MCI/Worldcomm that cooked their books 2 years ago? So bad accounting practices don't seem to be the only questionable business in which they participate.

Non Unique

[discordja]

Why is this news? Almost every bandwidth provider in the country will house spammers so long as they aren't breaking any laws. Internap, the largest bandwidth provider in the states, houses a good number of spammers even tho it's "against policy" to send unsolicited email. If the almighty dollar is involved don't expect companies to be "moral."

God doesn't care if you don't say "bless you!"

[MorboNixon]

As a former employee of UUNet, whom, in turn, got bought out by Worldcom, which was once and now is again called MCI...*breath*...I can say that my pop.net POP3 account I had when I employee there remained active for at least 4 years after I left in 2000. It only got deleted after I stopped checking it for over a month.

What does this mean? Well, speaking from experience, they don't have nearly as many people monitoring this stuff as they should. So, my guess is that this SPAM abuse is the result of neglect. However, as with most any telecom/IT company, Marketing and Sales drives the business, the techies are beholden to the machinations of the Marketroids and Salesbots. This could be their bright idea.

Re:God doesn't care if you don't say "bless you!"

[WoBIX]

They're not the only ISP that doesn't pay attention to accounts. A friend with a dial-up account back in the mid nineties closed her account when she moved. She discovered that she still had email access to it, and even dial-up was still available. Her boyfriend shared the dial-up info with a bunch of their friends and they all had free net access for several years. Last I checked it was still active.

I bet it costs MCI more than $5M

[sbaker]

Yeah - they may inadvertently make $5M from spammers - but I bet the cost of spam to them is a LOT more than that. It follows that this is not an intentional part of their business model - but merely the residue of spammers that they've been unable to eliminate.

Re:New mail protocol

[LukaFox]

That's true. SMTP is just what it claims to be: simple. The only problem with a new mail protocol would be backwards compatibility. It couldn't be compatible with SMTP and still be effective in preventing spam or email spoofing. However, ISPs are not going to want to implement a protocol that no clients can use, and email clients are not going to support protocols that are not actually in use as easily. SMTP has been around for a long time, and replacing it isn't going to be easy. SMTP would have been replaced already if it weren't so universally used.

We've already got competing solutions to some of the problems with SMTP, but not a lot of people are using them. Most people don't encrypt email, S/MIME still is not widely used.

Of course. They're criminals

[Animats]

What do you expect? Worldcom/MCI was run by criminals. Their former CEO, Bernie Ebbers, is on trial right now in New York for fraud and conspiracy.

Re:New mail protocol

[thogard]

Your problem is someone else feature. SMTP allows things such as anonymous mail which was considered important in emails early days. The real problem is someone sees anonymity as a business venture and the suckers fall for it. If you remove that, then the spamers will just lead longer paper trails which will cost them slightly more but wont stop anything. After all these guys are going out and paying cash for T3 setups fees and monthly fees in advance for a circuit they expect to get a few days use out of. They will be happy to comply with any sill new rules an advanced email system will provide.

X.400 fixed all the problems. You can buy a pateneted solution today that fixes all your email problem but it costs several tens of thousands of dollars per year in license fees alone to run an x.400 system.

Re:Wierd...Two different things

[Secrity]

The part of the AUP that you are quoting only prohibits the sending of spam. The article is talking about "spam support" which includes other things, such as web site hosting.

From the article:

"MCI Worldcom's official position on the issue is that MCI can't stop their spam gangs selling proxy hijacking spamware from MCI's network as that would be 'censoring' the distribution and sale of illegal proxy hijacking software.

MCI is the only American, and indeed only Western network, where this spam support activity is "not against our policy". Spamhaus maintains that MCI's 'protected speech' excuses for servicing known spam gangs and proxy spamware distribution sites are dishonest and non-sensical in the face of the Internet's spam epidemic."

Re:MCI has an even better reason to stop this

[justin12345]

No spamming is now specifically LEGAL in the United States thanks to the CAN SPAM bill. You just can't do things like fake reply-to lines and you have to give an opt-out method; there are a few other regulations too that don't come to mind.

The Nigerian thing and viral spam has always been illegal as they constitute fraud and vandalism (repectively). But they aren't usually described as spam and won't ever be effected by legislation or probably anything else other than email filters.

Explain to me

[mattmentecky]

Could someone tell me the rationale for the Slashdot crowd supporting the file sharing programs/networks because they can be used for legit purposes and the "owners" stay out of the mix so to speak, and then on the other hand, slaming MCI for basically doing the same thing in this case? Sounds hypocritical to me.

Re:Explain to me

[timmyf2371]

It's rather simple - filesharing gives people something for nothing whereas spam annoys people and wastes their time.

Not saying I agree with this "philosophy" by any means though.

Re:Explain to me

[DreamerFi]

I'm sorry, I'm not aware of any legit uses of software that sends bulk mail via virus-infected computers owned by others. Please enlighten us.

No suprising considering MCI's past.

[PocketPick]

They've also had some of the highest fines when it comes to violating the do-not-call list.

Example

MCI's spam policy hurts clients

[John3]

I've found our mail server blocked by several smaller RBL's merely because our Class C is part of MCI's pool. Granted that most ISP's don't use these small personal RBL's, but it isn't a good sign when someone will block MCI's entire IP block because of the amount of spam originating within their network.

I wish they were still just uuNet. :-(

Re:MCI's spam policy hurts clients

[bani]

this is the while point.

if MCI won't listen to complaints from non-customers who are victimized by them, the pressure to change needs to come directly from MCI customers.

IOW, RBLs _make_ spam MCI's problem. the more MCI ignores their abusive customers, the more MCI will be blocked, and the more MCI customers will complain to them.

the idea is that either:
1) mci will come to their senses and nuke their spammers, or
2) go out of business after all their customers leave in disgust.

it looks like they're hellbent on 2), especially after their ceo was indicted and their CFO plead guilty to fraud.

Re:MCI's spam policy hurts clients

[Skapare]

I would not call getting your email to work 100% again to be "suffering". You'll suffer more staying with MCI. Of course, if MCI was not blacklisted and blocked, you wouldn't have this incentive to leave MCI. No battle is needed. You simply hunt for a new ISP that has no history of supporting spam (suggestion: avoid telephone companies and cable companies), and sign up. Have your company lawyer write a notification to MCI that you are cancelling your contract due to their documented failure to provide full internet service. Send that to MCI along with a bill detailing your costs of making the switch (not that we would expect them to pay it ... but it would serve as a notice that you have something to add on to a counter sue if they hassle you over this). Then switch your firewall and server addresses, including DNS changes. I've twice moved entire ISPs between upstream providers; it's not all that hard to do if you plan it.

As the internet is gradually dividing into 2 parts, guess which MCI will be stuck in.

They make far more than $5M from spam

[Pig+Hogger]

Those sleazebags make far more than a mere $5 million from spammers. Whenever each of their customers are getting spammed, they're only too happy to send them the bill for extra-bandwidth consumed (plenty of people have T-1 or above high-speed connections that are rated by used bandwidth).

Hosting spam costs more than is brings in.

I've worked for a major hosting provider, and I can
tell you, hosting spammers is a money-loosing proposition. Our company used to host some spammers, of the "following the letter (but not spirit) of the law", "We're not spammers! <wink-wink nudge-nudge>"
variety. Some of them were huge accounts, including our biggest customer.

None of them were worth it. The spammers themselves were a huge drain on our support dept, and many of our other customers were constantly complaining because of our IP blocks being blacklisted.

Finally, we bit the bullet, and showed all of the spamhouses the door (like I said, including our biggest customer). It was a good, and very profitable, move. Within two months, all of our IPs were off the blacklists, our support costs dropped, and our reputation went up, attracting more customers (and big ones, at that).

Moral of the story:
1) Hosting spammers is a bad idea, for business as well as moral, reasons.
2) (The big point) Blacklists work. Very. Well.