Is There Any Reason to Report Spammers to ISPs?
marko_ramius asks: "For years I've been a good netizen and reported spam that I get to the appropriate contacts at various ISPs. In the entire time that I've done this I've gotten (maybe) 5 or 6 responses from those ISPs informing me that they have taken action against the spammer. In recent years however, I haven't gotten any responses. Are the ISP's so overwhelmed with abuse reports that they aren't able to respond to the spam reports? Do they even bother acting on said reports? Is there any real reason to report spammers?"
... but it's rarely worth the effort. Just report to your favorite real time block list and we'll thank you.
I've worked for a very large ISP, and we never responded to them, but we took action on every single report.
Often, just counting against a mailhost for eventual blockage and upline reporting... but it helped block spam from other people (and more spam to yourself) at the least.
If nothing else just report the spammers to irritate your ISP. If enough of us eat up our ISP's time complaining, those spammer clients of theirs will seem less valuable. Also as was said before, please for the love of god report them to the block lists.
The sad thing is that most people who report spam are the idiots of the Internet who don't understand things like joe-jobbing, etc, and assume that because it says "jkrwejkrweq@yourdomain.com" in the From field, it's not necessarily anything to do with "yourdomain.com". SPF is, supposedly, a solution to this but the penetration seems pretty low. Certainly in my experience it's not usually Hotmail or Gmail customers who send the all-caps "STOP SENDING ME E-MAIL" to joe-job victims, but people on various .com domain names most likely hosted at hundreds of different budget web hosts who have poor anti-spam tools (or none at all).
"They"?
A few may actually behave like this, but I'd be willing to bet that the majority aren't.
I've worked for a large ISP, and we worked with others to fight this stuff. Spam represented a great waste of our resources, and a great distraction to actually providing an actual product for our customers.
I work for a regional ISP.
We frequently receive notifications of spam email as well as virus-laden email that has originated from our network. We only respond to the sender if they request that we do (and even then, if it's not necessary and the request isn't polite, we may not).
That means we almost never send a reply to the person who notified us. However, we DO take care of every single notification we receive. If we aren't able to immediately contact the customer and fix the issue (generally a home user with a virus doing the spamming), then we either shut off their service or, more frequently, block outgoing connections from their IP to port 25 anywhere.
Please don't let the silence discourage you. We're hard at work and appreciate the notices that help us keep our networks and services running smoothly for our customers.
Many ISPs have a policy not to notify you what they have done and some are not allowed by law (data protection and privacy legislation). So the lack of response does not mean a thing. Personally I would have preferred that all hook it up into their ticketing system so users get a reply, but some of them still run ticketing on primitive crap that does not have an Email interface (like one well known "best ISP for 200X" in the UK).
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Spammers run their own MTA or MTAs other than those by the ISP.
Provided that there is a clear proof (and not just someone's report) that a customer is a spammer, they would have two options:
1. filter out their outgoing SMTP traffic or
2. shutting down the link
Spammers then would probably change ISP in a snap.
The real (technical) point should be: why spammers do exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation."
Maybe it's important to look at problems from the correct perspective.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
Interesting.. not that many comments, and three responses saying "I'm a decent sized ISP employee, and while we don't respond, we at least look into each complaint." I can only hope so.
While reading over this article and thinking, I came up with another interesting idea. I have recently registered a domain which I'm sure is ripe for joe jobs. It is basically a private image hosting service. Flickr-esque in nature, but... just for my friends to upload, world to see.
Because of this privilege, and other semi-obvious reasons, I don't want anyone with an account on my domain sending an email with a jpg attachment. Why can't we set up an anti-spam utility which says "ok, the from: address is this domain. This domain uses ____ rules. This email [does|does not] follow the rules" and flag appropriately. If I had an email from my domain with a jpg attachment, it's obviously spam. Other similar rules applied appropriately could help filter spam.
Side note.. in the new discussion system, where is the respond to article button, instead of reply to post??? I gotta be missing something obvious here...
We don't need no Net Explorer We don't need no Thought control
Every time a spammer sends an email to your computer its electrons collect in your inbox. If you don't send another email out those electrons will build-up and short out your machine. Send a report, containing these electrons, to the ISP so they can properly purge the excess electrons and allow other internet users to use them.
If you look at the new doo-hickey at the top of the comments (where you can move sliders for full, abbreviated, and hidden message preference) you'll see a low contrast (blue on gray on my plain vanilla Firefox/Ubuntu setup) menu. Reply (to article) is on the far right side. HTH.
The clueless admins at Charter have their outbound spam filters set so it is next to impossible to report spam. When attempting to forward a spam to the originating ISP, Charter will bounce it back as if the report itself were spam. Even trying to forward the bounced report to Charter results in a bounce. A direct email resulted in no response. Of course, since Charter also blocks outbound port 25 (smtp), I have no choice but to send through their misconfigured relay agent.
"National Security is the chief cause of national insecurity." - Celine's First Law
That may have been back when you worked there, but it's quite obvious that it's not the case now. If ISPs gave a shit, they would block outbound port 25 by default for dynamic IP clients (and maybe ALL IPs). That would stop at LEAST 95% of the spam botnets. This works best with a tool to allow you to open the port if needed (running a mail server.) Running a mail server on a dynamic address at this point is futile as a good portion of servers will block you anyway. MUAs should all be configured to use port 587 for authenticated submission.
ISPs could also install sniffers to watch the rate of outbound off-network port 25 SYN packets, and investigate unusual activity. Oh and don't go saying that this is difficult - just talk to AT&T and the government - they have been sniffing ALL traffic.
But it's VERY VERY rare to find an ISP that does ANYTHING AT ALL to stop outbound spam. Oh sure, they are perfectly willing to install blacklists and filters on inbound, but outbound? Nothing. They don't care. The only way to fix this is to make habitual offenders be financially liable. ISPs also need to make end users liable and start enforcing their TOS, disconnecting grannie and her POS windows box that has no firewall, anti-virus, and is running spambot software.
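The "watch the rate of outbound off-network port 25 SYN packets" idea above, as an added example that is not code from the thread: a small analyser over constructed flow-log lines that flags a customer host fanning out to many external mail exchangers in a short window. The log field layout (epoch, source, destination, destination port, TCP flags) and the ISP relay range 198.51.100.0/24 are assumptions.

```python
"""Spot hosts opening unusually many outbound port-25 connections.

Added example, not from the discussion: a flow-log analyser for the
"watch the rate of outbound off-network port 25 SYN packets" idea.
The log format (epoch, src, dst, dst_port, TCP flags) and the ISP
relay range are assumptions; the log lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the ISP's own submission relays; mail to them is expected traffic.
ISP_RELAYS = [ip_network("198.51.100.0/24")]

# Constructed sample flows: one host fans out to many MXs (bot-like), one host
# talks to the ISP relay plus a single external MX, one is non-SMTP traffic.
SAMPLE_FLOWS = """\
1000 10.0.0.5 203.0.113.10 25 S
1002 10.0.0.5 203.0.113.11 25 S
1003 10.0.0.5 203.0.113.12 25 S
1005 10.0.0.5 203.0.113.13 25 S
1007 10.0.0.5 203.0.113.14 25 S
1009 10.0.0.5 203.0.113.15 25 S
1010 10.0.0.9 198.51.100.25 25 S
1011 10.0.0.9 198.51.100.25 25 S
1012 10.0.0.9 203.0.113.20 25 S
1013 10.0.0.7 203.0.113.30 443 S
1014 10.0.0.7 203.0.113.31 25 SA
"""


def parse_flow(line):
    """Split one log line into (epoch, src_ip, dst_ip, dst_port, flags)."""
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def outbound_smtp_syns(lines):
    """Yield (epoch, src, dst) for SYN-only flows to port 25 that leave the ISP."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port, flags = parse_flow(line)
        if port != 25 or flags != "S":
            continue
        if any(ip_address(dst) in net for net in ISP_RELAYS):
            continue  # submission to our own relay is normal customer traffic
        yield ts, src, dst


def suspicious_sources(lines, window=60, threshold=5):
    """Return {src: peak distinct external MXs} for sources that exceed the
    threshold in any fixed window of `window` seconds. Such hosts warrant
    a look by the abuse desk, not an automatic cut-off."""
    buckets = defaultdict(set)
    for ts, src, dst in outbound_smtp_syns(lines):
        buckets[(src, ts // window)].add(dst)
    peaks = {}
    for (src, _bucket), dsts in buckets.items():
        if len(dsts) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(dsts))
    return peaks


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src}: {n} distinct external MXs within 60 s, investigate")
```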
If you start to ask them to filter one specific thing then it means they are taking away their impartiality.
wasn't Common carrier status meant to mean "If you start to manage the traffic of the customer, you start to become liable for it"?
Yeah, I used to subscribe to that belief, but the spam problem needs drastic action to deal with. The FACT is that many ISPs already block port 25 and "manage" traffic to a certain extent already, and are still "common carriers."
I worked for a smaller National ISP (MindSpring) and our engineers tried this one day without telling anyone. 2 hours later, Technical Support was being killed by customers complaining that they couldn't send mail to other required sources. After our NOC figured it out, the engineers had to turn things back the way they were and the call Q cleared up.
The problem with your situation is that the same customers that complain about the spam that come in rely on Port 25 to allow their users access to company servers. It's too much to ask of these people to change the mail server on the sending machine - they'll just scoff at you.
Some of the smarter ones use another Port to get around these type of issues but even then, it sometimes causes problems. Ignorance is bliss.
Obviously trying it without telling anyone is stupid. Tell customers ahead of time, give them the info they need such as "use port 587, 465 (for broken MS clients) or your VPN dammit", etc. Doing nothing does not solve the problem. Just because Mindspring engineers are morons doesn't mean that the idea is bad.
I used to work for an Australian ISP, and believe me they took spam seriously... not just for reasons of stopping spam, and credibility, but for profit..
See, we'd give them 2 chances - they got reported for spamming, we'd give them a call and tell them what's going on and ask them nicely to please fix it. If it's a suspected botnet, get a PC tech - if it's a spammer (it's happened) then stop your freakin' spam.
If they got reported again, accounts get suspended. Give them another call, explain the situation again, and advise them that they need to cease their spam immediately (for deliberate spamming) or get their PC checked by a PC tech (botnet style). The account would NOT be unsuspended until they could guarantee us that they had remedied the situation; at this point we'd advise them that if we get another spam report they would be charged $5 PER EMAIL for spam sent.
If spam happens again, account is suspended again, an invoice generated and sent to the customer for the spam, and this - we'd wait for their call.
ISPs have terms of service. Many will take your site down if you host MP3s, warez, or porn (obviously, others are quite happy for you to do so). Many have broad language saying you're basically not allowed to be a "server". Which if strictly enforced, would stop you doing almost everything.
amazingly enough, they're still around. And free! Provide your own connection, and use AOL for free. They finally moved from being a connection provider to a content provider. They still offer dial-up for $10/mo, which isn't bad. Smart move on their part.
My friend works for a local ISP here in town. He was telling me about their system, which will automatically shut people down. If they send a certain number of e-mails in a certain period, a flag goes on their account and their access to the mail server is blocked for 24 hours (the first time).
When their access is restored, if it continues to happen they get longer and longer blocks. He told me a story about a woman who called in who just didn't seem to understand this concept and her access was currently being blocked for something like 2 weeks, which was one of the longest blocks he'd seen.
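The automatic throttle described in the two paragraphs above, as an added example (not the ISP's own system): per-account send counting over a sliding window, a 24-hour block on the first overrun, and a block that doubles on every repeat. The message limit, the window length and the doubling schedule are assumptions.

```python
"""Outbound-mail throttle with escalating blocks.

Added example, not the local ISP's real system: models "send more than N
messages in a period -> mail access blocked for 24 h the first time, longer
on each repeat". Limits and the doubling schedule are assumptions.
"""
from collections import defaultdict, deque

HOUR = 3600
DAY = 24 * HOUR


class MailThrottle:
    def __init__(self, max_msgs=100, period=HOUR, first_block=DAY):
        self.max_msgs = max_msgs          # messages allowed per period
        self.period = period              # sliding window, seconds
        self.first_block = first_block    # length of the first block
        self.sent = defaultdict(deque)    # account -> timestamps of recent sends
        self.blocked_until = {}           # account -> epoch when the block lifts
        self.strikes = defaultdict(int)   # account -> number of blocks so far

    def block_length(self, account):
        """24 h for the first block, doubling on each repeat: 1d, 2d, 4d, ..."""
        return self.first_block * (2 ** self.strikes[account])

    def submit(self, account, now):
        """Decide one message submission at time `now` (epoch seconds).
        Returns True if the relay may accept it, False if it is refused."""
        if self.blocked_until.get(account, 0) > now:
            return False                  # still serving a block
        window = self.sent[account]
        while window and window[0] <= now - self.period:
            window.popleft()              # drop sends older than the period
        if len(window) >= self.max_msgs:
            # Overrun: block the account and escalate for next time.
            self.blocked_until[account] = now + self.block_length(account)
            self.strikes[account] += 1
            window.clear()
            return False
        window.append(now)
        return True

    def block_remaining(self, account, now):
        """Seconds left on the account's block, 0 if it may send."""
        return max(0, self.blocked_until.get(account, 0) - now)


if __name__ == "__main__":
    t = MailThrottle(max_msgs=3, period=60)
    for second in range(5):
        print(second, t.submit("home-user", second))
    print("blocked for", t.block_remaining("home-user", 5) // HOUR, "hours")
```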
I work for a small national ISP. We always take action on spam reports (we hate spam as much as you do, probably more...), but almost never respond to the people who make the reports. There are only two of us, and we're very busy -- and I doubt the people who are complaining about no response are going to look any more favorably on an automatic response.
Please though, keep reporting. It helps us weed out the spammers we haven't caught by other means.
Sometimes we just don't get enough information to take action though. If you're going to report spam, send in a copy of the ENTIRE email (useless without headers...), and make sure the timestamps are correct. If your clock is wrong, I'll do my best to figure it out, but I can't promise anything.
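Why the abuse desk wants the ENTIRE message with headers: the only Received: line it can trust is the one its own mail exchanger wrote when the sending host connected; every line below it may have been written by the spammer. This added example (not code from the thread) parses a constructed message and extracts the connecting IP and timestamp from that trusted hop. The recipient MX name mx1.example.net and the lower, forged Received: line are assumptions; the IP and hostname in the top hop are those quoted in the Sympatico report elsewhere on this page.

```python
"""Pull the originating IP out of the one Received: header you can trust.

Added example, not code from the thread. The Received: line added by the
recipient's own MX records the client IP that actually connected; lines
beneath it came from other hosts (or the spammer) and may be forged.
The sample message and the trusted MX name are constructed.
"""
import re
from email import message_from_string

OUR_MX = "mx1.example.net"   # assumption: the recipient's own mail exchanger

# Constructed sample: the top hop is genuine, the lower one claims a forged origin.
SAMPLE_MESSAGE = """\
Received: from bas1-toronto02-1242320779.dsl.bell.ca (bas1-toronto02-1242320779.dsl.bell.ca [74.12.79.139])
\tby mx1.example.net (Postfix) with SMTP id 3A1F2
\tfor <victim@example.net>; Wed, 25 Apr 2007 14:57:02 -0400
Received: from mail.yourdomain.com ([10.1.2.3])
\tby bas1-toronto02-1242320779.dsl.bell.ca with ESMTP; Wed, 25 Apr 2007 14:56:50 -0400
From: jkrwejkrweq@yourdomain.com
To: victim@example.net
Subject: special offer
Date: Wed, 25 Apr 2007 14:56:40 -0400

buy now
"""

# "from <helo> ... [<ip>] ... by <host>" - the common shape of a Received: clause
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)")


def received_hops(raw_message):
    """Return one dict per Received: header, newest (topmost) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())           # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        hops.append({
            "helo": m.group(1),
            "ip": m.group(2),
            "by": m.group(3),
            # the date follows the last ';' in a Received: clause
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    return hops


def originating_ip(raw_message, our_mx=OUR_MX):
    """(ip, date) of the host that connected to our MX, or None if no
    Received: line was written by our_mx (then nothing here is trustworthy)."""
    for hop in received_hops(raw_message):
        if hop["by"].lower() == our_mx.lower():
            return hop["ip"], hop["date"]
    return None


if __name__ == "__main__":
    print(originating_ip(SAMPLE_MESSAGE))
    for hop in received_hops(SAMPLE_MESSAGE)[1:]:
        print("untrusted hop, possibly forged:", hop["ip"], "by", hop["by"])
```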
with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathematic to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.
What ISPs should do is to identify nodes which have actually been infected by a botnet (or are otherwise sending spam/malware) and nuke them in accord with every ISP TOS out there. But, that would be more work, and cut into their revenues, so they don't want to do that.
I run a firewall (iptables), run up-to-date malware scanners, and take responsibility for what leaves my network. If my security is ineffective, and one of my machines starts spewing spam, I should be cut off and held responsible. But, I should not be penalized or limited because of the actions of others.
Finally, it should be obvious that port blocking, refusing acceptance of smtp connections originating from dynamic IPs, etc. simply hasn't been effective against spam. Spam continues to increase, and will continue to do so until action is taken closer to the root causes - networks start going after originating machines, law enforcement start going after businesses using spam (and, of course, instituting a death penalty for anyone caught purchasing any product from a spammer).
I agree that not telling anyone was a bad mistake...
While I'm not in the middle of the US IT situation, I don't think it's used as much as it should be.
Greetings,
Please keep reporting. I handle the abuse complaints for a regional ISP. We have never had an actual spammer on our network, but the reports have helped us clean up some very badly infested machines of our users. Since I receive about 50 of these complaints a week, with maybe 1 in 1000 being from our IP space, I have to agree that it is frustrating when people report to me, but the only mention of my IP or domain space is an obviously forged header. At least it is obvious to anyone who can read email headers. I will not respond to any report unless specifically asked, and even then it will be a short reply stating that it has either been dealt with, it is not our user, or that it is under investigation. No details are ever given out due to privacy.
We do not (yet) block port 25 by default, however we do rate restrict it, and monitor usage on a per-IP basis. We have been in business for over 13 years and due to that, management is not happy with having to contact our customers to get them to update their email client settings. We are setting up all new clients to use SMTP authentication and all helpdesk tickets dealing with email get them switched over as well. We figure that in another 1 maybe 1.5 years we will have everyone switched over and then we can block all port 25 access without causing too much disruption (Management's biggest fear).
Reduce, reuse, cycle
About a year or two ago, I was having serious problems with comment spam, with hundreds a day coming from a single IP address. I banned the IP for 7 days and put various protection schemes in place to prevent further abuse. Once the 7 days was up, there were literally thousands of attempts, but now each one was stopped and logged in an easier to understand format. With this in hand, I looked up the address to find it originated from one of The Planet's customers. Even after sending reports with links to the logfiles, months (and tens of thousands of attempts to spam my comments) went before I received any response whatsoever. That response was as a direct result of speaking to one of The Planet's higher profile customers who I've worked with in the past to try to get some help in the situation.
Only after doing an end-run around the abuse department did I see some *real* action taken on behalf of The Planet. Previously all they seem to have done was moved the customer to a different IP address, which would have been very counter-productive had I just kept blocking the original IP address.
By all means, send your complaint.
If enough people complain, they will take action. The "legitimate" ISPs at least (as opposed to the "bulletproof" ISP).
Include the ip address / spamvertized URL on the subject. Makes it easier for the poor lackey they have tasked with reading the abuse mail and opening tickets/reports/whatever.
Or use a service like spamcop or mynetwatchman (for portscanning attacks). Usually, the postmaster and abuse accounts are not filtered in any way so they get a HUGE amount of spam and it easy for an email complaint from a random address to slip by unnoticed. But mail from predictable sources can be classified easily and acted upon.
ISP's are not common carriers and never have been. When will this myth die!?!
and how many customers did you cut off for sending spam (intentional or unintentional) in violation of your TOS? How may peers did you sever because they weren't policing their users, and were therefore sending spam your way?
I have little sympathy for lazy ISPs, who've created the bed they are now forced to lie in.
ISPs allow spam because they make more money putting up with it than by dealing with it properly.
I don't know when your story occurred, but it's worth pointing out that Earthlink/Mindspring was in fact among the first handful of major ISPs to implement outbound port 25 filtering across most of their dynamically assigned address ranges.
Yes, it was a support nightmare (and I wasn't even on the support floor) but the drop in outbound spam was astounding.
Late 1998. After a few months, it was turned back on. I think the engineers figured out most that were using remote port 25's and automated a message about updating SMTPs.
Seconded.
I don't work for an ISP, just a small hosting company. But we respond to each and every incoming SPAM/abuse report. It eats up valuable time, but ignoring it just isn't something we should do.
> That may have been back when you worked there, but it's quite obvious that it's not the case now.
You just say they don't do the blocking... you don't assert in any fashion how they benefit from it.
There's a vast difference between an ISP who can't be bothered to block traffic, and one who is in collusion with the spammers.
I personally hate that my ISP blocks port 25 outbound. I wish they did something more intelligent like tracking spam complaints back to the subscriber and blocking port 25 for those subscribers, or issuing a warning or something...
1. The ISP contractually commits, under severe penalty, to maintain full confidentiality and security for all email passing through their servers. That includes supporting encrypted sessions (from the customer and to the endpoint, including giving the customer control over associated certificates), allowing the customer to control when log events are deleted, guaranteeing ISP employees cannot view or intercept, not archiving or recording email, and completely ignoring any subpoena or other governmental demands for monitoring or maintaining records of email. Will you do that?
2. Gives the customer full control over email filtering/reject messages/retry frequency/fail timeouts, etc., plus full access to all log events related to that user's email. Can you do that?
3. Assumes full legal responsibility, including incidental and consequential damages, related to delivery of email. Will you do that?
I run a small ISP hosting mostly dedicated servers. These servers pretty much all expect to have the ability to send outbound e-mail. We monitor and maintain these servers pretty closely, but sometimes a mistake by a client allows a machine to be used for sending spam and doing remote SSH compromise attempts. Those are our two biggest problems.
For example, one client set up a "demo" account with an extremely easy to guess password. This was compromised by a remote SSH brute-force client, and the account was then used to run that same attack program. Another instance involved awstats. A year or two ago, attackers were searching google for "awstats $VERSION", looking for specific versions that were vulnerable. We had gone through our client machines a month or two earlier looking for installed versions of awstats that were vulnerable, but this client had installed a vulnerable version after we had done the sweep.
The biggest spam problem has been with web forms that aren't properly checking their input, and can then be used to send spam to a bunch of recipients.
We act on every one of the spam reports we get that does not come from AOL. Well, except for the spamcop ones that are so vague as to be useless. We're registered with both AOL and spamcop to get alerts about problems with our IP ranges. I'm just about ready to dump AOL, because something about the AOL user interface makes users report as spam messages almost interchangeably with "delete". We have clients who run legitimate e-mail lists, with double opt-in, so I'm assuming that users who start reporting these messages as spam simply are too lazy to unsubscribe from the list when they decide they no longer want to read it. Or perhaps they just are reporting messages on the list that they aren't interested in. The AOL reports produce so much noise that it's almost impossible to make use of.
But, at least the AOL reports include the full (nearly unchanged) messages that the user is reporting. Some of the spamcop reports are "We received 2 messages from this host to one of our spamtraps in the last 12 hours." Actually, they are quite a lot more terse than this. I realize why they're being vague, and this worries me, but what can I do about this sort of report? I can't even tell if the problem is originating from a list on this client's server (they host a lot of discussion lists about their mission) or if it came from an open web form. A mailing list means that somebody intentionally subscribed a list of addresses including a spamcop spamtrap, a violation of the AUP with us. A broken web form means that someone else is using the server to send spam, in a way we can shut down. Finally, it may be just a bounce message from some spam that was sent externally with the return address of this spamtrap.
I can't tell with that sort of report.
So, in short, these reports, if accurate, *ARE* acted upon by ISPs.
Sean
At the Large Corporate ISP of Doom that I work at, we actually do enforce the AUP, and I regularly get calls from Granny-I-Don't-Know-How-To-Right-Click saying (in a not-so-concise manner), "Your level 1 rep told me something about my computer has a virus and was sending out spam? But I only play Pogo! How could I get a virus?!"
...that's what gives you a dial tone through the Digital Phone service...."
I then need to go through the whole song and dance about "Yes, I understand you've not got the slightest idea on how to operate a computer. No, I'm not going to sit with you for an hour while you try to figure out what a virus is. Yes, you should power off or unhook your computer until you can get it fixed. No, don't unhook your modem because -click!-
Greetings,
The situation you have brought to our attention has been investigated
and treated by a member of our staff. We have enforced our
AUP(Acceptable Use Policy) against the offending account.
Sympatico always enforces a strong anti-abuse policy; customers who
abuse the network risk having their service terminated. Should you
encounter any Internet Abuse originating within the Sympatico network,
please do not hesitate to contact us again at abuse@sympatico.ca.
Regards,
Steve
Internet Security Analyst
Bell Internet Management Services
http://security.sympatico.ca/
abuse@sympatico.ca
Original Message Follows:
Dear Sirs,
Please view the attached unsolicited e-mail received on Wed,
25 Apr 2007 14:57:02 -0400, apparently coming from IP 74.12.79.139
(bas1-toronto02-1242320779.dsl.bell.ca), inside a network owned by you.
Please check it out, and handle your user according to your TOS/AUP.
Thank you.
"...See, we'd give them 2 chances - they got reported for spamming we'd give them a call and tell them
what going on and ask them nicely to please fix it. if its a suspected botnet, get a pc tech..."
You're better than Pacific Bell (now AT&T) in California. One of their residential customers in Los Angeles had their computer hijacked by a botnet. I called PacBell's DSL customer service and tried to give them the IP address of the infected machine. Their response? PacBell: "Nothing we can do about it. Try blocking them on your end."
Since their residential customer is on DHCP, I have to periodically reblock the offending hijacked computer when people complain about the level of spam getting through. This single hijacked computer accounts for about 1/3 to 1/2 of the spam we receive.
I would guess that in the meantime that if the account has pumped out a few million spams, then the traffic would have put up flags, but if that hasn't shut them down, perhaps my email did. Hopefully. Otherwise that DomainKeys thingie will be meaningless. If it already isn't.
DT
Is this thing on? Hello?
I forward spams to spam@uce.gov . I know that someone looks at at least some of these; does anyone know if it actually does any good?
There's two reasons there's no reason to bother anymore.
#1: You probably have no clue where the e-mail actually originated. And even if you are educated enough to interpret the headers of your e-mail, #2 becomes the problem.
#2: These days, 99.9% of the IP addresses that send spam belong to retirees running Windows 98 on dialup connections who use less than 30 hours per month. As soon as I take the time to go through our dialup logs (or our ADSL logs) and track them down, I immediately recognize them (and/or their usage logs and tech support histories confirm it anyway) as being entirely harmless 3rd party victims. I send them a polite form e-mail about how their computer is infected with a virus, and to please go to free.grisoft.com to download a virus scanner. 98% of the time I never hear a response back, even if I know they check their e-mail on a regular basis. It remains the length and breadth of what I can do to fix the problem (If I had control over our ADSL network, I would have restricted outgoing SMTP to a few servers years ago).
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Completely unrelated but can you post a link to the "Navajo and the snake" tale??
Nope. The "Sender ID" patent covers the PRA algorithm, not SPF-classic. Yes, you should be aware that some recipients filter based on PRA (e.g. Hotmail/Live), but no Microsoft IP is infringed by publishing SPF records or filtering based on such records.
Simplistically, MARID died because it tried to achieve "broad consensus" amongst people who were OK with the PRA IP and those that weren't. Neither side could persuade the other to back down.
I'd like to thank all the folks at ISPs who've responded here.
I long since gave up reporting spammers, even ones who appeared to have a legitimate product (or one that would be legitimate if it wasn't spammed for), because the volume is just too high. I can't even afford the bandwidth to accept mail that's potentially spam: I drop connections from dialup addresses at HELO, and I have several countries blacklisted at that level.
The only spam I report any more is stuff that gets through my filters, doesn't seem to be sent from a botnet, *and* the product is something I'm potentially interested in. I won't buy from the spammer, and I take the effort to report them in an attempt to reduce the chance that the spammer will get a competitive advantage over legitimate businesses that I really care about. This may happen a couple of times a month, so it's not a great burden... and I wish I could do it more often.
I'm glad to hear that this might still have some impact.
Once more, we see the real colors of an ISP - money. Exactly how does extorting more money for a connection magically make it so you can unblock ports without allowing spam? The restrictions are NOT based on spam, or DOS, or any other form of net abuse. They're about extorting money from users. The argument was made that port 25 needs blocking because of spammers signing up for dialup accounts using stolen credit cards. Port blocking isn't a solution to the real problem, which is lazy ISPs who don't practice proper account controls, and won't enforce their TOS, including peering agreements. Which gets to another of the root causes of Internet problems - ISPs who think they can act as content arbitrators (no servers for you, port blocks, etc.), yet expect the immunity of a common carrier. You can't have your cake, and eat it too. Decide what you want to be. The Internet is nothing more than a bunch of networks who've agreed to interconnect based on common standards (IP/ICMP). If you're not providing at least full support for those two, you're not an ISP.
It seems to me like any good botnet would be moving to use the outbound services used by the victim machine anyway. That's what I'd do if I were writing a botnet program.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
It helps, when responding to a thread, to actually read it before swallowing your foot.
The most interesting facts are in the end of this post. Keep reading...
I am reporting some of the spam I get, but not most of it. Mainly spam sent by advertisers in my country. Some of it is sent by spammers that tend to use the same ISP and I don't see that the ISPs are doing anything against these spammers. I use SpamCop to report, both because it's easier for me, and because I believe it is better service to the receiving abuse desk that gets a reliable report. This is one thing I would like to hear more about: how helpful are spamcop reports, and do abuse desks use the tools spamcop provides for them.
Then there are botnet spammers. I am following one such spammer. Reporting seems pointless but I was glad to see the parent post and several others that indicate that sometimes the info is used to help a customer clean their PC. However, I am interested in another aspect: I have a list of several hundred IP addresses this spammer has used to send email that are scattered all around the world. It seems to suggest use of a botnet, but I have no positive evidence that any of these IP addresses represents an infected PC. There might be another explanation, such as they are using open relays/proxies, but it seems most of these IP addresses are not listed as open relays/proxies at the time of reporting, and they are almost all identifiable in consumer dynamic IP ranges. So I would really like to somehow get a positive reply from an ISP that can actually say "yes, we identified that this is a hijacked PC and we detected it spewing out tons of spam similar to the one you reported.". I have the spammer's cellphone number and list of clients, collection of hundreds of spam messages sent from different IP addresses and all with forged sender credentials, but the missing part is actually being able to tell that one of these hundreds of IP addresses has been positively detected to be hijacked and controlled by the spammer. I also tried several times to contact owners of domains forged in headers to get an actual response saying they did not agree to their identity being used and never got a response, but at least I know one blogger that complained about his own identity being forged by this spammer (and he complained to the police but AFAIK nothing much happened).
Finally, I premised in the first sentence that the best part would come in the end, and that is why I would want to follow this one spammer. Well, it looks like a botnet operator, but the real story is the sort of clients that hire the botnet operator to use a botnet to send spam with forged identities on their behalf. Almost none of them were close to what you would associate with spam, such as illegal pharmacies, gambling, porn etc. The sort of clients they do serve are companies selling real products or services. They also got several colleges (the sort that gives a real bachelor's degree that is accepted by graduate schools). They got a stock broker and a financial investment company owned by a multi-billion-dollar corporation. They got a big telemarketer as a client, and interestingly at the same time they worked with this client they started offering "targeted mailings". And last week they finally got the biggest client: ME. Not that I ordered any job by them. My government hired them. I pay taxes. So it's my money they got paid to use their botnet to send me spam offering me loans from my government if I am a small business. It's an Israeli spammer, operating openly in Israel, with even the government as a client, and selling the services of a network of hijacked PCs all around the world (USA, China, Germany, France, Spain, Russia, Argentina, Brazil, and many more countries that I have on record). This kind of thing must be stopped!
eliminates very near 100% of spam from zombie hosts, because they will never attempt to resubmit mail if the recipient mailserver is busy. All RFC-compliant mailservers will try back later if told to do so; zombies will not.
http://www.openbsd.org/cgi-bin/man.cgi?query=spam
illum oportet crescere me autem minui
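The greylisting idea the post above relies on, as an added example that is not the OpenBSD spamd code it links to: a first connection for a new (client IP, sender, recipient) triplet gets a 451 temporary failure, a retry after the pass time is accepted and whitelists the client, and a zombie that never retries is never let through. The timing constants below are assumptions modelled on spamd's defaults, and the sample addresses are constructed.

```python
"""Greylisting: tempfail unknown senders once, accept them when they retry.

Added example, not OpenBSD spamd itself. An RFC-compliant MTA retries after
a 4xx reply; a zombie host fires once and never comes back, so the second
attempt is the signal that distinguishes them. Timings are assumptions
modelled on spamd's defaults (25 min passtime, 4 h greyexp, 36 d whiteexp).
"""

GREY_DELAY = 25 * 60              # retries sooner than this are still tempfailed
GREY_EXPIRE = 4 * 3600            # forget a triplet that never retried
WHITE_EXPIRE = 36 * 24 * 3600     # how long a client that passed stays whitelisted


class Greylist:
    def __init__(self, delay=GREY_DELAY, grey_expire=GREY_EXPIRE,
                 white_expire=WHITE_EXPIRE):
        self.delay = delay
        self.grey_expire = grey_expire
        self.white_expire = white_expire
        self.grey = {}    # (client_ip, sender, recipient) -> first-seen time
        self.white = {}   # client_ip -> last-seen time

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply code for one delivery attempt at time `now`:
        250 to accept the message, 451 to ask the client to try again later."""
        self._expire(now)
        if client_ip in self.white:
            self.white[client_ip] = now           # refresh the whitelist entry
            return 250
        triplet = (client_ip, sender.lower(), recipient.lower())
        first_seen = self.grey.get(triplet)
        if first_seen is None:
            self.grey[triplet] = now              # never seen: tempfail and remember
            return 451
        if now - first_seen < self.delay:
            return 451                            # retried too eagerly, wait longer
        del self.grey[triplet]                    # genuine retry: let the host through
        self.white[client_ip] = now
        return 250

    def is_whitelisted(self, client_ip):
        return client_ip in self.white

    def pending_count(self):
        """Triplets still waiting for a retry (zombies pile up here, then expire)."""
        return len(self.grey)

    def _expire(self, now):
        for triplet, seen in list(self.grey.items()):
            if now - seen > self.grey_expire:
                del self.grey[triplet]
        for ip, seen in list(self.white.items()):
            if now - seen > self.white_expire:
                del self.white[ip]


if __name__ == "__main__":
    g = Greylist()
    # Constructed attempts: a real MTA retrying, and a zombie that gives up.
    for t, ip, mail_from in [(0, "203.0.113.5", "alice@example.org"),
                             (600, "203.0.113.5", "alice@example.org"),
                             (1800, "203.0.113.5", "alice@example.org"),
                             (10, "198.51.100.77", "x@spam.example")]:
        print(t, ip, g.check(ip, mail_from, "bob@example.net", t))
```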