Slashdot Mirror


Is There Any Reason to Report Spammers to ISPs?

marko_ramius asks: "For years I've been a good netizen and reported spam that I get to the appropriate contacts at various ISPs. In the entire time that I've done this I've gotten (maybe) 5 or 6 responses from those ISPs informing me that they have taken action against the spammer. In recent years however, I haven't gotten any responses. Are the ISP's so overwhelmed with abuse reports that they aren't able to respond to the spam reports? Do they even bother acting on said reports? Is there any real reason to report spammers?"

27 of 117 comments

  1. Yes by YGingras · · Score: 4, Informative

    ... but it's rarely worth the effort. Just report to your favorite real time block list and we'll thank you.

    1. Re:Yes by walt-sjc · · Score: 2, Interesting

      Simple. Pass a law that says that those people are "a danger to national security" and REQUIRE that ISPs take them offline until the problem has been corrected. If they are running a spambot, most likely they are also on someone's DDOS / portscanning network too. Allow (require?) the ISP to charge a service fee for reconnection and verification that their machine is no longer vulnerable (penetration testing.)

  2. Reporting helps, keep doing it by TheSkyIsPurple · · Score: 4, Interesting

    I've worked for a very large ISP, and we never responded to them, but we took action on every single report.

    Often, just counting against a mailhost for eventual blockage and upline reporting... but it helped block spam from other people (and more spam to yourself) at the least.

  3. yep by gregm · · Score: 3, Insightful

    If nothing else just report the spammers to irritate your ISP. If enough of us eat up our ISP's time complaining, those spammer clients of theirs will seem less valuable. Also as was said before, please for the love of god report them to the block lists.

    1. Re:yep by Secrity · · Score: 3, Insightful

      PROPERLY reporting spam to the PROPER ISP is not a problem and is productive. The problems are when idiots report spam to the wrong ISP and when abusive comments are added to spam reports. For spam email it is only necessary to forward the spam email with FULL headers, and with a SHORT explanation (such as "abc.com is on your network") if the headers do not indicate why the report is being sent to a particular ISP.

      I provided tier 3 abuse support to a large ISP and set up the abuse desk for the now defunct dialup offering of the ISP; my advice to the abuse desk people was to shitcan any abuse report that contained abusive comments added by the person reporting the spam. Adding abusive comments is not reporting abuse, it IS abuse.

  4. Definitely report if you have clue by Peter+Cooper · · Score: 3, Insightful

    The sad thing is that most people who report spam are the idiots of the Internet who don't understand things like joe-jobbing, etc., and assume that because it says "jkrwejkrweq@yourdomain.com" in the From field, it's not necessarily anything to do with "yourdomain.com". SPF is, supposedly, a solution to this but the penetration seems pretty low. Certainly in my experience it's not usually Hotmail or Gmail customers who send the all-caps "STOP SENDING ME E-MAIL" to joe-job victims, but people on various .com domain names most likely hosted at hundreds of different budget web hosts who have poor anti-spam tools (or none at all).

    1. Re:Definitely report if you have clue by Mister+J · · Score: 3, Informative

      As long as the reports go to someone who is smart enough to understand those things, the reports can help.
      If they go to the wrong person, all that serves to do is annoy someone who has absolutely nothing to do with the spam and can't do anything to fix it. Such emails are usually the most inflammatory, so hackles are already up before you waste time verifying that the original spam was indeed nothing to do with us. Plus, like the boy who cried wolf, every one of these makes you that little bit less inclined to care about the real spam reports that come in. Oh, and forget replying to such messages - I learned long ago that "It's nothing to do with us" is rarely an answer they're interested in hearing, no matter how politely you put it and how detailed your explanation of "this is why and here's who's really responsible" is.
      --
      Windows moves in mysterious ways, its crashes to perform
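Secrity's point (forward the spam with FULL headers to the ISP whose network it actually came from) and the joe-job problem Peter Cooper and Mister J describe come down to the same header-reading skill. The script below is an added example, not code posted by anyone in this thread: it walks the Received: chain from the top and stops at the first hop written by one of your own MXes, because that is the only connecting IP the receiver can vouch for. The MX name `mx.example.net` and the sample message (including its forged lower Received: line) are constructed for the example.

```python
"""Work out which IP an abuse report is actually about, from FULL headers.

Added example, not code from any poster in this thread. The only hop a
receiving site can vouch for is the one its own MX wrote down: the first
Received: line (counting from the top) whose "by" host is ours names the
client IP that connected. Every Received: line below it, and the From:
address, arrived inside the message and may be forged (a "joe job"), so
the report goes to whoever owns that client IP, not to the From: domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Our MX hostnames. Assumption for the example; replace with your own.
TRUSTED_MX = {"mx.example.net"}

# Constructed sample spam. It claims to come from victim.example and carries a
# forged lower Received: line, but our MX recorded that 198.51.100.23 handed it
# over. 198.51.100.23 is the address to report; victim.example is a bystander.
SAMPLE_SPAM = """\
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.net (Postfix) with SMTP id 4Cq9x1
\tfor <someone@example.net>; Mon, 02 Jul 2007 10:11:12 +0000
Received: from mail.victim.example (mail.victim.example [203.0.113.5])
\tby relay.victim.example with ESMTP id 77A7; Mon, 02 Jul 2007 10:10:59 +0000
From: jkrwejkrweq@victim.example
To: someone@example.net
Subject: STOCK ALERT

buy now
"""

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message):
    """Received: headers, newest (our MX) first, as the email module stores them."""
    return message_from_string(raw_message).get_all("Received", [])


def originating_ip(raw_message, trusted_mx=TRUSTED_MX):
    """IP of the client that connected to one of *our* MXes, or None.

    We stop at the first trusted hop on purpose: anything beneath it was
    already present when the message reached us and is untrustworthy.
    """
    for received in received_chain(raw_message):
        by = BY_HOST.search(received)
        if by and by.group(1).lower() in trusted_mx:
            ip = BRACKETED_IP.search(received)   # the [ip] our MX logged after "from"
            return ip.group(1) if ip else None
    return None


def from_domain(raw_message):
    """Domain claimed in From:. Shown only to contrast it with the real origin."""
    _, addr = parseaddr(message_from_string(raw_message)["From"])
    return addr.rpartition("@")[2].lower() or None


def report_summary(raw_message, trusted_mx=TRUSTED_MX):
    """What a well-formed report needs: the origin IP to look up in whois, plus
    the From: domain as a reminder that it is not evidence of anything."""
    return {
        "report_about_ip": originating_ip(raw_message, trusted_mx),
        "claimed_from_domain": from_domain(raw_message),
    }


if __name__ == "__main__":
    print(report_summary(SAMPLE_SPAM))
```

The whois lookup on `report_about_ip` is what tells you which abuse desk to write to; `claimed_from_domain` is what the all-caps complainers write to, and it is exactly the wrong answer here. If none of your own MX names appears in the chain the function returns None, which is the right result for a message you never actually received (for instance one forwarded to you by someone else).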
  5. Please continue! by J.+T.+MacLeod · · Score: 4, Informative

    I work for a regional ISP.

    We frequently receive notifications of spam email as well as virus-laden email that has originated from our network. We only respond to the sender if they request that we do (and even then, if it's not necessary and the request isn't polite, we may not).

    That means we almost never send a reply to the person who notified us. However, we DO take care of every single notification we receive. If we aren't able to immediately contact the customer and fix the issue (generally a home user with a virus doing the spamming), then we either shut off their service or, more frequently, block outgoing connections from their IP to port 25 anywhere.

    Please don't let the silence discourage you. We're hard at work and appreciate the notices that help us keep our networks and services running smoothly for our customers.

    1. Re:Please continue! by mqduck · · Score: 2, Insightful

      Please don't let the silence discourage you. We're hard at work and appreciate the notices that help us keep our networks and services running smoothly for our customers.


      Here's a thought: Might giving some sort of reply, even a thank-you form letter, not keep people like Mr. marko_ramius from being discouraged? Maybe that's something you and your ilk should consider.

      (P.S. there was no hostility in the above)
      --
      Property is theft.
  6. Not at all! by VincenzoRomano · · Score: 4, Interesting

    Spammers run their own MTA or MTAs other than those provided by the ISP.
    Provided that there is clear proof (and not just someone's report) that a customer is a spammer, they would have two options:
    1. filter out their outgoing SMTP traffic or
    2. shut down the link

    Spammers then would probably change ISP in a snap.
    The real (technical) point should be: why do spammers exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation."
    Maybe it's important to look at problems from the correct perspective.

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
    1. Re:Not at all! by tepples · · Score: 2, Interesting

      There is no need for ANY MUA to use port 25 anymore. ISPs should be blocking port 25 for everyone except mail servers or others that have used the ISP's tool to request that port 25 be open for outbound. So what should a residential user do if the only ISP in town that offers anywhere near the bandwidth he wants (that is, it's this or dial-up) has an unreliable MSA? Should all customers in that town have to subscribe both to Internet access (with a bundled unreliable MSA) and a third-party smarthost?
  7. Too Many Electrons by slarrg · · Score: 4, Funny

    Every time a spammer sends an email to your computer its electrons collect in your inbox. If you don't send another email out those electrons will build up and short out your machine. Send a report, containing these electrons, to the ISP so they can properly purge the excess electrons and allow other internet users to use them.

  8. Re:Dont bother - they're in on the racket by walt-sjc · · Score: 5, Interesting

    That may have been back when you worked there, but it's quite obvious that it's not the case now. If ISPs gave a shit, they would block outbound port 25 by default for dynamic IP clients (and maybe ALL IPs). That would stop at LEAST 95% of the spam botnets. This works best with a tool to allow you to open the port if needed (running a mail server.) Running a mail server on a dynamic address at this point is futile as a good portion of servers will block you anyway. MUAs should all be configured to use port 587 for authenticated submission.

    ISPs could also install sniffers to watch the rate of outbound off-network port 25 SYN packets, and investigate unusual activity. Oh and don't go saying that this is difficult - just talk to AT&T and the government - they have been sniffing ALL traffic.

    But it's VERY VERY rare to find an ISP that does ANYTHING AT ALL to stop outbound spam. Oh sure, they are perfectly willing to install blacklists and filters on inbound, but outbound? Nothing. They don't care. The only way to fix this is to make habitual offenders be financially liable. ISPs also need to make end users liable and start enforcing their TOS, disconnecting grannie and her POS windows box that has no firewall, anti-virus, and is running spambot software.
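The "sniffers to watch the rate of outbound off-network port 25 SYN packets" suggestion above is simple enough to show in code. What follows is an added example, not anything an ISP in this thread posted: a sliding-window detector run over constructed flow records (format `epoch src dst dport tcp_flags`, an assumption of the example) with one ordinary customer and one infected PC. The smarthost address, thresholds and pool addresses are placeholders that a real deployment would tune from its own baseline.

```python
"""Flag hosts whose outbound port-25 SYN rate looks like a spambot.

Added example, not code from the thread. It implements the idea in the post
above (watch the rate of outbound off-network port-25 SYNs per customer IP)
over constructed flow records. Record format, also an assumption:
    <epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>
A host that opens dozens of SMTP connections to dozens of different remote
MXes within a minute is behaving like a bot; a real user talks to one or two
smarthosts a few times an hour.
"""
import collections

# Assumptions for the example: the ISP's own outbound MTA, which customers may
# legitimately use on port 25, and thresholds that a real ISP would tune.
ISP_SMARTHOSTS = frozenset({"192.0.2.25"})
WINDOW_SECONDS = 60
MAX_SYNS_PER_WINDOW = 30
MAX_DISTINCT_MX_PER_WINDOW = 15


def make_sample_flows():
    """Constructed flow records: one ordinary user and one infected PC."""
    base = 1183370400
    flows = []
    # 10.0.7.3: three messages through the ISP smarthost, minutes apart.
    flows += [f"{base + i * 200} 10.0.7.3 192.0.2.25 25 S" for i in range(3)]
    # 10.0.7.3 also browses the web; port 80 is irrelevant to this detector.
    flows += [f"{base + 5} 10.0.7.3 203.0.113.80 80 S"]
    # 10.0.5.17: 80 SYNs to 80 different remote MXes inside 40 seconds.
    flows += [f"{base + i // 2} 10.0.5.17 198.51.100.{i + 1} 25 S" for i in range(80)]
    return flows


SAMPLE_FLOWS = make_sample_flows()


def parse_flow(line):
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags


def detect_spam_senders(lines, window=WINDOW_SECONDS, max_syns=MAX_SYNS_PER_WINDOW,
                        max_dsts=MAX_DISTINCT_MX_PER_WINDOW, smarthosts=ISP_SMARTHOSTS):
    """Return {src_ip: (peak_syns, peak_distinct_dsts)} for every source that
    exceeded either threshold in some sliding window of `window` seconds."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f[0])
    recent = collections.defaultdict(collections.deque)   # src -> deque[(ts, dst)]
    flagged = {}
    for ts, src, dst, dport, flags in flows:
        # Only fresh connection attempts to port 25, and not to our own MTA.
        if dport != 25 or flags != "S" or dst in smarthosts:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:           # drop records older than the window
            q.popleft()
        syns = len(q)
        dsts = len({d for _, d in q})
        if syns > max_syns or dsts > max_dsts:
            peak_syns, peak_dsts = flagged.get(src, (0, 0))
            flagged[src] = (max(peak_syns, syns), max(peak_dsts, dsts))
    return flagged


def containment_rule(src_ip):
    """The narrow action the ISP posters describe: stop this host's outbound
    SMTP and leave everything else alone. A TCP reset makes the infected
    machine's SMTP engine fail fast instead of retrying until timeout."""
    return (f"iptables -I FORWARD -s {src_ip} -p tcp --dport 25 "
            f"-j REJECT --reject-with tcp-reset")


if __name__ == "__main__":
    for ip, (syns, dsts) in detect_spam_senders(SAMPLE_FLOWS).items():
        print(f"{ip}: {syns} SYNs to {dsts} distinct MXes within {WINDOW_SECONDS}s")
        print("  ", containment_rule(ip))
```

Counting distinct destinations matters as much as the raw SYN count: a bot delivering directly to recipients' MXes fans out across hundreds of hosts, while a legitimate mail server on a customer line talks to a handful of relays repeatedly, which is why traffic to the ISP's own smarthost is excluded before counting.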

  9. Re:Dont bother - they're in on the racket by WebCrapper · · Score: 2, Interesting

    I worked for a smaller National ISP (MindSpring) and our engineers tried this one day without telling anyone. 2 hours later, Technical Support was being killed by customers complaining that they couldn't send mail to other required sources. After our NOC figured it out, the engineers had to turn things back the way they were and the call queue cleared up.

    The problem with your situation is that the same customers that complain about the spam that comes in rely on Port 25 to allow their users access to company servers. It's too much to ask of these people to change the mail server on the sending machine - they'll just scoff at you.

    Some of the smarter ones use another Port to get around these type of issues but even then, it sometimes causes problems. Ignorance is bliss.

  10. Re:Dont bother - they're in on the racket by .tekrox · · Score: 2, Interesting

    I used to work for an Australian ISP,

    and believe me they took spam seriously...
    not just for reasons of stopping spam, and credibility, but for profit..

    See, we'd give them 2 chances - they got reported for spamming, we'd give them a call and tell them what's going on and ask them nicely to please fix it. If it's a suspected botnet, get a PC tech - if it's a spammer (it's happened) then stop your freakin' spam.

    If they got reported again, accounts get suspended. Give them another call, explain the situation again, and advise them that they need to cease their spam immediately (for deliberate spamming) or get their PC checked by a PC tech (botnet style). The account would NOT be unsuspended until they could guarantee us that they had remedied the situation; at this point we'd advise them that if we get another spam report they would be charged $5 PER EMAIL for spam sent.

    If spam happens again, account is suspended again, an invoice generated and sent to the customer for the spam, and this - we'd wait for their call.

  11. No, I strongly disagree... by msauve · · Score: 3, Interesting

    with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathema to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.

    What ISPs should do is to identify nodes which have actually been infected by a botnet (or are otherwise sending spam/malware) and nuke them in accord with every ISP TOS out there. But, that would be more work, and cut into their revenues, so they don't want to do that.

    I run a firewall (iptables), run up-to-date malware scanners, and take responsibility for what leaves my network. If my security is ineffective, and one of my machines starts spewing spam, I should be cut off and held responsible. But, I should not be penalized or limited because of the actions of others.

    Finally, it should be obvious that port blocking, refusing acceptance of smtp connections originating from dynamic IPs, etc. simply hasn't been effective against spam. Spam continues to increase, and will continue to do so until action is taken closer to the root causes - networks start going after originating machines, law enforcement start going after businesses using spam (and, of course, instituting a death penalty for anyone caught purchasing any product from a spammer).

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:No, I strongly disagree... by walt-sjc · · Score: 2, Insightful

      YOU are not the problem. Grannie and Aunt Mathilda are. Port blocking by default with a way for savvy users to unblock solves the problem with such a MINOR inconvenience that it's a non-problem. Doing nothing will not solve the problem.

      As for your assertion that blocking inbound from dynamics is not effective, I, and MANY other ISPs disagree with you. The mail server logs don't lie. Blocked mail from dynamic space (which is ALL spam) is 75% of ALL connections to our mail servers, with other blacklists cutting it down even further. That reduces load on spamassassin and other anti-spam analysis by a factor of 6. While it hasn't STOPPED spam, it sure as hell cuts it down to a manageable level.

      I agree that ISP's need to be a lot more proactive and less reactive towards spam. Port blocking is proactive. Responding to spam complaints is closing the gate after the cows got out.

    2. Re:No, I strongly disagree... by MightyMartian · · Score: 2, Informative

      with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathematic to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.
      Yeah, if they block MS file sharing ports and leave open relays in place, they're not really ISPs.

      Give me a break. I see nothing wrong with an ISP closing down ports that, through a lack of foresight or through simple bad security engineering, pose serious risks to client security and to the ISP's own network.

      When I worked for an ISP, we closed down port 25 on all clients. If someone wanted to run a mail server, all they had to do was call us, and they almost inevitably would anyways to get the DNS entries set up. 99.9% of consumer Internet connections do not require file sharing and SMTP ports open. Actually, 99.9% of consumer connections don't require a whole shitload of those ports be open, and it's ludicrous to assert that Joe Average surfing the web, sending email through Yahoo, GMail or his Outlook Express client and doing some music sharing and video downloading somehow should be treated like servers.

      At my old job, I spent about a quarter of my time directly or indirectly dealing with spam. We had to set up proxy servers to block distributed dictionary attacks that were literally bringing our mail server down. I had customers screaming about going away for three or four days and coming back to fifty spam messages. The customer and the stability of the network spoke loudly, and I took the action needed. Our SMTP server would only relay email coming from authenticated connections, we wouldn't let ordinary customers send out on port 25, which did a helluva lot to abrogate the effect of worms. Yeah, it meant customers sending to remote mail servers had to do some change to their MUA port settings, but the number of people that had to do that was pretty small. It didn't get rid of spam, but it sure took a bite of it.
      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:No, I strongly disagree... by kchrist · · Score: 3, Interesting

      You obviously have no idea what the reality of this is like but I'll try anyway.

      We absolutely did shut down the users sending the spam, but the largest offenders didn't care, because they weren't legitimate customers; they were large-scale spammers creating literally dozens of spam accounts daily, using stolen credit cards. Surely you've heard the expression "whack-a-mole"? That's what we were playing and the deck is stacked against us in a situation like this. These particular spammers were almost exclusively using overseas open relays to send spam from these fraudulent dialup accounts and implementing port 25 filtering got them almost entirely off our network in one fell swoop.

      Once we reduced the load of that particular problem we were able to go after the smaller spammers, the ones spamming through our own mail servers. These were much easier to catch and we terminated the accounts on sight. We also charged a $200 "clean up" fee, but again, spamming and credit card fraud go hand-in-hand, so this had little effect as a deterrent.

      We implemented port 25 filtering somewhere around 2000 or 2001. This was before the rise of the spam botnets we see today. Spam proxies are hard problems to solve because the vast majority of end users out there simply aren't able to understand what's happening, yet they are the ones who have to deal with it. Nonetheless, we gave them one warning, accompanied by loads of information on what software to download/buy or who to hire to fix the problem, and then terminated the accounts if they didn't fix it.

      Tell me again how we left anyone alone to abuse the internet?

      You're also talking about two different things here, I think. Outbound port 25 filtering does not result in mail being blocked. Anyone unable to send legitimate mail through other mail servers was given the available options: use our outbound mail servers or use the mail submission port (587) on their other server. Either of these are trivial and no mail was prevented from going out, ever.

      If you're talking about blocking mail originating on dynamic IP address ranges, this is an entirely separate and unrelated thing. This can result in non-delivery of legit mail (obviously) but the senders got a helpful bounce telling them what the problem was. And again, mail servers running on dynamic IP address should smarthost their mail through another server. Problem solved.

      I'm sorry if either of these things upsets your utopian vision of a free, wide open internet, but the reality is that there are very serious problems that cannot be dealt with without taking what may look to you like extreme measures. We had a small number of customers like you -- people who absolutely rejected the trivial changes required to work with our new policies -- and a business decision was made that we can't make 100% of the people happy 100% of the time, and we were ok with that. We had a far greater number of customers who made the changes they needed to, and then never thought of it again because in the end, it really wasn't a big deal to most people.
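The policy the ISP posters in this thread converge on has a definite shape: outbound 25 is off by default for dynamic space, the ISP's own outbound MTA stays reachable (so MindSpring-style breakage from comment 9 does not happen), a customer who asks to run a mail server gets a per-address hole, and 587 submission is never touched. As an added example that is not any ISP's real configuration, the code below evaluates that policy for a connection attempt and renders the same policy as iptables rules in matching order. The address ranges are assumptions drawn from documentation and private space.

```python
"""Default-off outbound SMTP for dynamic space, with the two holes the posters
describe: the ISP's own MTA stays reachable on 25, and a customer who asks to
run a mail server is opted out. Port 587 is never touched.

Added example, not any ISP's real configuration. Address ranges are
assumptions (RFC 5737 documentation space and RFC 1918 private space),
chosen only for the demonstration.
"""
import ipaddress

DYNAMIC_POOLS = [ipaddress.ip_network("10.0.0.0/16")]      # residential dynamic pool
ISP_SMARTHOSTS = [ipaddress.ip_address("192.0.2.25")]      # authenticated outbound MTA
OPTED_OUT = [ipaddress.ip_address("10.0.9.4")]             # customer who called to run an MTA


def egress_decision(src, dst, dport, dynamic_pools=DYNAMIC_POOLS,
                    smarthosts=ISP_SMARTHOSTS, opted_out=OPTED_OUT):
    """What the edge does with one outbound TCP connection attempt.

    Order matters and mirrors the iptables rules below: specific allows
    first, then the blanket REJECT for dynamic space, then the default."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 25:
        return "ACCEPT"                 # 587 submission and everything else untouched
    if dst in smarthosts:
        return "ACCEPT"                 # customers keep using our MTA, even on 25
    if src in opted_out:
        return "ACCEPT"                 # per-customer hole for real mail servers
    if any(src in net for net in dynamic_pools):
        return "REJECT"                 # default for dynamic space
    return "ACCEPT"                     # static / business space is out of scope here


def render_iptables(dynamic_pools=DYNAMIC_POOLS, smarthosts=ISP_SMARTHOSTS,
                    opted_out=OPTED_OUT):
    """The same policy as FORWARD-chain iptables commands, in the order
    egress_decision() evaluates it. REJECT with a TCP reset rather than DROP,
    so a customer's misconfigured MUA fails immediately with a clear error
    instead of hanging and retrying."""
    rules = [f"iptables -A FORWARD -p tcp --dport 25 -d {ip} -j ACCEPT" for ip in smarthosts]
    rules += [f"iptables -A FORWARD -p tcp --dport 25 -s {ip} -j ACCEPT" for ip in opted_out]
    rules += [f"iptables -A FORWARD -p tcp --dport 25 -s {net} -j REJECT --reject-with tcp-reset"
              for net in dynamic_pools]
    return rules


if __name__ == "__main__":
    for line in render_iptables():
        print(line)
```

Keeping the opt-out list as addresses rather than whole ranges is what makes the scheme workable: the hole is exactly as wide as the customers who asked for it, and the 95% of bots in the pool never see the exception.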

  12. Keep reporting by azander · · Score: 2, Informative

    Greetings,
        Please keep reporting. I handle the abuse complaints for a regional ISP. We have never had an actual spammer on our network, but the reports have helped us clean up some very badly infested machines of our users. Since I receive about 50 of these complaints a week, with maybe 1 in 1000 being from our IP space, I have to agree that it is frustrating when people report to me, but the only mention of my IP or domain space is an obviously forged header. At least it is obvious to anyone who can read email headers. I will not respond to any report unless specifically asked, and even then it will be a short reply stating that it has either been dealt with, it is not our user, or that it is under investigation. No details are ever given out due to privacy.

        We do not (yet) block port 25 by default, however we do rate restrict it, and monitor usage on a per-IP basis. We have been in business for over 13 years and due to that, management is not happy with having to contact our customers to get them to update their email client settings. We are setting up all new clients to use SMTP authentication and all helpdesk tickets dealing with email get them switched over as well. We figure that in another 1 maybe 1.5 years we will have everyone switched over and then we can block all port 25 access without causing too much disruption (Management's biggest fear).

  13. Please Report Spam by giafly · · Score: 2, Informative
    Does the spam look legitimate?
    • Yes - please report it. I work for a large email company and we always act on spam complaints, to ourselves or to our ISP. I hate spammers too, because they are not why we wrote the system and they cost us money, so we'll kick them out.
    • No - e.g. image spam - why bother? It's probably from an illegal botnet, criminals are not noted for customer service, and any server will be on a short-term contract.
    --
    Reduce, reuse, cycle
  14. Spammers from The Planet by Tinfoil · · Score: 2, Interesting

    About a year or two ago, I was having serious problems with comment spam, with hundreds a day coming from a single IP address. I banned the IP for 7 days and put various protection schemes in place to prevent further abuse. Once the 7 days was up, there were literally thousands of attempts, but now each one was stopped and logged in an easier to understand format. With this in hand, I looked up the address to find it originated from one of The Planet's customers. Even after sending reports with links to the logfiles, months (and tens of thousands of attempts to spam my comments) went before I received any response whatsoever. That response was as a direct result of speaking to one of The Planet's higher profile customers who I've worked with in the past to try to get some help in the situation.

    Only after doing an end-run around the abuse department did I see some *real* action taken on behalf of The Planet. Previously all they seem to have done was moved the customer to a different IP address, which would have been very counter-productive had I just kept blocking the original IP address.

  15. Re:Dont bother - they're in on the racket by Anonymous Coward · · Score: 3, Informative

    ISP's are not common carriers and never have been. When will this myth die!?!

  16. Re:Yeah... by MightyMartian · · Score: 2, Insightful

    We were a pretty small ISP. We only caught two people spamming in all the time I was there, and warnings were enough to stop it. We got on RBLs once because our old mail server was an open relay, and we had no desire to let any of our customers get us back there again. The majority of spam coming from our local customers were due to worms on their computers. That is where blocking port 25 at the gateway was so damn effective.

    I have this feeling that you don't know a lot about spam and how it is propagated. There's a reason that everyone ran around blocking consumer IPs, weighting against IPs without MX records, and greylisting IPs that pumped in too many invalid addresses in a short period of time (indicating a distributed dictionary attack). It didn't help that our upstream provider was the source of a lot of these attacking addresses.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  17. from a DomainKeys account I will by DuctTape · · Score: 2, Informative
    I've been reporting the Yahoo! accounts that have DomainKeys verification since those are, in theory, legitimate and not forged. And a few days after I send the abuse report (include the full headers), I get a note saying that the TOS issue has been resolved.

    I would guess that in the meantime that if the account has pumped out a few million spams, then the traffic would have put up flags, but if that hasn't shut them down, perhaps my email did. Hopefully. Otherwise that DomainKeys thingie will be meaningless. If it already isn't.

    DT

    --
    Is this thing on? Hello?
  18. What about spam@uce.gov ? by mbone · · Score: 2, Interesting

    I forward spams to spam@uce.gov . I know that someone looks at at least some of these; does anyone know if it actually does any good ?

  19. Reporting botnet spam by hadaso · · Score: 2, Interesting

    The most interesting facts are in the end of this post. Keep reading...

    I am reporting some of the spam I get, but not most of it. Mainly spam sent by advertisers in my country. Some of it is sent by spammers that tend to use the same ISP and I don't see that the ISPs are doing anything against these spammers. I use SpamCop to report, both because it's easier for me, and because I believe it is better service to the receiving abuse desk that gets a reliable report. This is one thing I would like to hear more about: how helpful are SpamCop reports, and do abuse desks use the tools SpamCop provides for them.

    Then there are botnet spammers. I am following one such spammer. Reporting seems pointless but I was glad to see the parent post and several others that indicate that sometimes the info is used to help a customer clean their PC. However, I am interested in another aspect: I have a list of several hundred IP addresses this spammer has used to send email that are scattered all around the world. It seems to suggest use of a botnet, but I have no positive evidence that any of these IP addresses represents an infected PC. There might be another explanation, such as they are using open relays/proxies, but it seems most of these IP addresses are not listed as open relays/proxies at the time of reporting, and they are almost all identifiable in consumer dynamic IP ranges. So I would really like to somehow get a positive reply from an ISP that can actually say "yes, we identified that this is a hijacked PC and we detected it spewing out tons of spam similar to the one you reported." I have the spammer's cellphone number and list of clients, a collection of hundreds of spam messages sent from different IP addresses and all with forged sender credentials, but the missing part is actually being able to tell that one of these hundreds of IP addresses has been positively detected to be hijacked and controlled by the spammer. I also tried several times to contact owners of domains forged in headers to get an actual response saying they did not agree to their identity being used and never got a response, but at least I know one blogger that complained about his own identity being forged by this spammer (and he complained to the police but AFAIK nothing much happened).

    Finally, I promised in the first sentence that the best part would come in the end, and that is why I would want to follow this one spammer. Well, it looks like a botnet operator, but the real story is the sort of clients that hire the botnet operator to use a botnet to send spam with forged identities on their behalf. Almost none of them were close to what you would associate with spam, such as illegal pharmacies, gambling, porn etc. The sort of clients they do serve are companies selling real products or services. They also got several colleges (the sort that gives a real bachelor's degree that is accepted by graduate schools). They got a stock broker and a financial investment company owned by a multi-billion-dollar corporation. They got a big telemarketer as a client, and interestingly at the same time they worked with this client they started offering "targeted mailings". And last week they finally got the biggest client: ME. Not that I ordered any job from them. My government hired them. I pay taxes. So it's my money they got paid to use their botnet to send me spam offering me loans from my government if I am a small business. It's an Israeli spammer, operating openly in Israel, with even the government as a client, and selling the services of a network of hijacked PCs all around the world (USA, China, Germany, France, Spain, Russia, Argentina, Brazil, and many more countries that I have on record). This kind of thing must be stopped!