Slashdot Mirror


Is There Any Reason to Report Spammers to ISPs?

marko_ramius asks: "For years I've been a good netizen and reported spam that I get to the appropriate contacts at various ISPs. In the entire time that I've done this I've gotten (maybe) 5 or 6 responses from those ISPs informing me that they have taken action against the spammer. In recent years however, I haven't gotten any responses. Are the ISPs so overwhelmed with abuse reports that they aren't able to respond to the spam reports? Do they even bother acting on said reports? Is there any real reason to report spammers?"

13 of 117 comments

  1. Yes by YGingras · · Score: 4, Informative

    ... but it's rarely worth the effort. Just report to your favorite real time block list and we'll thank you.

  2. Reporting helps, keep doing it by TheSkyIsPurple · · Score: 4, Interesting

    I've worked for a very large ISP, and we never responded to them, but we took action on every single report.

    Often, just counting against a mailhost for eventual blockage and upline reporting... but it helped block spam from other people (and more spam to yourself) at the least.

  3. yep by gregm · · Score: 3, Insightful

    If nothing else just report the spammers to irritate your ISP. If enough of us eat up our ISP's time complaining, those spammer clients of theirs will seem less valuable. Also as was said before, please for the love of god report them to the block lists.

    1. Re:yep by Secrity · · Score: 3, Insightful

      PROPERLY reporting spam to the PROPER ISP is not a problem and is productive. The problems are when idiots report spam to the wrong ISP and when abusive comments are added to spam reports. For spam email it is only necessary to forward the spam email with FULL headers, and with a SHORT explanation (such as "abc.com is on your network") if the headers do not indicate why the report is being sent to a particular ISP.

      I provided tier 3 abuse support to a large ISP and set up the abuse desk for the now defunct dialup offering of the ISP. My advice to the abuse desk people was to shitcan any abuse report that contained abusive comments added by the person reporting the spam. Adding abusive comments is not reporting abuse, it IS abuse.

  4. Definitely report if you have clue by Peter Cooper · · Score: 3, Insightful

    The sad thing is that most people who report spam are the idiots of the Internet who don't understand things like joe-jobbing, etc, and assume that because it says "jkrwejkrweq@yourdomain.com" in the From field, it's not necessarily anything to do with "yourdomain.com". SPF is, supposedly, a solution to this but the penetration seems pretty low. Certainly in my experience it's not usually Hotmail or Gmail customers who send the all-caps "STOP SENDING ME E-MAIL" to joe-job victims, but people on various .com domain names most likely hosted at hundreds of different budget web hosts who have poor anti-spam tools (or none at all).

    1. Re:Definitely report if you have clue by Mister J · · Score: 3, Informative

      As long as the reports go to someone who is smart enough to understand those things, the reports can help.
      If they go to the wrong person, all that serves to do is annoy someone who has absolutely nothing to do with the spam and can't do anything to fix it. Such emails are usually the most inflammatory, so hackles are already up before you waste time verifying that the original spam was indeed nothing to do with us. Plus, like the boy who cried wolf, every one of these makes you that little bit less inclined to care about the real spam reports that come in. Oh, and forget replying to such messages - I learned long ago that "It's nothing to do with us" is rarely an answer they're interested in hearing, no matter how politely you put it and how detailed your explanation of "this is why and here's who's really responsible" is.
      --
      Windows moves in mysterious ways, its crashes to perform
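
An added example, not part of any comment in this thread: one way to decide which network a report belongs to, given the full headers the comments above ask for and the forged From: field of a joe-job. It assumes Postfix-style `Received:` lines and that `mx.myisp.example` is the reader's own mail server; the message, hosts and addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (documentation IPs, example domains): a joe-job that
# forges From: and one Received: line to implicate yourdomain.example.
SAMPLE = """\
Received: from smtp.yourdomain.example (dsl-45.pool.bot-isp.example [203.0.113.45])
\tby mx.myisp.example with ESMTP id 1A2B3C; Mon, 01 Jan 2007 10:00:02 +0000
Received: from yourdomain.example (mail.yourdomain.example [192.0.2.10])
\tby smtp.yourdomain.example with SMTP; Mon, 01 Jan 2007 09:59:58 +0000
From: <jkrwejkrweq@yourdomain.example>
To: <me@myisp.example>
Subject: constructed sample

body
"""

# Assumed layout: "from HELO (rdns [ip]) by HOST ..."
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def handoff(raw, trusted_mx):
    """Return the deepest hop that was recorded by a server we control.

    Received: lines are prepended, so the top ones come from our own MX;
    everything below the first untrusted 'by' host is sender-supplied text.
    """
    msg = message_from_string(raw)
    hop = None
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(value)
        if not m or m["by"].lower() not in trusted_mx:
            break                      # from here down nothing is verifiable
        hop = m.groupdict()
    if hop is None:
        return None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop["from_domain"] = from_domain
    # Joe-job indicator: From: names a domain the connecting host is not in.
    hop["from_matches_sender"] = hop["rdns"].lower().endswith("." + from_domain)
    return hop

if __name__ == "__main__":
    h = handoff(SAMPLE, {"mx.myisp.example"})
    print("report to the network that owns", h["ip"], "(" + h["rdns"] + ")")
    print("From: domain", h["from_domain"], "involved?", h["from_matches_sender"])
```

The address in the result is the one to look up for an abuse contact; the From: domain and the forged lower `Received:` line are ignored.
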
  5. Please continue! by J. T. MacLeod · · Score: 4, Informative

    I work for a regional ISP.

    We frequently receive notifications of spam email as well as virus-laden email that has originated from our network. We only respond to the sender if they request that we do (and even then, if it's not necessary and the request isn't polite, we may not).

    That means we almost never send a reply to the person who notified us. However, we DO take care of every single notification we receive. If we aren't able to immediately contact the customer and fix the issue (generally a home user with a virus doing the spamming), then we either shut off their service or, more frequently, block outgoing connections from their IP to port 25 anywhere.

    Please don't let the silence discourage you. We're hard at work and appreciate the notices that help us keep our networks and services running smoothly for our customers.

  6. Not at all! by VincenzoRomano · · Score: 4, Interesting

    Spammers run their own MTA or MTAs other than those by the ISP.
    Provided that there is a clear proof (and not just someone's report) that a customer is a spammer, they would have two options:
    1. filter out their outgoing SMTP traffic or
    2. shut down the link

    Spammers then would probably change ISP in a snap.
    The real (technical) point should be: why do spammers exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation."
    Maybe it's important to look at problems from the correct perspective.

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]

  7. Too Many Electrons by slarrg · · Score: 4, Funny

    Every time a spammer sends an email to your computer its electrons collect in your inbox. If you don't send another email out those electrons will build up and short out your machine. Send a report, containing these electrons, to the ISP so they can properly purge the excess electrons and allow other internet users to use them.

  8. Re:Dont bother - they're in on the racket by walt-sjc · · Score: 5, Interesting

    That may have been back when you worked there, but it's quite obvious that it's not the case now. If ISPs gave a shit, they would block outbound port 25 by default for dynamic IP clients (and maybe ALL IPs). That would stop at LEAST 95% of the spam botnets. This works best with a tool to allow you to open the port if needed (running a mail server.) Running a mail server on a dynamic address at this point is futile as a good portion of servers will block you anyway. MUAs should all be configured to use port 587 for authenticated submission.

    ISPs could also install sniffers to watch the rate of outbound off-network port 25 SYN packets, and investigate unusual activity. Oh and don't go saying that this is difficult - just talk to AT&T and the government - they have been sniffing ALL traffic.

    But it's VERY VERY rare to find an ISP that does ANYTHING AT ALL to stop outbound spam. Oh sure, they are perfectly willing to install blacklists and filters on inbound, but outbound? Nothing. They don't care. The only way to fix this is to make habitual offenders be financially liable. ISPs also need to make end users liable and start enforcing their TOS, disconnecting grannie and her POS windows box that has no firewall, anti-virus, and is running spambot software.
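
An added example, not part of the comment above: a sketch of the outbound port-25 SYN monitoring it describes, run over constructed flow records. The record layout, the 60-second window, the 20-destination threshold and all addresses are assumptions made for the illustration.

```python
from collections import defaultdict, deque

def sample_records():
    """Constructed flows: (unix_time, subscriber_ip, dst_ip, dst_port, tcp_flags)."""
    recs = [(t, "10.0.0.66", f"198.51.100.{t + 1}", 25, "S")
            for t in range(40)]                      # bot: 40 MXes in 40 s
    recs += [(t * 200, "10.0.0.5", f"203.0.113.{t + 1}", 25, "S")
             for t in range(3)]                      # small legitimate mail server
    recs += [(t, "10.0.0.9", "192.0.2.25", 25, "S")
             for t in range(50)]                     # relays via the ISP smarthost
    recs += [(t, "10.0.0.9", "203.0.113.200", 587, "S")
             for t in range(50)]                     # authenticated submission
    return recs

def flag_smtp_talkers(records, window=60, max_dsts=20, allowed=frozenset()):
    """Map subscriber IP -> peak count of distinct off-network port-25
    destinations it sent a bare SYN to within any `window` seconds,
    for subscribers whose peak exceeds `max_dsts`."""
    recent = defaultdict(deque)        # subscriber -> deque of (time, dst)
    flagged = {}
    for ts, src, dst, dport, flags in sorted(records):
        # Only new connections to port 25 that bypass the ISP's own relays.
        if dport != 25 or flags != "S" or dst in allowed:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] <= ts - window:
            q.popleft()                # drop SYNs older than the window
        distinct = len({d for _, d in q})
        if distinct > max_dsts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for ip, peak in flag_smtp_talkers(sample_records(),
                                      allowed={"192.0.2.25"}).items():
        print(f"{ip}: {peak} distinct port-25 destinations within 60 s")
```

Counting distinct destinations rather than raw SYNs keeps a customer who retries one mail server from being flagged, while port 587 and smarthost traffic never enter the count.
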

  9. No, I strongly disagree... by msauve · · Score: 3, Interesting

    with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathematic to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.

    What ISPs should do is to identify nodes which have actually been infected by a botnet (or are otherwise sending spam/malware) and nuke them in accord with every ISP TOS out there. But, that would be more work, and cut into their revenues, so they don't want to do that.

    I run a firewall (iptables), run up-to-date malware scanners, and take responsibility for what leaves my network. If my security is ineffective, and one of my machines starts spewing spam, I should be cut off and held responsible. But, I should not be penalized or limited because of the actions of others.

    Finally, it should be obvious that port blocking, refusing acceptance of smtp connections originating from dynamic IPs, etc. simply hasn't been effective against spam. Spam continues to increase, and will continue to do so until action is taken closer to the root causes - networks start going after originating machines, law enforcement start going after businesses using spam (and, of course, instituting a death penalty for anyone caught purchasing any product from a spammer).

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law

    1. Re:No, I strongly disagree... by kchrist · · Score: 3, Interesting

      You obviously have no idea what the reality of this is like but I'll try anyway.

      We absolutely did shut down the users sending the spam, but the largest offenders didn't care, because they weren't legitimate customers; they were large-scale spammers creating literally dozens of spam accounts daily, using stolen credit cards. Surely you've heard the expression "whack-a-mole"? That's what we were playing and the deck is stacked against us in a situation like this. These particular spammers were almost exclusively using overseas open relays to send spam from these fraudulent dialup accounts and implementing port 25 filtering got them almost entirely off our network in one fell swoop.

      Once we reduced the load of that particular problem we were able to go after the smaller spammers, the ones spamming through our own mail servers. These were much easier to catch and we terminated the accounts on sight. We also charged a $200 "clean up" fee, but again, spamming and credit card fraud go hand-in-hand, so this had little effect as a deterrent.

      We implemented port 25 filtering somewhere around 2000 or 2001. This was before the rise of the spam botnets we see today. Spam proxies are hard problems to solve because the vast majority of end users out there simply aren't able to understand what's happening, yet they are the ones who have to deal with it. Nonetheless, we gave them one warning, accompanied by loads of information on what software to download/buy or who to hire to fix the problem, and then terminated the accounts if they didn't fix it.

      Tell me again how we left anyone alone to abuse the internet?

      You're also talking about two different things here, I think. Outbound port 25 filtering does not result in mail being blocked. Anyone unable to send legitimate mail through other mail servers was given the available options: use our outbound mail servers or use the mail submission port (587) on their other server. Either of these is trivial and no mail was prevented from going out, ever.

      If you're talking about blocking mail originating on dynamic IP address ranges, this is an entirely separate and unrelated thing. This can result in non-delivery of legit mail (obviously) but the senders got a helpful bounce telling them what the problem was. And again, mail servers running on dynamic IP addresses should smarthost their mail through another server. Problem solved.

      I'm sorry if either of these things upsets your utopian vision of a free, wide open internet, but the reality is that there are very serious problems that cannot be dealt with without taking what may look to you like extreme measures. We had a small number of customers like you -- people who absolutely rejected the trivial changes required to work with our new policies -- and a business decision was made that we can't make 100% of the people happy 100% of the time, and we were ok with that. We had a far greater number of customers who made the changes they needed to, and then never thought of it again because in the end, it really wasn't a big deal to most people.

  10. Re:Dont bother - they're in on the racket by Anonymous Coward · · Score: 3, Informative

    ISPs are not common carriers and never have been. When will this myth die!?!