Slashdot Mirror


Ask Slashdot: Dealing With Anti-Spam Service Extortion?

An anonymous reader writes "I work for a European ISP, and lately we're receiving quite a few complaints from customers about not being able to send emails because of UCEProtect's listings. After checking with their site, we found out that our whole AS (!) was blacklisted. Their 'immediate removal policy' asks for money, around 90 euros per IP for end users and 300 euros for ISPs, and their site has bold statements like 'YOU ARE LOSING YOUR RIGHT TO EXPRESSDELIST YOUR IP IF YOU ARE STUPID AND CLAIMING THIS WOULD BE BLACKMAIL...' Could this be considered extortion-blackmail? Has anyone else on Slashdot dealt with this service before?"

8 of 279 comments

  1. Excessive smiley faces by egcagrac0 · Score: 4, Insightful

    Maybe it's the language barrier, but that seems like a lot of smiley faces and profanity for a professional organization.

    Their revenue model seems odd as well - it's almost like they're set up just to extract money from senders.

    My instinct is don't pay them, figure out why you got listed, and stop whatever triggered the listing.

    If the customers are complaining excessively, consider the unblock fee - once. Definitely terminate the accounts of the spammers.

  2. Some Suggestions by Anonymous Coward · Score: 5, Insightful

    Firstly, as Pamela Jones over at Groklaw would tell you in a heartbeat, convince someone at your company to take legal advice. If your company is contemplating action of any kind in response to what has happened, it is critically important that you understand that your intended steps will not undermine you at some later date. Only a legal professional can tell you that. So please, get proper legal advice.

    Secondly, thinking about the relationship between yourself and the party you believe to be performing the blocking/spam filtering. Is the issue between your company and the third party, or your *clients* and the third party? I can understand that you are coming under fire from your clients, but please refer back to the first point, above.

    Third, go get familiar with the relevant legal frameworks. Your legal support, when you hire them, is going to start asking legal questions. You understand the tech, but take the time to familiarise yourself with the law. Start with: RIPA (the Regulation of Investigatory Powers, which, IIRC, makes it illegal to intercept any communication between two parties), PEC (the Privacy in Electronic Communications Act [2003]), and take a quick look at the DPA (Data Protection Act [1998]) inasmuch as the data being generated and acted upon by the third party [email addresses] was created for the express purpose of *routing email traffic*, not *filtering* email traffic. There may be an argument that the filtering is inappropriate. See how a lawyer (I'm not one) can help you here???

    Fourth, are there any professional trade bodies or organisations that both your company and the third party subscribe to (i.e. a UK Association of ISPs) that may have a dispute handling process? Are the two parties able to sit down with an arbitrator? If so, this might be a free service that you could try?

    Fifth, if all of the above fail, then use of the Internet in the UK is regulated by various Government departments and Quango Regulators, such as the ICO (Information Commissioner's Office) and Ofcom (the Communications Watchdog). As above, if you have taken proper legal advice from a law firm with expertise in this area, they should advise you on the best method of engagement.

    I understand that you want to help your clients, but in this case it's critically important that any steps you take don't make it worse. Legal advice must be step 1.

    Hope this helps...

  3. Re:Flip side.... by Anonymous Coward · Score: 4, Insightful

    There are two kinds of false positives: The individual email kind and the netblock kind. Users care about individual email. They want to receive legitimate email even if it comes from an IP address that belongs to a spam-friendly ISP. Blacklists are more concerned with netblocks. They don't rate individual messages. They rate ISPs. The submitter is affiliated with a hosting cooperative. They're probably not openly spam friendly, but cooperatives are usually short on manpower, so their monitoring and their response times may not make them sufficiently "tough on spam" for some tastes.

    If UCEProtect is run properly, then they have evidence of spam coming from that netblock, and if their listing and delisting policies are well defined and implemented, then they are well within their rights to require compensation if an ISP wants them to manually check that they've cleaned up their act and expedite delisting. If UCEProtect is much too trigger happy, then wrongfully accused ISPs should complain to the recipients' ISPs who use UCEProtect to block email and get them to remove or reduce the influence in the scoring. A rogue DNSBL has no power if nobody uses them.

  4. There is a reason you are listed. by strredwolf · Score: 5, Insightful

    There is a reason you are listed:

    * You have spam originating from your system for too long of a time.
    * You are unresponsive to reports.

    So, your entire network range is listed. Everyone is bouncing emails. Everyone is complaining to you, and you've noticed. You've been forwarded the site, and you're contemplating just paying them off... except that it just won't work. You'll be relisted again, and with reason -- someone on your network spammed and nobody's listening.

    Thus:

    * If you haven't done so, open up abuse@ and point it to somebody with the power to diagnose, disable, and close accounts.
    * If the guy behind abuse@ doesn't have said above power, GIVE IT TO HIM.
    * If the guy behind abuse@ does, but doesn't use it, FIRE HIM.
    * If you haven't done so, disable outbound port 25 at your border router with the exception of an out-bound SMTP server.
    * Put an outbound spam filter in place.

    If you are unwilling to do the above, then there is one last thing you will eventually do: CLOSE SHOP.

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
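
An added example, not part of the thread or any poster's code: one way an abuse desk could find the customers behind a listing, by scanning border flow records for hosts that send straight to remote mail servers on port 25 instead of through the outbound SMTP server the comment above calls for. The address ranges, relay address, threshold and record layout are assumptions, and the flow lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Assumptions for illustration, not from the thread. SAMPLE_FLOWS is constructed data.
CUSTOMER_NET = ipaddress.ip_network("198.51.100.0/24")  # customer address space
RELAY = ipaddress.ip_address("198.51.100.10")  # the only permitted outbound SMTP server
FANOUT_THRESHOLD = 3  # distinct remote mail hosts before abuse@ gets a ticket

SAMPLE_FLOWS = """\
2013-01-01T10:00:01 198.51.100.10 203.0.113.5 25
2013-01-01T10:00:01 198.51.100.10 203.0.113.6 25
2013-01-01T10:00:02 198.51.100.10 203.0.113.7 25
2013-01-01T10:00:03 198.51.100.77 203.0.113.5 25
2013-01-01T10:00:03 198.51.100.77 203.0.113.6 25
2013-01-01T10:00:04 198.51.100.77 203.0.113.7 25
2013-01-01T10:00:04 198.51.100.77 192.0.2.9 25
2013-01-01T10:00:05 198.51.100.42 203.0.113.5 25
2013-01-01T10:00:06 198.51.100.42 203.0.113.6 587
2013-01-01T10:00:07 198.51.100.88 203.0.113.5 25
2013-01-01T10:00:07 198.51.100.88 203.0.113.5 25
2013-01-01T10:00:08 198.51.100.88 203.0.113.8 25
2013-01-01T10:00:08 198.51.100.88 192.0.2.9 25
2013-01-01T10:00:09 198.51.100.90 not-an-ip 25
"""

def parse_flows(text):
    """Yield (src, dst, dport) from "timestamp src dst dport" lines, skipping malformed ones."""
    for line in text.splitlines():
        f = line.split()
        try:
            yield ipaddress.ip_address(f[1]), ipaddress.ip_address(f[2]), int(f[3])
        except (IndexError, ValueError):
            continue

def direct_smtp_senders(flows):
    """Map each customer host that bypasses the relay to the remote hosts it reached on tcp/25."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 25 and src in CUSTOMER_NET and src != RELAY and dst not in CUSTOMER_NET:
            seen[src].add(dst)
    return seen

def abuse_queue(text, threshold=FANOUT_THRESHOLD):
    """Return [(host, distinct_destinations)] at or above threshold, worst first."""
    senders = direct_smtp_senders(parse_flows(text))
    hits = [(str(h), len(d)) for h, d in senders.items() if len(d) >= threshold]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))

if __name__ == "__main__":
    print(abuse_queue(SAMPLE_FLOWS))
```

Hosts that appear in the result are the accounts to review first; the same records show which customers would be affected before outbound port 25 is closed at the border.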
  5. Re:NEVER trust and AC by Xenx · Score: 4, Insightful

    I have the questionable pleasure of experiencing a deluge of backscatter since the rise of the Festi botnet, and I must say that I find the lack of sanity checks on automated replies appalling. It is not a courtesy to autorespond to spam by sending the spam "back" to a person who didn't send it in the first place and gave you all the information you need to clearly and easily establish that fact (Domainkeys / SPF).

    There is only one place for automatically sending a message back to the original sender, and that's before accepting the mail in the first place. The sender sends the address information first. Reject the email then and there and include your out of office information with the bounce. Once you've accepted the mail, don't autorespond.

    I agree about companies needing to push SPF and the like more. Sure, it still can cause some headache supporting.. but it helps address the problem.

    As for the second bit, you've got to be joking. First, putting the out of office in the bounceback does nothing to mitigate the issue. You're still receiving an email for each and every bounced email. Second, millions of people have email that is hosted through another company. They realistically cannot set up individual bouncebacks for every single customer.

  6. Re:Flip side.... by dynamo52 · Score: 4, Insightful

    "Spam is a problem where false positives generally cost less than false negatives"

    This may be true if you are a basement dwelling slashdotter but out in the real world a single false positive is one too many. Try explaining your position to a client or executive who missed a million dollar inquiry due to your overly aggressive spam filters.

    --
    Like this comment? I accept Bitcoin! - 153sc8UUBXyp12ofQqfAWDmJrzyiKCYC1x
  7. Stop sending spam then. by Dynamoo · Score: 4, Insightful

    If you don't want to be blacklisted, then stop sending spam. Simple.

    I've seen this story several times before with people complaining about "blackmail" with different blacklists and filters, and in all cases I have ever seen there has been some sort of real problem. Remember that there are different levels of blacklisting, from the lowly backscatter blacklisting which hits a lot of legitimate organisations, up to Level 3 (which indicates that you've been informed of a problem for a long time but basically don't give a fuck), up to the next step which is de-peering or permanent widespread blacklisting. OP is clearly drinking in the last-chance saloon on this one.

    Top tip: running an ISP is harder than it looks. Not managing abuse of your systems will eventually cause major problems, and in the worst cases will drive you out of business and have law enforcement forcing their way into your server rooms to take your kit. Don't assume that YOU are the innocent party and the complainers are just making it up if you want to remain in the ISP business.

    --
    Never email donotemail@WeAreSpammers.com
  8. Re:Someone is full of himself by bruns · Score: 4, Insightful

    Hola, thanks for pointing out this to the AC above. I'm the current maintainer of the AHBL, Brielle.

    After a while of maintaining a DNSbl, you start to refine your policies and how you handle things - unfortunately, with the amount of douchebags and assholes who operate mail servers and networks out there, those policies tend to get more restrictive and locked down to prevent abuse.

    We used to offer a whitelisting service, where responsible ISPs could register to avoid auto-listing of their blocks. Had to nuke that due to being lied to and threatened (big surprise there). I used to provide free consulting to smaller ISPs who got listed to assist them in cleaning up their networks, securing their servers, etc. Had to nuke that program too - you can thank GoDaddy for that.

    These ISPs, the ones that whine about being listed, usually have a good reason why they are listed. They won't publicly admit it obviously, but the almighty buck tends to override the common sense that you need to properly control and manage your own networks. If you are willing to allow your customers to spam, abuse, and just be downright shitheads from your IP space in exchange for money, then you need to be willing to accept the consequences.

    The only reason why things are the way they are today, is because people don't know how to behave and be a good online neighbor. In other words...

    "This is why we can't have nice things!"

    --
    Brielle