ISP Responsibility in Fight Against Spam 314
netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as key part of the problem in the long-term fight against spam. Hutzler says: "Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"
The problem (Score:5, Insightful)
More Law Suits (Score:3, Insightful)
a touch of psychology, a brickbat of capitalism (Score:3, Insightful)
How about putting them on an RBL? When their customers can't send emails, and threaten lawsuits for breach of contract, the ISP operators tend to start paying attention.
Creds (Score:2, Insightful)
Re:He seems to miss.. (Score:4, Insightful)
The days of "Oh, here's your static IP and full internet access" are bhind us. I'm all for "if you demonstrate clue, you may have unfiltered unbound access; otherwise, no port 25 for you!"
(also: Port 587 is your friend).
Clue in to human nature (Score:5, Insightful)
The current email system does not take into account human nature and is therefore broken beyond all hope of an easy solution. It needs to be replaced with a system designed from the ground up with accountability in mind. Period.
Re:Block port 25 outbound? (Score:5, Insightful)
Because their userbase is:
A) Enormous; and
B) Very, very stupid.
What does this mean?
Look, my ISP -- whose co-owners I've got on speed-dial, and is incredibly clueful -- doesn't have a user spam problem, because pretty much only geeks use them (we pay a bunch extra for the privilege, too). AOL, on the other hand, has the saddest, most pathetic users in the world -- people who are the prime target for PC-p0wning software. Add to that the fact AOL is, like, pretty much the easiest ISP to sign up for. In other words, they're the biggest, fattest, juiciest spam target out there.
And yet, having looked at the 23,507 spam messages I've gotten over the last 303 days, do you know how many came from AOL?
Zero.
I know Carl (not personally, but I'm on some mailing lists with him). He's pretty damn smart. He has to be. Same thing about the rest of the anti-abuse folks at AOL. They're smart, and they're dedicated, and they're very, very, very good.
Re:The problem (Score:2, Insightful)
How the presentation will go (Score:4, Insightful)
Boss: "Thanks for your concern."
Try #2...the CTO...
You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"
Director: "Cost? My hands are tied...shareholders are disappointed and the board needs convincing anyway."
Try #3...the board...
You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"
Board: "What is this 'spam' nonsense you're talking about? You know, when I was your age we never had all these technology woes. I don't see how this will benefit anybody. Next on the agenda....."
Caution (Score:2, Insightful)
Spam is annoying for those who get any but it doesn't justify the hysteria, IMHO.
Re:Blacklisting them publically. (Score:2, Insightful)
Re:The problem (Score:3, Insightful)
Quite frankly, I think IANNA and the other IP provisioning authorities should start threatening guys like you with loss of your subnets if you don't start policing the traffic. Guys like you have cost my company thousands of dollars as we try to protect our customers (and in some cases our equipment) from attacks coming from lazy, greedy networks filled with simpering yes men and bloated CEOs and CIOs. Your attitude is typical of the irresponsible twits who have allowed this poison to screw things up.
Re:He seems to miss.. (Score:2, Insightful)
Really?
How do you know this? I'd love to see the stats that support this. I'm not trying to be facetious, I'd really like to get hard data like that.
I agree 100% with Carl. Forcing admins to get a clue about the state of their outbound mail is key. And as he says, there are ways to control all this stuff. Even trojaned PCs can be controlled, by limiting the number of outbound messages from that machine to something reasonably low (like 5/hour). If the machine goes over that, you have (most likely) found a trojaned machine.
Of course, there are going to be significant costs to this approach in the beginning, because of the (presumably) large number of pwned PCs in the world. However, the ongoing cost of keeping up with spam complaints, storage requirements, and bandwidth costs should exceed the price of handling a large load of complaints over a relatively short term (giving a quick ROI), which all PHBs (including myself) like to use to sell it to higher-ups.
Re:The problem (Score:2, Insightful)
Usually at this point, someone in management gets an angry email from the account threatening to quit and I get the directive to re-enable the account and I can't convince them other wise. Rinse, repeat.
What exactly would you have me do differently? We've discussed the ability to block outgoing port 25, but nobody in the front office wants to go for it. I for one welcome a law that finally allows me to enforce some filtering without getting fired for it.
Re:a touch of psychology, a brickbat of capitalism (Score:2, Insightful)
In my tenure as a network administrator at various locations I've seen the full scope of offenses, from those which are blatant violations of the AUP to those which are users complaining about emails they requested. I've seen one offender result in the blacklisting of an entire
RBLs with no oversight provide no real value to their subscribers. Again, it comes back to the issue of validation - who validates the complaints, and then who validates that the behavior of the ISP has changed, or that they've removed the offending party? This is no more than vigilantism, and the argument is that the RBL isn't doing anything other than providng something that their users have asked for.
In the same line as users being stupid and admins implementing mail systems with no real security, many people will subscribe to an RBL because they think it will solve a problem, failing to understand the ramifications and negative repurcussions associated with its use.
If the system generates a single false positive, then the system itself has failed.
Re:The problem (Score:3, Insightful)
ISP's over-sell their lines, use that knowledge. (Score:5, Insightful)
Suppose you are an ISP with a single T1.
You don't just sell the available bandwidth. You over-sell it. You might sell 2x your bandwith or 3x or 4x or 5x.
You do that because you know that each of your customers will not be using their entire bandwidth all the time.
But spammers use up a lot more bandwidth than the average customer. You don't do that. You show your boss how that idiot is using 10x the average bandwidth but only paying 1x the average fee.
That should be easy to do. There isn't one government. I get a ton of crap from
The key here is money. The people who behave irresponsibly use more bandwidth than the responsible people (yet pay the same monthly fees).
If you want to clean your own house, that's the way to do it.
That's the carrot. The stick is when your entire block is blacklisted because you did NOT deal with the problem that you knew about.
Re:The problem (Score:5, Insightful)
Look, you have your IP block, and it's your damn responsibility to make sure that it isn't being abused.
Actually, the more attention you pay to what your customers' customers are sending over your network, the more legally liable you might be held for anything that slips through. The phone company isn't held responsable if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).
As soon as you start controling what your users can put out on the net, you lose common carrier protections.
Keep in mind that the same tactics that help you clamp down on spam will keep you from playing dumb when the Scientologists or others want to SLAPP your customers.
Other things that hinder spam prevention include pointy headed morons who report legitamate mails as spam because they can't be bothered to unsubscribe to double opt-in lists that they DID subscribe to, blackhole lists that carpet bomb large groups of people everytime one unrelated abuser sends a spam (even if that abuser is null routed), or who include sites that somehow offend their political or social values, or might have said something bad about them. There's a reason spamasassin doesn't just take any blackhole list's word for it. Anyone who can't be bothered to check if the From: field is forged before badgering half the world's postmasters, etc.
The last thing we need is to make sure the above foolishness becomes fatal to all but AOL and Earthlink.
Ultimatly, spam will go away when people stop buying things from spammers. Nothing else will likely manage it.
The natural extension to your argument is that automakers are liable for drunk drivers, the phone company is liable for telemarket scams, and of course, the post office is liable for mail fraud.
Re:How about "accountability" (Score:2, Insightful)
Re:The problem (Score:5, Insightful)
So it's better for you to profit from the spammer than for someone else to, since someone is going to?
Congratulations, you are part of the problem.
Re:Block port 25 outbound? (Score:1, Insightful)
They periodically send a spam "report" to ISP's telling of a certian threshold the ISP has reached on their spam radar. But there is no way what so ever of finding headers of spam originating from an ISP's network from this "report".
That and the abuse "report" is not always sent to the Whois lookup abuse contact for the IP range in question (which would lead anyone to believe they do not perform proper reverse lookups to begin with).
The ISP I work for shuts down ALL users who show up in a ~legitimate~ spam/abuse complaint, a ticket is filed so we can track repeat violators, the TSS staff contacts the user and walks them through cleaning their systems before they are let back on the network.
Come on AOL, if you are serious about spam, then play the game like every knowledgable ISP does. File a PROPER abuse complaint with the Whois listed abuse or tech address for the IP block, send the complete headers with the abuse complaint. Don't give us this " if the rest of the ISP's.." crap.
Throw me a bone AOL, and I'll shut a zombied machine down within 5 minutes of recieving your email.
Corner pay phones don't accept incoming calls. (Score:3, Insightful)
The same methodology can be used to fight spam.
You don't care what is in the email the customers send, they just have to send it via your email server. This will stop almost every zombie spammer out there.
And that's how spam will be fixed. By looking at each characteristic of spam and dealing with each one, individually. I've had users specifically request info from a site and then dump the email with that info into the spam folder.
Fortunately, Spamassassin handles enough so that I only have to confirm 10 - 15 of those a day. If so, that day is very far away. People do buy things like penis pills and they do it online because they feel better not having to face another human being while doing it. Sad, but true.
a serious problem (Score:2, Insightful)
Re:The problem (Score:2, Insightful)