ISP Responsibility in Fight Against Spam
netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as a key part of the problem in the long-term fight against spam. Hutzler says: 'Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc. to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"
Not caring? (Score:4, Interesting)
Blacklisting them publicly. (Score:5, Interesting)
Re:The problem (Score:5, Interesting)
In the end, they'll go somewhere else to spam and we'll lose the revenue.
How about "accountability" (Score:2, Interesting)
- don't want your mail servers to be blocked? Secure them so spammers can't use them.
- don't want to be considered a "spamvertising company"? choose a legitimate ad agency.
IMHO a multi-level effort is needed:
- ISPs need to have a blacklist of customers who are known spammers. They need to share info.
- Consumers need to have a website where they can check the legitimacy of a website, and see if it spams to advertise.
- Registrars need to stop issuing a bazillion domains to known spammers. When a dozen of a person's domains are referred to as spam sites... no more registration. Share data among registrars.
The problem now is that there are no consequences for spamming. An extremely low chance of a lawsuit or jail. Extremely low.
Spam is cheap, and apparently somewhat effective.
Until you make it not worth the time... people will do it.
Nobody holds the companies who advertise in spam responsible. Nobody holds ISPs who turn a blind eye to it responsible.
Sigh (Score:3, Interesting)
Spam from home users? (Score:4, Interesting)
(aside: we host a few websites, one of which we discovered was running an exploitable version of PHPNuke - but not before a spammer did and pumped ~20,000 emails into our queue. I noticed it pretty quickly and deleted them and blocked this webmail software across all these sites lest it happen again - but it was an interesting demonstration to me that spammers look for any and every leverage they can get. I keep a much closer eye on our mail queue statistics now!)
If they make enough money spamming... (Score:4, Interesting)
Re:Spam from home users? (Score:3, Interesting)
I've seen known compromised machines spewing for over a month after abuse@ was notified, so it's still an ISP issue.
Re:If they make enough money spamming... (Score:3, Interesting)
Gonna have to come from the top down... (Score:2, Interesting)
I used to be completely against ISPs blocking port 25 from non-MX machines to the outside world. Unfortunately, I've had to change my opinion. The vast majority of the spam that ends up in my spam mailbox (thanks, SpamAssassin and procmail!) and the mailboxes of my users comes from zombied/trojaned machines on residential, always-on internet connections (read, cable and DSL). Most of the e-mail gets tagged properly by SA, however if the ISPs themselves blocked outbound e-mail not relayed through the ISP's mail machines, things would work out much more nicely, the total volume of e-mail hitting other MTAs would drop, etc. There would be much rejoicing.
SPF is nifty, but it doesn't fix the underlying problem... It just allows for easier identification of mail that's coming from machines it shouldn't come from, etc. Actually getting lots of ISPs to adopt SPF is proving to be a slow process as well.
In short, ISPs aren't going to do anything to fix the problem unless they have to. Buying a few more boxes to handle the e-mail load (a huge generalization, but you get the idea) of the rampant spam is less of a problem for them than actually sorting out their mail systems to help fix the problem. A good place to start would be some method of making the top-tier connection providers responsible.
Re:Block port 25 outbound? (Score:1, Interesting)
And yet, having looked at the 2,000 BOUNCE messages I've gotten over the last 30 days, do you know how many came from AOL?
Approximately 400.
Oh yeah, the bounces come because a SPAMMER is using my spoofed email addresses in my domain.
AOL bounces SPAM back to the SPOOFED "From:" email addresses.
we block europe and asia... (Score:4, Interesting)
Just a thought (Score:2, Interesting)
A nation of zombies. (Score:3, Interesting)
If you own your own ISP, you're limited to the bandwidth that you're paying for (and you can be blocked easily).
With a bunch of zombie machines, you have TONS more bandwidth and you're not paying for it!
Plus - all those processors sending spam.
Just 10 zombies on 256K upload cable modems is 2.5Mb.
A regular T1 is only 1.54Mb.
oh really ? Have you tried to call AOL lately? (Score:3, Interesting)
Here's a post I made in my blog about a situation that arose because of AOL's "system". Ever since that episode, I haven't been impressed at all by these people.
--------(start idiotic message from AOL)----------
Date: Mon, 5 Apr 2004 09:04:13 -0400 (EDT)
From: postmaster@aol.com
Subject: AOL email concerns for isp-where-i-work-abuse.net
To: abuse@isp-where-i-work-abuse.net
X-Scanned-By: MIMEDefang 2.39
Dear isp-where-i-work-abuse.net,
You are receiving this message via our automated "Report Card" process (which helps analyze AOL's Internet inbound mail) because our available data indicate that isp-where-i-work-abuse has risen above the acceptable threshold for complaints:
Total number of AOL member complaints: 186
AOL takes proactive steps to contact owners of mail servers whose e-mail transmissions are impairing the functioning of AOL's proprietary e-mail system, or causing significant levels of AOL customer complaints.
AOL requests that you take immediate steps to resolve the issues identified in this AOL Report Card. In the absence of a satisfactory resolution, AOL reserves the right to take measures to protect its email network and its member goodwill from any possible damage. These measures may include declining to accept e-mail transmissions from isp-where-i-work-abuse.net through AOL's proprietary e-mail network.
AOL strives to provide the best online experience possible for our members, and we pride ourselves on being intensely focused on consumers and their needs. Email is a core feature of the AOL service, and the proper functioning of AOL's e-mail system is vital to our members' goodwill.
Please review AOL's e-mail policies and guidelines, as well as other technical details concerning e-mail on the AOL network, at http://postmaster.info.aol.com
------------(end message)--------------
Ooohhh, AOL's proprietary e-mail network. No information that is gonna be any use in determining WHY people are complaining at all. I guess this should not be a surprise, considering this crap is coming in from AOL! So I do the next available thing, I go to the website. Result: No information that is gonna be any use in determining WHY people are complaining at all. But there's a phone number.
Result of calling 1-888-212-5537:
*dials phone*
"The holding time for the next available consultant will be more than ten minutes."
"Thank you for calling America Online."
*spits water all over desk, workdesk and papers*
(musak)
(an hour later)
Hello, this is postmaster helpdesk, can I help you?
REP:"oh, that's because you don't currently have a feedback loop with us."
ME : "huh? but we received your report cards in the abusemail box."
REP:"Yes, but you don't have a feedback loop with us"
ME
REP:"Yes, but we made our own database"
ME
REP:"I cannot comment on that"
REP: So what are your mail server's IP addresses?
ME : We have several : we're an ISP.
REP: Alright, then give em to me.
ME : That's why we use DNS names for our mail servers : if one breaks, we change the IP to another server while we fix the previous one.
REP: So you can't give me the IPs?
Re:ISPs need to do more to stop spam zombies (Score:3, Interesting)
When his honey pot receives mail it tracks down the mail to the sending machine, works back to the ISP and mails a report to the ISP admins in realtime. If the PC is own3d then the admins usually disconnect it from the net fairly soon until the owners have fixed it, so the machines can only be used for a short time.
Because the admins work in parallel on the problem worldwide, apparently it's making a noticeable dent in the DDOS population; he connected to IRC and listened to the spammers bemoaning the fact that their favourite toys are getting fixed too quickly. :-)
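The traceback this honeypot performs, together with the "is this machine allowed to send for that domain" question that SPF answers in the port-25 comment above, as an added Python example that is none of the posters' code: it reads the Received chain newest-first, trusts only the hop written by our own MX, evaluates an SPF record for the From: domain and picks the ISP abuse contact for the source netblock. The MX hostname, the SPF and whois tables (constructed stand-ins for DNS and whois lookups) and the sample message are all constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Our own honeypot MX; only Received headers written "by" it are trustworthy.
TRUSTED_MX = {"mx.honeypot.example"}
# RFC 1918 and loopback space: hops from here are our own relays, not the sender.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-ins for the SPF TXT record and whois data a live check would fetch.
SPF_RECORDS = {"example.com": "v=spf1 ip4:203.0.113.0/24 -all"}
ABUSE_CONTACTS = {ipaddress.ip_network("198.51.100.0/24"): "abuse@residential.example.net",
                  ipaddress.ip_network("203.0.113.0/24"): "abuse@example.com"}
# Constructed sample: one honest hop written by our MX, then a forged hop below it.
SAMPLE_MSG = (
    "Received: from mail.example.com (dsl-23.residential.example.net [198.51.100.23])\n"
    "\tby mx.honeypot.example (Postfix) with ESMTP id 3F2A1; Mon, 5 Apr 2004 09:04:13 -0400\n"
    "Received: from mx.bank.example (mx.bank.example [203.0.113.9]) by mail.example.com with SMTP\n"
    "From: sales@example.com\nSubject: constructed spam sample\n\nbody\n")
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(.*?\[(\d+\.\d+\.\d+\.\d+)\]\).*?\bby\s+(\S+)", re.S)


def connecting_ip(raw_message):
    """IP that handed the message to our MX: the last hop we can vouch for."""
    for hdr in message_from_string(raw_message).get_all("Received", []):  # newest first
        m = RECEIVED_RE.search(hdr)
        if not m or m.group(2).rstrip(";") not in TRUSTED_MX:
            continue  # written by someone else, so possibly forged by the sender
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in INTERNAL_NETS):
            return ip
    return None

def spf_result(domain, ip):
    """Minimal SPF evaluation: ip4 mechanisms plus the -all / ~all qualifier."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term in ("-all", "~all"):
            return "fail" if term == "-all" else "softfail"
    return "neutral"

def build_report(raw_message):
    # Source IP, SPF verdict for the From: domain, and the ISP contact to notify.
    ip = connecting_ip(raw_message)
    if ip is None:
        return None
    domain = message_from_string(raw_message)["From"].rsplit("@", 1)[-1].strip("> ")
    report_to = next((c for net, c in ABUSE_CONTACTS.items() if ip in net), None)
    return {"ip": str(ip), "spf": spf_result(domain, ip), "report_to": report_to}
```

The forged second hop claims the mail came from 203.0.113.9, which the SPF record would pass; because only the hop written by our own MX is trusted, the report names the residential 198.51.100.23 and its ISP instead.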
Re:Just a thought (Score:2, Interesting)
It's the same with mail servers, fix one problem and another appears, ad infinitum. Bottom line; SMTP is useless and should be relegated to the dark ages when only scientists and soldiers used email.
SMTP requires trust in other mail servers' good faith: (a) adherence to RFCs and standard practices, and (b) prevention of malicious intent. Close an open relay and reinstalling a W2K server with the default options opens another one, at least for a bit. Shut down an ISP haven for hackers and some shmuck running an NT 3.51 server on a Commodore 64 down in Kenya will decide to try to set up a webserver without deselecting SMTP from the other Web services.
The whole system of SMTP is a mess of patches, fixes, and outright nonsense that requires less ingenuity to circumvent than it does to repair. As a matter of fact, the smarter you are the more you work around the rules such as using relays and Deny Lists to either fabricate your own information or else restrict communications on the Internet. Which is worse lying about something with good intentions or following the rules and violating the basic principle the Net was founded on?
Re:The problem (Score:2, Interesting)
Well I lost one two weeks ago for this very reason. The customer is a prominent business (one of the largest in one of the communities we service, in our area of about 1/4 of a state). They left for Qwest after a year of absolute refusal to address their IT disasters, leading up to the final "last straw" incident in December.
In typical "smaller business with bigger infrastructure requirements" fashion, this is a real estate office with several dozen workstations for agents. They have several NT4 servers (patchlevel zero - never been patched), running IIS, FTP, Telnet, Exchange, filesharing, etc. Internet access is critical for updating listings, and they had a dedicated connection through my network. Unfortunately, they inadvertently became a hosting site for spammers. Not only does this consume network and server resources (and represent a significant security disaster), but this also invites retaliation. Three times during 2004, DDoS retaliation caused significant impairment to my network and outages to their service.
Their response? Blame the ISP. With them refusing to address their security nightmare, I had to rate shape them in order to restrict DDoS impact, filter countless port ranges and spend no less than 10 hours a month dealing with their mess. Finally they solved it for us this month by replacing their dedicated service with a $50/month Qwest DSL line. I'm sure Qwest will give them the 24x7 on-call support we provided for this rate and allow them to exhaust Qwest's community network's capacity with DDoS attacks.
So yes, they will leave the ISP when security is taken seriously? I'd care only from the visibility this client has in their community, but fully recognize that if they continue to get hacked and ignore their responsibility for operating a reliable IT system, they will eventually suffer the consequences.
Now if we can get GAAP-like requirements for information security passed and make it a crime to run a neglected IT shop... but I digress!
"ISP" fronts for Spammers - Moving Target (Score:3, Interesting)
Scotty Richter's OptInRealBig gang had their big pet ISP, named something along the lines of "wholesale bandwidth". AFAICT, they mostly did business for Scotty, but they also sold bandwidth to other people, and they normally dealt with problems by explaining how they were shocked, shocked! to discover that one of their customers was a spammer! and would take care of them right away, usually by having their "customer" list-wash the complainer's address (they really *were* scrupulous about taking complainers' addresses off the list, though I had no way of knowing if they also resold the lists of complainers to other spammers), or worst case, by "getting rid of" their "bad" customer (i.e. renaming herbal-fake-viagra.com as fake-herbal-viagra.com with a different IP address on a different virtual server in their /19 block, or sometimes even "getting rid of" a whole virtual server, and giving it a new IP address.) Because they were pretending to be an honest, CAN-SPAM-law-abiding whitehat spammer, using their own IP address space, it was easier to trace them than the usual zombie-burning spammer, and I helped out with one or two rounds of complaining to their upstream providers when they got kicked off of one and found another. It usually required a couple exchanges of "No, I wasn't complaining to you to get them to 'investigate' and take my email address off their list, I was complaining to you to get you to cut them off unless they stop spamming entirely, which they're still doing, and I won't give you the email address they spammed, just the headers, and by the way they appear to be abusing a supposedly-inactive BGP Autonomous System Number" until they were cut off. Companies that *are* trying to hide are much tougher to get rid of.
Re:The problem (Score:3, Interesting)
No, I don't send out UCE/Spam.
Now, my ISP is not lax about these issues. For example, many of my customers have received calls about them sending out mass mailers. If something seems amiss, they will certainly call about it first before they take any further action.
They will try to work with their customers to a) let them know there is a problem and b) give them a reasonable ability to solve it.
However, I am sure that if one abuses their network that they will pull the plug on the account. They just know that if they do this without making a good faith effort to make things work for the customer, they risk being sued by the customer (for lost business, etc). I have been relatively happy with their service.
Quite frankly, I think IANA and the other IP provisioning authorities should start threatening guys like you with loss of your subnets if you don't start policing the traffic.
Hmmm.... I think that if there is a drought and you water your lawn, the city might be able to shut off your water if you want to set this sort of precedent. Maybe they should. If you get heatstroke and require emergency medical attention, that is still *less than the monetary damage* that taking down my internet line would provide.
Guys like you would make it impossible for me to carry on my own operations and help my customers run their email servers on-site. This would have cost me hundreds of thousands of dollars too. So who wins? Furthermore, it would make it impossible for my customers to have third parties host their email because they need more accounts than their ISP gives them, and this would cost each of them hundreds of thousands of dollars. Put simply, encouraging ISPs (using the means you suggest) to prevent their customers from running email servers will get everyone nowhere real fast including, I suspect, your business.
Look, the answer is to let the market work. We already have RBLs which help this happen. I have seen at least one ISP go out of business because they were blacklisted after spammers took over their email servers. That seems fair enough.
Re:He seems to miss.. (Score:2, Interesting)