Spammers hapless fate = ISP toil and sweat

Hello,

I normally just lurk around this mailing list, but I think I'll 
contribute my two cents this time...

Spamming is a serious problem. Here at Esoterica where I am, 
unsolicited email was about one half of total email traffic -
which is quite a lot. Thus, our postmaster has dedicated
all his available time to implement anti-spamming measures.

What he found out is this:

Firstly, far from being "mindless robots", the companies in the
spamming business are cold-hearted professionals. They have teams
of professional programmers spending all their time just to develop
new and more effective ways of illegally sending out unsolicited email -
using several clever relaying mechanisms. They work full-time on the
job. They are a strong force which will easily overthrow any basic
measures taken against spamming - like simply filtering up domains,
or blocking traffic from relaying machines.

Secondly, they are vindictive and protect their own jobs. This means that
if an ISP tries to agressively implement anti-spamming mechanisms,
they will fight back! And how they do this? For instance, they send out
forged emails with these ISP's addresses. What happens? Entities receiving
the forged emails will complain to the ISP in question. The ISP replies
telling that the emails are forged, trying to make them understand that
this is the "spammer's revenge". Most of these entities either don't care
or don't believe, so they just shut the ISP off their firewall (especially
if on the next day they get a new lot of unsolicited email apparently coming
from the same forged addresses...). This forces the ISP to open up themselves
to spamming from this particular company, hoping that they won't forge
spamming attempts in the future...

As you see, they're quite clever. Their businesses and jobs depend on their
cleverness.

How can ISP's successfully "fight back"? First, and foremost, they need to 
assume that the "threat" is serious. Secondly, allocate resources to the job -
this means a *lot* of time. But thirdly, and I think that's the major issue
here, by sticking together. While a single postmaster probably won't be able
to do much work single-handedly, having a group to coordenate the work is
helpful. Some free time taken from a group of postmasters adds quickly up
to a "task force" of some magnitude...

Basically, what our postmaster found out is that denying access is not a good 
measure - spamming companies will try every trick of the trade to get through
or else they will try to hurt the blocking ISP in some way. UUNet, for instance,
has publicly announced their "zero tolerance" towards spammers - it's no wonder
that perhaps half of the spammers use now forged emails (and dial-up accounts)
coming from UUNet to spam the net. Their hope is getting enough ISPs blocking
UUNet's traffic so that UUNet is "forced" to "open" their machines to spamming
again... (in our case, as a transit customer of UUNet I obviously can't block 
traffic through them :-) )

Better is just to difficult their action. Remember that their jobs depend on
getting as many messages through as possible (using third-party relayers).
If a sendmail configuration just lets a few messages through, or selectively
blocks some domain for a while, this means that this machine will only
deliver a few messages - when spammers rely on tens of thousands to be
delivered. This is uninteresting to them. They will thus use other machines as 
relays. Of course, this also means that your own users will see a delay on
the sending of their own, legitimate messages. It's a tradeoff.

By using a combination of these tricks one can try to keep the spammers away for
a while - until they develop a new creative method for spamming again. We have
seen all sorts of very clever and ingenious methods to get through. Who knows
what else they will invent next?

By keeping a mailing list with several postmasters' contacts it's possible not
only to exchange domains from where the spammers usually attack, but 
anti-spamming techniques and tricks. There are some steps being taken at
a national base here in Portugal (from where I'm writing :-) ) but, as shown by 
the traffic generated on this list on this topic of spamming, I'm going to make
the suggestion again, at this level...

Do you think that there is some interest in mantaining a mailing list for
all postmasters from the LRs for the sole purpose of discussing anti-spam
techniques and listing spamming domains and relay machines?

Would RIPE be interested in "sponsoring" this mailing list?

BTW, searching through the RIPE's Web site, the only mention to spam is on 
RIPE-162, chapter C2.1. This basically states the commitment of RIPE to mantain
the mailing lists spam-free. I wonder if there is already a "task force" in
place for anti-spamming measures. We're aware of some efforts on an 
international basis - mostly some Web sites with interesting information and
data on anti-spamming measures, with associated mailing lists - but to my
personal knowledge, there is no such coordinated effort at RIPE (so far :-) ).

There is also an issue of local laws. Filtering out spam *could* be illegal
on some countries (it violates freedom of speech). In Portugal, spamming is
actually illegal - it's "unsolicited email", and this is an abuse of a third
party's infrastructure, ie. using computational (and telecommunications)
resources that you aren't allowed to. This makes it a crime according to
Portuguese law. There is a case of mail bombing (a particular kind of
spamming...) brought to court - it will take ages to be ruled and probably the
offender will get away with some community work :) but it will be judged in
court. Of course, on other countries, freedom of speech may be more important
than using others' telecommunications resources. I wonder if local laws will
actually work *against* a RIPE-based global effort across Europe.


On 12-Sep-97 "Scott A. Marlin" wrote:
>Which basically means that any customer is free to spam. The ISP is
>there to take the rap and clean up afterward. I think for such matters,
>the "spammer" should be held responsable ... like being charged a flat
>or hourly rate for the cleanup job.

This is the case around here. Of course, catching the spammer and actually
condemning him/her in court in order to charge him/her that rate is
another story, especially if we're talking about an international
incident.

Better to prevent him/her to spam on the first place.


>Incidently, in the cited case, I sent a mail to an address mentioned in
>the ad asking them to stop sending the ads. What I got back was another
>mail from another source (obviously from a blind mail-robot) with *lots*
>of info about their services.
>
>At the bottom of the e-mail was an URL address for those who wished to
>stop the ads from being sent. Waaaay down at the bottom of this web site
>plugged full of promotional information was the opportunity to
>"register" my name in the database of those who didn't want to receive
>any more spam (the name of the link was a baby crying "mommy ... they
>thpammed me again".) Really !

One of the major issues about spamming customers is knowing how many people
were actually reached by a spamming effort. Spamming companies have found
out that these two tricks - "send email here to be deleted from our database"
and "click here to remove yourself from our database online" - are the best
to know if you're reaching people. Also, many postmasters will contact the
spamming company in order to complain. Based on all this feedback, spamming 
companies can determine a "success rate" for their spamming efforts. This keeps 
their own customers happy...

A better way to deal with this is simply ignore the message, and make sure that 
all your users ignore the spam, too. In the long end, this means a lower 
"success rate" for a particular domain/spamming technique, so the spamming 
companies will probably try somewhere else.


>The entire operation took about 30 minutes. I haven't heard from them
>since. But I have recieved at least 10 unsollicited e-mails since then. 

My bet is, they will try again and again and again. The problem is, each
time your address is found on a Usenet post, on a subscription web site or
on a mailing list, there is a high probability of someone "selling" your
email address to a spamming company. For instance, I'm receiving spam to
addresses that have been disconnected 2 and 3 years ago... DejaNews and
other public sites with lots and lots of addresses are a perfect place
to get all those addresses for the spamming lists...

        - Luis Sequeira

____
\       Esoterica - Novas Tecnologias de Informacao, SA
:-)     Luis Miguel Sequeira
/___,   lms at esoterica.pt         http://www.esoterica.pt/