Is There Any Reason to Report Spammers to ISPs?

Cliff posted more than 7 years ago | from the does-it-do-any-good dept.

Spam 117

marko_ramius asks: "For years I've been a good netizen and reported spam that I get to the appropriate contacts at various ISPs. In the entire time that I've done this I've gotten (maybe) 5 or 6 responses from those ISPs informing me that they have taken action against the spammer. In recent years however, I haven't gotten any responses. Are the ISPs so overwhelmed with abuse reports that they aren't able to respond to the spam reports? Do they even bother acting on said reports? Is there any real reason to report spammers?"


Dont bother - they're in on the racket (0)

Gothmolly (148874) | more than 7 years ago | (#18916635)

They don't care if your MUA receives the email or not, they know that the spammer sent some bytes over their network to your MTA. And they charge a premium, it's like protection money, to the spammers. Why would ISPs kill their golden geese?

Re:Dont bother - they're in on the racket (1)

TheSkyIsPurple (901118) | more than 7 years ago | (#18916811)

"They"?

A few may actually behave like this, but I'd be willing to bet that the majority aren't.
I've worked for a large ISP, and we worked with others to fight this stuff. Spam represented a great waste of our resources, and a great distraction to actually providing an actual product for our customers.

Re:Dont bother - they're in on the racket (5, Interesting)

walt-sjc (145127) | more than 7 years ago | (#18917575)

That may have been back when you worked there, but it's quite obvious that it's not the case now. If ISPs gave a shit, they would block outbound port 25 by default for dynamic IP clients (and maybe ALL IPs). That would stop at LEAST 95% of the spam botnets. This works best with a tool to allow you to open the port if needed (running a mail server.) Running a mail server on a dynamic address at this point is futile as a good portion of servers will block you anyway. MUAs should all be configured to use port 587 for authenticated submission.

ISPs could also install sniffers to watch the rate of outbound off-network port 25 SYN packets, and investigate unusual activity. Oh and don't go saying that this is difficult - just talk to AT&T and the government - they have been sniffing ALL traffic.

But it's VERY VERY rare to find an ISP that does ANYTHING AT ALL to stop outbound spam. Oh sure, they are perfectly willing to install blacklists and filters on inbound, but outbound? Nothing. They don't care. The only way to fix this is to make habitual offenders be financially liable. ISPs also need to make end users liable and start enforcing their TOS, disconnecting grannie and her POS windows box that has no firewall, anti-virus, and is running spambot software.
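
The rate monitoring suggested in the comment above, as an added example that is not part of the original post: it counts outbound, off-network port 25 SYNs per subscriber in a sliding window and skips subscribers who asked to have the port opened. The prefixes, thresholds, record layout and sample flows are assumptions constructed for illustration.

```python
"""Flag subscribers with an unusual rate of outbound, off-network port-25 SYNs."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Everything below is an assumption of this sketch, not taken from the thread:
# the prefixes (documentation ranges), the thresholds and the record layout.
ISP_NETS = [ip_network("198.51.100.0/24")]   # subscriber and relay address space
ALLOWED_SENDERS = {"198.51.100.10"}          # subscribers who asked to have port 25 opened
WINDOW_SECONDS = 60
MAX_SYNS = 20     # port-25 SYNs tolerated per source per window
MAX_DESTS = 10    # distinct remote mail servers tolerated per window
SYN, ACK = 0x02, 0x10


def on_network(addr):
    ip = ip_address(addr)
    return any(ip in net for net in ISP_NETS)


def is_outbound_smtp_syn(rec):
    """True for a connection attempt from a subscriber to a remote MTA on port 25."""
    _ts, src, dst, dport, flags = rec
    return (dport == 25
            and bool(flags & SYN) and not flags & ACK   # initial SYN only
            and on_network(src) and not on_network(dst))


def find_suspects(records):
    """Return {source_ip: (peak_syns, peak_distinct_dests)} for sources over a threshold."""
    windows = defaultdict(deque)
    suspects = {}
    for rec in sorted(records):
        if not is_outbound_smtp_syn(rec):
            continue
        ts, src, dst, _dport, _flags = rec
        if src in ALLOWED_SENDERS:
            continue
        win = windows[src]
        win.append((ts, dst))
        # Drop attempts that have aged out of the window (the newest entry always stays).
        while win[0][0] <= ts - WINDOW_SECONDS:
            win.popleft()
        syns, dests = len(win), len({d for _, d in win})
        if syns > MAX_SYNS or dests > MAX_DESTS:
            peak = suspects.get(src, (0, 0))
            suspects[src] = (max(peak[0], syns), max(peak[1], dests))
    return suspects


def sample_records():
    """Constructed flow records: (unix_ts, src, dst, dst_port, tcp_flags)."""
    recs = []
    # Infected host: one SYN per second to 40 different remote MTAs.
    recs += [(1000 + i, "198.51.100.23", f"203.0.113.{i + 1}", 25, SYN) for i in range(40)]
    # Ordinary user: three direct deliveries, plus packets of established sessions.
    recs += [(1000 + 15 * i, "198.51.100.42", "192.0.2.25", 25, SYN) for i in range(3)]
    recs += [(1000 + i, "198.51.100.42", "192.0.2.25", 25, ACK) for i in range(50)]
    # Opted-in mail server: busy, but exempt.
    recs += [(1000 + i, "198.51.100.10", f"203.0.113.{100 + i}", 25, SYN) for i in range(50)]
    # Heavy use of the ISP's own relay (on-network) and of submission port 587.
    recs += [(1000 + i, "198.51.100.77", "198.51.100.5", 25, SYN) for i in range(50)]
    recs += [(1000 + i, "198.51.100.88", f"192.0.2.{i + 1}", 587, SYN) for i in range(50)]
    # Slow sender: 30 SYNs ten seconds apart, never more than 6 in one window.
    recs += [(2000 + 10 * i, "198.51.100.99", "192.0.2.25", 25, SYN) for i in range(30)]
    return recs


if __name__ == "__main__":
    for src, (syns, dests) in find_suspects(sample_records()).items():
        print(f"{src}: {syns} SYNs to {dests} remote servers within {WINDOW_SECONDS}s")
```

Counting distinct destinations as well as raw SYNs catches a host that spreads a modest number of attempts across many remote servers, which a single legitimate mail client rarely does.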

Re:Dont bother - they're in on the racket (1)

LiquidCoooled (634315) | more than 7 years ago | (#18917621)

If you start to ask them to filter one specific thing then it means they are taking away their impartiality.
Wasn't common carrier status meant to mean "If you start to manage the traffic of the customer, you start to become liable for it"?

Re:Dont bother - they're in on the racket (1)

walt-sjc (145127) | more than 7 years ago | (#18917665)

Yeah, I used to subscribe to that belief, but the spam problem needs drastic action to deal with. The FACT is that many ISPs already block port 25 and "manage" traffic to a certain extent already, and are still "common carriers."

Re:Dont bother - they're in on the racket (1)

1u3hr (530656) | more than 7 years ago | (#18918171)

> If you start to ask them to filter one specific thing then it means they are taking away their impartiality.

ISPs have terms of service. Many will take your site down if you host MP3s, warez, or porn (obviously, others are quite happy for you to do so). Many have broad language saying you're basically not allowed to be a "server". Which if strictly enforced, would stop you doing almost everything.

Re:Dont bother - they're in on the racket (3, Informative)

Anonymous Coward | more than 7 years ago | (#18918683)

ISPs are not common carriers and never have been. When will this myth die!?!

Re:Dont bother - they're in on the racket (2, Interesting)

WebCrapper (667046) | more than 7 years ago | (#18917889)

I worked for a smaller National ISP (MindSpring) and our engineers tried this one day without telling anyone. 2 hours later, Technical Support was being killed by customers complaining that they couldn't send mail to other required sources. After our NOC figured it out, the engineers had to turn things back the way they were and the call Q cleared up.

The problem with your situation is that the same customers that complain about the spam that come in rely on Port 25 to allow their users access to company servers. It's too much to ask of these people to change the mail server on the sending machine - they'll just scoff at you.

Some of the smarter ones use another Port to get around these type of issues but even then, it sometimes causes problems. Ignorance is bliss.

Re:Dont bother - they're in on the racket (1)

walt-sjc (145127) | more than 7 years ago | (#18918013)

Obviously trying it without telling anyone is stupid. Tell customers ahead of time, give them the info they need such as "use port 587, 465 (for broken MS clients) or your VPN dammit", etc. Doing nothing does not solve the problem. Just because Mindspring engineers are morons doesn't mean that the idea is bad.

Re:Dont bother - they're in on the racket (1)

WebCrapper (667046) | more than 7 years ago | (#18918445)

I agree that not telling anyone was a bad mistake...

While I'm not in the middle of the US IT situation, I don't think it's used as much as it should be.

Re:Dont bother - they're in on the racket (1)

kchrist (938224) | more than 7 years ago | (#18918935)

I don't know when your story occurred, but it's worth pointing out that Earthlink/Mindspring was in fact among the first handful of major ISPs to implement outbound port 25 filtering across most of their dynamically assigned address ranges.

Yes, it was a support nightmare (and I wasn't even on the support floor) but the drop in outbound spam was astounding.

Re:Dont bother - they're in on the racket (1)

WebCrapper (667046) | more than 7 years ago | (#18919743)

Late 1998. After a few months, it was turned back on. I think the engineers figured out most that were using remote port 25's and automated a message about updating SMTPs.

Re:Dont bother - they're in on the racket (2, Interesting)

.tekrox (858002) | more than 7 years ago | (#18918125)

I used to work for an Australian ISP,

and believe me, they took spam seriously...
not just for reasons of stopping spam, and credibility, but for profit..

See, we'd give them 2 chances - they got reported for spamming, we'd give them a call and tell them what's going on and ask them nicely to please fix it. If it's a suspected botnet, get a PC tech - if it's a spammer (it's happened) then stop your freakin' spam.

If they got reported again, accounts get suspended. Give them another call, explain the situation again, and advise them that they need to cease their spam immediately (for deliberate spamming) or get their PC checked by a PC tech (botnet style). The account would NOT be unsuspended until they could guarantee us that they had remedied the situation; at this point we'd advise them that if we get another spam report they would be charged $5 PER EMAIL for spam sent.

If spam happens again, account is suspended again, an invoice generated and sent to the customer for the spam, and this - we'd wait for their call.

Re:Dont bother - they're in on the racket (1)

Not The Real Me (538784) | more than 7 years ago | (#18922571)

"...See, we'd give them 2 chances - they got reported for spamming we'd give them a call and tell them what's going on and ask them nicely to please fix it. if it's a suspected botnet, get a pc tech..."


You're better than Pacific Bell (now AT&T) in California. One of their residential customers in Los Angeles had their computer hijacked by a botnet. I called PacBell's DSL customer service and tried to give them the IP address of the infected machine. Their response? PacBell: "Nothing we can do about it. Try blocking them on your end."

Since their residential customer is on DHCP, I have to periodically reblock the offending hijacked computer when people complain about the level of spam getting through. This single hijacked computer accounts for about 1/3 to 1/2 of the spam we receive.

No, I strongly disagree... (3, Interesting)

msauve (701917) | more than 7 years ago | (#18918425)

with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathematic to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.

What ISPs should do is to identify nodes which have actually been infected by a botnet (or are otherwise sending spam/malware) and nuke them in accord with every ISP TOS out there. But, that would be more work, and cut into their revenues, so they don't want to do that.

I run a firewall (iptables), run up-to-date malware scanners, and take responsibility for what leaves my network. If my security is ineffective, and one of my machines starts spewing spam, I should be cut off and held responsible. But, I should not be penalized or limited because of the actions of others.

Finally, it should be obvious that port blocking, refusing acceptance of smtp connections originating from dynamic IPs, etc. simply hasn't been effective against spam. Spam continues to increase, and will continue to do so until action is taken closer to the root causes - networks start going after originating machines, law enforcement start going after businesses using spam (and, of course, instituting a death penalty for anyone caught purchasing any product from a spammer).

Re:No, I strongly disagree... (2, Insightful)

walt-sjc (145127) | more than 7 years ago | (#18918673)

YOU are not the problem. Grannie and Aunt Mathilda are. Port blocking by default with a way for savvy users to unblock solves the problem with such a MINOR inconvenience that it's a non-problem. Doing nothing will not solve the problem.

As for your assertion that blocking inbound from dynamics is not effective, I, and MANY other ISPs disagree with you. The mail server logs don't lie. Blocked mail from dynamic space (which is ALL spam) is 75% of ALL connections to our mail servers, with other blacklists cutting it down even further. That reduces load on spamassassin and other anti-spam analysis by a factor of 6. While it hasn't STOPPED spam, it sure as hell cuts it down to a manageable level.

I agree that ISPs need to be a lot more proactive and less reactive towards spam. Port blocking is proactive. Responding to spam complaints is closing the gate after the cows got out.

Re:No, I strongly disagree... (1)

BrokenHalo (565198) | more than 7 years ago | (#18919267)

> The mail server logs don't lie. Blocked mail from dynamic space (which is ALL spam)

It's also nearly ALL mail from legitimate home users and a large majority of small businesses. Block those, and you might just as well shut down your mail servers altogether.

Re:No, I strongly disagree... (1)

walt-sjc (145127) | more than 7 years ago | (#18919579)

No, because legitimate users on dynamic IPs use their ISP's or other mail service provider's mail servers. Been down that road. As I stated in a previous comment, people on dynamic IPs are ALREADY doomed as many major ISPs already block them. Sorry if you don't like it, it's a fact of life. If you want to send mail without going through a smarthost, get a static IP. Yeah it cost extra. Deal.

Uhhhh... (1)

msauve (701917) | more than 7 years ago | (#18920977)

> because legitimate users on dynamic IPs use their ISP's or other mail service provider's mail servers.
That might be a reasonable answer, if:

1. The ISP contractually commits, under severe penalty, to maintain full confidentiality and security for all email passing through their servers. That includes supporting encrypted sessions (from the customer and to the endpoint, including giving the customer control over associated certificates), allowing the customer to control when log events are deleted, guaranteeing ISP employees cannot view or intercept, not archiving or recording email, and completely ignoring any subpoena or other governmental demands for monitoring or maintaining records of email. Will you do that?
2. Gives the customer full control over email filtering/reject messages/retry frequency/fail timeouts, etc., plus full access to all log events related to that user's email. Can you do that?
3. Assumes full legal responsibility, including incidental and consequential damages, related to delivery of email. Will you do that?

Re:Uhhhh... (1)

walt-sjc (145127) | more than 7 years ago | (#18925477)

1. Do you REALLY think that you have full confidentiality and security for all mail traveling on an ISP's NETWORK? See AT&T for proof that you don't. If you are worried about confidentiality and security you need to use encryption no matter WHOSE servers you use.

2. As already stated, get a static IP if you want to run a mail server. Problem solved.

3. As already stated, get a static IP if you want to run a mail server. Problem solved.

Look, you can come up with all sorts of goofy requirements to attempt to justify your need to run a server you want. It won't change reality that dynamic addresses are ALREADY damaged goods, both from the fact that so many major ISPs already block mail from dynamic addresses and also the fact that it's very common that the TOS on dynamic IP accounts forbids it. Whining at me won't change these facts.

Re:No, I strongly disagree... (1)

Spacejock (727523) | more than 7 years ago | (#18925437)

What happens if the ISP you're with keeps getting their mail servers blocked for so-called spamming? That's why I use my own server on a dynamic IP - I occasionally get a returned mail from a couple of major US ISPs telling me my email didn't get through, but the alternative is NO mail getting through for several days at a time.

To help my users I've listed the ISPs I know won't accept mail from me on my contact page, and advised people trying to get in touch to set up a gmail or hotmail account instead. (They're usually after support for free software, so I have no concerns about driving away customers.)

Re:No, I strongly disagree... (2, Informative)

MightyMartian (840721) | more than 7 years ago | (#18918707)

> with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathematic to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.

Yeah, if they block MS file sharing ports and leave open relays in place, they're not really ISPs.

Give me a break. I see nothing wrong with an ISP closing down ports that, through a lack of foresight or through simple bad security engineering, pose serious risks to client security and to the ISP's own network.

When I worked for an ISP, we closed down port 25 on all clients. If someone wanted to run a mail server, all they had to do was call us, and they almost inevitably would anyways to get the DNS entries set up. 99.9% of consumer Internet connections do not require file sharing and SMTP ports open. Actually, 99.9% of consumer connections don't require a whole shitload of those ports be open, and it's ludicrous to assert that Joe Average surfing the web, sending email through Yahoo, GMail or his Outlook Express client and doing some music sharing and video downloading somehow should be treated like servers.

At my old job, I spent about a quarter of my time directly or indirectly dealing with spam. We had to set up proxy servers to block distributed dictionary attacks that were literally bringing our mail server down. I had customers screaming about going away for three or four days and coming back to fifty spam messages. The customer and the stability of the network spoke loudly, and I took the action needed. Our SMTP server would only relay email coming from authenticated connections, we wouldn't let ordinary customers send out on port 25, which did a helluva lot to abrogate the effect of worms. Yeah, it meant customers sending to remote mail servers had to do some change to their MUA port settings, but the number of people that had to do that was pretty small. It didn't get rid of spam, but it sure took a bite of it.

Yeah... (1)

msauve (701917) | more than 7 years ago | (#18918909)

and how many customers did you cut off for sending spam (intentional or unintentional) in violation of your TOS? How many peers did you sever because they weren't policing their users, and were therefore sending spam your way?

I have little sympathy for lazy ISPs, who've created the bed they are now forced to lie in.

ISPs allow spam because they make more money putting up with it than by dealing with it properly.

Re:Yeah... (2, Insightful)

MightyMartian (840721) | more than 7 years ago | (#18920197)

We were a pretty small ISP. We only caught two people spamming in all the time I was there, and warnings were enough to stop it. We got on RBLs once because our old mail server was an open relay, and we had no desire to let any of our customers get us back there again. The majority of spam coming from our local customers were due to worms on their computers. That is where blocking port 25 at the gateway was so damn effective.

I have this feeling that you don't know a lot about spam and how it is propagated. There's a reason that everyone ran around blocking consumer IPs, weighting against IPs without MX records, and greylisting IPs that pumped in too many invalid addresses in a short period of time (indicating a distributed dictionary attack (it didn't help that our upstream provider was the source of a lot of these attacking addresses)).

Re:Yeah... (1)

walt-sjc (145127) | more than 7 years ago | (#18920279)

ISPs did not create the un-authenticated, anonymous SMTP protocol that was designed back in the kinder and gentler early days of the net.

Now I will blame ISPs and other mail server operators for not taking a very strong stance and mandate that mail servers behave correctly, such as working forward and reverse DNS, correct HELO/EHLO arguments, etc. Hell, just rejecting mail from poorly set up mail servers alone would go a LONG way towards cutting spam down with ZERO impact on server load, and legit mail.
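
The checks named in the comment above (working forward and reverse DNS, a sane HELO/EHLO argument), as an added example that is not part of the original post. The resolver is injected so the code runs offline; the DNS data, addresses, host names and finding labels are constructed for illustration.

```python
"""Check a connecting mail server's DNS and HELO hygiene at SMTP connect time."""
import re
from ipaddress import ip_address

# Dotted host name with an alphabetic top-level label (rejects "localhost", "WINXP-PC").
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def check_client(client_ip, helo, ptr_lookup, addr_lookup):
    """Return a list of findings; an empty list means the client looks well configured.

    ptr_lookup(ip) -> list of names and addr_lookup(name) -> list of IPs are
    supplied by the caller (a live server would back them with its resolver).
    """
    findings = []
    ip = ip_address(client_ip)

    # 1. Reverse DNS must exist and at least one PTR name must map back to the IP.
    names = [n.rstrip(".").lower() for n in ptr_lookup(client_ip)]
    if not names:
        findings.append("no-ptr")
    elif not any(ip in map(ip_address, addr_lookup(n)) for n in names):
        findings.append("ptr-not-forward-confirmed")

    # 2. HELO/EHLO must be an FQDN or a bracketed literal of the client's own address.
    arg = helo.strip().rstrip(".").lower()
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.startswith("ipv6:"):
            literal = literal[5:]
        if not (_is_ip(literal) and ip_address(literal) == ip):
            findings.append("helo-literal-mismatch")
    elif _is_ip(arg):
        findings.append("helo-bare-ip")
    elif not FQDN_RE.match(arg):
        findings.append("helo-not-fqdn")
    elif ip not in map(ip_address, addr_lookup(arg)):
        findings.append("helo-does-not-resolve-to-client")
    return findings


# Constructed DNS data standing in for a resolver (documentation address ranges).
PTR = {
    "192.0.2.25": ["mail.example.org."],
    "203.0.113.9": ["host9.dyn.example.net."],
    "203.0.113.50": ["mx.example.com."],
}
A = {
    "mail.example.org": ["192.0.2.25"],
    "host9.dyn.example.net": ["203.0.113.9"],
    "mx.example.com": ["198.51.100.200"],   # forward record points somewhere else
}


def ptr_lookup(ip):
    return PTR.get(ip, [])


def addr_lookup(name):
    return A.get(name, [])


if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "mail.example.org"), ("203.0.113.77", "localhost"),
                     ("203.0.113.50", "203.0.113.50"), ("203.0.113.9", "mail.example.org")]:
        print(ip, helo, check_client(ip, helo, ptr_lookup, addr_lookup) or "ok")
```

The last finding is the weakest signal: RFC 5321 section 4.1.4 says a server must not refuse mail solely because the HELO name fails to verify against the client address, so it is better used for scoring than for outright rejection.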

Re:No, I strongly disagree... (1)

kchrist (938224) | more than 7 years ago | (#18919097)

Well, first of all, congratulations on being responsible. Unfortunately, most people don't have the technical knowledge to be. That said, you shouldn't be running a mail server on a dynamic IP address anyway and if you are, you should smarthost your mail through a server that doesn't have one (eg, your ISP, a VPS somewhere, etc).

> Finally, it should be obvious that port blocking, refusing acceptance of smtp connections originating from dynamic IPs, etc. simply hasn't been effective against spam.

I disagree. I used to work in the abuse department of a major US ISP and outbound port 25 filtering had an immediate and dramatic effect on the amount of spam that was going out via off-network open relays and allowed us to more efficiently track down the spammers that were using our own servers.

I'm sorry if this upsets you, but the benefit we (and by extension, the internet community as a whole) gained from this far outweighed the inconvenience to a tiny percentage of our customers who wouldn't work with it.

Re:No, I strongly disagree... (0)

msauve (701917) | more than 7 years ago | (#18919441)

> I used to work in the abuse department of a major US ISP and outbound port 25 filtering had an immediate and dramatic effect on the amount of spam that was going out via off-network open relays
Proof that major ISPs don't have a clue. If, instead of blocking port 25, you simply shut down the users generating the spam, the exact same results would be achieved without affecting legitimate users.

Your claim you know that it was spam being blocked simply proves that that ISP had no desire to stop the source of spam - you knew it was spam, you knew the source, and instead of excising the cancer, you killed the patient. Instead of stopping the botnets, you merely blocked a single use for them, and left them in place to abuse the Internet in other ways. How irresponsible of you.

How about the legitimate email you were then blocking? Did you offer discounts and/or refunds to those users, who were no longer getting full Internet service?

Re:No, I strongly disagree... (3, Interesting)

kchrist (938224) | more than 7 years ago | (#18920131)

You obviously have no idea what the reality of this is like but I'll try anyway.

We absolutely did shut down the users sending the spam, but the largest offenders didn't care, because they weren't legitimate customers; they were large-scale spammers creating literally dozens of spam accounts daily, using stolen credit cards. Surely you've heard the expression "whack-a-mole"? That's what we were playing and the deck is stacked against us in a situation like this. These particular spammers were almost exclusively using overseas open relays to send spam from these fraudulent dialup accounts and implementing port 25 filtering got them almost entirely off our network in one fell swoop.

Once we reduced the load of that particular problem we were able to go after the smaller spammers, the ones spamming through our own mail servers. These were much easier to catch and we terminated the accounts on sight. We also charged a $200 "clean up" fee, but again, spamming and credit card fraud go hand-in-hand, so this had little effect as a deterrent.

We implemented port 25 filtering somewhere around 2000 or 2001. This was before the rise of the spam botnets we see today. Spam proxies are hard problems to solve because the vast majority of end users out there simply aren't able to understand what's happening, yet they are the ones who have to deal with it. Nonetheless, we gave them one warning, accompanied by loads of information on what software to download/buy or who to hire to fix the problem, and then terminated the accounts if they didn't fix it.

Tell me again how we left anyone alone to abuse the internet?

You're also talking about two different things here, I think. Outbound port 25 filtering does not result in mail being blocked. Anyone unable to send legitimate mail through other mail servers was given the available options: use our outbound mail servers or use the mail submission port (587) on their other server. Either of these are trivial and no mail was prevented from going out, ever.

If you're talking about blocking mail originating on dynamic IP address ranges, this is an entirely separate and unrelated thing. This can result in non-delivery of legit mail (obviously) but the senders got a helpful bounce telling them what the problem was. And again, mail servers running on dynamic IP addresses should smarthost their mail through another server. Problem solved.

I'm sorry if either of these things upsets your utopian vision of a free, wide open internet, but the reality is that there are very serious problems that cannot be dealt with without taking what may look to you like extreme measures. We had a small number of customers like you -- people who absolutely rejected the trivial changes required to work with our new policies -- and a business decision was made that we can't make 100% of the people happy 100% of the time, and we were ok with that. We had a far greater number of customers who made the changes they needed to, and then never thought of it again because in the end, it really wasn't a big deal to most people.

Re:Dont bother - they're in on the racket (1)

TheSkyIsPurple (901118) | more than 7 years ago | (#18920545)

> That may have been back when you worked there, but it's quite obvious that it's not the case now.

You just say they don't do the blocking... you don't assert in any fashion how they benefit from it.
There's a vast difference between an ISP who can't be bothered to block traffic, and one who is in collusion with the spammers.

I personally hate that my ISP blocks port 25 outbound. I wish they did something more intelligent like tracking spam complaints back to the subscriber and blocking port 25 for those subscribers, or issuing a warning or something...

Re:Dont bother - they're in on the racket (1)

tapehands (943962) | more than 7 years ago | (#18921263)

At the Large Corporate ISP of Doom that I work at, we actually do enforce the AUP, and I regularly get calls from Granny-I-Don't-Know-How-To-Right-Click saying (in a not-so-concise manner), "Your level 1 rep told me something about my computer has a virus and was sending out spam? But I only play Pogo! How could I get a virus?!"

I then need to go through the whole song and dance about "Yes, I understand you've not got the slightest idea on how to operate a computer. No, I'm not going to sit with you for an hour while you try to figure out what a virus is. Yes, you should power off or unhook your computer until you can get it fixed. No, don't unhook your modem because -click!- ...that's what gives you a dial tone through the Digital Phone service...."

Re:Dont bother - they're in on the racket (1)

stevey (64018) | more than 7 years ago | (#18920361)

Seconded.

I don't work for an ISP, just a small hosting company. But we respond to each and every incoming SPAM/abuse report. It eats up valuable time, but ignoring it just isn't something we should do.

Re:Dont bother - they're in on the racket (1)

dagoalieman (198402) | more than 7 years ago | (#18917019)

Interesting.. not that many comments, and three responses saying "I'm a decent sized ISP employee, and while we don't respond, we at least look into each complaint." I can only hope so.

While reading over this article and thinking, I came up with another interesting idea. I have recently registered a domain which I'm sure is ripe for joe jobs [wikipedia.org]. It is basically a private image hosting service. Flickr-esque in nature, but... just for my friends to upload, world to see.

Because of this privilege, and other semi-obvious reasons, I don't want anyone with an account on my domain sending an email with a jpg attachment. Why can't we set up an anti-spam utility which says "ok, the from: address is this domain. This domain uses ____ rules. This email [does|does not] follow the rules" and flag appropriately. If I had an email from my domain with a jpg attachment, it's obviously spam. Other similar rules applied appropriately could help filter spam.

Side note.. in the new discussion system, where is the respond to article button, instead of reply to post??? I gotta be missing something obvious here...

Re:Dont bother - they're in on the racket (1)

MollyB (162595) | more than 7 years ago | (#18917547)

If you look at the new doo-hickey at the top of the comments (where you can move sliders for full, abbreviated, and hidden message preference) you'll see a low contrast (blue on gray on my plain vanilla Firefox/Ubuntu setup) menu. Reply (to article) is on the far right side. HTH.

Re:Dont bother - they're in on the racket (1)

skyebluebill (854766) | more than 7 years ago | (#18925135)

Completely unrelated but can you post a link to the "Navajo and the snake" tale??

omg second post (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18916663)

do i fail it!?

Yes (4, Informative)

YGingras (605709) | more than 7 years ago | (#18916697)

... but it's rarely worth the effort. Just report to your favorite real time block list and we'll thank you.

Re:Yes (1, Interesting)

Varun Soundararajan (744929) | more than 7 years ago | (#18916845)

One big reason these days ISPs don't look seriously much into such "tip" about spammers is that, they end up troubling naive users. Remember for the past 5-6 years, spammers use Spam Bot to send spams. The international rates for an ad ware/spy ware victim computer is even $10 (ie., you can command a computer to send spam for $10). If you are an average Joe six pack, I'm sure you would have been attacked by spy ware several times. Your system in most such cases would be a spam transmitter, doing the rudimentary job of sending spam, attacking other vulnerable computers..yada yada...

Re:Yes (2, Interesting)

walt-sjc (145127) | more than 7 years ago | (#18917599)

Simple. Pass a law that says that those people are "a danger to national security" and REQUIRE that ISPs take them offline until the problem has been corrected. If they are running a spambot, most likely they are also on someone's DDOS / portscanning network too. Allow (require?) the ISP to charge a service fee for reconnection and verification that their machine is no longer vulnerable (penetration testing.)


Too Many Electrons (4, Funny)

slarrg (931336) | more than 7 years ago | (#18917195)

Every time a spammer sends an email to your computer its electrons collect in your inbox. If you don't send another email out those electrons will build up and short out your machine. Send a report, containing these electrons, to the ISP so they can properly purge the excess electrons and allow other internet users to use them.

Re:Too Many Electrons (1)

YGingras (605709) | more than 7 years ago | (#18917247)

I usually keep a few torrent seeds up just to be sure that I use all those excess electrons. Why upload boring emails when you can upload pr0n^W ubuntu isos?

I might report, if my ISP would let me... (1)

msauve (701917) | more than 7 years ago | (#18917569)

the clueless admins at Charter have their outbound spam filters set so it is next to impossible to report spam. When attempting to forward a spam to the originating ISP, Charter will bounce it back as if the report itself were spam. Even trying to forward the bounced report to Charter results in a bounce. A direct email resulted in no response. Of course, since Charter also blocks outbound port 25 (smtp), I have no choice but to send through their misconfigured relay agent.

Re:I might report, if my ISP would let me... (1)

tepples (727027) | more than 7 years ago | (#18918423)

> When attempting to forward a spam to the originating ISP, Charter will bounce it back as if the report itself were spam. Even trying to forward the bounced report to Charter results in a bounce.

Have you tried putting the .eml files in a zip file, uploading the zip file to web hosting, and reporting the spam by sending the URL of the zip file?

Re:I might report, if my ISP would let me... (0)

Anonymous Coward | more than 7 years ago | (#18921205)

> Charter also blocks outbound port 25

Wow, could have fooled me! I get a ton of spam from Charter IP addresses -- from lots of different cities. They must be inconsistent in how they are blocking their customers.

Reporting helps, keep doing it (4, Interesting)

TheSkyIsPurple (901118) | more than 7 years ago | (#18916759)

I've worked for a very large ISP, and we never responded to them, but we took action on every single report.

Often, just counting against a mailhost for eventual blockage and upline reporting... but it helped block spam from other people (and more spam to yourself) at the least.

Re:Reporting helps, keep doing it (1)

killa62 (828317) | more than 7 years ago | (#18916855)

Smaller ISPs take action also.
I was running an open proxy and forgot to turn off SMTP.

They sent me an email a day later:

Greetings,

We have recently received a report of unsolicited emails originating from your Speakeasy circuit, which is in
violation of our Acceptable Use Policy. The computer in question is at the following IP address:

xxx.xxx.xxx.xxx

A copy of the original spam is included at the bottom of this mail.

Due to the subject and content of these unsolicited emails, we believe the computer at this IP address has been
exploited via an open proxy. An open proxy allows anyone on the Internet to access your broadband connection,
which enables them to mass distribute spam, eluding detection.

This open proxy can result in the blacklisting of portions of Speakeasy's network by various organizations,
adversely impacting the ability of other Speakeasy members to send legitimate emails.

It is vital for the security of your personal network and the Speakeasy network as a whole that you address this
issue immediately. If we continue to receive similar reports about your circuit, we will be forced to temporarily
suspend your broadband service until you have had time to resolve this issue. Please understand that we consider
an interruption in your service only when it is absolutely required to ensure both your security, and the overall
security of the entire Speakeasy network.

Included below is step-by-step information on how to secure your computer and network, along with How-To's on
securing open proxies, securing formmail, general network security and wireless network security.

PLEASE ALSO NOTE:
There will be an open Service Ticket on your account. To ensure that your service is not interrupted, it is
important that you update us once you have resolved this issue. Please call Speakeasy Support at 800.556.5829 or
login to MySpeakeasy (http://www.speakeasy.net/myspeak) and update the open Service Ticket referencing this issue.

We thank you for taking the time to address these Internet security concerns.

Network Security Department
Speakeasy, Inc.
abuse@speakeasy.net

- Speakeasy AUP/TOS
http://www.speakeasy.net/tos [speakeasy.net]

Re:Reporting helps, keep doing it (1)

Reaperducer (871695) | more than 7 years ago | (#18920353)

I had an ISP in Texas (EV1, I think) tell me that they were taking action on my report, but due to privacy concerns they couldn't tell me what action was being taken.

yep (3, Insightful)

gregm (61553) | more than 7 years ago | (#18916767)

If nothing else just report the spammers to irritate your ISP. If enough of us eat up our ISP's time complaining, those spammer clients of theirs will seem less valuable. Also as was said before, please for the love of god report them to the block lists.

Re:yep (3, Insightful)

Secrity (742221) | more than 7 years ago | (#18917237)

PROPERLY reporting spam to the PROPER ISP is not a problem and is productive. The problems are when idiots report spam to the wrong ISP and when abusive comments are added to spam reports. For spam email it is only necessary to forward the spam email with FULL headers, and with a SHORT explanation (such as "abc.com is on your network") if the headers do not indicate why the report is being sent to a particular ISP.

I provided tier 3 abuse support to a large ISP and set up the abuse desk for the now defunct dialup offering of the ISP, my advice to the abuse desk people was to shitcan any abuse report that contained abusive comments added by the person reporting the spam. Adding abusive comments is not reporting abuse, it IS abuse.

Re:yep (1)

Reaperducer (871695) | more than 7 years ago | (#18920585)

> I ... set up the abuse desk for the now defunct dialup offering of the ISP

Followed by

> my advice to the abuse desk people was to shitcan any abuse report

Cause and effect?

Re:yep (1)

Secrity (742221) | more than 7 years ago | (#18921143)

Your quote is taken out of context. Actually, no; it has to do with the fact that broadband has taken over the former dialup market. BTW, the ISP DOES take spam reports very seriously, as long as the sender isn't abusive in the reporting.

Re:yep (1)

RealGrouchy (943109) | more than 7 years ago | (#18918211)

> If enough of us eat up our ISP's time complaining, those spammer clients of theirs will seem less valuable.

...unless they use more powerful tools internally to filter out spam complaints.

- RG>

Telephone call (0)

Anonymous Coward | more than 7 years ago | (#18916775)

Call your ISP and ask them directly if there is any point in this.

Definitely report if you have clue (3, Insightful)

Peter Cooper (660482) | more than 7 years ago | (#18916789)

The sad thing is that most people who report spam are the idiots of the Internet who don't understand things like joe-jobbing, etc, and assume that because it says "jkrwejkrweq@yourdomain.com" in the From field, it's not necessarily anything to do with "yourdomain.com". SPF is, supposedly, a solution to this but the penetration seems pretty low. Certainly in my experience it's not usually Hotmail or Gmail customers who send the all-caps "STOP SENDING ME E-MAIL" to joe-job victims, but people on various .com domain names most likely hosted at hundreds of different budget web hosts who have poor anti-spam tools (or none at all).

Re:Definitely report if you have clue (1)

TheSkyIsPurple (901118) | more than 7 years ago | (#18916833)

> The sad thing is that most people who report spam are the idiots of the Internet who don't understand things like joe-jobbing, etc

How is this a sad thing?

As long as the reports go to someone who is smart enough to understand those things, the reports can help.

The only downside I can think of is that they may believe that AOL is actually sending out these messages, and AOL is a bad company to deal with... I can see how that's sad for AOL, but I didn't realize there were a lot of AOL supporters on slashdot =-) (or earthlink, or msn, or whoever...)

Re:Definitely report if you have clue (3, Informative)

Mister J (113414) | more than 7 years ago | (#18917227)

> As long as the reports go to someone who is smart enough to understand those things, the reports can help.

If they go to the wrong person, all that serves to do is annoy someone who has absolutely nothing to do with the spam and can't do anything to fix it. Such emails are usually the most inflammatory, so hackles are already up before you waste time verifying that the original spam was indeed nothing to do with us. Plus, like the boy who cried wolf, every one of these makes you that little bit less inclined to care about the real spam reports that come in. Oh, and forget replying to such messages - I learned long ago that "It's nothing to do with us" is rarely an answer they're interested in hearing, no matter how politely you put it and how detailed your explanation of "this is why and here's who's really responsible" is.

Re:Definitely report if you have clue (0)

Anonymous Coward | more than 7 years ago | (#18917733)

You are blindly assuming that reports are always sent to the abuse handler associated with the (possibly faked) sender address.

I only send abuse messages to the abuse desk of the owner of the netblock from where the SMTP connection came. So, when some DSL is sending me mail "from hotmail", the abuse is going to the DSL ISP, not to hotmail. Only exception: when I get 419 spam, abuse messages go to the abuse desks of the mail addresses mentioned for reply (in the message body) as well.

However, some providers, most notably Microsoft Hotmail, have bots scanning your abuse message that completely fail at analyzing the report.
When a mail message is sent via their servers (possible, because they also provide personal domain registration and service) and you complain to their abusedesk, you just get an autoreply saying "it isn't hotmail so it isn't us". Now THAT I call frustrating.

Re:Definitely report if you have clue (1)

paitre (32242) | more than 7 years ago | (#18919619)

Exactly.
When I ran the abuse desk at Alabanza (google it, I did my job, and the community loves me to this day for it), abusive complaints ("Why the fuck won't you do anything about your fucking spammers?!") were automatically round-filed. POLITE complaints received action.

I very rarely personally replied to a complainant. Usually the ones I -did- reply to were people I either knew, or who were common complainants that I saw a couple from a day. Everyone got my auto-responder. I also posted in NANAE, and participated in a number of related mailing lists. The fact of the matter is, the volume of complaints at most ISPs really IS far too high for responses to be made any more than a small percentage of them.

Re:Definitely report if you have clue (1)

Deorus (811828) | more than 7 years ago | (#18918853)

> SPF is, supposedly, a solution to this but the penetration seems pretty low.

SPF is part of Microsoft's SenderID patent and its license is incompatible with the GPL [imc.org], therefore I will personally never republish an SPF record again.

Re:Definitely report if you have clue (0)

Anonymous Coward | more than 7 years ago | (#18920027)

Your own link states that your assertion is incorrect. Only the Microsoft implementation is under restrictions making it Non-Free.

Use OpenSPF [openspf.org] in order to remain unencumbered.

Re:Definitely report if you have clue (1)

Deorus (811828) | more than 7 years ago | (#18921157)

> Your own link states that your assertion is incorrect. Only the Microsoft implementation is under restrictions making it Non-Free.

No it's not. The MARID working group was terminated precisely because of Microsoft's SenderID patent [linuxelectrons.com]. The fact that they have such a patent basically means that they can sue anyone who develops SPF-aware software in the US.

3) On the issue of ignoring patent claims, the working group has at least rough consensus that the patent claims should not be ignored. Additionally, there is at least rough consensus that the participants of the working group cannot accurately describe the specific claims of the patent application. This stems from the fact that the patent application is not publicly available. Given this, it is the opinion of the co-chairs that MARID should not undertake work on alternate algorithms reasonably thought to be covered by the patent application. We do feel that future changes regarding the patent claim or its associated license could significantly change the consensus of the working group, and at such a time it would be appropriate to consider new work of this type.


And if the above isn't enough to convince you, here's another link with the Apache Software Foundation's position [apache.org] published at the MARID working group's mailing list.

This is why most free software MTAs developed in the US require third party modules or patches to be SPF-aware.

Wrong wrong wrong-tiddly-ong (1)

richi (74551) | more than 7 years ago | (#18925495)

Nope. The "Sender ID" patent covers the PRA algorithm, not SPF-classic. Yes, you should be aware that some recipients filter based on PRA (e.g. Hotmail/Live), but no Microsoft IP is infringed by publishing SPF records or filtering based on such records.

Simplistically, MARID died because it tried to achieve "broad consensus" amongst people who were OK with the PRA IP and those that weren't. Neither side could persuade the other to back down.

Re:Definitely report if you have clue (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18921093)

Then you have Gmail, which doesn't bother to include an originating IP address for the e-mail which comes out of its depths. How is a discerning netizen supposed to properly investigate when the one piece of originating information is no longer included? Even spam which hops through several intermediate pwn'd machines can at least be tracked back to the closest pwned system by looking at the IP addresses.

The post office doesn't place a generic zip code stamp over return addresses--why does Gmail?

why? (1)

El Lobo (994537) | more than 7 years ago | (#18916885)

Very often the spammers don't even know that they are spamming... So, no. It won't help.

Re:why? (0)

Anonymous Coward | more than 7 years ago | (#18917171)

Of course the idea is that the abuse report will eventually result in the spammer knowing that they are spamming (i.e. the naive user at home running a Windows PC on an always-on Internet connection without ever applying updates and without any virus scanner and firewall).
They should receive a notice to comply within 48 hours or else face disconnection until they do.

When this would actually be done on a large scale, the topic would receive more attention in the media and more people would be making sure their system is clean without being reprimanded.

Please continue! (4, Informative)

J. T. MacLeod (111094) | more than 7 years ago | (#18916891)

I work for a regional ISP.

We frequently receive notifications of spam email as well as virus-laden email that has originated from our network. We only respond to the sender if they request that we do (and even then, if it's not necessary and the request isn't polite, we may not).

That means we almost never send a reply to the person who notified us. However, we DO take care of every single notification we receive. If we aren't able to immediately contact the customer and fix the issue (generally a home user with a virus doing the spamming), then we either shut off their service or, more frequently, block outgoing connections from their IP to port 25 anywhere.

Please don't let the silence discourage you. We're hard at work and appreciate the notices that help us keep our networks and services running smoothly for our customers.

Re:Please continue! (2, Insightful)

mqduck (232646) | more than 7 years ago | (#18917677)

> Please don't let the silence discourage you. We're hard at work and appreciate the notices that help us keep our networks and services running smoothly for our customers.


Here's a thought: Might giving some sort of reply, even a thank-you form letter, not keep people like Mr. marko_ramius from being discouraged? Maybe that's something you and your ilk should consider.

(P.S. there was no hostility in the above)

It may be a policy matter (1)

arivanov (12034) | more than 7 years ago | (#18916937)

Many ISPs have a policy not to notify you what they have done and some are not allowed by law (data protection and privacy legislations). So the lack of response does not mean a thing. Personally I would have preferred that all hook it up into their ticketing system so users get a reply, but some of them still run ticketing on primitive crap that does not have an Email interface (like one well known "best ISP for 200X" in the UK).

Not at all! (4, Interesting)

VincenzoRomano (881055) | more than 7 years ago | (#18917003)

Spammers run their own MTA or MTAs other than those by the ISP.
Provided that there is clear proof (and not just someone's report) that a customer is a spammer, they would have two options:
1. filter out their outgoing SMTP traffic or
2. shut down the link

Spammers then would probably change ISP in a snap.
The real (technical) point should be: why do spammers exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation."
Maybe it's important to look at problems from the correct perspective.

Re:Not at all! (1)

Kjella (173770) | more than 7 years ago | (#18917463)

> The real (technical) point should be: why spammers do exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation." Maybe it's important to look at problems from the correct perspective.

Well, it might be part of a solution but it's nowhere near it. Even if I had perfect verification that this was sent from $foo LLC., Pacific Islands somewhere, what good would it do? Taking them to the local court would do exactly nothing, whereas any loser with a credit card can send them money from here. Remember that even if you fixed that perfectly, the only thing you'd get is their latest fly-by-night shell company.

Re:Not at all! (0)

Anonymous Coward | more than 7 years ago | (#18918157)

> Remember that even if you fixed that perfectly, the only thing you'd get is their latest fly-by-night shell company

.. at which point the RBL knows exactly what to block without collateral damage.
Zombies are more likely than shell companies for that reason. (What good would it do you to know that someone's residential DSL line is pumping out spam by the millions?)

Re:Not at all! (1)

walt-sjc (145127) | more than 7 years ago | (#18917647)

> because SMTP has not been designed to cope with authentication and authorization.

That is true, which is why back in 1998 they came up with the MSA port (RFC 2476.) There is no need for ANY MUA to use port 25 anymore. ISPs should be blocking port 25 for everyone except mail servers or others that have used the ISP's tool to request that port 25 be open for outbound.

Re:Not at all! (2, Interesting)

tepples (727027) | more than 7 years ago | (#18918759)

> There is no need for ANY MUA to use port 25 anymore. ISPs should be blocking port 25 for everyone except mail servers or others that have used the ISP's tool to request that port 25 be open for outbound.

So what should a residential user do if the only ISP in town that offers anywhere near the bandwidth he wants (that is, it's this or dial-up) has an unreliable MSA? Should all customers in that town have to subscribe both to Internet access (with a bundled unreliable MSA) and a third-party smarthost?

Zombies (0)

Anonymous Coward | more than 7 years ago | (#18917705)

Posting as AC as I'll quickly become -1 Troll.

(Ehem)
Is AOL still around? I'm surprised there's even an AOL to attack.

Re:Zombies (1)

Kynmore (861364) | more than 7 years ago | (#18918303)

Amazingly enough, they're still around. And free! Provide your own connection, and use AOL for free. They finally moved from being a connection provider to a content provider. They still offer dial-up for $10/mo, which isn't bad. Smart move on their part.

Yes (1)

crossmr (957846) | more than 7 years ago | (#18918315)

My friend works for a local ISP here in town. He was telling me about their system, which will automatically shut people down. If they send a certain number of e-mails in a certain period, a flag goes on their account and their access to the mail server is blocked for 24 hours (the first time).
When their access is restored, if it continues to happen they get longer and longer blocks. He told me a story about a woman who called in who just didn't seem to understand this concept and her access was currently being blocked for something like 2 weeks, which was one of the longest blocks he'd seen.

Re:Yes (1)

WGR (32993) | more than 7 years ago | (#18921527)

So you are the kind of ISP that prevents people from creating an email list for their Little League team. What you describe is deliberate crippling of service for your customers because you are too lazy to find out if the messages sent are legitimate or not.

Re:Yes (1)

crossmr (957846) | more than 7 years ago | (#18921873)

I don't work for, or use the ISP.
Nor do I know what the exact threshold for triggering this system is, nor is my friend likely allowed to tell me; he did describe it as taking "quite a bit".
I doubt this triggers at 50 or 100 e-mails. His description indicated it was something like 1000, and people can contact the ISP if they need to legitimately send more than that at once to have an exception made in their file.
The vast majority of people out there don't need to regularly fire off 1000 e-mails every day.

Next time read a post thoroughly before shifting your knee to jerk.

Re:Yes (1)

dman123 (115218) | more than 7 years ago | (#18922687)

Speaking as one of those "Little League" list admins, I sent out 4 emails at 80 people a pop, then some others to smaller lists of people, then got banned for 24 hours because of a (previously unknown) cap at 400. In addition to this, I do have a transmit limit of x GB/month, but that's fairly high. So yes, WGR's knee may have blamed the wrong person (you, instead of your friend), but it was not a jerk. Your story about a limit was surely for recipients, not emails... Yes, 400 emails is on the excessive side; 400 recipients is not excessive at all.

Calling an ISP that is staffed by more than one helpdesk grunt means that they won't give a crap. It's the ISPs that are small enough that they only need one person that you have a chance to appeal to.

Re:Yes (1)

crossmr (957846) | more than 7 years ago | (#18923011)

He specifically told me that customers can have exceptions put on their accounts if it's for legitimate use, they just have to call the ISP and tell them.
Why?
Because in this case the lady wasn't sending legitimate e-mails and it did exactly what it was supposed to. Her computer had become part of a spam sending bot-net through her own ignorance, she only noticed some time later when she went to send an e-mail and was rejected. The average person probably only sends at most a few dozen e-mails a day (under 100). Given that ISPs can't rely on people to protect their machines, I'd rather have people have to call in once and say "hey I need to send X e-mails at once", than have even more compromised machines out there sending spam.

Re:Yes (0)

Anonymous Coward | more than 7 years ago | (#18922661)

At one small-town ISP I formerly worked at, we did just that, with a relatively low number (25 recipients or so per half-hour, with the block getting 5 minutes longer for every further attempt to send mail after the user was already blocked).

99% of users didn't bother - for the ones that did call, support asked them why they needed to send that many mails - if they were forwarding chain letters and hoaxes and the like, they were lectured. If they were running a legitimate mailing list, and it wasn't for a business or the like - church groups, little league, etc, we tried to get them set up onto a proper list server -- without charge.
If it was for a business, we reminded them of their terms of services, and offered them a business account ($10/month extra), which came with perks including a mailing list, email for their domain, and the option of a mailing list. Either way, the customer was happy, and we only had to go a little bit out of our way. Of course, the mailing list we gave them in either case enforced a confirmed opt-in policy :)

On the odd chance that someone could provide a reasonable level of explanation for why they needed to send that many mails, and why a mailing list wouldn't solve the issue, we relaxed the limits for that user, provided they'd been with us for more than a month or two. The limits were also disclosed upfront in the terms of service.

There was a little administrative overhead with this approach, but it stopped a lot of mass-mailing worms cold, we were better able to enforce responsible mailing practices, and we got the chance to lecture customers who really were abusing the service.
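The recipient-count throttle described in the comments above (a cap per half hour, a block that grows five minutes with every attempt made while blocked, and per-account exceptions), as an added example that is not part of the thread or any ISP's code. The length of the first block, the account names and the traffic are assumptions made for the illustration.

```python
from collections import deque

WINDOW = 30 * 60         # half-hour counting window, in seconds
LIMIT = 25               # recipients allowed per window by default
INITIAL_BLOCK = 30 * 60  # assumption: the thread does not give the first block length
EXTENSION = 5 * 60       # added to the block for every attempt made while blocked


class OutboundLimiter:
    """Per-account throttle that counts recipients, not messages."""

    def __init__(self, limit=LIMIT, window=WINDOW,
                 initial_block=INITIAL_BLOCK, extension=EXTENSION):
        self.limit, self.window = limit, window
        self.initial_block, self.extension = initial_block, extension
        self.overrides = {}      # account -> raised limit granted by support
        self.history = {}        # account -> deque of (timestamp, recipients)
        self.blocked_until = {}  # account -> time the block ends

    def set_limit(self, account, limit):
        """Record an exception, e.g. for a confirmed mailing-list owner."""
        self.overrides[account] = limit

    def submit(self, account, recipients, now):
        """Return (accepted, blocked_until) for one message at time `now`."""
        until = self.blocked_until.get(account, 0)
        if now < until:
            # A retry while blocked lengthens the block: a bot that keeps
            # hammering the relay stays locked out, a human who waits does not.
            until += self.extension
            self.blocked_until[account] = until
            return False, until

        sent = self.history.setdefault(account, deque())
        while sent and sent[0][0] <= now - self.window:
            sent.popleft()  # forget deliveries older than the window
        used = sum(count for _, count in sent)

        if used + recipients > self.overrides.get(account, self.limit):
            until = now + self.initial_block
            self.blocked_until[account] = until
            return False, until

        sent.append((now, recipients))
        return True, None


def replay(limiter, events):
    """Feed (time, account, recipients) tuples through the limiter in order."""
    return [limiter.submit(account, rcpts, t) for t, account, rcpts in events]


# Constructed traffic: an infected machine sending one-recipient mail every
# second, then retrying while blocked, then retrying after the block ends.
BOT = ([(t, "dsl-user", 1) for t in range(26)]
       + [(30, "dsl-user", 1), (2125, "dsl-user", 1)])

# Constructed traffic: four list mailings of 80 recipients each.
LEAGUE = [(t, "league-list", 80) for t in (0, 60, 120, 180)]

if __name__ == "__main__":
    print(replay(OutboundLimiter(), BOT)[24:])
    exempt = OutboundLimiter()
    exempt.set_limit("league-list", 400)
    print(replay(exempt, LEAGUE))
```

Because the counter is in recipients, a single 80-address list mailing trips the default cap just as 26 one-address messages do, which is the distinction the list admin above draws.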

Yes, it absolutely helps (1)

pathological liar (659969) | more than 7 years ago | (#18918379)

I work for a small national ISP. We always take action on spam reports (we hate spam as much as you do, probably more...), but almost never respond to the people who make the reports. There are only two of us, and we're very busy -- and I doubt the people who are complaining about no response are going to look any more favorably on an automatic response.

Please though, keep reporting. It helps us weed out the spammers we haven't caught by other means.

Sometimes we just don't get enough information to take action though. If you're going to report spam, send in a copy of the ENTIRE email (useless without headers...), and make sure the timestamps are correct. If your clock is wrong, I'll do my best to figure it out, but I can't promise anything.

Re:Yes, it absolutely helps (1)

AlHunt (982887) | more than 7 years ago | (#18918495)

>and I doubt the people who are complaining about no response are going to look any more favorably on an automatic response.

Sure they would - at least it's an acknowledgment. Send the auto reply.

Personally, I use a whitelisted acct for people I really want to hear from. The rest I let yahoo or hotmail filter out the spam and change the address if it starts to get spammy.

Re:Yes, it absolutely helps (1)

pathological liar (659969) | more than 7 years ago | (#18918605)

It's not an acknowledgement, is no more of an automatic response than the lack of a bounce message. There's no indication or guarantee that anyone actually looked at the email.

I appreciate the reports, I just don't have time to thank and follow up with everyone who does it.

Actual (good) response from ISP Sympatico today (1)

WGR (32993) | more than 7 years ago | (#18922121)



Greetings,

The situation you have brought to our attention has been investigated
and treated by a member of our staff. We have enforced our
AUP(Acceptable Use Policy) against the offending account.

Sympatico always enforces a strong anti-abuse policy; customers who
abuse the network risk having their service terminated. Should you
encounter any Internet Abuse originating within the Sympatico network,
please do not hesitate to contact us again at abuse@sympatico.ca.

Regards,

Steve
Internet Security Analyst
Bell Internet Management Services
http://security.sympatico.ca/ [sympatico.ca]
abuse@sympatico.ca

Original Message Follows:

Dear Sirs,

Please view the attached unsolicited e-mail received on Wed,
25 Apr 2007 14:57:02 -0400, apparently coming from IP 74.12.79.139
(bas1-toronto02-1242320779.dsl.bell.ca), inside a network owned by you.
Please check it out, and handle your user according to your TOS/AUP.
Thank you.

Comcast does not care even when it uses their name (0)

Anonymous Coward | more than 7 years ago | (#18918395)

I usually get a response, saying if it is not from a Comcast account they will do nothing. Odd since many times I am reporting scams to get Comcast account holders to reveal passwords, etc. I have had more luck with eBay and sometimes AOL where I do not have accounts. The banks are the worst case, since there is no easy way to contact them from easily found addresses.

Keep reporting (2, Informative)

azander (786903) | more than 7 years ago | (#18918557)

Greetings,
    Please keep reporting. I handle the abuse complaints for a regional ISP. We have never had an actual spammer on our network, but the reports have helped us clean up some very badly infested machines of our users. Since I receive about 50 of these complaints a week, with maybe 1 in 1000 being from our IP space, I have to agree that it is frustrating when people report to me, but the only mention of my IP or domain space is an obviously forged header. At least it is obvious to anyone who can read email headers. I will not respond to any report unless specifically asked, and even then it will be a short reply stating that it has either been dealt with, it is not our user, or that it is under investigation. No details are ever given out due to privacy.

    We do not (yet) block port 25 by default, however we do rate restrict it, and monitor usage on a per-IP basis. We have been in business for over 13 years and due to that, management is not happy with having to contact our customers to get them to update their email client settings. We are setting up all new clients to use SMTP authentication and all helpdesk tickets dealing with email get them switched over as well. We figure that in another 1 maybe 1.5 years we will have everyone switched over and then we can block all port 25 access without causing too much disruption (Management's biggest fear).

Please Report Spam (2, Informative)

giafly (926567) | more than 7 years ago | (#18918579)

Does the spam look legitimate?
  • Yes - please report it. I work for a large email company and we always act on spam complaints, to ourselves or to our ISP. I hate spammers too, because they are not why we wrote the system and they cost us money, so we'll kick them out.
  • No - e.g. image spam - why bother? It's probably from an illegal botnet, criminals are not noted for customer service, and any server will be on a short-term contract.

Re:Please Report Spam (1)

WGR (32993) | more than 7 years ago | (#18921213)

There is a sourceforge project called spam-abuse [sourceforge.net] that analyzes spam to find the abuse address of the ISP that is on the Received line just before your MTA. It then composes a polite request to the ISP about the spam and sends the request plus the email source to the ISP.

I have been using it for about a year to complain about most of my spam and I get about a 10% response rate, with some ISPs much better than others. Smaller ISPs seem to be the best, since it really costs them in bandwidth, while the bigger ones most often send a canned response.

But today, I got a real response message from Sympatico, the biggest Canadian DSL broadband supplier, thanking me for the message and actually stating that they had investigated my complaint and acted on it.
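The point made in the comments above about forged headers and "the Received line just before your MTA", as an added example that is not part of any comment and is not the spam-abuse project's code: only the Received line written by your own server records a trustworthy connecting IP, and everything older is sender-supplied. The host names, the internal network and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample. mail/mbox.example.net stand in for "our" servers; the
# two oldest Received lines were supplied by the sender and cannot be verified.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [10.0.0.5])
\tby mbox.example.net with LMTP; Mon, 30 Apr 2007 10:00:03 +0000
Received: from smtp.victim-isp.example (unknown [203.0.113.77])
\tby mail.example.net with ESMTP; Mon, 30 Apr 2007 10:00:02 +0000
Received: from relay.innocent-isp.example ([198.51.100.9])
\tby smtp.victim-isp.example; Mon, 30 Apr 2007 09:59:00 +0000
Received: from localhost ([192.0.2.1]) by relay.innocent-isp.example;
\tMon, 30 Apr 2007 09:58:00 +0000
From: "Offers" <offers@innocent-isp.example>
Subject: constructed test message

body
"""

def handoff_ip(raw, own_hosts, own_nets):
    """Return (ip, untrusted): the address that connected to our MTA and the
    number of older Received lines that must not be used for reporting."""
    hops = email.message_from_string(raw).get_all("Received") or []
    nets = [ipaddress.ip_network(n) for n in own_nets]
    for i, hop in enumerate(hops):              # newest hop first
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in own_hosts:
            break                               # not written by us: stop trusting
        m = IP_RE.search(hop[:by.start()])      # look only in the "from" clause
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if any(ip in n for n in nets):
            continue                            # relay between our own servers
        return str(ip), len(hops) - i - 1
    return None, len(hops)

if __name__ == "__main__":
    print(handoff_ip(SAMPLE, {"mail.example.net", "mbox.example.net"}, ["10.0.0.0/8"]))
```

The abuse contact to look up is the one for the returned IP; the HELO name and the domains in the older lines are exactly the "obviously forged" material that sends reports to the wrong ISP.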

Spammers from The Planet (2, Interesting)

Tinfoil (109794) | more than 7 years ago | (#18918611)

About a year or two ago, I was having serious problems with comment spam, with hundreds a day coming from a single IP address. I banned the IP for 7 days and put various protection schemes in place to prevent further abuse. Once the 7 days was up, there were literally thousands of attempts, but now each one was stopped and logged in an easier to understand format. With this in hand, I looked up the address to find it originated from one of The Planet's customers. Even after sending reports with links to the logfiles, months (and tens of thousands of attempts to spam my comments) went by before I received any response whatsoever. That response was as a direct result of speaking to one of The Planet's higher profile customers who I've worked with in the past to try to get some help in the situation.

Only after doing an end-run around the abuse department did I see some *real* action taken on behalf of The Planet. Previously all they seem to have done was moved the customer to a different IP address, which would have been very counter-productive had I just kept blocking the original IP address.

Strength in numbers (1)

secolactico (519805) | more than 7 years ago | (#18918615)

By all means, send your complaint.

If enough people complain, they will take action. The "legitimate" ISPs at least (as opposed to the "bulletproof" ISP).

Include the ip address / spamvertized URL on the subject. Makes it easier for the poor lackey they have tasked with reading the abuse mail and opening tickets/reports/whatever.

Or use a service like spamcop or mynetwatchman (for portscanning attacks). Usually, the postmaster and abuse accounts are not filtered in any way so they get a HUGE amount of spam and it is easy for an email complaint from a random address to slip by unnoticed. But mail from predictable sources can be classified easily and acted upon.

Seldom useful ... try the registrars instead (0)

Anonymous Coward | more than 7 years ago | (#18919297)

I don't know your experience (obviously), but most of the spam I get comes by way of MTAs in foreign countries. I've reported the spam back to the registrars, who then usually respond with a form letter in a language that I cannot read. So I would say that the likelihood of anything being done is probably less than 10% in those cases. If you're lucky enough (?) that the spam you get comes by way of an MTA in a country that speaks English, then by all means, go for it.

However, I still say the fault lies with the domain registrars. Most of the spam I get comes on behalf of domains that are sold to a very short list of people, who themselves use a very short list of registrars. These registrars have to be aware of the fact that they are selling dozens, if not hundreds, of domains to these hooligans who then use said domains to scalp out (counterfeit) viagra and (pirated) software. Yet they continue to do this, because it continues to bring them money.

And at least the registrars are (in principle) obligated to follow a set of operational guidelines (as set by ICANN/internic). So if the registrars are keeping crap records, you can at least rat them out for doing so. ISPs usually report to nobody.

Please continue... (1)

jafo (11982) | more than 7 years ago | (#18920995)

I run a small ISP hosting mostly dedicated servers. These servers pretty much all expect to have the ability to send outbound e-mail. We monitor and maintain these servers pretty closely, but sometimes a mistake by a client allows a machine to be used for sending spam and doing remote SSH compromise attempts. Those are our two biggest problems.

For example, one client set up a "demo" account with an extremely easy to guess password. This was compromised by a remote SSH brute-force client, and the account was then used to run that same attack program. Another instance involved awstats. A year or two ago, attackers were searching google for "awstats $VERSION", looking for specific versions that were vulnerable. We had gone through our client machines a month or two earlier looking for installed versions of awstats that were vulnerable, but this client had installed a vulnerable version after we had done the sweep.

The biggest spam problem has been with web forms that aren't properly checking their input, and can then be used to send spam to a bunch of recipients.

We act on every one of the spam reports we get that does not come from AOL. Well, except for the spamcop ones that are so vague as to be useless. We're registered with both AOL and spamcop to get alerts about problems with our IP ranges. I'm just about ready to dump AOL, because something about the AOL user interface makes users report as spam messages almost interchangeably with "delete". We have clients who run legitimate e-mail lists, with double opt-in, so I'm assuming that users who start reporting these messages as spam simply are too lazy to unsubscribe from the list when they decide they no longer want to read it. Or perhaps they just are reporting messages on the list that they aren't interested in. The AOL reports produce so much noise that it's almost impossible to make use of.

But, at least the AOL reports include the full (nearly unchanged) messages that the user is reporting. Some of the spamcop reports are "We received 2 messages from this host to one of our spamtraps in the last 12 hours." Actually, they are quite a lot more terse than this. I realize why they're being vague, and this worries me, but what can I do about this sort of report? I can't even tell if the problem is originating from a list on this client's server (they host a lot of discussion lists about their mission) or if it came from an open web form. A mailing list means that somebody intentionally subscribed a list of addresses including a spamcop spamtrap, a violation of the AUP with us. A broken web form means that someone else is using the server to send spam, in a way we can shut down. Finally, it may be just a bounce message from some spam that was sent externally with the return address of this spamtrap.

I can't tell with that sort of report.

So, in short, these reports, if accurate, *ARE* acted upon by ISPs.

Sean

from a DomainKeys account I will (2, Informative)

DuctTape (101304) | more than 7 years ago | (#18922681)

I've been reporting the Yahoo! accounts that have DomainKeys verification since those are, in theory, legitimate and not forged. And a few days after I send the abuse report (include the full headers), I get a note saying that the TOS issue has been resolved.

I would guess that in the meantime that if the account has pumped out a few million spams, then the traffic would have put up flags, but if that hasn't shut them down, perhaps my email did. Hopefully. Otherwise that DomainKeys thingie will be meaningless. If it already isn't.

DT

What about spam@uce.gov ? (2, Interesting)

mbone (558574) | more than 7 years ago | (#18923651)

I forward spams to spam@uce.gov. I know that someone looks at at least some of these; does anyone know if it actually does any good?

Not really. (1)

edunbar93 (141167) | more than 7 years ago | (#18924367)

There's two reasons there's no reason to bother anymore.

#1: You probably have no clue where the e-mail actually originated. And even if you are educated enough to interpret the headers of your e-mail, #2 becomes the problem.
#2: These days, 99.9% of the IP addresses that send spam belong to retirees running Windows 98 on dialup connections who use less than 30 hours per month. As soon as I take the time to go through our dialup logs (or our ADSL logs) and track them down, I immediately recognize them (and/or their usage logs and tech support histories confirm it anyway) as being entirely harmless 3rd party victims. I send them a polite form e-mail about how their computer is infected with a virus, and to please go to free.grisoft.com to download a virus scanner. 98% of the time I never hear a response back, even if I know they check their e-mail on a regular basis. It remains the length and breadth of what I can do to fix the problem (If I had control over our ADSL network, I would have restricted outgoing SMTP to a few servers years ago).

Thank you (1)

argent (18001) | more than 7 years ago | (#18925875)

I'd like to thank all the folks at ISPs who've responded here.

I long since gave up reporting spammers, even ones who appeared to have a legitimate product (or one that would be legitimate if it wasn't spammed for), because the volume is just too high. I can't even afford the bandwidth to accept mail that's potentially spam: I drop connections from dialup addresses at HELO, and I have several countries blacklisted at that level.

The only spam I report any more is stuff that gets through my filters, doesn't seem to be sent from a botnet, *and* the product is something I'm potentially interested in. I won't buy from the spammer, and I take the effort to report them in an attempt to reduce the chance that the spammer will get a competitive advantage over legitimate businesses that I really care about. This may happen a couple of times a month, so it's not a great burden... and I wish I could do it more often.

I'm glad to hear that this might still have some impact.