Please create an account to participate in the Slashdot moderation system


Forgot your password?

A Day with an ISP Spam Investigator 167

scumbucket writes "Network World Fusion has an interesting article about an abuse investigator for ISP Earthlink and his job of tracking down spammers. It's nice to see that major ISP's are making an effort to shut spammers down and kick them off of their networks."
This discussion has been archived. No new comments can be posted.

A Day with an ISP Spam Investigator

Comments Filter:
  • A yawner (Score:5, Insightful)

    by SYFer ( 617415 ) <> on Saturday September 18, 2004 @09:28AM (#10284412) Homepage
    Not that interesting really. No specifics, not much technique. He calls offenders, cancels accounts, etc. Phishing is another department. He doesn't take action on pedophiles and refers them to cops.

    Where's the beef?

    • Re:A yawner (Score:5, Insightful)

      by Antique Geekmeister ( 740220 ) on Saturday September 18, 2004 @10:39AM (#10284612)
      Read it again. He "takes orders from the FBI", etc., regarding child pornography, he doesn't contact them.

      What the article describes is entirely re-active. In no way is it pro-active: pro-active costs money, and keeps the spammers from signing up in the first place to send the spam. This is typical Earthlink, whose focus is on making the weekly progress reports their departments favor as taught by the "WISE" management techniques so favored by their Scientology educated president and his top staff.

      It's not evil, but given their history of blowing off complaints for months or even years until faced with real consequences such as a Usenet Death Penalty where all posts from Earthlink would be actively cancelled, it's not topnotch.
      • Scientologist Reed Slatkin is not Earthlink's Prez anymore. Hasn't been for a long time.
        • Reed Slatkin, for those who don't know, never was their president. Sky Dayton, an active and fairly sizable Scientology contributor, is and has been the president since their start.

          Reed was one of their founders and got arrested for running a pyramid scheme. Given the financing misbehaviors of many start-up ISP's, it's not real surprising that one of their early managers also ran pyramid schemes, but that seems to be extremely common for the upper level Scientology members. They had a bunch of their upper
      • Having worked on a program that was sending (legitimate, opt-in with the ability to cancel - I'm serious! :)) bulk mail, earthlink, yahoo, AOL and hotmail are not only proactive, but super-anal.

        Failing to honor any SMTP code (and sometimes then some more, as the case was with AOL) as intended will get you a temporary ban. I can't remember if it's 2 or 3 strikes, but after that your only recourse generally is a call to their headquarters.

        I too am familiar with the UDP escapades - but what I am describing w
        • What you describe is merely re-active, not pro-active. Pro-active would be joining the ISP's using SPF, refusing to sell "pink" contracts to spammers which contractually permit them to send unsolicited bulk advertising, etc. What you describe is over-"re"acting, where doubtful is dirty and any question of proprietary behavior is dealt with harshly. It's understandable: spammers lie so much and pretend so much that their behavior is all "opt-in" that it colors our responses to companies and mailing lists li
    • Something to think on, perhaps it is a yawner for us. We've been hunting spammers for years, either on our own networks, against our own machines, or simply as fun for friends. You did missed some points in the article which was pointed out by other people in following posts.

      Most of what was said is really good for the non-geeks in our midst. You know as well as I do that nearly everyone hates spam, hates those who commit fraud, etc. This is showing that someone behind the scenes is doing work on t
  • Self interest (Score:4, Insightful)

    by ZenBased ( 593709 ) on Saturday September 18, 2004 @09:29AM (#10284414) Homepage
    Well they dont do it because they wont to help the world. But spam means extra bandwidth, so extra cost. And maybe customers blame the ISP, so that might mean less customers. So it is the ISP's best interest to do something about spam.
    • Re:Self interest (Score:2, Insightful)

      by Spad ( 470073 )
      Do their motives matter if they result in fewer spammers?
    • by G4from128k ( 686170 ) on Saturday September 18, 2004 @09:53AM (#10284496)
      Well they don't do it because they wont to help the world. But spam means extra bandwidth, so extra cost.

      I've heard many a system admin complain about the "cost of spam" to their networks, but have not seen a quantification of that cost. Given that spams are so small (the ones that I get average 4kB/spam), the storage costs of saving every spam (at 1$/GB) are about only 4 micro$/spam and the transfer costs (at $3/GB of transfer to pick a Google figure) are only 12 micro$/spam. Even CPU time is cheap. If a $2000 server CPU can handle only 10 messages per second (an underestimate?) then the cost in CPU time is only about 6 micro$/spam. In total, a million spams would cost an ISP maybe $20 or $30 which is far less that the burdened labor cost of one hour of a technician's time.

      What am I missing here? Can any admins tell me the true dollar cost per spam? The only other reason, that I can think of, is that Earthlink fights spam to avoid blacklisting because blacklisting would drive up support costs when a million customers call at ask why their emails aren't getting through.
      • by Anonymous Coward
        And how many spam messages pass trough a serious isp's network? I think you'd be surprised...

        Part of the cost is also due to filtering and to the extra admin costs for implementing enough capacity to hold the extra spam..
      • by Detritus ( 11846 ) on Saturday September 18, 2004 @10:07AM (#10284530) Homepage
        You are neglecting the admin time and cost of keeping the server running. Monitoring it for problems, keeping the software up-to-date, making configuration changes, keeping it backed up, documenting the configuration so that disaster recovery is relatively painless and quick.
        • by Tim C ( 15259 ) on Saturday September 18, 2004 @10:25AM (#10284570)
          All of which has to be performed whether the machine is handling spam or not, unless you're laying on extra hardware to take the extra load caused by the spam...
          • Running GroupWise at work. I had to dedicate a machine to running Guinevere and SpamAssassin and McAfee anti-virus.

            And I have to make sure it is patched.

            And I had to adjust the email server's threads (default set to either 2 or 4) for handling incoming email (increased to 50).

            And tuning of SpamAssassin.
        • Typical, one person asks for cost, meaning marginal cost (how much more does one email cost) and the answer given is average cost (total expenses divided by the total number). If a networks trafic is 1 million an hour, and they spend $1K to process it the each message has an average cost of .001, assume that the trafic is 80% spam and that is then eliminated then the costs become .005 per message because the overhead expenses don't change much because they still need the capacity to meet peak demands.
      • Most viruses go over 40 kb and can go to about 200 kb (that's what I get). Most annoying are the mailer daemon failures that i get for viruses that i did not (or anybody else from my domain) send.
      • by 4nd3r5 ( 732488 ) on Saturday September 18, 2004 @10:12AM (#10284541) Journal
        im no sysadmin or anything.

        but if its 30 $ per day, its 10k per year.

        further more you have to spend time and energy you have to spend sorting the mail. this is, ive heard, quite expensive in CPU time.

        The best filters catch 99.9% of spam and only make 1 mistake in a thousand. ( i don't even think that they are that good).

        1000 emplyoees gets 5 mails aday for a year thats 1.8 million mails, thats 1800 mails per year that goes down the drain. im not sure what that costs, but some of the are prolly quite expensive.

        This is not absolute facts nor close, but my point is that the price of spam is more than the price of reciving spam.
      • The 'cost of spam' is not the cost of spam filters, extra storage, etc. The cost of spam is the cost to the end user of having to figure out which mail is real and which is spam.

        Let's assume it takes a user only 1 second to determine if a piece of mail is spam, and deal with it, and let's assume the average user's time is worth $20 per hour. A million spams then cost the users:

        $5555 = 1 second * 1 million / 3600 seconds in an hour * $20

        You're right, the ISPs scared of being blacklisted. But they also
      • by Saint Aardvark ( 159009 ) * on Saturday September 18, 2004 @10:30AM (#10284581) Homepage Journal
        Okay, here's a quantification of that cost.

        I used to work at a small ISP -- lets say 5000 customers. We were getting lots of complaints [] about spam, so we decided to put in better spam filtering. That required a bigger server. Then the mail server went down for half an hour [] because of the volume of incoming spam, and there was a suddenly a big rush on getting the new server up and running.

        The server was the cheap part: let's say $2000 (all figures Canadian) for the box, rackmount, hard drives, yadda blah. Thank God for Free software, because FreeBSD and SpamAssassin saved our asses. It took me, conservatively, three full days to set up and get it more or less right; I was doing a lot of learning on the job, and the regular sysadmin was away.

        Now, don't forget that we were down for half an hour. This was from roughly 9am to 9:30am on that day, so that's a busy fucking time for us. There were tons of calls and only three people to handle them; fortunately, I was pressed into service trying to fix things, and wasn't on the phones. We probably lost a couple customers then, but most people were pretty understanding, especially when they were told it was fuckwad spammers who were causing the problem.

        Complaints were a huge deal, both before and after the filtering was put in place; I was dealing with most of them, because I was doing abuse duties, and it wasn't fun. Complaints before the new server was installed went, "Why am I getting all this spam? Why can't you stop it?" Complaints afterward went, "Why am I still getting all this spam? Why isn't your filtering working? What do you mean, I have to set up my mail program to do more work?" (We set the threshold rather high, thinking that customers could use filtering in their mail client to set their own tolerance level. Ha! It is to laugh. Ever tried filtering on random headers in Outlook Express 5.0?)

        Plus, there was maintenance of the server and software; upgrades were never fun; false positives happened and were dealt with; and now, my sources tell me, they've graduated to buying dual-fucking-xeon processors in order to handle spam filtering. Fuck me!

        But hey, we were after a dollar cost, and I did get sidetracked. We already said $2k for the server. Three days of my time, $400 (deal!). Half an hour when everything in the company came to a halt because no one could send mail or do anything but answer the phones: $500, and that's probably very conservative. Two customers' worth of lost revenue for a year: say another $500. Spam complaints before took, oh, probably a good five solid days of my time: $650. Afterward was probably the same, so another $650. I know of at least one customer we lost afterward when the spam filtering wasn't the magic bullet I kept trying to tell them didn't exist, so $250. Bandwidth for all the spam we were accepting but kept from reaching the customers: let's say $50, for a nice round total of $5000.

        Now this is very, very rough back-of-the-envelope calculations for a small dialup ISP I no longer work at; the managers there could probably tell you more about lost good will and so on. More importantly, it doesn't tell you about ongoing costs; that's just a snapshot from when I worked there. But that was $5000 spent by an ISP that was going down the tubes (true story), just to keep up (barely) with a denial-of-service attack that was slowly grinding us into the floor. I can't even imagine what it's like for AOL or Hotmail. Nor will we ever know what that time and effort and money might have done if it wasn't being spent on spam.

        Goddamn fuckwad spammers piss me off.

        • I'm going to make some assumptions here, but your solution was part of the problem.

          Anyone who uses SA for high-volume traffic knows that it is slow and a hog - perl, while being useful, is not known for it's speed.

          DNSBL + Caching DNS server (such as dnscache, but if you're an ISP you probably have better solutions) will block a heckuva lot of email. Solutions like messagewall take this even further - filtering on headers, attachment extensions, content types and virus checking *while the message is in tra
          • DNSBL + Caching DNS server -- Check. Once we got Sendmail to stop checking for IPv6 addresses, everything was fine. We were doing this long before we had SA.

            As far as Perl and speed goes, from what I remember it wasn't much of an issue; we used the spamd c-based daemon to pass email to just-the-one copy of SpamAssassin, and it wasn't that bad. There was a bit of delay, but it was nothing like before when we were using Procmail. One bad entry in Procmail could bring the whole thing grinding to a halt.

      • Upwards of 80% of our network traffic is mail. Of that, 70 - 80% of that is inbound spam, trojans and viruses. If we could eliminate them entirely from outside our network, we wouldn't require so much bandwidth and bandwidth is a major portion of our fixed operating costs. Office space is cheap compared to bandwidth.

        Its not just the total number of received messages that affect cost. Delivery rate causes problems with network availability. Because of distributed attacks and mail bombs, we have to be a
        • If you're in the business of providing people email service, as opposed to generic ISP connectivity services, then yes, spam is a major fraction of your bandwidth. But if you're a connectivity-type ISP, like the traditional dial ISP or a DSL ISP, usually most of your bandwidth is web browsing these days, or P2P file sharing traffic, and email is a much smaller fraction of the total bits. Spam may be 80% of your email, depending on how much you blacklist at the SMTP layer rather than accepting and discardi
      • Working as a sysadmin for a national ISP, I can tell you the cost of spam is not in the storage. Doubling the amount of MTAs that you have to handle spam is a big cost. Purchasing Ironports to cut down on spam is a bog cost. Buying all the associated software and licenses (cluster software, SAN storage licenses, anti-spam licenses, etc...) is a big cost. Adding backup solutions for these new servers is an additional cost. And paying the sysadmins to administer those systems is a big cost. When the ISP recei
      • by LoadWB ( 592248 ) * on Saturday September 18, 2004 @11:49AM (#10284900) Journal
        Several years back the local ISP for which I worked had a spammer force us to take our mail server down because his advertising bomb went off in our spool drive and completely filled it. It took a number of hours to manually clean it up, sift through logs to find and block the offender, and bring the server back on-line. Ask our business clients how much not having email available for several hours cost them. Just for illustration, that email was also only about 3k in size, but once it multiplied in the queue it consumed all 2GB of the spool.

        More recently, the local ISP for which I often do admin work had to build three new incoming mail servers and purchase spam and virus filter software for each machine at the rate of at least $6000 ea. plus subscription. Without these machines, user mail spools were filling up with spam and viruses; the older the account the worse off it was. Ask these folks how much it costs.

        I have seen spam perform the equivalent of DoS floods: causing servers to crash, filling up T1s, causing CPU loads on older but otherwise working machines to hit 98%, and more. I host a domain which sees 28,000 spams per week on average. We employ RBLs in our fight against spam, as well as blocking a number of countries known for delivering nothing legitimate to our servers.

        We see the shit come from all directions. In one night I observed a spam run against a hosted domain attempt to deliver 5,821 messages -- all forensically identical -- in less than 100 seconds from roughly 15 sources.

        Why should it be the burden of the ISP to provide extra bandwidth, CPU processing power, memory, and storage space just to accomodate what it clearly a theft of services? The dual 66MHz SPARC system that was running an ISP back in 1995 is still running, and in a normal environment handles incoming and outgoing email just fine. Without the introduction of a front-end server, or replacement altogether (money spent no matter how you look at it) the machine often ran at 75% load or more during times when historically it ran no more than 30%.

        The attitude of "well, it's going to happen anyway, might as well deal with it" is garbage. Adopting such an attitude in the face of a hurricane, the forces of which cannot be stopped, is fully acceptable. But in the face of spam which should not exist in the first place, this attitude is comparable to rolling over and taking it right up the rectum rather than dealing with the source.
        • Why is it the ISP's burden to accommodate this theft of services? Because it's only theft if it's stolen from _somebody_, and as an ISP in a competitive market, you'd rather spend the money to provide better quality services than lose customers to other ISPs, so that means it's stolen from _you_.

          It's also because tracing spammers sufficiently well that you can haul them into court and force them to pay is usually a lot more expensive, has a low probability of success, and if they're in the US where yo

          • "Why is it the ISP's burden to accommodate this theft of services? Because it's only theft if it's stolen from _somebody_, and as an ISP in a competitive market, you'd rather spend the money to provide better quality services than lose customers to other ISPs, so that means it's stolen from _you_. "

            Horseshit. That is along the same lines as the police department telling a hotel manager that he should bullet-proof the glass and walls in his establishment to help with the onslaught of drive-by shootings.

            • Obviously the world would be a better place if we could just issue AK47s and small thermonuclear devices to spam hunters, instead of wimpy tools like blacklists and Bayesian filters, and make the spammers an offer they can't refuse. However, that's not realistic, and the economics of the world are such that many spammers make money spamming, and wanabee spammers send out lots of spam attempting to make money even if they're not successful, fleeing the country virtually (whether or not you do it physically)
      • Google Archive in HTML []
        Powerpoint format []
        Steve Atkins presentation to the ASRG: Google cache as HTML []

        Same as powerpoint []

        A graph [] of a random minute at a large email provider.
        Each point is one host.

        Those numbers are all very very real.
  • by YetAnotherName ( 168064 ) on Saturday September 18, 2004 @09:31AM (#10284419) Homepage
    FTFA: One notorious spammer, whom EarthLink helped put behind bars, repeatedly used the names of sports such as baseball and football as his password.

    Spammers are stupider than I realized.
    • Never underestimate rule #3 [] of spam.
    • One notorious spammer, whom EarthLink helped put behind bars, repeatedly used the names of sports such as baseball and football as his password.

      Did anyone else see the implications of that? It says, "Earthlink admins know your password." Every security system I know stores passwords using a one-way hash. It is supposed to be impossible for an administrator to discover the password from the stored data. But this admin just admitted he is that checking the cleartext passwords. Make certain you use a d
  • by SimianOverlord ( 727643 ) on Saturday September 18, 2004 @09:32AM (#10284420) Homepage Journal
    This si interesting, but you have to say this guy is fighting a losing battle. You have to fight Spam at its source. Look at the Spamhaus statistics []: it might sound trollish, but spam is evidently an American problem, which must be combated in America. The Spamhaus stats prove it. 90% of the spam you see is from 200 individuals, of whom 96% are Americans, operating out of america.

    Clean up your act guys. When you're costing the world this much money, it just isn't funny anymore.
    • I agree it is an American problem. Most of the statistics says so.

      For those who say it comes from outside the US, like China or Korea, please thing about it for a moment: What are they advertizing?

      Even if the messages are coming from overseas IP Addresses, the content advertizes US-centric products, for example, cheap mortgage will not help somebody in France, or Egypt or India, even if they wanted to. Yet, they have to pay to get SPAM because unlike North America, their slow dialup connections are m

  • "While sending spam is not against the law in most cases, it does violate EarthLink's use policy; not only can Rush terminate the account of a spammer, but he can also charge a $200 cleanup fee."
    "Serial spammers who have been kicked off the EarthLink network once will often jump back on, creating as many as four or five fraudulent accounts per day using stolen credit cards

    So - Earhtlink are fining victims of stolen credit cards, in other words!. Possibly a more long-lasting approach would be to geo-
    • (Replying to myself for convenience)
      Why can't Earthlink ban certain MAC addresses from its network? Surely the way to stop a repeat offender re-registering is to use MAC addresses (which are each unique to the unit) to ban his computer or router.

      Sure, a technically minded user can change a MAC address but its a delay, and not always easy. Spammers aren't the brightest bunch.. hell, most of 'em can't even spell viagra! :-p
      • Don't ban them, honeypot them. If you ban them, they know they have to be sneakier. Instead, allow them to stay on, and fake acknowledgements to all their spamming. To them, it will look as if spamming has dried up... the response rate was close to 0% anyway.
        • That might entail the ISP having to break their own terms of service with regard to email traffic, or prevent "infected but unaware" users (spam relays) getting technical help.. but it's a very interesting idea nonetheless.
          So is your Sig, actually, I've bookmarked it to read at length later)
      • Banning MAC addresses is not that useful. First, it costs a lot of extra effort in building up a monitoring tool suite and switch configurations to ban them, unless they happen to be already using forced DHCP. Second, a lot of Earthlink clients use actual Points of Presence (POPs) that are on other companies' networks. Third, almost any modern network card will let you code in a different MAC address to deal with exactly that kind of situation where you switch machines and there's some MAC-based permission.
    • But at which cost? (Score:2, Interesting)

      by c0p0n ( 770852 )
      They seem to monitor their user's passwords...

      (Page 2)...One notorious spammer, whom EarthLink helped put behind bars, repeatedly used the names of sports such as baseball and football as his password...

      I thought that passwords SHOULD not be easily unencrypted... or do they monitor them before encryption?
      • When I worked there, we had access to all user's passwords (how else could we tell a user what their password was if/when they forgot it?)

        The only passwords we did not have access to were employee accounts, who we *could* have access to, they'd just be notified instantly.
    • Okay, shouldn't Earthlink have the phone number in their records?

      So, Earthlink finds a spammer using a stolen credit card. Wouldn't they send the phone number and the credit card info to the FBI? Wouldn't the FBI trace that phone number to a physical location and arrest the spammer for fraud?
  • This is a great man.
  • Just like the USPO (Score:5, Insightful)

    by Orien ( 720204 ) on Saturday September 18, 2004 @09:33AM (#10284425)
    This is a dumb statement:
    It's nice to see that major ISP's are making an effort to shut spammers down and kick them off of their networks.
    That's just like having an article about someone at the Patent office who investigates prior art for tech patents and saying "at least the patent office is making an effort". What good does it do if it is still completely and tragically uneffective?
    • Job security? :) (Score:3, Insightful)

      by khasim ( 1285 )
      "What good does it do if it is still completely and tragically uneffective?"

      Gotta agree with you there. Particularly at an ISP.

      If you KNOW your actions are ineffective, wouldn't you re-evaluate your approach and look for more effective actions?

      Say ...... like limiting outbound email traffic on all new accounts. New accounts that hit your ceiling will be flagged for you to investigate, yet you will still be limiting the spam they can send and being a nice ISP.

      From the article: "Yet canceling a spammer's
      • Major spammers don't send from the ISPs mail server. Implementing throttling won't affect them a bit.
        • The major spammers have agreements with the ISP's so they can use major amounts of bandwidth.

          I'm guessing the article was about dial-up accounts because I don't see anyone opening 4 or 5 dsl accounts a day.

          So, the easy solution is to block port 25 from your dial up accounts. Or, at the very least, limit the out-bound connections on port 25 from those accounts. Either by number of connections (limit the number of spam messages sent) or by a fixed number of destinations (a lot of spam can be sent to a few a
          • I don't understand why all the focus on ISPs. You call the phone company (any phone company) and say you want a data T1 connection. They give it to you and give you some IP addresses. They do not process email for you, they do not give you web space and they do not respond to complaints about what you are doing with your T1. If you are on a "burstable" plan, you need to hold your aggregate usage within those limits, but if you have a "full T1" and are paying for non-burstable service you can send 1.5Mb
            • by khasim ( 1285 ) <> on Saturday September 18, 2004 @12:56PM (#10285252)
              "I don't understand why all the focus on ISPs."

              Because, unless you have a peering agreement, you are connecting to an ISP.

              "You call the phone company (any phone company) and say you want a data T1 connection."

              Okay. That's a chunk of money and it has a physical connection point that is recorded. It is completely different than a dial-up account.

              "They give it to you and give you some IP addresses."

              From their block. That means that they are your upstream provider. If someone complains about your behaviour, they will complain to your upstream provider who will then cut you off (or not).

              "They do not process email for you, they do not give you web space and they do not respond to complaints about what you are doing with your T1."

              They do respond to complaints about what you are doing.

              "I expect this holds true for any sort of data connection from a telecommunications provider that is not providing any additional services, which means if you call SBC to get an OC48 they aren't going to ask you what you plan to do with it."

              That is correct. They will not. But you ARE plugged into THEIR network.

              One end of the line terminates at your location, the other end terminates at the phone company's location.

              So, traffic coming from your line goes through the phone company's network. And people can see who licensed that IP range to you. They will complain to your upstream provider.
              • From their block. That means that they are your upstream provider. If someone complains about your behaviour, they will complain to your upstream provider who will then cut you off (or not).

                Not. Not ever. We went through a long period where some folks at SpamCop decided we were spammers because of a subscribe-to newsletter that they didn't remember or appreciate. So, we were spammers. Lots of complaints were received here. Lots of complaints were sent to McLeod USA (who we had a T1 from at the time).

            • ISP accounts are cheap.

              Now, there are legitimate uses for these ports (I use a commercial ISP myself and I like to send mail through my TLS-enabled SMTP server).

              There's a solution to this problem that's much easier than any major tech solution.

              Block anything at the border in and out destined for ports under 1024, except tcp/ftp, tcp/http-ssl and tcp/http. If the user wants other ports open, they can CALL and elevate their account - no web-based ordering.

              This solves a few problems:

              1) Open relays cannot
    • What good does it do if it is still completely and tragically uneffective?

      How do you know that it's completely uneffective? Spam might be bad now, but without ISPs shutting spammers down, it could be even worse.

  • Abuse (Score:5, Interesting)

    by Michael Hunt ( 585391 ) on Saturday September 18, 2004 @09:35AM (#10284434) Homepage
    What's needed is every ISP having a consistently responsive abuse department. From what i've seen, everbody except the largest tier-1 ISPs do, with most of them having a substantive presence on abuse and anti-spam lists, and responsive to complaints.

    It's the major .us tier-1 ISPs and most of .cn/.kr that are seriously culpable these days; from what I've seen working in the anti-spam arena these last six months, and their peers don't give a shit because, well, nobody's going to refuse to peer with them if they host spammers. Same thing in .cn/.kr, their broadband industries net the larger .us providers large $ over the longer term, and it's not in their best interests to be overly proactive.

    Which is a shame; KISA (.kr equivalent of the FCC/ACA/etc) have got a great early-warning system set up, which shows transit traffic between .kr ASs in real time; we were given a demo at AusCERT 2004. The fact that they won't use this more proactively is depressing.

    About 40% of my current spam corpus is from korea, the other 60% is about 30/30/40% china,, and comcast/verizon open proxies.
    • Re:Abuse (Score:4, Informative)

      by quelrods ( 521005 ) * < minus math_god> on Saturday September 18, 2004 @09:49AM (#10284483) Homepage
      I think you have your %'s off a tad. I've consistantly seen stats that put spam of US origin at 70% or higher!
      • Um, I note that the grandparent poster's home page is at a .au address -- I have no trouble believing that 70%+ (some figures put it at 90%+) of spam worldwide is American in origin, but that Pacific Rim users see a lower percentage of spam originating in America and a higher percentage from other PR locations.
      • I'll reiterate at this point that I was talking about the spam that I receive (at my .au address, which wasn't explicitly mentioned.)

        Additionally, whilst the US is sitting around 70%, the majority of US sourced spam is sent through bogus proxies, many of which are in .kr.
        • Many are in .kr, true. But both the sender and the target audience for most of those spams is in fact the US, because the senders have the bandwidth to do the sending and because the suckers in the US have more money to pay for the primarily fraudulent or porn spam that makes up so much of it
  • by CliffEmAll ( 794568 ) on Saturday September 18, 2004 @09:37AM (#10284443) Homepage
    Often suspected spammers are clueless of the network abuse they're committing. Maybe a virus took over a customer's PC and secretly started blasting spam, or perhaps a computer-addicted teenager holed up in his bedroom is sending out bulk e-mail, unbeknown to his parents. "I usually ask if there's a young male in the house," Rush says.

    Yes, the typical spammer is a slashdot-reading geek who lives with his parents. ... Reminds me of a thing I read earlier warning parents about signs of their child engaging in dangerous hacking, such as use of Linux or requests for better hardware.

    Just what a geek needs, another reason for parents to be suspicious of his computer usage. Help! I'm a computer addicted teenager who can't stop sending spam, and this is really a cry for help!

  • by SillyWilly ( 692755 ) on Saturday September 18, 2004 @09:37AM (#10284447) Homepage

    "He only reads the content of an e-mail in extreme cases, he says."

    I've always found it safest to avoid reading email, unless I'm feeling really daring...

  • by iamatlas ( 597477 ) on Saturday September 18, 2004 @09:40AM (#10284457) Homepage
    As this article [] from Satire Wire [] shows, spam can be a work of art or literature.
    • by AndroidCat ( 229562 ) on Saturday September 18, 2004 @09:59AM (#10284510) Homepage
      No, spam can be turned into a work of art or literature. But then, so can any other kind of turd.

      Oh, and it's not censorship. He's not a government or publisher. The spammer can find other places to publish his work other than my mailbox. (Just like wannabe painters can't exhibit in my living room.)

      • (Just like wannabe painters can't exhibit in my living room.)

        Oh, real nice for you to tell me that now! I was all packed and ready to go.

        And how did I get modded insightful? The site I linked to is SatireWire. I'm beginning to thing that some people don't RTFA I link to!

  • by sinner0423 ( 687266 ) <(moc.liamg) (ta) (3240rennis)> on Saturday September 18, 2004 @09:58AM (#10284508)
    Well, with these [] kind of statistics, he'll be gainfully employed for years to come.

    While he believes his job is important, Rush doesn't take the role of Internet cop too seriously. But he admits with a chuckle that his favorite computer game at the moment is called City of Heroes.

    I'd sit back all day and play CoH, and tell my boss "Sure, I killed off 800 spammers today. But 30,000 more popped up. Guess I'll be seeing you monday."

    I need me one of those gigs. Anyone offering?
  • by Saint Aardvark ( 159009 ) * on Saturday September 18, 2004 @10:06AM (#10284529) Homepage Journal
    ...though it would be interesting to know the volume that comes out of willful spammers (as opposed to zombie pcs) operating from throwaway ISP accounts, as opposed to people with pink contracts [] and truckloads of bandwidth.

    Incidentally, this bit:

    ...a judge...complained that a man with a criminal record who landed in his courtroom was sending malicious e-mail. The harasser was complaining to the judge about such minutia as the fringe on the American flag hanging in his courtroom.

    was interesting to me. This sounds like the oft []-repeated [] assertion that a US flag with a fringe in a courtroom means that you're under Admiralty law [], not the law of the United States, and that anyone who appears before that court has lost most of their rights. Of course, They [] don't want you to know this...or that England still owns the US [], or that there is a subtle yet vitally important difference [] between the United States and the United States of America that means you are 0wn3d by the government...

    I tell you, there are worlds upon worlds of free entertainment out there on the Internet.

    • There's a real admirality law problem, and it revolves around civil forfeiture, which some law enforcement agencies interpret as a license to steal. Forfeiture law derives from admiralty law, and was intended to apply to ships, which, for historical reasons, are considered legal entities of a kind. Under Reagan, forfeiture proceedings were expanded to the "War on Drugs", and a whole multibillion forfeiture industry was created. It's not limited to drugs any more. Forfeiture now crops up in many non-drug
    • Wow...some people really read a lot into the US/UK tax treart :-) Still I learned some history (like the fact that George III was briefly also king of France)...but people believe this junk?
  • The ISP's are not really serious about fighting spam. It does not cost them that much and they are probalby making money due to spam. So the only incentive they have to do anything about it is when the level of spaming gets to the point they are about to be blacklisted then they take action.

    If they were really serious about curbing spam they would implement greylisting and greet_pause features in their MTAs. Both of these would block 99% of the spam being sent. The remaining spammers would then be mu
    • How do you think that spam doesn't cost ISPs money? If you think about the numbers for a moment, it's obvious that spam chews up lots and lots of bandwidth and server resources. For example: take a small local ISP, with 5000 customers. On average, each user gets 20 spams/day, with each spam being about 10k each. This works out to 1 gigabyte of spam every day, with fairly conservative numbers. Of course, large ISPs will be hit harder, and could easily see tens or hundreds of gigabytes of spam per day.
  • memory lane (Score:4, Insightful)

    by enilnomi ( 797821 ) on Saturday September 18, 2004 @11:15AM (#10284761)
    Fun article for me. 25 years ago or so, I was the original "cable cop" in Michigan, USA (the job title was "system auditor"). This was before it was illegal to "steal" cable services, and the overall thrust of my work was to build a case for legislators.

    About 50% of my time was indoors, pulling street-by-street printouts off our Tandem system and cleaning up/verifying account info by going back to original install paperwork. The rest of my time was spent climbing poles, verifying hookups and disconnecting the "non-subscribers." After a year of that, we had enough info to deliver numbers to the statehouse: 4% of all cable viewers weren't paying us for the service. That was enough for the legislators, and cable theft became a mid-range misdemeanor.

    So then I started going after the midnight installers offering people "free HBO forever" at the low low price of $100 (or whatever). That was kinda fun...serveral times I was just hours behind these guys, removing service drops while the resident stood by watching, moaning eulogies for their recently departed 100 bucks.

    I'm surprised that more ISPs don't have employees like the guy in TFA (or perhaps I'm surprised that we don't hear more about them)...losses due to spam are real, no? [In the case of cable, the "losses" were 99% paper; there was no extra drain on bandwidth, no guarentee these folks would have been paying us otherwise, and no real loss on the converters they were using (our collections folks did just fine charging 4X the cost for unreturned equipment). The only true "loss" was in tech-time, for the rare hookup that caused interference on a distribution line or radiated enough signal to breach FCC rules.]

    Is the reason for this apparent lack of interest on the part of ISPs similar to that of the credit card companies during the early online days? Rather than appear inept at providing decent system integrity (easily spoofed card numbers, pitiful account verification, etc.), fraud and abuse were handled quietly, with costs taken off the bottom line. Or is the apparent less-than-vigorous investigation of spammers just part of the "?" step in the profit! formula...where bandwidth lost = cost of investigatory personnel, so screw the inconvenience to customers?
  • Passwords? (Score:4, Insightful)

    by jnguy ( 683993 ) on Saturday September 18, 2004 @11:20AM (#10284777) Homepage
    Rush mentions that in one case he realized that the suspect was using a sports password scheme, does that mean that these people working at the ISPs can view our passwords? I happen to use maybe a set of 6 different passwords, but if someone can get one of them, they can access many things that are password protected for me. Its unreasonable to have a different password for every net logon you have, but I always thought that passwords were hashed so that even the system admin in most cases can't read them.
    • Re:Passwords? (Score:3, Informative)

      by evslin ( 612024 )
      Earthlink's accounting database (Midas) allows all the agents a clear view of account passwords. Unless the QA guidelines have changed since I worked there, the password is acceptable as confirmation that the person calling in is actually the account holder and is allowed to make changes or obtain information about the account in question. And I believe that's the main reason why. There's also secret words and the last four digits of credit card information, but there were plenty of times where the perso
      • Is it clearly stated when you sign up for an earthlink account that your password will be in clearview of earthlink agents? I think its quite a security risk, especially if people aren't aware of the fact that anyone with access to Midas can view it. Thanks for the reply.
        • I actually went and looked at the service agreement for the first time just now. Just by skimming through, I did not see anything that clearly states that agents have access to your password, however I found this little nugget:

          Usernames, passwords, email addresses and IP addresses are EarthLink's property and EarthLink may alter or replace them at any time.

          So they could probably claim ownership over your password (as it exists within Midas, not over the password itself) and could justify allowing empl
    • Re:Passwords? (Score:4, Informative)

      by Antique Geekmeister ( 740220 ) on Saturday September 18, 2004 @12:19PM (#10285060)
      At Earthlink, absolutely. Earthlink's commitment to user security is absolutely non-existent. It's easier for them to manage with un-encrypted passwords: it's much faster and cheaper in tech time to tell someone their old password on the phone, or give it to the nice FBI man who asks for it, than to have to deal with encrypted passwords and reset passwords for people and send them the *new* password safely. Earthlink will take ease of management over genuine security any day: that kind of behavior is built into the WISE management guidelines they follow, although after all the complaints about the Scientology management techniques they don't call them WISE anymore. If you think I'm kidding, look into the background of Sky Dayton and their original CTO, who jumped out of a building on L. Ron Hubbard's birthday when he went back to college.
    • Re:Passwords? (Score:3, Informative)

      by Phroggy ( 441 ) *
      Rush mentions that in one case he realized that the suspect was using a sports password scheme, does that mean that these people working at the ISPs can view our passwords?

      It depends entirely upon the ISP, but yes, at most large ISPs, employees can view your password. It makes tech support MUCH easier when dealing with stupid people. If this bothers you, call your ISP and ask them, and if they don't encrypt their passwords, switch to an ISP that does.
  • Earthlink (Score:2, Informative)

    by CaptainZapp ( 182233 ) *
    Maybe one should note that Earth Link was founded by Sky Daton, a long time Scientologist.

    Now Zapp, you may ask: "What has that to do with anything?"

    If you really don't know what staunch dfenders of free speech the Scientolgy[tm] "Church" is you might find some interesting reading at this link [].

    If you want to dig deeper then Xenu [] can guide you.

    • Re:Earthlink (Score:3, Insightful)

      by Phroggy ( 441 ) *
      Now Zapp, you may ask: "What has that to do with anything?"

      Precisely. I worked at Earthlink for over a year, and the only time I heard anybody mention anything related to Scientology while I worked there was a couple of crazy nutball customers.
  • I'd really like to see real investigators in action like those of Spamhaus (for example) who have entire biographies and histories of spammers. Guys who are geeks, not paper pushers (so to speak).

    This was pedantic in the extreme.
  • I'm continually getting empty-body emails. I assume they are testing my address to see if it's alive. _Please_ could ISPs set up the MTAs to bounce empty messages.

"Plastic gun. Ingenious. More coffee, please." -- The Phantom comics