Is There Any Reason to Report Spammers to ISPs?

marko_ramius asks: "For years I've been a good netizen and reported spam that I get to the appropriate contacts at various ISPs. In the entire time that I've done this I've gotten (maybe) 5 or 6 responses from those ISPs informing me that they have taken action against the spammer. In recent years however, I haven't gotten any responses. Are the ISP's so overwhelmed with abuse reports that they aren't able to respond to the spam reports? Do they even bother acting on said reports? Is there any real reason to report spammers?"

Yes

[YGingras (605709)]

... but it's rarely worth the effort. Just repport to your favorite real time block list and we'll thank you.

Too Many Electrons

[slarrg (931336)]

Every time a spammer sends an email to your computer its electrons collect in your inbox. If you don't send another email out those electrons will build-up and short out your machine. Send a report, containing these electrons, to the ISP so they can properly purge the excess electrons and allow other internet users to use them.

Re:

[YGingras (605709)]

I usually keep a few torrent seeds up just to be sure that I use all those excess electrons. Why upload boring emails when you can upload pr0n^W ubuntu isos?

I might report, if my ISP would let me...

[msauve (701917)]

the clueless admins at Charter have their outbound spam filters set so it is next to impossible to report spam. When attempting to forward a spam to the originating ISP, Charter will bounce it back as if the report itself were spam. Even trying to forward the bounced report to Charter results in a bounce. A direct email resulted in no response. Of course, since Charter also blocks outbound port 25 (smtp), I have no choice but to send through their misconfigured relay agent.

Re:

[walt-sjc (145127)]

Simple. Pass a law that says that those people are "a danger to national security" and REQUIRE that ISPs take them offline until the problem has been corrected. If they are running a spambot, most likely they are also on someone's DDOS / portscanning network too. Allow (require?) the ISP to charge a service fee for reconnection and verification that their machine is no longer vulnerable (penetration testing.)

Reporting helps, keep doing it

[TheSkyIsPurple (901118)]

I've worked for a very large ISP, and we never responded to them, but we took action on every single report.

Often, just counting against a mailhost for eventual blockage and upline reporting... but it helped block spam from other people (and more spam to yourself) at the least.

Re:

[Reaperducer (871695)]

I had an ISP in Texas (EV1, I think) tell me that they were taking action on my report, but due to privacy concerns they couldn't tell me what action was being taken.

yep

[gregm (61553)]

If nothing else just report the spammers to irritate your ISP. If enough of us eat up our ISP's time complaining, those spammer clients of their's will seem less valuable. Also as was said before, please for the love of god report them to the block lists.

Re:yep

[Secrity (742221)]

PROPERLY reporting spam to the PROPER ISP is not a problem and is productive. The problems are when idiots report spam to the wrong ISP and when abusive comments are added to spam reports. For spam email it is only necessary to forward the spam email with FULL headers, and with a SHORT explanation (such as "abc.com" is on your network") if the headers do not indicate why the report is being sent to a particular ISP.

I provided tier 3 abuse support to a large ISP and set up the abuse desk for the now defunct dialup offering of the ISP, my advice to the abuse desk people was to shitcan any abuse report that contained contained abusive comments added by the person reporting the spam. Adding abusive comments is not reporting abuse, it IS abuse.

Re:

[Reaperducer (871695)]

I ... set up the abuse desk for the now defunct dialup offering of the ISP

Followed by

my advice to the abuse desk people was to shitcan any abuse report

Cause and effect?

Definitely report if you have clue

[Peter Cooper (660482)]

The sad thing is that most people who report spam are the idiots of the Internet who don't understand things like joe-jobbing, etc, and assume that because it says "jkrwejkrweq@yourdomain.com" in the From field, it's not necessarily anything to do with "yourdomain.com". SPF is, supposedly, a solution to this but the penetration seems pretty low. Certainly in my experience it's not usually Hotmail or Gmail customers who send the all-caps "STOP SENDING ME E-MAIL" to joe-job victims, but people on various .com domain names most likely hosted at hundreds of different budget web hosts who have poor anti-spam tools (or none at all).

Re:

[TheSkyIsPurple (901118)]

> The sad thing is that most people who report spam are the idiots of the Internet who don't understand things like joe-jobbing, etc

How is this a sad thing?

As long as the reports go to someone who is smart enough to understand those things, the reports can help.

The only downside I can think of is that they may believe that AOL is actually sending out these messages, and AOL is a bad company to deal with... I can see how that's sad for AOL, but I didn't realize there were alot of AOL supported on slashdo

Re:

[Mister J (113414)]

As long as the reports go to someone who is smart enough to understand those things, the reports can help.

If they go to the wrong person, all that serves to do is annoy someone who has absolutely nothing to do with the spam and can't do anything to fix it. Such emails are usually the most inflammatory, so hackles are already up before you waste time verifying that the original spam was indeed nothing to do with us. Plus, like the boy who cried wolf, every one of these makes you that little bit less inclin

Re:

[paitre (32242)]

Exactly.
When I ran the abuse desk at Alabanza (google it, I did my job, and the community loves me to this day for it), abusive complaints ("Why the fuck won't you do anything about your fucking spammers?!") were automatically round-filed. POLITE complaints received action.

I very rarely personally replied to a complainant. Usually the ones I -did- reply to were people I either knew, or who were common complainants that I saw a couple from a day. Everyone got my auto-responder. I also posted in NANAE, and pa

Re:

[Deorus (811828)]

> SPF is, supposedly, a solution to this but the penetration seems pretty low.

SPF is part of Microsoft's SenderID patent and its license is incompatible with the GPL [imc.org], therefore I will personally never republish an SPF record again.

Please continue!

[J. T. MacLeod (111094)]

I work for a regional ISP.

We frequently receive notifications of spam email as well as virus-laden email that has originated from our network. We only respond to the sender if they request that we do (and even then, if it's not necessary and the request isn't polite, we may not).

That means we almost never send a reply to the person who notified us. However, we DO take care of every single notification we receive. If we aren't able to immediately contact the customer and fix the issue (generally a home user with a virus doing the spamming), then we either shut off their service or, more frequently, block outgoing connections from their IP to port 25 anywhere.

Please don't let the silence discourage you. We're hard at work and appreciate the notices that help us keep our networks and services running smoothly for our customers.

Re:Please continue!

[mqduck (232646)]

Please don't let the silence discourage you. We're hard at work and appreciate the notices that help us keep our networks and services running smoothly for our customers.

Here's a thought: Might giving some sort of reply, even a thank-you form letter, not keep people like Mr. marko_ramius from being discouraged? Maybe that's something you and your ilk should consider.

(P.S. there was no hostility in the above)

It may be a policy matter

[arivanov (12034)]

Many ISPs have a policy not to notify you what they have done and some are not allowed by law (data protection and privacy legislations). So the lack of responce does not mean a thing. Personally I would have preferred that all hook it up into their ticketing system so users get a reply, but some of them still run ticketing on primitive crap that does not have an Email interface (like one well known "best ISP for 200X" in the UK).

Not at all!

[VincenzoRomano (881055)]

Spammers run their own MTA or MTAs other than those by the ISP.
Provided that there is a clear proof (and not just someone's report) that a customer is a spammer, they would have two options:
1. filter out their outgoing SMTP traffic or
2. shutting down the link

Spammers then would probably change ISP in a snap.
The real (technical) point should be: why spammers do exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation."
Maybe it's important to look at problems from the correct perspective.

Re:

[Kjella (173770)]

The real (technical) point should be: why spammers do exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation." Maybe it's important to look at problems from the correct perspective.

Well, it might be part of a solution but it's nowhere near it. Even if I had perfect verification that this was sent from $foo LLC., Pacific Islands somewhere, what good would it do? Taking them to the local court would do exactly nothing, whereas any loser with a credit card

Re:

[walt-sjc (145127)]

because SMTP has not been designed to cope with authentication and authorization.

That is true, which is why back in 1998 ago they came up with the MSA port (RFC 2476.) There is no need for ANY MUA to use port 25 anymore. ISP's should be blocking port 25 for everyone except mail servers or others that have used the ISP's tool to request that port 25 be open for outbound.

Re:

[tepples (727027)]

There is no need for ANY MUA to use port 25 anymore. ISP's should be blocking port 25 for everyone except mail servers or others that have used the ISP's tool to request that port 25 be open for outbound.

So what should a residential user do if the only ISP in town that offers anywhere the bandwidth he wants (that is, it's this or dial-up) has an unreliable MSA? Should all customers in that town have to subscribe both to Internet access (with a bundled unreliable MSA) and a third-party smarthost?

Yes

[crossmr (957846)]

My friend works for a local ISP here in town. He was telling me about their system, which will automatically shut people down. If they send a certain number of e-mails in a certain period, a flag goes on their account and their access to the mail server is blocked for 24 hours (the first time).
When their access is restored, if it continues to happen they get longer and longer blocks. He told me a story about a woman who called in who just didn't seem to understand this concept and her access was currently b

Keep reporting

[azander (786903)]

Greetings,
Please keep reporting. I handle the abuse complaints for a regional ISP. We have never had an actual spammer on our network, but the reports have helped us clean up some very badly infested machines of our users. Since I receive about 50 of these complaints a week, with maybe 1 in 1000 being from our IP space, I have to agree that it is frustrating when people report to me, but the only mention of my IP or domain space is an obviously forged header. At least it is obvious to any

Please Report Spam

[giafly (926567)]

Does the spam look legitimate?

• Yes - please report it. I work for a large email company and we always act on spam complaints, to ourselves or to our ISP. I hate spammers too, because they are not why we wrote the system and they cost us money, so we'll kick them out.
• No - e.g image spam - why bother? It's probably from an illegal botnet, criminals are not noted for customer service, and any server will be on a short-term contract.

Spammers from The Planet

[Tinfoil (109794)]

Abouta year or two ago, I was having serious problems with comment spam, with hundreds a day coming from a single IP address. I banned the IP for 7 days and put various protection schemes in place to prevent further abuse. Once the 7 days was up, there were literally thousands of attempts, but now each one was stopped and logged in an easier to understand format. With this in hand, I looked up the address to find it originated from one of The Planet's customers. Even after sending reports with links to the logfiles, months (and tens of thousands of attempts to spam my comments) went before I received any response whatsoever. That response was as a direct result of speaking to one of The Planet's higher profile customers who I've worked with in the past to try to get some help in the situation.

Only after doing an end-run around the abuse department did I see some *real* action taken on behalf of The Planet. Previously all they seem to have done was moved the customer to a different IP address, which would have been very counter-productive had I just kept blocking the original IP address.

Stength in numbers

[secolactico (519805)]

By all means, send your complaint.

If enough people complain, they will take action. The "legitimate" ISPs at least (as opposed to the "bulletproof" ISP).

Include the ip address / spamvertized URL on the subject. Makes it easier for the poor lackey they have tasked with reading the abuse mail and opening tickets/reports/whatever.

Or use a service like spamcop or mynetwatchman (for portscanning attacks). Usually, the postmaster and abuse accounts are not filtered in any way so they get a HUGE amount of spam

What about spam@uce.gov ?

[mbone (558574)]

I forward spams to spam@uce.gov . I know that someone looks at at least some of these; does anyone know if it actually does any good ?

Re:

[TheSkyIsPurple (901118)]

"They"?

A few may actually behave like this, but I'd be willing to bet that the majority aren't.
I've worked for a large ISP, and we worked with others to fight this stuff. Spam represented a great waste of our resources, and a great distraction to actually providing an actual product for our customers.

Re:Dont bother - they're in on the racket

[walt-sjc (145127)]

That may have been back when you worked there, but it's quite obvious that it's not the case now. If ISPs gave a shit, they would block outbound port 25 by default for dynamic IP clients (and maybe ALL IPs). That would stop at LEAST 95% of the spam botnets. This works best with a tool to allow you to open the port if needed (running a mail server.) Running a mail server on a dynamic address at this point is futile as a good portion of servers will block you anyway. MUA's should all be configured to use port 587 for authenticated submission.

ISPs could also install sniffers to watch the rate of outbound off-network port 25 SYN packets, and investigate unusual activity. Oh and don't go saying that this is difficult - just talk to AT&T and the government - they have been sniffing ALL traffic.

But it's VERY VERY rare to find an ISP that does ANYTHING AT ALL to stop outbound spam. Oh sure, they are perfectly willing to install blacklists and filters on inbound, but outbound? Nothing. They don't care. The only way to fix this is to make habitual offenders be financially liable. ISPs also need to make end users liable and start enforcing their TOS, disconnecting grannie and her POS windows box that has no firewall, anti-virus, and is running spambot software.

Re:

[WebCrapper (667046)]

I worked for a smaller National ISP (MindSpring) and our engineers tried this one day without telling anyone. 2 hours later, Technical Support was being killed by customers complaining that they couldn't send mail to other required sources. After our NOC figured it out, the engineers had to turn things back the way they where and the call Q cleared up.

The problem with your situation is that the same customers that complain about the spam that come in rely on Port 25 to allow their users access to company se

Re:

[walt-sjc (145127)]

Obviously trying it without telling anyone is stupid. Tell customers ahead of time, give them the info they need such as "use port 587, 465 (for broken MS clients) or your VPN dammit", etc. Doing nothing does not solve the problem. Just because Mindspring engineers are morons doesn't mean that the idea is bad.

Re:

[WebCrapper (667046)]

I agree that not telling anyone was a bad mistake...

While I'm not in the middle of the US IT situation, I don't think it's used as much as it should be.

Re:

[WebCrapper (667046)]

Late 1998. After a few months, it was turned back on. I think the engineers figured out most that where using remote port 25's and automated a message about updating SMTPs.

Re:

[.tekrox (858002)]

I used to work for an Australian ISP,

and Believe me they took spam seriosuly...
not just for reasons of stopping spam, and credibility, but for profit..

See, we'd give them 2 chances - they got reported for spamming we'd give them a call and tell them
what going on and ask them nicely to please fix it. if its a suspected botnet, get a pc tech - if its spammer (its happened)
then stop your freakin' spam.

if they got reported again, accounts get suspended. give them another call explain the situation again, and ad

No, I strongly disagree...

[msauve (701917)]

with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathematic to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.

What ISPs should do is to identify nodes which have actually been infected by a botnet (or are otherwise sending spam/malware) and nuke them in accord with every ISP TOS out there. But, that would be more work, and cut into their revenues, so they don't want to do that.

I run a firewall (iptables), run up-to-date malware scanners, and take responsibilty for what leaves my network. If my security is ineffective, and one of my machines starts spewing spam, I should be cut off and held responsible. But, I should not be penalized or limited because of the actions of others.

Finally, it should be obvious that port blocking, refusing acceptance of smtp connections originating from dynamic IPs, etc. simply hasn't been effective against spam. Spam continues to increase, and will continue to do so until action is taken closer to the root causes - networks start going after originating machines, law enforcement start going after businesses using spam (and, of course, instituting a death penalty for anyone caught purchasing any product from a spammer).

Re:

[walt-sjc (145127)]

YOU are not the problem. Grannie and Aunt Mathilda are. Port blocking by default with a way for savvy users to unblock solves the problem with such a MINOR inconvenience that it's a non-problem. Doing nothing will not solve the problem.

As for you assertion that blocking inbound from dynamics is not effective, I, and MANY other ISP's disagree with you. The mail server logs don't lie. Blocked mail from dynamic space (which is ALL spam) is 75% of ALL connections to our mail servers, with other blacklists cutti

Re:

[walt-sjc (145127)]

No, because legitimate users on dynamic IPs use their ISP's or other mail service provider's mail servers. Been down that road. As I stated in a previous comment, people on dynamic IPs are ALREADY doomed as many major ISPs already block them. Sorry if you don't like it, it's a fact of life. If you want to send mail without going through a smarthost, get a static IP. Yeah it cost extra. Deal.

Re:

[MightyMartian (840721)]

with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathematic to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.

Yeah, if the block MS file sharing ports and leave open relays in place, they're not really ISPs.

Give me

Yeah...

[msauve (701917)]

and how many customers did you cut off for sending spam (intentional or unintentional) in violation of your TOS? How may peers did you sever because they weren't policing their users, and were therefore sending spam your way?

I have little sympathy for lazy ISPs, who've created the bed they are now forced to lie in.

ISPs allow spam because they make more money putting up with it than by dealing with it properly.

Re:

[MightyMartian (840721)]

We were a pretty small ISP. We only caught two people spamming in all the time I was there, and warnings were enough to stop it. We got on RBLs once because our old mail server was an open relay, and we had no desire to let any of our customers get us back there again. The majority of spam coming from our local customers were due to worms on their computers. That is where blocking port 25 at the gateway was so damn effective.

I have this feeling that you don't know a lot about spam and how it is propa

Re:

[walt-sjc (145127)]

ISP's did not create the un-authenticated, anonymous SMTP protocol that was designed back in the kinder and gentler early days of the net.

Now I will blame ISP's and other mail server operators for not taking a very strong stance and mandate that mail servers behave correctly, such as working forward and reverse DNS, correct HELO/EHLO arguments, etc. Hell, just rejecting mail from poorly setup mail servers alone would go a LONG way towards cutting spam down with ZERO impact on server load, and legit mail.

Re:

[kchrist (938224)]

You obviously have no idea what the reality of this is like but I'll try anyway.

We absolutely did shut down the users sending the spam, but the largest offenders didn't care, because they weren't legitimate customers; they were large-scale spammers creating literally dozens of spam accounts daily, using stolen credit cards. Surely you've heard the expression "whack-a-mole"? That's what we were playing and the deck is stacked against us in a situation like this. These particular spammers were almost exclusiv

Re:

[TheSkyIsPurple (901118)]

> That may have been back when you worked there, but it's quite obvious that it's not the case now.

You just say they don't do the blocking... you don't assert in any fashion how they benefit from it.
There's a vast difference between an ISP who can't be bothered to block traffic, and one who is in collusion with the spammers.

I personally hate that my ISP blocks port 25 outbound. I wish they did something more intelligent like tracking spam complaints back to the subscriber and blocking port 25 for those

Re:

[walt-sjc (145127)]

Yeah, I used to subscribe to that belief, but the spam problem needs drastic action to deal with. The FACT is that many ISPs already block port 25 and "manage" traffic to a certain extent already, and are still "common carrier's."

Re:

[1u3hr (530656)]

If you start to ask them to filter one specific thing then it means they are taking away their impartiality.

ISPs have terms of service. Many will take your site down if you host MP3s, warez, or porn (obviously, others are quite happy for you to do so). Many have broad language saying you're basically not allowed to be a "server". Which if strictly enforced, would stop you doing almost everything.

Re:

[Anonymous Coward]

ISP's are not common carriers and never have been. When will this myth die!?!

Re:

[dagoalieman (198402)]

Interesting.. not that many comments, and three responses saying "I'm a decent sized ISP employee, and while we don't respond, we at least look into each complaint." I can only hope so.

While reading over this article and thinking, I came up with another interesting idea. I have recently registered a domain which I'm sure is ripe for joe jobs [wikipedia.org]. It is basically a private image hosting service. Flickr-esque in nature, but... just for my friends to upload, world to see.

Because of this privilege, and other

Re:

[MollyB (162595)]

If you look at the new doo-hickey at the top of the comments (where you can move sliders for full, abbreviated, and hidden message preference) you'll see a low contrast (blue on gray on my plain vanilla Firefox/Ubuntu setup) menu. Reply (to article) is on the far right side. HTH.

Re:

[AlHunt (982887)]

>and I doubt the people who are complaining about no response are going to look any more favorably on an automatic response.

Sure they would - at least it's an acknowledgment. Send the auto reply.

Personally, I use a whitelisted acct for people I really want to hear from. The rest I let yahoo or hotmail filter out the spam and change the address if it starts to get spammy.