Is There Any Reason to Report Spammers to ISPs? 117

marko_ramius asks: "For years I've been a good netizen and reported spam that I get to the appropriate contacts at various ISPs. In the entire time that I've done this I've gotten (maybe) 5 or 6 responses from those ISPs informing me that they have taken action against the spammer. In recent years however, I haven't gotten any responses. Are the ISPs so overwhelmed with abuse reports that they aren't able to respond to the spam reports? Do they even bother acting on said reports? Is there any real reason to report spammers?"
This discussion has been archived. No new comments can be posted.

  • by TheSkyIsPurple ( 901118 ) on Sunday April 29, 2007 @03:05AM (#18916759)
    I've worked for a very large ISP, and we never responded to them, but we took action on every single report.

    Often, just counting against a mailhost for eventual blockage and upline reporting... but it helped block spam from other people (and more spam to yourself) at the least.
  • Re:Yes (Score:1, Interesting)

    by Varun Soundararajan ( 744929 ) on Sunday April 29, 2007 @03:23AM (#18916845) Homepage Journal
    One big reason ISPs these days don't look very seriously into such "tips" about spammers is that they end up troubling naive users. Remember that for the past 5-6 years, spammers have used spam bots to send spam. The international rate for an adware/spyware victim computer is even $10 (i.e., you can command a computer to send spam for $10). If you are an average Joe Six-Pack, I'm sure you would have been attacked by spyware several times. Your system in most such cases would be a spam transmitter, doing the rudimentary job of sending spam, attacking other vulnerable computers... yada yada...
  • Not at all! (Score:5, Interesting)

    by VincenzoRomano ( 881055 ) on Sunday April 29, 2007 @04:07AM (#18917003) Homepage Journal
    Spammers run their own MTA or MTAs other than those by the ISP.
    Provided that there is clear proof (and not just someone's report) that a customer is a spammer, they would have two options:
    1. filter out their outgoing SMTP traffic or
    2. shut down the link

    Spammers then would probably change ISP in a snap.
    The real (technical) point should be: why do spammers exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation."
    Maybe it's important to look at problems from the correct perspective.
  • by walt-sjc ( 145127 ) on Sunday April 29, 2007 @06:45AM (#18917575)
    That may have been back when you worked there, but it's quite obvious that it's not the case now. If ISPs gave a shit, they would block outbound port 25 by default for dynamic IP clients (and maybe ALL IPs). That would stop at LEAST 95% of the spam botnets. This works best with a tool to allow you to open the port if needed (running a mail server.) Running a mail server on a dynamic address at this point is futile as a good portion of servers will block you anyway. MUAs should all be configured to use port 587 for authenticated submission.

    ISPs could also install sniffers to watch the rate of outbound off-network port 25 SYN packets, and investigate unusual activity. Oh and don't go saying that this is difficult - just talk to AT&T and the government - they have been sniffing ALL traffic.

    But it's VERY VERY rare to find an ISP that does ANYTHING AT ALL to stop outbound spam. Oh sure, they are perfectly willing to install blacklists and filters on inbound, but outbound? Nothing. They don't care. The only way to fix this is to make habitual offenders be financially liable. ISPs also need to make end users liable and start enforcing their TOS, disconnecting grannie and her POS Windows box that has no firewall, anti-virus, and is running spambot software.
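
An added sketch of the outbound monitoring described in the comment above (not code from the thread or from any ISP): it counts SYNs to off-network port 25 per customer address in a sliding window and skips customers who opted in to running a mail server. The record format, address ranges, opt-in list and threshold are assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict, deque

CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed dynamic customer range
OPTED_IN = {"192.0.2.25"}     # hypothetical: customers who asked for port 25 to be open
WINDOW_SECONDS = 60
MAX_SYNS_PER_WINDOW = 10      # assumed threshold, tune against real traffic

def is_offnet_smtp_syn(rec):
    """True for a bare SYN from a customer address to port 25 outside the network."""
    _, src, dst, dport, flags = rec
    return (dport == 25 and flags == "S"
            and ipaddress.ip_address(src) in CUSTOMER_NET
            and ipaddress.ip_address(dst) not in CUSTOMER_NET)

def find_suspects(records):
    """Return {src_ip: peak SYN count in any window} for sources over the threshold."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    peaks = {}
    for rec in sorted(records):
        ts, src = rec[0], rec[1]
        if src in OPTED_IN or not is_offnet_smtp_syn(rec):
            continue
        window = recent[src]
        window.append(ts)
        while window[0] <= ts - WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_SYNS_PER_WINDOW:
            peaks[src] = max(peaks.get(src, 0), len(window))
    return peaks

# Constructed flow records: (unix_time, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE = (
    [(0, "192.0.2.10", "198.51.100.1", 25, "S"),     # one ordinary delivery
     (30, "192.0.2.10", "198.51.100.1", 587, "S"),   # submission port, ignored
     (40, "192.0.2.66", "192.0.2.25", 25, "S")]      # on-network relay, ignored
    + [(100 + i, "192.0.2.66", f"203.0.113.{i + 1}", 25, "S") for i in range(12)]
    + [(200 + i, "192.0.2.25", f"198.51.100.{i + 1}", 25, "S") for i in range(15)]
)

if __name__ == "__main__":
    for ip, peak in find_suspects(SAMPLE).items():
        print(f"{ip}: {peak} off-network port-25 SYNs within {WINDOW_SECONDS}s")
```

A flagged address is a lead for the abuse desk to investigate, not proof of infection; a sender that stays under the per-window threshold is not caught by this check alone.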
  • Re:Yes (Score:3, Interesting)

    by walt-sjc ( 145127 ) on Sunday April 29, 2007 @06:51AM (#18917599)
    Simple. Pass a law that says that those people are "a danger to national security" and REQUIRE that ISPs take them offline until the problem has been corrected. If they are running a spambot, most likely they are also on someone's DDOS / portscanning network too. Allow (require?) the ISP to charge a service fee for reconnection and verification that their machine is no longer vulnerable (penetration testing.)
  • by WebCrapper ( 667046 ) on Sunday April 29, 2007 @08:16AM (#18917889)
    I worked for a smaller National ISP (MindSpring) and our engineers tried this one day without telling anyone. 2 hours later, Technical Support was being killed by customers complaining that they couldn't send mail to other required sources. After our NOC figured it out, the engineers had to turn things back the way they were and the call Q cleared up.

    The problem with your situation is that the same customers that complain about the spam that comes in rely on Port 25 to allow their users access to company servers. It's too much to ask of these people to change the mail server on the sending machine - they'll just scoff at you.

    Some of the smarter ones use another port to get around these types of issues but even then, it sometimes causes problems. Ignorance is bliss.
  • by .tekrox ( 858002 ) on Sunday April 29, 2007 @09:12AM (#18918125)
    I used to work for an Australian ISP, and believe me, they took spam seriously... not just for reasons of stopping spam, and credibility, but for profit.

    See, we'd give them 2 chances. When they got reported for spamming, we'd give them a call, tell them what's going on and ask them nicely to please fix it. If it's a suspected botnet, get a PC tech; if it's a spammer (it's happened), then stop your freakin' spam.

    If they got reported again, accounts get suspended. Give them another call, explain the situation again, and advise them that they need to cease their spam immediately (for deliberate spamming) or get their PC checked by a PC tech (botnet style). The account would NOT be unsuspended until they could guarantee us that they had remedied the situation. At this point we'd advise them that if we get another spam report they would be charged $5 PER EMAIL for spam sent.

    If spam happens again, account is suspended again, an invoice generated and sent to the customer for the spam, and this - we'd wait for their call.
  • by msauve ( 701917 ) on Sunday April 29, 2007 @10:10AM (#18918425)
    with any sort of port blocking, either inbound or outbound. Unless free and open communications are allowed, they're not an ISP, they're a "web browsing service provider," and they are damaging, not helping, the Internet. Port blocking is anathematic to the purpose of the Internet, it interferes with open peer to peer communications. Port blocking is the equivalent of governmental prior restraint.

    What ISPs should do is to identify nodes which have actually been infected by a botnet (or are otherwise sending spam/malware) and nuke them in accord with every ISP TOS out there. But, that would be more work, and cut into their revenues, so they don't want to do that.

    I run a firewall (iptables), run up-to-date malware scanners, and take responsibility for what leaves my network. If my security is ineffective, and one of my machines starts spewing spam, I should be cut off and held responsible. But, I should not be penalized or limited because of the actions of others.

    Finally, it should be obvious that port blocking, refusing acceptance of smtp connections originating from dynamic IPs, etc. simply hasn't been effective against spam. Spam continues to increase, and will continue to do so until action is taken closer to the root causes - networks start going after originating machines, law enforcement start going after businesses using spam (and, of course, instituting a death penalty for anyone caught purchasing any product from a spammer).
  • by Tinfoil ( 109794 ) on Sunday April 29, 2007 @10:45AM (#18918611) Homepage Journal
    About a year or two ago, I was having serious problems with comment spam, with hundreds a day coming from a single IP address. I banned the IP for 7 days and put various protection schemes in place to prevent further abuse. Once the 7 days was up, there were literally thousands of attempts, but now each one was stopped and logged in an easier to understand format. With this in hand, I looked up the address to find it originated from one of The Planet's customers. Even after sending reports with links to the logfiles, months (and tens of thousands of attempts to spam my comments) went by before I received any response whatsoever. That response was as a direct result of speaking to one of The Planet's higher profile customers who I've worked with in the past to try to get some help in the situation.

    Only after doing an end-run around the abuse department did I see some *real* action taken on behalf of The Planet. Previously all they seem to have done was move the customer to a different IP address, which would have been very counter-productive had I just kept blocking the original IP address.
  • Re:Not at all! (Score:3, Interesting)

    by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Sunday April 29, 2007 @11:09AM (#18918759) Homepage Journal

    There is no need for ANY MUA to use port 25 anymore. ISPs should be blocking port 25 for everyone except mail servers or others that have used the ISP's tool to request that port 25 be open for outbound.
    So what should a residential user do if the only ISP in town that offers anywhere near the bandwidth he wants (that is, it's this or dial-up) has an unreliable MSA? Should all customers in that town have to subscribe both to Internet access (with a bundled unreliable MSA) and a third-party smarthost?
  • by mbone ( 558574 ) on Sunday April 29, 2007 @11:27PM (#18923651)
    I forward spams to spam@uce.gov. I know that someone looks at at least some of these; does anyone know if it actually does any good?
  • by hadaso ( 798794 ) <account@3.14159s ... aso.net minus pi> on Monday April 30, 2007 @05:46PM (#18933657)
    The most interesting facts are at the end of this post. Keep reading...

    I am reporting some of the spam I get, but not most of it. Mainly spam sent by advertisers in my country. Some of it is sent by spammers that tend to use the same ISP and I don't see that the ISPs are doing anything against these spammers. I use SpamCop to report, both because it's easier for me, and because I believe it is better service to the receiving abuse desk that gets a reliable report. This is one thing I would like to hear more about: how helpful are SpamCop reports, and do abuse desks use the tools SpamCop provides for them.

    Then there are botnet spammers. I am following one such spammer. Reporting seems pointless but I was glad to see the parent post and several others that indicate that sometimes the info is used to help a customer clean their PC. However, I am interested in another aspect: I have a list of several hundred IP addresses this spammer has used to send email that are scattered all around the world. It seems to suggest use of a botnet, but I have no positive evidence that any of these IP addresses represents an infected PC. There might be another explanation, such as they are using open relays/proxies, but it seems most of these IP addresses are not listed as open relays/proxies at the time of reporting, and they are almost all identifiable in consumer dynamic IP ranges. So I would really like to somehow get a positive reply from an ISP that can actually say "yes, we identified that this is a hijacked PC and we detected it spewing out tons of spam similar to the one you reported.". I have the spammer's cellphone number and list of clients, collection of hundreds of spam messages sent from different IP addresses and all with forged sender credentials, but the missing part is actually being able to tell that one of these hundreds of IP addresses has been positively detected to be hijacked and controlled by the spammer. I also tried several times to contact owners of domains forged in headers to get an actual response saying they did not agree for their identity being used and never got a response, but at least I know one blogger that complained about his own identity being forged by this spammer (and he complained to the police but AFAIK nothing much happened).

    Finally, I promised in the first sentence that the best part would come at the end, and that is why I would want to follow this one spammer. Well, it looks like a botnet operator, but the real story is the sort of clients that hire the botnet operator to use a botnet to send spam with forged identities on their behalf. Almost none of them were close to what you would associate with spam, such as illegal pharmacies, gambling, porn etc. The sort of clients they do serve are companies selling real products or services. They also got several colleges (the sort that gives real bachelor's degree that is accepted by graduate schools). They got a stock broker and a financial investment company owned by a multi-billion-dollar corporation. They got a big telemarketer as a client, and interestingly at the same time they worked with this client they started offering "targeted mailings". And last week they finally got the biggest client: ME. Not that I ordered any job by them. My government hired them. I pay taxes. So it's my money they got paid to use their botnet to send me spam offering me loans from my government if I am a small business. It's an Israeli spammer, operating openly in Israel, with even the government as a client, and selling the services of a network of hijacked PCs all around the world (USA, China, Germany, France, Spain, Russia, Argentina, Brazil, and many more countries that I have on record). This kind of thing must be stopped!