Is There Any Reason to Report Spammers to ISPs?
marko_ramius asks: "For years I've been a good netizen and reported spam that I get to the appropriate contacts at various ISPs. In the entire time that I've done this I've gotten (maybe) 5 or 6 responses from those ISPs informing me that they have taken action against the spammer. In recent years, however, I haven't gotten any responses. Are the ISPs so overwhelmed with abuse reports that they aren't able to respond to the spam reports? Do they even bother acting on said reports? Is there any real reason to report spammers?"
Reporting helps, keep doing it (Score:5, Interesting)
Often, just counting against a mailhost for eventual blockage and upline reporting... but it helped block spam from other people (and more spam to yourself) at the least.
Re:Yes (Score:1, Interesting)
Not at all! (Score:5, Interesting)
Provided that there is clear proof (and not just someone's report) that a customer is a spammer, they would have two options:
1. filter out their outgoing SMTP traffic or
2. shut down the link
Spammers then would probably change ISP in a snap.
The real (technical) point should be: why do spammers exist? One answer could be "because SMTP has not been designed to cope with authentication and authorisation."
Maybe it's important to look at problems from the correct perspective.
Re:Dont bother - they're in on the racket (Score:5, Interesting)
ISPs could also install sniffers to watch the rate of outbound off-network port 25 SYN packets, and investigate unusual activity. Oh and don't go saying that this is difficult - just talk to AT&T and the government - they have been sniffing ALL traffic.
But it's VERY VERY rare to find an ISP that does ANYTHING AT ALL to stop outbound spam. Oh sure, they are perfectly willing to install blacklists and filters on inbound, but outbound? Nothing. They don't care. The only way to fix this is to make habitual offenders be financially liable. ISPs also need to make end users liable and start enforcing their TOS, disconnecting grannie and her POS Windows box that has no firewall, anti-virus, and is running spambot software.
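The outbound port 25 SYN-rate monitoring suggested in the comment above, sketched as an added example that is not part of the thread. The flow-record format, the on-network prefix, the window and the threshold are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumptions, not from the thread: the ISP's address space, window and threshold.
ON_NET = [ipaddress.ip_network("192.0.2.0/24")]
WINDOW_S = 60    # sliding window, seconds
THRESHOLD = 5    # off-network port 25 SYNs tolerated per window

def is_on_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ON_NET)

def flag_smtp_talkers(lines):
    """Return {customer_ip: peak SYN count} for sources that exceed THRESHOLD.

    Each line is '<epoch> <src> <dst> <dport> <tcp-flags>', time-ordered per source.
    """
    recent = defaultdict(deque)   # src -> timestamps of qualifying SYNs
    peaks = {}
    for line in lines:
        ts, src, dst, dport, flags = line.split()
        ts = float(ts)
        # Count only new connection attempts (bare SYN) to port 25 ...
        if dport != "25" or flags != "S":
            continue
        # ... from a customer address to a host outside the network.
        if not is_on_net(src) or is_on_net(dst):
            continue
        window = recent[src]
        window.append(ts)
        while ts - window[0] > WINDOW_S:
            window.popleft()
        if len(window) > THRESHOLD:
            peaks[src] = max(peaks.get(src, 0), len(window))
    return peaks

# Constructed sample flows (documentation address ranges), not real traffic.
SAMPLE = (
    # A customer mail server: three deliveries in a minute, stays under the threshold.
    [f"{t} 192.0.2.10 198.51.100.5 25 S" for t in (0, 20, 40)]
    # A client relaying through the ISP's own smarthost: on-network, ignored.
    + [f"{t} 192.0.2.50 192.0.2.25 25 S" for t in range(30)]
    # Web traffic and a SYN-ACK: wrong port or not a new connection attempt.
    + ["5 192.0.2.77 198.51.100.9 443 S", "6 192.0.2.77 198.51.100.9 25 SA"]
    # One host opening SMTP connections to 20 different outside hosts in 20 seconds.
    + [f"{t} 192.0.2.77 203.0.113.{t + 1} 25 S" for t in range(20)]
)

if __name__ == "__main__":
    for ip, peak in flag_smtp_talkers(SAMPLE).items():
        print(f"investigate {ip}: {peak} off-network SMTP SYNs within {WINDOW_S}s")
```

A flagged address is a lead for the abuse desk to investigate, not proof of infection; a legitimate customer mail server with bursty traffic would need an allowlist entry or a higher threshold.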
Re:Yes (Score:3, Interesting)
Re:Dont bother - they're in on the racket (Score:3, Interesting)
The problem with your situation is that the same customers that complain about the spam that comes in rely on Port 25 to allow their users access to company servers. It's too much to ask of these people to change the mail server on the sending machine - they'll just scoff at you.
Some of the smarter ones use another port to get around these types of issues but even then, it sometimes causes problems. Ignorance is bliss.
Re:Dont bother - they're in on the racket (Score:2, Interesting)
and believe me, they took spam seriously...
not just for reasons of stopping spam, and credibility, but for profit.
See, we'd give them 2 chances. If they got reported for spamming, we'd give them a call and tell them what's going on and ask them nicely to please fix it. If it's a suspected botnet, get a PC tech; if it's a spammer (it's happened), then stop your freakin' spam.
If they got reported again, accounts get suspended. Give them another call, explain the situation again, and advise them that they need to cease their spam immediately (for deliberate spamming) or get their PC checked by a PC tech (botnet style). The account would NOT be unsuspended until they could guarantee us that they had remedied the situation. At this point we'd advise them that if we get another spam report they would be charged $5 PER EMAIL for spam sent.
If spam happens again, account is suspended again, an invoice generated and sent to the customer for the spam, and this - we'd wait for their call.
No, I strongly disagree... (Score:4, Interesting)
What ISPs should do is to identify nodes which have actually been infected by a botnet (or are otherwise sending spam/malware) and nuke them in accord with every ISP TOS out there. But, that would be more work, and cut into their revenues, so they don't want to do that.
I run a firewall (iptables), run up-to-date malware scanners, and take responsibility for what leaves my network. If my security is ineffective, and one of my machines starts spewing spam, I should be cut off and held responsible. But, I should not be penalized or limited because of the actions of others.
Finally, it should be obvious that port blocking, refusing acceptance of smtp connections originating from dynamic IPs, etc. simply hasn't been effective against spam. Spam continues to increase, and will continue to do so until action is taken closer to the root causes - networks start going after originating machines, law enforcement start going after businesses using spam (and, of course, instituting a death penalty for anyone caught purchasing any product from a spammer).
Spammers from The Planet (Score:3, Interesting)
Only after doing an end-run around the abuse department did I see some *real* action taken on behalf of The Planet. Previously all they seem to have done was move the customer to a different IP address, which would have been very counter-productive had I just kept blocking the original IP address.
Re:Not at all! (Score:3, Interesting)
Comment removed (Score:3, Interesting)
What about spam@uce.gov ? (Score:3, Interesting)
Reporting botnet spam (Score:2, Interesting)
I am reporting some of the spam I get, but not most of it. Mainly spam sent by advertisers in my country. Some of it is sent by spammers that tend to use the same ISP and I don't see that the ISPs are doing anything against these spammers. I use SpamCop to report, both because it's easier for me, and because I believe it is a better service to the receiving abuse desk that gets a reliable report. This is one thing I would like to hear more about: how helpful are SpamCop reports, and do abuse desks use the tools SpamCop provides for them.
Then there are botnet spammers. I am following one such spammer. Reporting seems pointless but I was glad to see the parent post and several others that indicate that sometimes the info is used to help a customer clean their PC. However, I am interested in another aspect: I have a list of several hundred IP addresses this spammer has used to send email that are scattered all around the world. It seems to suggest use of a botnet, but I have no positive evidence that any of these IP addresses represents an infected PC. There might be another explanation, such as they are using open relays/proxies, but it seems most of these IP addresses are not listed as open relays/proxies at the time of reporting, and they are almost all identifiable in consumer dynamic IP ranges. So I would really like to somehow get a positive reply from an ISP that can actually say "yes, we identified that this is a hijacked PC and we detected it spewing out tons of spam similar to the one you reported.". I have the spammer's cellphone number and list of clients, collection of hundreds of spam messages sent from different IP addresses and all with forged sender credentials, but the missing part is actually being able to tell that one of these hundreds of IP addresses has been positively detected to be hijacked and controlled by the spammer. I also tried several times to contact owners of domains forged in headers to get an actual response saying they did not agree to their identity being used and never got a response, but at least I know one blogger that complained about his own identity being forged by this spammer (and he complained to the police but AFAIK nothing much happened).
Finally, I promised in the first sentence that the best part would come in the end, and that is why I would want to follow this one spammer. Well, it looks like a botnet operator, but the real story is the sort of clients that hire the botnet operator to use a botnet to send spam with forged identities on their behalf. Almost none of them were close to what you would associate with spam, such as illegal pharmacies, gambling, porn etc. The sort of clients they do serve are companies selling real products or services. They also got several colleges (the sort that gives real bachelor's degree that is accepted by graduate schools). They got a stock broker and a financial investment company owned by a multi-billion-dollar corporation. They got a big telemarketer as a client, and interestingly at the same time they worked with this client they started offering "targeted mailings". And last week they finally got the biggest client: ME. Not that I ordered any job by them. My government hired them. I pay taxes. So it's my money they got paid to use their botnet to send me spam offering me loans from my government if I am a small business. It's an Israeli spammer, operating openly in Israel, with even the government as a client, and selling the services of a network of hijacked PCs all around the world (USA, China, Germany, France, Spain, Russia, Argentina, Brazil, and many more countries that I have on record). This kind of thing must be stopped!