ISP wants to stop outgoing web based spam
Back in 2002 I asked if anyone had a solution to block or rate limit outgoing web based spam. Nothing came about from that thread. I have an ISP that *wants* to stop the outgoing spam on an automatic basis and be a good netizen. I would have hoped that 4 years later there would be some technical solution from some hungry startup. Perhaps I have missed it. What I have found so far is:

Detecting Outgoing Spam and Mail Bombing
http://www.brettglass.com/spam/paper.html
SMTP based mitigation - thing on HTTP/HTTPS

Stopping Outgoing Spam
http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
Research paper - nothing practical

Throttling Outgoing SPAM for Webmail Services
http://www.ceas.cc/papers-2005/164.pdf
Research paper - nothing practical

ISPs look inward to stop spam - Network World
http://www.networkworld.com/news/2004/071204carrispspam.html
Bottom line - no solution

So I am trying once again. Hopefully someone has some magic dust this time around.

Thanks,
Hank Nussbacher
http://www.interall.co.il

Hello Hank:

On 8/9/06 3:28 AM, "Hank Nussbacher" <hank@efes.iucc.ac.il> wrote:
> Back in 2002 I asked if anyone had a solution to block or rate limit outgoing web based spam. Nothing came about from that thread. I have an ISP that *wants* to stop the outgoing spam on an automatic basis and be a good netizen. I would have hoped that 4 years later there would be some technical solution from some hungry startup. Perhaps I have missed it. What I have found so far is:
>
> Detecting Outgoing Spam and Mail Bombing
> http://www.brettglass.com/spam/paper.html
> SMTP based mitigation - thing on HTTP/HTTPS
>
> Stopping Outgoing Spam
> http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
> Research paper - nothing practical
>
> Throttling Outgoing SPAM for Webmail Services
> http://www.ceas.cc/papers-2005/164.pdf
> Research paper - nothing practical
>
> ISPs look inward to stop spam - Network World
> http://www.networkworld.com/news/2004/071204carrispspam.html
> Bottom line - no solution
>
> So I am trying once again. Hopefully someone has some magic dust this time around.
>
> Thanks, Hank Nussbacher http://www.interall.co.il

My answer is based on the word "startup" so I'm assuming "no money" but I could be "wrong". :-)

We use the standard SpamAssassin, ClamAV setup both on ingress and egress. On egress we set the detection levels and divert and save anything that is marked as Spam rather than sending it on with headers and subject modifications. We've found this to be very effective in reducing our scores with Comcast and AOL in particular and it's pretty much stopped our being blocked by those services, even using a fairly loose setting for SpamAssassin.

As a service provider that forwards tons of mail to addresses on those networks (previously un-scanned so we forwarded everything, including Spam) we've found it essential to put these filters in place to guarantee (as much as anyone can) service for our email customers.

Regards,
Mike

On Wed, 2006-08-09 at 06:11 -0700, Michael K. Smith - Adhost wrote:
[..]
> My answer is based on the word "startup" so I'm assuming "no money" but I could be "wrong". :-) We use the standard SpamAssassin, ClamAV setup both on ingress and egress.

Currently the trend seems to be to send images containing the advert. Though there is an OCR plugin for SA, it doesn't seem to be very effective as one can rotate the text by 1% or use a silly font or some colors to easily evade it. Anybody has a better plugin to solve that part?

Greets,
Jeroen

Michael> We use the standard SpamAssassin, ClamAV setup both on
Michael> ingress and egress. On egress we set the detection levels
Michael> and divert and save anything that is marked as Spam rather
Michael> than sending it on with headers and subject modifications.

I would let any ISP I use make this mistake once. After that the individuals responsible would be up on ECPA charges.

I've had a situation in the past that required this same application. I ended up using amavisd-new with custom views for incoming and outgoing mail. For spam originating from inside, it was dropped completely, for spam originating from the outside, subject was rewritten.

Hope this helps.
-Michael

--
Michael Nicks
Network Engineer
KanREN
e: mtnicks@kanren.net
o: +1-785-856-9800 x221
m: +1-913-378-6516

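The inbound/outbound split described in the message above, sketched as an amavisd.conf fragment. This is an added example, not configuration from the poster's site; it assumes "custom views" corresponds to amavisd-new policy banks, and the domain and networks are constructed samples.

```perl
# Fragment of amavisd.conf (amavisd-new is configured in Perl).
# Added illustration: the use of policy banks is an assumption, and the
# domain and networks below are constructed sample values.
use strict;

$mydomain = 'example.net';                           # sample domain
@local_domains_maps = ( [".$mydomain"] );            # recipients treated as local
@mynetworks = qw( 127.0.0.0/8 [::1] 192.0.2.0/24 );  # sample customer space

# Score thresholds, shared by both directions.
$sa_tag_level_deflt  = -999;  # always add X-Spam-* headers for local recipients
$sa_tag2_level_deflt = 5.0;   # at or above this score the message counts as spam
$sa_kill_level_deflt = 5.0;   # at or above this score final_spam_destiny applies

# Inbound view (the default): deliver, but mark the Subject line.
$sa_spam_subject_tag = '***SPAM*** ';
$final_spam_destiny  = D_PASS;

# Outbound view: clients connecting from @mynetworks load the MYNETS bank.
$policy_bank{'MYNETS'} = {
  originating        => 1,          # mail submitted by our own customers
  final_spam_destiny => D_DISCARD,  # accept from the client, do not relay
};

# A discarded message is still written to the spam quarantine when one is
# configured, so outbound hits are diverted and kept rather than lost.
# Only SMTP submissions pass through amavisd; webmail sent over HTTP/HTTPS
# to a third-party site never reaches this filter.

1;  # amavisd.conf must end with a true value
```
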
At 04:02 PM 09-08-06 -0500, Michael Nicks wrote:
> I've had a situation in the past that required this same application. I ended up using amavisd-new with custom views for incoming and outgoing mail. For spam originating from inside, it was dropped completely, for spam originating from the outside, subject was rewritten.

This is just an SMTP solution and has no applicability to the problem at hand.

Thanks anyway,
Hank Nussbacher
http://www.interall.co.il

> I've had a situation in the past that required this same application. I ended up using amavisd-new with custom views for incoming and outgoing mail. For spam originating from inside, it was dropped completely, for spam originating from the outside, subject was rewritten.

Can you elaborate on the situation off-list? It seems to me that stopping outbound webmail spam is something that would not be profitable for an ISP. I am wondering what the ISP's motivation is to solve this problem.

Regards,
Ken

--
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
--
Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741

On Thu, 10 Aug 2006, Ken Simpson wrote:
>> I've had a situation in the past that required this same application. I ended up using amavisd-new with custom views for incoming and outgoing mail. For spam originating from inside, it was dropped completely, for spam originating from the outside, subject was rewritten.
>
> Can you elaborate on the situation off-list? It seems to me that stopping outbound webmail spam is something that would not be profitable for an ISP. I am wondering what the ISP's motivation is to solve this problem.

I'll answer on-list since this answer can benefit others. The primary reason that the ISP wants to block outbound webmail spam is because the 100s of BLs on the Internet end up blocking large segments of the IP space due to spam reporting by end users. The spammer can end up "burning" quite a few IPs before the feedback loop of user->spam report->BL->ISP->block is completed. Therefore the ISP wants to be proactive and shut off the spam before it even starts. Even if it means losing revenue.

Hank Nussbacher
http://www.interall.co.il

On 10 Aug 2006, at 19:12, Hank Nussbacher wrote:
> I'll answer on-list since this answer can benefit others. The primary reason that the ISP wants to block outbound webmail spam is because the 100s of BLs on the Internet end up blocking large segments of the IP space due to spam reporting by end users. The spammer can end up "burning" quite a few IPs before the feedback loop of user->spam report->BL->ISP->block is completed. Therefore the ISP wants to be proactive and shut off the spam before it even starts. Even if it means losing revenue.

This seems to imply that you're using dynamic addressing. The rather obvious solution would seem to be that you provide static addressing. It also makes it rather easier to identify the spammer when the complaints come in since you won't need to grovel through your RADIUS logs.

On Thu, 10 Aug 2006, Peter Corlett wrote:
> On 10 Aug 2006, at 19:12, Hank Nussbacher wrote:
>> I'll answer on-list since this answer can benefit others. The primary reason that the ISP wants to block outbound webmail spam is because the 100s of BLs on the Internet end up blocking large segments of the IP space due to spam reporting by end users. The spammer can end up "burning" quite a few IPs before the feedback loop of user->spam report->BL->ISP->block is completed. Therefore the ISP wants to be proactive and shut off the spam before it even starts. Even if it means losing revenue.
>
> This seems to imply that you're using dynamic addressing.

Not in the least. Every downstream customer is assigned a small range of static IPs. Some get 8 IPs. Over the course of a month, the spammer would walk into the cybercafe and "burn" a different IP each time until every PC in the small cybercafe would be non-functional.

And we have gone through all the administrative ideas for combating this. No need to review that. Been there. Done that. Lots of times.

If you have some technological solution - then please post so all can benefit. If you have nice ideas, or thoughts, please spare the N:I ratio and end this thread.

-Hank Nussbacher
http://www.interall.co.il

That pretty much sums it up. Lose a little bit of revenue versus causing a service outage and losing a lot of revenue.

-M

--
Michael Nicks
Network Engineer
KanREN
e: mtnicks@kanren.net
o: +1-785-856-9800 x221
m: +1-913-378-6516

* Hank Nussbacher:
> Back in 2002 I asked if anyone had a solution to block or rate limit outgoing web based spam.

What is web-based spam? Comment spam? Wiki defacements?

Or do you want to stop spam sent via web mailers? That's their job. They know more about their customers than you, and quite a few of them use HTTPS anyway.

If Yahoo hasn't got rate limits on their "I've got a new email address" feature, for example, they need to fix it, not you or anybody else.

On Thu, 10 Aug 2006, Florian Weimer wrote:
>> Back in 2002 I asked if anyone had a solution to block or rate limit outgoing web based spam.
>
> What is web-based spam? Comment spam? Wiki defacements? Or do you want to stop spam sent via web mailers? That's their job. They know more about their customers than you, and quite a few of them use HTTPS anyway.
>
> If Yahoo hasn't got rate limits on their "I've got a new email address" feature, for example, they need to fix it, not you or anybody else.

The big boys know what to do. The smaller ones like walla.co.il, jumpy.it and mail.ru to name just 3 out of about 300 I have seen, do not have all those bells and whistles and therefore, in order to protect an ISP's IP address space from not getting burned by spammers, the ISP has to take proactive measures.

-Hank Nussbacher
http://www.interall.co.il

* Hank Nussbacher:
> Please show me which virus scanner scans html pages for the words like V I A G R A, or Free M O R T G A G E, as it is going outbound.

I assumed your Internet cafe example was the concrete scenario you were trying to address. There are quite a few scanners which contain signatures for spam-sending software, but it might be necessary to roll your own stuff. In that scenario, it's simply more effective to look for the software (and accompanying anomalies) than for some web application traffic.

> The big boys know what to do. The smaller ones like walla.co.il, jumpy.it and mail.ru to name just 3 out of about 300 I have seen, do not have all those bells and whistles and therefore, in order to protect an ISPs IP address space from not getting burned by spammers, the ISP has to take proactive measures.

I still don't understand why you think this has to be solved at the network level, specifically targeting web-based email services.

There are two hugely different scenarios:

1. Spammers buy your Internet service and use it to send spam.
2. Regular customers catch some piece of malware and their computers send spam.

In the first case, you get rid of the customers (possibly involving law enforcement because many of the advertised products and services are illegal). In the second case, you need a general anti-malware strategy, and webmailers are the least of your problems.

On Fri, 11 Aug 2006, Florian Weimer wrote:
> I assumed your Internet cafe example was the concrete scenario you were trying to address. There are quite a few scanners which contain

Not only. Just used as an example so everyone can be on the same page.

> There are two hugely different scenarios:
>
> 1. Spammers buy your Internet service and use it to send spam.
> 2. Regular customers catch some piece of malware and their computers send spam.
>
> In the first case, you get rid of the customers (possibly involving law enforcement because many of the advertised products and services are illegal). In the second case, you need a general anti-malware strategy, and webmailers are the least of your problems.

From an anti-spam standpoint, the two cases above are one and the same. I want to BLOCK outgoing spam. For case #2, the regular customer will have their http blocked until they clean their computer in regards to malware-spitting-spam. For case #1, the spammer will be blocked from sending spam and will go elsewhere. Law enforcement is not an option since in many third world countries where this takes place, spam is the least of LEO worries.

-Hank Nussbacher
http://www.interall.co.il

participants (8): Allan Poindexter, Florian Weimer, Hank Nussbacher, Jeroen Massar, Ken Simpson, Michael K. Smith - Adhost, Michael Nicks, Peter Corlett