Mailing List Archive



Re: [tlug] giving up on email



On Fri, Apr 16, 2004 at 01:13:40AM +0200, David Santinoli wrote:

>BTW, I'm curious to know which Italian networks you filter, if
>it's not classified info. :-)

I could tell you, but then I'd have to kill you ;-)

Seriously, I can't say a lot about what we do and how we do it, because
pretty much the whole lot is considered a trade secret, so I leave
statements of how and what to those whose job it is to talk about those
things.  Mine is just to do those things :-)

I can say that we do not filter any entire networks and do not use any
blacklists other than our own, because:

1) The buck stops with us; if a false positive at the 550 level should
occur, we can't really say "Well, it happened because we were using
XYZ RBL and they were a bit zealous in their blacklisting."  We have to
have direct and immediate control over every IP address in our blacklists,
and the only way to do that is to have our own internal systems for
that;

2) If a rogue ISP rents out 2/3 of its IP space to a spam ring, we will
not filter the other 1/3 that is used by legit customers.  I can think
of at least one such operation, in a mountainous area of the western
United States, well-known for skiing, pro football, a military 
academy, and air defense command and control under a nuke-proof mountain,
that does about that.  This provider has, as far as I can tell, only one
legit downstream, a local DSL provider.  I pity anyone using that DSL
network, because the entire netblock is likely in SPEWS and many other
blacklists.  Every other customer of their upstream is a spammer, and
they take up at least half the IP addresses.

I would like to filter that entire network, but we just filter all the
known bad parts (which are, fortunately, contiguous :-)

I am happy to see that AOL has become very tough in what they will
accept these days.  The spammers must be really hating it.  I remember
how they were five years ago, not only liberal in what they would accept,
but liberal in what they would permit to get out.  Specifically, huge
masses of spam joe-jobbing addresses at my then-employer.  This went
on for months on end, most of a year.  We believe it to be spammer
retaliation because we were highly aggressive at blocking spam even in the
late nineties when that was less common than now.

We tried all kinds of things, even blocking all AOL mail for 24 hours once.
We also had the legal department of our parent company involved, but they
didn't seem to have made much headway either.  The spam just kept getting
pumped out of AOL, and none of it was ever sent to any of our customers;
we only knew it existed because of the often hundreds of joe job spam
complaints we received every day.  The ones from WebTV users were the worst
of all :-p  I eventually concluded that it had to be an inside job by
some rogue AOL staff.  After all, who else could keep sending out
spam like that with such impunity for so long?  We were redirecting
all of the complaints over to abuse@example.com and their answer to that, rather
than get rid of the spammers, was to just refuse mail from us at their
abuse address.  Way to go.  Don't fix the problem, just ignore the
messenger.  That was one of the things that helped me conclude that it had
to be an inside job.

Then, amazingly, one day it just stopped.  The spammers disappeared off the
face of the net.  We never saw another joe-job spam with our domain name
on it.  It was like someone turned a valve.  Or, as I suspected, someone
got fired or arrested, or maybe shot by an irate spam victim :-)

Jonathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys ACC46EF9
Key fingerprint = E52E 8153 8F37 74AF C04D  0714 364F 540E ACC4 6EF9
"Talkin' 'bout my baby, she's some kind of wonderful"
