ISP wants to stop outgoing web based spam

Back in 2002 I asked if anyone had a solution to block or rate limit
outgoing web based spam. Nothing came about from that thread. I have an
ISP that *wants* to stop the outgoing spam on an automatic basis and be
a good netizen. I would have hoped that 4 years later there would be
some technical solution from some hungry startup. Perhaps I have missed
it. What I have found so far is:

Detecting Outgoing Spam and Mail Bombing
http://www.brettglass.com/spam/paper.html
SMTP-based mitigation - nothing on HTTP/HTTPS

Stopping Outgoing Spam
http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
Research paper - nothing practical

Throttling Outgoing SPAM for Webmail Services
http://www.ceas.cc/papers-2005/164.pdf
Research paper - nothing practical

ISPs look inward to stop spam - Network World
http://www.networkworld.com/news/2004/071204carrispspam.html
Bottom line - no solution

So I am trying once again. Hopefully someone has some magic dust
this time around.

Thanks,
Hank Nussbacher
http://www.interall.co.il

Hello Hank:

> Back in 2002 I asked if anyone had a solution to block or rate limit
> outgoing web based spam. Nothing came about from that thread. I have an
> ISP that wants to stop the outgoing spam on an automatic basis and be
> a good netizen. I would have hoped that 4 years later there would be
> some technical solution from some hungry startup. Perhaps I have missed
> it. What I have found so far is:
>
> Detecting Outgoing Spam and Mail Bombing
> http://www.brettglass.com/spam/paper.html
> SMTP-based mitigation - nothing on HTTP/HTTPS
>
> Stopping Outgoing Spam
> http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
> Research paper - nothing practical
>
> Throttling Outgoing SPAM for Webmail Services
> http://www.ceas.cc/papers-2005/164.pdf
> Research paper - nothing practical
>
> ISPs look inward to stop spam - Network World
> http://www.networkworld.com/news/2004/071204carrispspam.html
> Bottom line - no solution
>
> So I am trying once again. Hopefully someone has some magic dust
> this time around.
>
> Thanks,
> Hank Nussbacher
> http://www.interall.co.il

My answer is based on the word “startup” so I’m assuming “no money” but I
could be “wrong”. :) We use the standard SpamAssassin, ClamAV setup both
on ingress and egress. On egress we set the detection levels and divert and
save anything that is marked as Spam rather than sending it on with headers
and subject modifications.

We’ve found this to be very effective in reducing our scores with Comcast
and AOL in particular and it’s pretty much stopped our being blocked by
those services, even using a fairly loose setting for SpamAssassin. As a
service provider that forwards tons of mail to addresses on those networks
(previously un-scanned so we forwarded everything, including Spam) we’ve
found it essential to put these filters in place to guarantee (as much as
anyone can) service for our email customers.

Regards,

Mike

[..]

> My answer is based on the word "startup" so I'm assuming "no money"
> but I could be "wrong". :) We use the standard SpamAssassin, ClamAV
> setup both on ingress and egress.

Currently the trend seems to be to send images containing the advert.
Though there is an OCR plugin for SA, it doesn't seem to be very
effective as one can rotate the text by 1% or use a silly font or some
colors to easily evade it. Does anybody have a better plugin to solve that
part?

Greets,
Jeroen

> We use the standard SpamAssassin, ClamAV setup both on
> ingress and egress. On egress we set the detection levels
> and divert and save anything that is marked as Spam rather
> than sending it on with headers and subject modifications.

I would let any ISP I use make this mistake once. After that the
individuals responsible would be up on ECPA charges.

I've had a situation in the past that required this same application. I ended up using amavisd-new with custom views for incoming and outgoing mail. For spam originating from inside, it was dropped completely; for spam originating from the outside, the subject was rewritten.

Hope this helps.
-Michael
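An amavisd-new policy-bank configuration, added here as an illustration and not taken from Mike's or Michael's actual setups, that splits inbound and outbound handling the way the two messages above describe: inbound spam is tagged and delivered, outbound spam is quarantined and never sent on. The submission port 10026, the customer network range, the score thresholds and the quarantine and abuse addresses are assumptions.

```perl
# Added example for amavisd-new 2.x (not from the thread). Values marked
# "assumed" are illustrative placeholders.

# Customer networks; mail arriving from them is treated as outbound.
@mynetworks = qw( 127.0.0.0/8 [::1] 192.0.2.0/24 );   # assumed ranges

# Inbound mail (default policy, MTA feeds it on the usual port 10024):
# spam is still delivered, only marked so recipients can filter on it.
$sa_tag_level_deflt  = 2.0;            # add X-Spam-* headers from this score
$sa_tag2_level_deflt = 6.2;            # rewrite subject from this score
$sa_kill_level_deflt = 6.2;            # score at which $final_spam_destiny applies
$sa_spam_subject_tag = '***SPAM*** ';  # subject prefix for inbound spam
$final_spam_destiny  = D_PASS;         # inbound: deliver despite spam verdict

# Outbound mail: the MTA hands customer submissions to amavisd on a
# second listener (port 10026 assumed) which selects the ORIGINATING bank.
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,                    # mail was submitted by our own users
  # Looser than inbound so ordinary customer mail is not stopped;
  # only clearly spammy output hits the kill level.
  sa_kill_level_deflt => 8.0,
  # Same value as the kill level: nothing is ever sent out carrying a
  # spam tag, it either leaves clean or does not leave at all.
  sa_tag2_level_deflt => 8.0,
  # Do not forward outbound spam and do not bounce it (bounces to forged
  # senders would only create backscatter); keep a copy for the abuse desk.
  final_spam_destiny  => D_DISCARD,
  spam_quarantine_to  => 'outbound-spam-quarantine',  # assumed quarantine name
  spam_admin_maps     => ['abuse@example.com'],       # placeholder address
  warnspamsender      => 0,            # no notice to the (possibly forged) sender
};

1;  # amavisd.conf must end with a true value
```

The quarantine plus the spam_admin notification gives the abuse desk the source address of every dropped message, which is the information needed to act on a compromised or abusive customer before external blocklists do.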

> I've had a situation in the past that required this same application. I ended up using amavisd-new with custom views for incoming and outgoing mail. For spam originating from inside, it was dropped completely; for spam originating from the outside, the subject was rewritten.

This is just an SMTP solution and has no applicability to the problem at hand.

Thanks anyway,
Hank Nussbacher
http://www.interall.co.il

> I've had a situation in the past that required this same application.
> I ended up using amavisd-new with custom views for incoming and outgoing
> mail. For spam originating from inside, it was dropped completely; for
> spam originating from the outside, the subject was rewritten.

Can you elaborate on the situation off-list? It seems to me that
stopping outbound webmail spam is something that would not be
profitable for an ISP. I am wondering what the ISP's motivation is to
solve this problem.

Regards,
Ken

> > I've had a situation in the past that required this same application.
> > I ended up using amavisd-new with custom views for incoming and outgoing
> > mail. For spam originating from inside, it was dropped completely; for
> > spam originating from the outside, the subject was rewritten.
>
> Can you elaborate on the situation off-list? It seems to me that
> stopping outbound webmail spam is something that would not be
> profitable for an ISP. I am wondering what the ISP's motivation is to
> solve this problem.

I'll answer on-list since this answer can benefit others. The primary reason that the ISP wants to block outbound webmail spam is because the 100s of BLs on the Internet end up blocking large segments of the IP space due to spam reporting by end users. The spammer can end up "burning" quite a few IPs before the feedback loop of user->spam report->BL->ISP->block is completed. Therefore the ISP wants to be proactive and shut off the spam before it even starts. Even if it means losing revenue.

Hank Nussbacher
http://www.interall.co.il

This seems to imply that you're using dynamic addressing.

The rather obvious solution would seem to be that you provide static addressing. It also makes it rather easier to identify the spammer when the complaints come in since you won't need to grovel through your RADIUS logs.

> > I'll answer on-list since this answer can benefit others. The primary reason that the ISP wants to block outbound webmail spam is because the 100s of BLs on the Internet end up blocking large segments of the IP space due to spam reporting by end users. The spammer can end up "burning" quite a few IPs before the feedback loop of user->spam report->BL->ISP->block is completed. Therefore the ISP wants to be proactive and shut off the spam before it even starts. Even if it means losing revenue.
>
> This seems to imply that you're using dynamic addressing.

Not in the least. Every downstream customer is assigned a small range of static IPs. Some get 8 IPs. Over the course of a month, the spammer would walk into the cybercafe and "burn" a different IP each time until every PC in the small cybercafe would be non-functional. And we have gone through all the administrative ideas for combating this. No need to review that. Been there. Done that. Lots of times. If you have some technological solution - then please post so all can benefit. If you have nice ideas, or thoughts, please spare the N:I ratio and end this thread.

-Hank Nussbacher
http://www.interall.co.il

* Hank Nussbacher:

> Back in 2002 I asked if anyone had a solution to block or rate limit
> outgoing web based spam.

What is web-based spam? Comment spam? Wiki defacements? Or do you
want to stop spam sent via web mailers? That's their job. They know
more about their customers than you, and quite a few of them use HTTPS
anyway.

If Yahoo hasn't got rate limits on their "I've got a new email
address" feature, for example, they need to fix it, not you or anybody
else.

That pretty much sums it up. Lose a little bit of revenue versus causing a service outage and losing a lot of revenue.

-M

The big boys know what to do. The smaller ones like walla.co.il, jumpy.it and mail.ru to name just 3 out of about 300 I have seen, do not have all those bells and whistles and therefore, in order to protect an ISP's IP address space from getting burned by spammers, the ISP has to take proactive measures.

-Hank Nussbacher
http://www.interall.co.il

* Hank Nussbacher:

> Please show me which virus scanner scans html pages for the words like
> V I A G R A, or Free M O R T G A G E, as it is going outbound.

I assumed your Internet cafe example was the concrete scenario you
were trying to address. There are quite a few scanners which contain
signatures for spam-sending software, but it might be necessary to
roll your own stuff. In that scenario, it's simply more effective to
look for the software (and accompanying anomalies) than for some web
application traffic.

> The big boys know what to do. The smaller ones like walla.co.il,
> jumpy.it and mail.ru to name just 3 out of about 300 I have seen, do
> not have all those bells and whistles and therefore, in order to
> protect an ISP's IP address space from getting burned by spammers,
> the ISP has to take proactive measures.

I still don't understand why you think this has to be solved at the
network level, specifically targeting web-based email services.

There are two hugely different scenarios:

  1. Spammers buy your Internet service and use it to send spam.

  2. Regular customers catch some piece of malware and their computers
     send spam.

In the first case, you get rid of the customers (possibly involving
law enforcement because many of the advertised products and services
are illegal). In the second case, you need a general anti-malware
strategy, and webmailers are the least of your problems.

> I assumed your Internet cafe example was the concrete scenario you
> were trying to address. There are quite a few scanners which contain

Not only. Just used as an example so everyone can be on the same page.

> There are two hugely different scenarios:
>
> 1. Spammers buy your Internet service and use it to send spam.
>
> 2. Regular customers catch some piece of malware and their computers
>    send spam.
>
> In the first case, you get rid of the customers (possibly involving
> law enforcement because many of the advertised products and services
> are illegal). In the second case, you need a general anti-malware
> strategy, and webmailers are the least of your problems.

From an anti-spam standpoint, the two cases above are one and the same.

I want to BLOCK outgoing spam. For case #2, the regular customer will have their http blocked until they clean their computer in regards to malware-spitting-spam. For case #1, the spammer will be blocked from sending spam and will go elsewhere. Law enforcement is not an option since in many third world countries where this takes place, spam is the least of LEO worries.

-Hank Nussbacher
http://www.interall.co.il