Spammer Bust

Russ Haynal wrote...

>I had two very similar incidents of PSI not knowing what was going on.
>I've gotten a lot of spam that originated from PSI dialup users but using
>Earthlink as a mail relay; for example, this one:

Recognize that Earthlink is a "national" provider by virtue of the fact
that its customers are allowed to connect through PSI and UUNET POPs (and
other ISPs' POPs?). Just last week I established an Earthlink dial-up
account for one of my relatives. Many of the Earthlink POP phone numbers
turned out to be phone numbers belonging to PSI, UUNET. It was interesting
that the PPP dial-up logon user ID was of the form: "ELN/userid". The
"ELN/" in front of the userid stands for Earthlink Network, so that
PSI/UUNET knows to which ISP to route the particular dial-up user.

I would suggest that your particular Spammer IS an Earthlink User (who
happens to dial in through a PSI POP). In this instance, I guess PSI would
have to be considered "just an innocent carrier" like the local phone
company that also helps the Spammer reach his ISP (Earthlink).

PSI is not exactly an innocent carrier here. There are several reasons.

The reverse DNS identifies the port as PSI. If the port IP address is
exclusive to a reseller, then it should be delegated to the reseller.
If the address is overloaded and could be different resellers at different
times, then PSI forces themselves to be in the loop to identify whose
customer was using it at the time. They better be providing to the customer
(e.g. Earthlink) the list of which users connect when for tracking purposes.

PSI can choose who they do business with. If PSI was reselling to Cyberpromo
then I'd have no qualms about blocking the entirety of PSI. Earthlink may
well be elevated to near Cyberpromo if all of what I hear about continues.
In much the same way as any backbone is called on to drop a smaller ISP that
is regularly spamming, the presence facility provider can drop a presence
reseller if that reseller is causing them problems. So as long as PSI is in
the loop (and they are for overloaded ports or incorrectly delegated reverse
DNS) then it's a problem for PSI and PSI is the one that needs to deal with
at least some aspect of it (many solutions depending on their business

[One alternative thought (and it's a messy one)... Most ISPs can restrict
their mail gateways to accept their customers only, but I wonder if
Earthlink would be able to configure its mail server to prohibit customers
of PSI's and UUNET's dial-up services from using Earthlink's mail server.]

If the addresses are overloaded, then they can't. If so, PSI (and UUNET)
would be introducing more problems. PSI is still in the loop. PSI still
needs to take some action somewhere. It's up to them.

Wouldn't it be easier if everyone quit targeting networks and started
targeting spammers? No...wait...I've a better idea. Let's abolish the
Internet. That'll put an end to these pesky internetworking problems.

Rick Horowitz
Network Administrator
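
The tracking discussed in the thread, where the POP operator records which reseller's user held a shared dial-up address at a given time, sketched as an added example that is not part of the original posts. The log format, addresses, timestamps and user IDs are constructed assumptions; only the "ELN/" login prefix comes from the thread.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed session records from a wholesale dial-up POP, one per line:
# login ID, assigned address, session start, session stop.
# Only the "ELN/" realm prefix comes from the thread; the rest is made up.
SESSION_LOG = """\
ELN/alice 192.0.2.17 2000-01-01T20:00:00 2000-01-01T20:45:00
OTHER/bob 192.0.2.17 2000-01-01T20:50:00 2000-01-01T22:10:00
ELN/carol 192.0.2.18 2000-01-01T20:30:00 2000-01-01T21:30:00
ELN/dave 192.0.2.17 2000-01-01T22:15:00 2000-01-01T23:00:00
"""


def parse_sessions(text):
    """Parse the constructed log format into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        login, addr, start, stop = line.split()
        # A login without a realm prefix is treated as the POP operator's own user.
        realm, user = login.split("/", 1) if "/" in login else ("", login)
        sessions.append({
            "realm": realm, "user": user, "addr": ip_address(addr),
            "start": datetime.fromisoformat(start),
            "stop": datetime.fromisoformat(stop),
        })
    return sessions


def attribute(sessions, addr, when):
    """Return (realm, user) for every session holding addr at time when."""
    addr, when = ip_address(addr), datetime.fromisoformat(when)
    return [(s["realm"], s["user"]) for s in sessions
            if s["addr"] == addr and s["start"] <= when <= s["stop"]]


def realms_for_address(sessions, addr):
    """Realms seen on addr; more than one means the address is overloaded,
    so an address-based relay rule cannot separate the resellers."""
    addr = ip_address(addr)
    return {s["realm"] for s in sessions if s["addr"] == addr}


if __name__ == "__main__":
    log = parse_sessions(SESSION_LOG)
    # Address and timestamp as they would be read from a spam Received: header.
    print(attribute(log, "192.0.2.17", "2000-01-01T21:00:00"))
    print(realms_for_address(log, "192.0.2.17"))
```

An empty result from `attribute` means no recorded session covers that moment, which points to clock skew or a gap in the session log rather than to any particular reseller.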