Petemoss has a Spam page that includes complaint addresses
(Formerly at Concordia) - e-mail addresses that you can send
your complaints to about SPAM that you have received from
their systems.
It also ranks them as "GoodGuys" (actively fight SPAM and
will assist you), "Unresponsive" (ones who don't seem to
respond to complaints), and "Foe" (sites that are dedicated
to SPAMming).
Abuse Net
has resources that you can use to look up where to
report SPAMming to, and they have some services that
you can sign up for.
SPAM FAQ
is an FAQ on tracing SPAM with forged headers.
Antispam
is an organization that is against unsolicited e-mail.
They have tips on how to remove yourself from mailing
lists. They used to run a global "remove" service,
but too many people suspected that they were in fact
using this to collect e-mail addresses to send
unsolicited e-mail. The manpower of answering e-mail
from skeptics (and how skeptical a person is is
directly proportional to how long they have been
on the internet, IMHO) put them out of the list
removal business. Now, unfortunately, they have
come out with an Anti-spam product, and much of
the useful information has been replaced with
a "buy our product" advertisement.
Behind Enemy Lines
is an exposé on "Premier Services",
one of the worst spammers on the planet.
There are some common sense things that ISPs could do to cut
down on SPAMmers using them. Spammers, commonly I am told,
use canceled or expired credit cards to open accounts to SPAM
with. They are only going to use the account once as they will
surely be reported to the ISP, and this is long before the ISP
will find out that they have been cheated. SPAMmers use the ISP's
resources, bother a whole bunch of people which gets the ISP a
bunch of e-mail complaints, and then they don't even pay and the
ISP can't even "fine" them for their activities. It is in the
ISP's best interest to discourage SPAMmers.
Use Caller ID. The people answering phones for new accounts at
various ISPs should be equipped with Caller ID. Those phone lines
should be set up to block calls for which Caller ID information is
being blocked (if you have a block on Caller ID, there is a number
you can dial to shut off this block for a given phone call - I am
told that toll free numbers [1-800, etc.] are always provided with
caller ID information, even if the caller has a block in place).
As the customer service representative is taking down information
from the customer, like their credit card number, they should also
note on the account the Caller ID information (phone number, name
that appears on the listing, etc.) If the telephone number that
they give you doesn't match the Caller ID information, ask the
caller about that. If this account is used to SPAM with, this
information should be flagged. You have their real phone number
(from Caller ID) to track them down to charge them for credit card
fraud if they don't pay up (as most SPAMmers don't). If someone calls
again from this same phone number to set up an account, it should
set off a red flag. It's possible that a legitimate user has
a phone number that was previously owned by a SPAMmer, so what
you do with that red flag depends, but you should have a policy.
Perhaps the account is closely monitored. Perhaps the credit
card information is validated *before* the account is opened?
Perhaps the user will be required to cough up a "deposit" to
cover costs should they SPAM with this account, a deposit that
will be refunded when they have proved themselves. Perhaps they
will be required to provide a little more stringent proof of
identification and asked to sign a contract that spells out in
no uncertain terms that they agree to pay a huge fine if their
account is used for SPAMming, etc. Caller ID is a very cheap
and easy way to keep SPAMmers from coming back.
Block access to TCP port 25 on all dial in (PPP) accounts.
Set up one machine (or if you have enough PPP customers, a bank
of machines) that is an e-mail server that TCP port 25 is not
blocked to. Commonly, ISPs have such machines anyway (customers
are just not forced to use them), and they call them smtp.xyz.com
or (better yet) mailhost.xyz.com, etc. This will force PPP
customers to route their e-mail through the ISP's box. This
will prevent SPAMmers from "bouncing" their e-mail off of an
unsuspecting 3rd party's e-mail server (commonly done in an
attempt to hide the source of the SPAM), which in and of itself
will discourage SPAMmers. This also allows the ISP to put into
place some form of monitoring on their e-mail server that would
check for signs of SPAMming and alert their staff to investigate.
This would allow the ISP to be proactive and shut down the SPAMmer
before too much SPAM makes it onto the internet. With DSL or
Cable Modem, you would not bother with enforcing this as you
physically installed the connection; you can track down the
SPAMmer. PPP is often signed up for by telephone.
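
One way the monitoring on the ISP's mail server could look, as an added example that is not from the original page: it flags a dial-in client that mails many distinct recipients within a short window. The log format (timestamp, client IP, recipient), the window and the threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed review window
THRESHOLD = 4                   # assumed; kept tiny so the sample triggers it

def flag_bulk_senders(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: time it first reached `threshold` distinct
    recipients inside `window`}."""
    recent = defaultdict(deque)           # ip -> deque of (time, recipient)
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue                      # skip unparseable timestamps
        ip, rcpt = parts[1], parts[2].lower()
        q = recent[ip]
        q.append((when, rcpt))
        while q and when - q[0][0] > window:
            q.popleft()                   # drop deliveries older than the window
        if ip not in flagged and len({r for _, r in q}) >= threshold:
            flagged[ip] = when            # staff should investigate this account
    return flagged

# Constructed sample log: .17 bursts to four recipients in 30 seconds,
# .30 mails four friends spread over half an hour.
SAMPLE_LOG = [
    "1999-03-01T02:00:00 192.0.2.17 u1@a.example",
    "1999-03-01T02:00:10 192.0.2.17 u2@a.example",
    "1999-03-01T02:00:15 192.0.2.30 friend1@b.example",
    "1999-03-01T02:00:20 192.0.2.17 u3@b.example",
    "1999-03-01T02:00:30 192.0.2.17 u4@c.example",
    "1999-03-01T02:10:00 192.0.2.30 friend2@b.example",
    "1999-03-01T02:20:00 192.0.2.30 friend3@b.example",
    "1999-03-01T02:30:00 192.0.2.30 friend4@b.example",
]
```
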
Many ISPs offer the first month free, or start charging your
credit card at the end of the first month, as is traditional
with service oriented companies (phone companies, utilities,
etc.). If ISPs were to, as part of the account setup process,
charge the credit card (even just a penny) and then turn right
around and refund this amount to the credit card, then the
customer is out no money (they will see these 2 transactions
on their credit card, but you can warn them about that so that
it is not a surprise when they get their bill - if you explain
to them that it is a policy in response to people giving the
ISP bad credit cards, legitimate users will understand). What
this does for the ISP is that they can make sure that the credit
card is good. If it's not a valid credit card, you don't get an
account. Perhaps there are other, better ways to verify a credit
card, if so ISPs should use them. What might be even better is
if none of them offered the first month free, perhaps the 2nd
month, etc., but not the first. With all the competition out
there, the only way to get ISPs to do that is to make it a
regulation/law, etc.
SPAMmers must have a way for recipients to contact them to buy
their products. Sometimes this is via e-mail (usually to one of
these web based free e-mail services, often ones that are not in
the same language as the SPAM's target audience thus making it
difficult for a victim to go to that site's web page to report
them as they can't read the language to find the complaint
addresses), sometimes via a web page, sometimes this is via a
telephone number, but almost never do they give an actual address.
While there are services that almost anyone can sign up for on
the internet via an assumed identity (e-mail, some web servers),
many of the SPAMs use things that should be (IMHO) traceable.
Yet, I don't see ISPs tracing down SPAMmers and nailing them for
credit card fraud (or maybe it just doesn't make the news). I
suspect many ISPs just close the account and forget about it.
For these web based "read your e-mail" services, rather than just
close the account, they should look up in their web server's log
files where (in terms of IP address) the user accessed their web
mail account from and report the SPAMmer to the ISP that they
connected to them from.
Responsible ISPs make information about where to send SPAM
complaints to easy to find. On their front page (if you are
"xyz.com" then I am referring to http://www.xyz.com/ - this is
an example, don't bother the nice folks at XYZ Consulting),
they either have a link to their Acceptable Use Policy (AUP)
and on that policy they list their complaint address, or
they have a link on their front page to a "Contact Us" type
page that has an abuse address on it. It's important to
have a policy, but the policy is useless if it is not
enforced, and it is not enforced if it is even slightly
difficult for victims of SPAMming to report that SPAMming
to you. I think that some ISPs make their information hard
to find (if they publish it at all) because they would just
as soon pretend that SPAMming didn't exist and don't want
to call attention to the idea that SPAMmers might actually
use them. This is foolish. We, as customers, need to
dispel this notion, with the only voice we have - our money.
If you are shopping for ISPs, and they don't have an easy to
find abuse address, don't buy from them and tell them why.
Going hand in hand with having an abuse address is
actually having someone read the abuse mail in a timely manner.
Some ISPs, for no apparent reason, think it's acceptable to have
an HTML form to report SPAMming to. This is stupid.
Almost always, SPAMming involves multiple ISPs, and if you have
an abuse e-mail address, then the victim can report the SPAM to
multiple ISPs all at the same time, by CC'ing multiple abuse
addresses. It is totally inefficient to make the victim go to
multiple HTML pages to complain. If you have an abuse reporting
HTML page, you are not serious about stopping SPAM; you should
be punished by losing market share to your more responsible
competition.
Set bait. Create addresses used to track SPAMmers. Put some
addresses on web pages ready for SPAMbots to pick them up. Post
a message or 2 to usenet with some of your bait addresses. Include
a few (different) bait addresses in mass mailing lists that you have
for your customers. If you keep customer e-mail addresses in a
database, seed a few (different from the above) addresses in that
database, in such a way that most searches aren't going to find them
- only someone (an insider) dumping all the addresses will find them.
If at all possible, log who queries what in the database, or at least
who queries these bait accounts. Of course,
a human isn't reading the incoming e-mail to these bait addresses, a
program is. For your SPAMbot addresses, it should immediately alert
you if it gets e-mail that is sent from your network (i.e. pick
through the received headers) so that you can close the offending
account and kick them off immediately. If the SPAM came from
elsewhere, just throw it away. For addresses that are bait in
customer mailing lists or in databases, alert someone immediately,
no matter what the source. Ideally, there is no way for these
addresses to have "gotten out" to a SPAMmer without it being an
"inside job". In the case of addresses that are mailing lists
to customers, you will want to change the address of the list.
In the case of the database, you will want to track down who
queried the database. An ISP's employees can make some serious
money selling valid e-mail addresses on the side to SPAMmers,
and you need a company policy against it, plus you need to do
something, like this, to attempt to enforce it and fire any
employee who breaks it. I've listed 4 different types of bait
addresses, and you should have 4 different addresses (perhaps
multiple addresses of these 4 types) for these 4 different purposes.
If you have only 1 bait address, and use it for all 4 purposes,
then you can't tell that the SPAMmer must have gotten the address
from an employee searching your database as they might have
gotten it from a SPAMbot, etc. You may want to experiment with
the addresses a bit. Having an address that starts out "aaa..."
or "zzz..." may get you to the beginning of the SPAMmer's list.
You want to be first because if they are using you as an ISP, you
want to shut them down before too much SPAM makes it out the
door.
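
A sketch of the program that reads the bait mailboxes, as an added example that is not from the original page: it applies the rules above per bait type and picks through the Received headers for an address in the ISP's own ranges. The bait addresses, network range and sample messages are constructed.

```python
import email
import ipaddress
import re

# Constructed values: the page names no networks or addresses.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # our dial-up pool
BAIT = {                                  # one distinct address per purpose
    "aaa-web@isp.example": "web",         # planted on web pages
    "aaa-news@isp.example": "usenet",     # used in usenet posts
    "aaa-list@isp.example": "list",       # member of a customer mailing list
    "aaa-db@isp.example": "database",     # seeded in the customer database
}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw):
    """Bracketed IPs from every Received header, newest hop first."""
    ips = []
    for hdr in email.message_from_string(raw).get_all("Received", []):
        for text in IP_RE.findall(hdr):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass                      # e.g. [999.1.1.1] in a forged header
    return ips

def triage(raw, rcpt):
    """rcpt is the envelope recipient; the To: header need not name it."""
    kind = BAIT.get(rcpt.lower())
    if kind is None:
        return ("not-bait", "")
    if kind in ("list", "database"):
        # Only an insider could leak these: alert whatever the source.
        return ("alert-insider-leak", kind)
    ours = [str(ip) for ip in relay_ips(raw) if any(ip in n for n in OUR_NETS)]
    # Hops below our own server's header are sender-supplied and may be forged.
    return ("alert-close-account", ours[0]) if ours else ("discard", "")

# Constructed sample messages.
FROM_OUR_POOL = (
    "Received: from pc (ppp17.isp.example [192.0.2.17])\n"
    "\tby mailhost.isp.example; Mon, 1 Mar 1999 02:00:30 -0500\n"
    "Subject: MAKE MONEY FAST\n\nbody\n")
FROM_ELSEWHERE = FROM_OUR_POOL.replace("192.0.2.17", "198.51.100.9")
```
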
"Blacklisting" generally has bad connotations associated with it,
but I see it as an effective means of stopping SPAMming. If ISPs
were to share with each other information about known SPAMmers
who have used them, then perhaps we could keep SPAMmers from
swinging from ISP to ISP like Tarzan. For example, above, I
suggested that ISPs make use of Caller ID to nail repeat
offenders. If ISPs were to share their database of "blacklisted"
Caller ID information with each other, then this would limit
a SPAMmer from just moving on to another ISP. As I stated before,
finding someone on a blacklist doesn't mean that you have to
assume that they are guilty, but perhaps you hold them to a
different standard until they have proven themselves.
"Read your e-mail via your web browser" web sites tend to be commonly
abused by SPAMmers, not so much for sending SPAMs from, but rather
for gathering responses (responses to their SPAM or a "remove" address,
which we all know doesn't remove you from anything but is just used
by the SPAMmer to validate your e-mail address for subsequent spammings).
I get the impression that most of them simply close the spammer's
address and walk away. A responsible site will look through their
HTML logs and identify where the SPAMmer came from and report them
to the ISP who let them on the internet.
Let's see, SPAMmers use their resources, annoy a whole bunch of
people, generate e-mail to the ISP's abuse address, cause the
ISP to have to track down and close the SPAMmer's account.
It's a mystery to me why most ISPs take such a half-assed
approach to stopping spam.
Some ISPs seem to attract SPAMmers. For whatever reasons,
some companies so commonly are the source of UCEs, I've
decided to create a table so I don't have to keep looking
up their complaint addresses, Acceptable Use Policies, etc.
It is not intended to be a resource, like Petemoss above,
but rather it is for my own use.
Also, I have decided to list how many SPAMs I have gotten
associated with each of these ISP's customers. Not that
this is scientific, but if a given ISP has a large number of
SPAMs associated with their network, it is legitimate to
question whether they might be a little too lax in their policies,
etc. It will take me a long time to compile these statistics,
so the figures you see today may not reflect an accurate count
of all the SPAMs I have gotten. I am considering making links
to actual SPAM e-mails that I have gotten (edited to remove
my e-mail address so as to prevent future SPAMs, etc.) - it may
be useful to look for patterns, etc.