Delinquent ISPs

I am a first class spam fighter and have been for a decade.

I am a small web/mail hosting provider - I have written many defence systems and is now as comprehensive as it is possible to be without throwing out the baby with the bathwater.

My system is almost fully automatic now - last few *years* worth of sendmail logs are stored in a mysql database and a history of 1.1 million ip addresses.

Attempts to send mail and other abuses by zombies are tracked and logged. If it violates some rules, spf failures, rbls, mail attacks, no reverse lookup etc, then the ip address is banned using iptables for 10 days times the number of bans, added to an RBL and a munged history log of the addresses activity is sent to the ISP that owns the netblock. If no abuse address is given, then all available addresses are mailed after checking a local learned blacklist of bad or delinquent ISPs. If they don't want my reports, I can't force them to accept them.

I have similar monitoriing and complaint systems with various rules for ftp, ssh, pop3 and web brute force attempts and probes.

Any messages that are accepted go through a lot of spam checks - high scoring spam gets quarantined and automatically fed into spamassassin's Bayesian filters, added to my RBL and sent to Spamcop. Unfortunately confirming these is still manual on their site.

Borderline scoring spam gets quarantined and goes to a special mail account for submitting to spamcop or unquarantining - manual I'm afraid, but there are very few false positives.

I send hundreds of complaints a day.

There appear to be no laws anywhere that force an ISP to look after their customers.

There appear to be no laws anywhere that force an ISP to halt abuse from their networks.

There is no way to fix users that are too stupid to realise they are too stupid to use the net.

Educating users is proving impossible. Even patching all known vulnerabilities and up to date virus scanners won't stop people from installing trojan software. Most spam is nowadays coming from Russia, Vietnam, South America, Ukraine, Belarus, Korea, Taiwan and increasingly Africa where many just aren't aware of the dangers, and most people use pirated and hence unpatched Windows XP.

Outlook does not show the real country of origin of a mail, which would help users think twice.

The linked-in mails were expertly put together, only the mail header and the false url gave them away, and even then had to look hard as the Received: field was forged to look as if linked-in had handled it first.

Not enough people use SPF and DKIM and use -all or enforce dkim discardable policies.

Even paypal doesn't use -all, but this still only useful if the receiver pays attention to SPF/DKIM and mail forwarding or mailing lists can break these.

The only way to influence an ISP is to hit their bottom line - if customers can realise their ISP is being blocked by not fixing zombies and admonishing hackers then they could go elsewhere, but many places don't have alternative ISPs.

Google, Yahoo, MSN, Badoo, Akamai, mail.ru et al are too chicken to blanket block delinquent ISPs because they need the clicks.

95% of reports fall on deaf ears.

However, I do have some successes in bringing compromised machines to an owners' attention and that makes it worthwhile.

Now, if I could just put my Heath Robinson system into a form that could be distributed for others to use, then we can overload ISPs abuse mailboxes and blacklist them more effectively and hopefully get more response, but this would just escalate the war. The big players need to do more to influence behaviour.