[Copyright 2002,2003 Frank Durda IV, All Rights Reserved. Mirroring of any material on this site in any form is expressly prohibited. The official web site for this material is: http://nemesis.lonestar.org Contact this address for use clearances: clearance at nemesis.lonestar.org Comments and queries to this address: web_reference at nemesis.lonestar.org]
Many backbone providers are extremely guilty in this area, and they frequently use the incredibly feeble excuse that they are "common carriers" and that this means that they cannot disconnect service of an abusive customer (false) or even confirm abusive activity originating on their networks even after receiving a complaint (very false), all because of their "common carrier" status. This is a bogus argument.
These backbone providers really should contact their own staff attorneys, who will tell them that US law changed some years back, and no longer allows carriers to feign innocence or impotence, and in fact now requires the carriers to report to the authorities about illegal activity that the carrier discovers or that is reported to the carrier by third parties.
These backbone providers cannot hide behind the "common carrier" curtain anymore, although many continue to try because they think that it lowers their operating costs, and prevents them from losing revenue in the event that they had to disconnect some spammer or other abuser who was probably paying good money.
Any Internet customer (and that includes individuals and businesses who buy services from Internet Service Providers (ISPs) or other connectivity providers, as well as ISPs and other entities who in turn buy connectivity from or peer with other ISPs or carriers/backbone providers) should examine the Terms Of Service and Acceptable Use Policies of the companies that they are getting connectivity from. If these policies seem to lack strong enforcement against abuse of the network OR you have actually encountered this company's reluctance to deal with an abuse problem, terminate your connectivity purchases from this organization and get service from some other company who will take positive and aggressive action when there is abuse.
If you decide to terminate service because of spam problems, be sure to tell the provider why you are terminating service and what you feel that they need to change.
This may not sound like you are doing very much, but combined with other tactics, a sizable backbone provider called AGIS was almost driven out of business a few years ago, entirely because they not only refused to disconnect a spammer but actually helped the spammer to avoid the spam blocks established at other ISPs. Eventually AGIS relented and disposed of their liability (the spammer), but their lack of prompt enforcement cost AGIS dearly and there are still parts of the Internet that won't route traffic to and from AGIS because of that incident.
Don't wait for your provider to become an unreachable network, also known as "radioactive", because of their lack of aggressive response to spam problems coming from their own customers. If they are having abuse problems that they clearly won't address, leave now.
This is the most fundamental thing that an ISP should do, and for smaller ISPs, it is the thing least likely to have been done. To begin with, an ISP MUST review their own customer policies and ask themselves these questions:
If you can't answer "yes" to all of the above questions, then as an ISP you have left yourself open to having a spammer or hacker on your network that you can't quickly get rid of, or in some cases, to getting sued by the spammer when you do try to terminate their service. In numerous cases, spammers have obtained court orders that allowed the spammer to stay on an ISP's network for months and continue spamming the entire time, while the ISP is forced to spend money on attorneys and try to convince a judge to allow the ISP to disconnect the spammer's service.
Always make sure that you have sufficiently strong legal wording in your customer service agreement(s) so that the ISP, and only the ISP, chooses when and how a customer loses service in response to an abuse incident. A few hundred dollars spent now on legal advice to craft an Acceptable Use Policy and Terms of Service Policy can save your company tens or even hundreds of thousands of dollars later in legal, judgment or settlement costs, or in the costs incurred when upstream providers disconnect your Internet connectivity.
In addition, when a potential customer requests an account via the Internet, assume that the connecting IP address tells you nothing about the customer's identity, actual location or current provider. Many hackers and some spammers now use already-hacked computers or systems running open proxy software, and attempt to sign up via these systems, which could leave the ISP with no confirmed location for this new customer, and frequently no valid e-mail or street address. The Internet Provider should consider confirming sign-ups by requiring a working e-mail address (at a non-free provider) or a postal address where that person can be reached and where the access codes or some "click to accept" confirmation can be sent. If the address is not valid or fails to be confirmed, the service should not be activated.
Although "profiling" is frequently taken to be an evil thing, watching for combinations of these activities can indicate the presence of a spammer trying to set up shop on your ISP before they even get started:
If your ISP doesn't blacklist credit card numbers when people spam, you should start. Many spammers who get kicked off an ISP will come back in three months or less and try to use the same credit card again. Some try again in as little as six hours after losing their account due to spamming.
If you see combinations of these activities, particularly if they occur on a group of accounts all created under the same payment plan (same cash payment, same money order or same credit card), then this is likely a spammer getting established and waiting for the best opportunity to exploit your systems, hopefully when the ISP staff is not looking. Sometimes such accounts are set up twenty days (or longer) before they are actually used to spam.
Of course, not all spammers will try to use your system for sending spam. There will be some that will use your system to host the web site that the spam advertises, or the email address that appears in the spam where more information about the spammed product can be obtained.
This is where the ISP must have flexibility in the Terms Of Service and Acceptable Use Policy that allows the ISP to disconnect a spammer who didn't clearly send the spam from this ISP but is still benefiting by receiving web site accesses or email coming to the ISP as a result of the spam that the spammer or a spammer's helper sent from some other place. An ISP faced with having a spam benefactor on their network should not hesitate to terminate web hosting, mail services and any DNS services that the ISP is providing, regardless of how the spam was distributed.
After dumping a spam benefactor, some responsible ISPs also re-point the spammer's DNS (and set a very long expire time) to a special web page that announces that the spammer has lost their services, and the DNS stays that way long after the spammer tries to move the DNS elsewhere. The ISP's Terms of Service and the spammer's original acceptance of the terms are the instrument that makes such a response possible.
ISPs must also be wary of fraud in payment, particularly when it is a hacker or spammer that is trying to gain a free account that they know they will lose in a day or so. Every possible verification test for credit card number validity must be used, and any mismatch of information of any kind should result in human contact before service is granted. The CVV2 security code used on some credit cards has already proven insufficient, or the codes are being stolen in large numbers, so the ISP must also check for strict street address accuracy and be alert for anything else that suggests fraud. If not 100% certain of the potential customer's identity, require confirmation by telephone call to a live person to check things out, perhaps even requesting a different credit card number while offering to bill on either one. The idea here is to see if the person on the other end can come up with a different card with the same person's name printed on it, and perhaps the same or fewer verification problems. If any doubt still remains, require non-electronic payment for the first billing cycle.
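The sign-up screening described above (card number validity, a blacklist of payment instruments used by terminated spammers, accounts clustered under one payment instrument, and non-free contact addresses) can be mechanised. The following is an added example, not code from the article: the HMAC key, the free-mail domain list, the 30-day window and the threshold of three accounts are assumptions chosen for the demonstration, and the card numbers are the usual published test numbers.

```python
"""Sign-up screening: Luhn check, keyed-hash blacklist of terminated spammers'
cards, clustering of accounts on one payment instrument, free-mail detection.
Constructed example; key, domains, window and threshold are assumptions."""
import hashlib
import hmac
from datetime import datetime, timedelta

# Never store raw card numbers in the blacklist: keep a keyed hash so the
# list is useless if it leaks. In production the key lives in the billing system.
FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"
FREE_MAIL_DOMAINS = {"example-freemail.test", "webmail.example"}  # constructed list
CLUSTER_WINDOW = timedelta(days=30)   # assumption: look back a month
CLUSTER_THRESHOLD = 3                 # assumption: 3+ accounts on one instrument


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects typos and most made-up numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_fingerprint(pan: str) -> str:
    """HMAC of the digits only, so spacing or dashes cannot evade the blacklist."""
    normalised = "".join(c for c in pan if c.isdigit())
    return hmac.new(FINGERPRINT_KEY, normalised.encode(), hashlib.sha256).hexdigest()


class SignupScreen:
    def __init__(self):
        self.blacklisted = set()   # fingerprints of cards used by terminated spammers
        self.accounts = []         # (created, fingerprint, username) of active accounts

    def terminate_for_spam(self, pan: str) -> None:
        """Called when an account is cancelled for spamming: blacklist its card."""
        self.blacklisted.add(card_fingerprint(pan))

    def record_signup(self, username: str, pan: str, created: datetime) -> None:
        self.accounts.append((created, card_fingerprint(pan), username))

    def screen(self, username: str, email: str, pan: str, created: datetime):
        """Return the reasons this sign-up needs a human before activation."""
        flags = []
        if not luhn_valid(pan):
            flags.append("invalid-card-number")
        fp = card_fingerprint(pan)
        if fp in self.blacklisted:
            flags.append("card-blacklisted")
        recent = [a for a in self.accounts
                  if a[1] == fp and created - a[0] <= CLUSTER_WINDOW]
        if len(recent) + 1 >= CLUSTER_THRESHOLD:
            flags.append("shared-payment-instrument")
        if email.rpartition("@")[2].lower() in FREE_MAIL_DOMAINS:
            flags.append("free-mail-contact-address")
        return flags


def demo():
    """Walk through the scenarios the article describes; returns flags per case."""
    screen = SignupScreen()
    t0 = datetime(2003, 1, 1)
    # A spammer is terminated; six hours later the same card comes back.
    screen.terminate_for_spam("4111 1111 1111 1111")
    back = screen.screen("newname", "someone@example.org",
                         "4111-1111-1111-1111", t0 + timedelta(hours=6))
    # A batch of accounts on one valid, unlisted card within a month.
    for i in range(2):
        screen.record_signup(f"acct{i}", "4012888888881881", t0 + timedelta(days=i))
    batch = screen.screen("acct2", "acct2@webmail.example",
                          "4012888888881881", t0 + timedelta(days=20))
    # An honest customer who mistyped one digit.
    typo = screen.screen("honest", "h@example.org", "4111111111111112", t0)
    return {"returning_spammer": back, "account_batch": batch, "typo": typo}


if __name__ == "__main__":
    for case, flags in demo().items():
        print(case, flags or ["clean"])
```

Every flag here routes the sign-up to a person rather than rejecting it outright, which matches the article's advice that any mismatch should result in human contact before service is activated.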
I've heard just about every excuse from ISPs big and small for not doing anything to prevent or harden their networks against their own spam issues, ranging from "We are so big that such checking won't scale to our size", to "our customers don't spam" (not a lot anyway). The reluctance to check for outgoing spam seems to almost be a way to avoid admitting or noticing that there might be more abuse problems closer to home than the ISP is willing to admit to or deal with.
What these ISPs fail to realize is that local spammers (those on the ISP's network) are always more expensive than ones elsewhere on the Internet. First, an ISP's administrators or abuse department will get a lot of complaints when one of their customers spams (or their equipment gets used to relay spam), and that can burn payroll for days after the event even if the ISP staff does nothing but delete the complaints or only sends out a canned reply saying that something might be done about the alleged abuse.
Secondly, the ISP might actually have to cancel the account of the customer who was doing the spamming, and now the ISP loses the revenue that this customer was bringing in, and if the ISP doesn't have a strong Terms Of Service agreement, that customer may sue the ISP, increasing the ISP's costs even further.
Third, the ISP may have to spend hours or days trying to contact other, bigger ISPs who have blocked the mail servers or even the entire network of the ISP that had the spammer. The smaller ISP now has to convince the other ISPs one by one that the spammer is gone and that the bigger ISPs should please allow the smaller ISP's customers to send mail to their customers once again. After having to do this a few times, the true cost of hosting a spammer should become quite obvious.
This restriction prevents spammers outside your network from scanning your customers' IP addresses looking for badly configured customer computers that allow relaying, and also prevents any actual mail relaying through your customers' computers and your network.
Customers in this category are given a different IP address each time they connect, so there is no situation where they would be running an SMTP mail server (port 25) on their computer and be able to receive mail at it reliably. Why, then, should the ISP give spammers and hackers the opportunity to scan your network, come across some customer's poorly-configured computer, and exploit it?
Some terminal servers and remote access servers can disable traffic headed towards these ports right at the modems (or for DSL or cable modems, at the protocol converters), which is even more effective.
Note that port 25 is the only port that receives SMTP traffic, but Windows-based computers have numerous vulnerabilities at ports 80, 109, 110, 139, 194, 443, 1080, 8000 and 8080 that can allow these systems to be accessed or operated remotely and then send spam (or perform other attacks) back out of your network. You might as well cover all of the bases now.
You must allow these ports to send traffic away from your dial-up and DHCP or PPP customers toward your network (and beyond), or these customers will not be able to send or read mail, or view web pages, or may experience other random problems.
Non-Spammer Customer impact: None or Very Low
(Sample Cisco Router configuration to implement this restriction can be found in Section 6.)
These days, most Internet Providers no longer own all (or even any) of the modems that their customers connect to. Instead, various companies sell modem services to Internet Providers. This type of access is sold by the port, by the user or by hours of use. These arrangements are popular because Internet Providers can offer service in more geographical areas than the Internet Provider could serve if they had to buy and maintain modem equipment in all of those locations.
Spammers constantly scan the IP address space assigned to these virtual POPs, waiting for computers to connect that are badly configured, which can be used to relay spam. Even if such a computer is only connected for 30 minutes, that is more than enough time for a spammer to find the badly-configured computer and send hundreds or even thousands of spams through it. Getting such relaying computers disconnected from virtual POPs is frequently a slow process, since the Internet provider and the modem provider may have to both communicate with each other, and that just means more time for the spammer to hijack a vulnerable computer.
Consequently, virtual POPs should always disable traffic on ports 25, 80, 109, 110, 139, 194, 443, 1080, 8000 and 8080 that is headed towards the modems. Blocking these ports virtually eliminates the ability to relay spam off any badly-configured computers that may connect, and helps protect the customers' computers from hackers.
Internet providers who use virtual POP modem services should demand that these ports be protected in this fashion, and require it contractually.
Non-Spammer Customer impact: None or Very Low
(Sample Cisco Router configuration to implement this restriction can be found in Section 6.)
Until just a year or so ago, most operating systems and virtually every mail server program out there came out of the box configured to allow third-party relaying, so unless the owner of each computer has done some work, these machines are still prime candidates for allowing open relaying. Spammers are constantly scanning the Internet looking for open relays. Spammers then use the open relays that they find to spam and try to hide their true location. They use open proxies that they find to scan for more proxies and open relays to further conceal their location.
Once spammers discover a given open relay, they may send hundreds of thousands of pieces of spam through them every hour until the relay is disabled one way or another. Some spammers actually report their open relay discoveries to other spammers, who will also start sending spam through the open relays that are found. Open relays or proxies found on higher speed lines (T1, DSL, cable modems) or servers at the ISPs facility are highly-prized by spammers, because millions of pieces of spam can be sent through these systems.
Once the open relay is reported to this ISP, the ISP typically shuts down all Internet service to that customer until the customer can fix the software settings on the customer's computer, leaving that customer disconnected for some time. It is better to protect that customer so such an event won't occur.
For those few static IP customers that demand to be able to receive port 25 traffic, the ISP should allow only the ports the customer requires, and then the ISP should regularly scan those customers static IP addresses, looking for new open relays or proxies. This is necessary because a customer who has to re-install software may inadvertently cause their computer to start allowing third-party relaying again.
Non-Spammer Customer impact: Low to Medium
The higher impact rating is due to having to check up on customer anti-relay compliance regularly.
(Sample Cisco Router configuration to implement this restriction can be found in Section 6.)
As with dial-up customers, the ISP may also want to disallow the sending of Internet traffic towards port 80, 109, 110, 139, 194, 443, 1080, 8000 or 8080 of any static IP address customer running a Windows operating system. If your ISP does not allow DSL or cable customers to run servers (a common practice for telephone company consumer DSL and consumer cable ISP services), then there is no reason to allow traffic to be sent to these ports on customer equipment in the first place.
If your ISP does allow some or all static IP customers to run servers, disable these ports by default if possible, and turn on the requested ports (typically port 80 and sometimes 443) for a given IP address only when requested by the user of that IP address, and only once you are satisfied that the customer has secured their system against spammers and other attackers.
The fact is that the majority of static IP customers never run server software (apart from the occasional web server) on their computers at all and will never even notice that these ports have been blocked by the ISP's network. At the same time, those customers will probably appreciate seeing fewer port scans and probes of their computer(s) than they would otherwise see, thanks to blocking this type of port traffic.
Non-Spammer Customer impact: None to Low
(Sample Cisco Router configuration to implement this restriction can be found in Section 6.)
Any mail that your customers want to send should be required to be sent to a local mail server operated by the ISP that accepts SMTP traffic from those customers and then forwards it as needed, and that machine or machines are the only ones authorized to send mail to places outside your network. This means that these servers are the only ones that are allowed to send port 25 traffic to addresses outside of your network.
The purpose of this is that by sending all mail to the ISP's mail servers first, it ensures that the headers and logs of the ISP's mail servers will provide a path to follow should one of your customers spam. The professional spammers all realize that such a setup will quickly expose their activities, and frequently they won't spam from such a network at all and will quickly go elsewhere, looking for an ISP that doesn't force mail to be sent to the local ISP's mail servers first.
Forcing all customer mail through the ISP's mail servers is also beneficial to customer support, as you can use your mail servers' logs to debug delivery problems of customer mail to distant systems, rather than guessing based on bounce and time-out messages returned by customer client mail programs, messages that frequently lack enough information to find the actual problem.
It is important to note that customers who have not designated a mail server (or "smart-host") will have to set one, but at the typical ISP, most customers are already set up to use the ISP's mail servers anyway.
There invariably will be a very small number of customers who want to send SMTP traffic directly from their computers to some remote server, such as a corporate mail server, so that the mail can have the company's name on it or for some other reason.
Note that for these customers who demand to send mail via some other server, they can do so, but only after sending it via your servers, and that might prevent them from doing something unusual. The system described will allow any piece of mail sent by a mail server operated by one of your customers to relay off the local ISPs mail servers, then be delivered either to the destination server, or a MX server at the destination which will then relay the mail to the correct server at the destination.
Any scenario involving a third-party relay (a mail server that is neither part of the sending ISP's network nor the destination's network) requires that this third relay allow third-party relaying, usually a very bad thing for anyone to allow. The ISP contemplating this port restriction will have to consider whether customers can demonstrate any genuinely legitimate situations where a third-party relay should be necessary to deliver mail on behalf of that customer.
As an ISP, you then have to make the judgment call as to whether you want to risk losing this customer if no other accommodation can be found (like using a web-based mail service at the destination to access that company's mail server), or whether you want to abandon the valuable defense against spam that this filter rule would provide, and accept the resulting increased costs of dealing with the spam that could now flow out of your network undetected.
Non-Spammer Customer impact: Very Low to Low
(Sample Cisco Router configuration to implement this restriction can be found in Section 6.)
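The filtering sections above (blocking the listed ports toward dial-up, virtual POP and static customer addresses, opening server ports for static customers only on request, and allowing outbound SMTP only from the ISP's own mail servers) describe one policy with two directions. The following is an added example that models that policy so the cases can be checked before touching a router; it is not the article's Section 6 configuration. The address ranges, mail-server addresses and the exception entry are constructed, and the lines emitted by inbound_block_acl() follow Cisco extended-ACL syntax as I understand it, purely as an illustration.

```python
"""Model of the customer-edge port policy: deny the listed ports toward
customer equipment (with per-address exceptions for reviewed static
customers) and allow outbound SMTP only from the ISP's mail servers.
Constructed example; all addresses below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports the article lists for blocking toward customer equipment.
BLOCKED_INBOUND_PORTS = (25, 80, 109, 110, 139, 194, 443, 1080, 8000, 8080)
SMTP = 25

ISP_NET = ip_network("10.0.0.0/8")             # assumed: all of the ISP's address space
CUSTOMER_POOL = ip_network("10.90.0.0/16")     # assumed: dial-up/DHCP and static customers
ISP_MAIL_SERVERS = {ip_address("10.1.0.25"), ip_address("10.1.0.26")}  # assumed
# Static customers whose server ports were opened on request, after review.
STATIC_EXCEPTIONS = {ip_address("10.90.200.10"): {80, 443}}            # assumed


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def decide(flow: Flow):
    """Return (action, reason) for the first packet of a new connection."""
    if flow.proto != "tcp":
        return "permit", "policy only covers tcp"
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Rule 1: nothing may reach customer equipment on the risky ports, whether
    # it comes from outside or from another customer scanning the pool.
    if dst in CUSTOMER_POOL and flow.dport in BLOCKED_INBOUND_PORTS:
        if flow.dport in STATIC_EXCEPTIONS.get(dst, set()):
            return "permit", "server port opened on request for this static address"
        return "deny", f"inbound port {flow.dport} toward customer equipment"
    # Rule 2: SMTP leaving the ISP network may only originate at its mail
    # servers, so every customer message leaves a trace in those servers' logs.
    # Mail to the ISP's own servers (customer submission, inbound MX) is unaffected.
    if flow.dport == SMTP and dst not in ISP_NET and src not in ISP_MAIL_SERVERS:
        return "deny", "outbound SMTP must be relayed through the ISP mail servers"
    return "permit", "default"


def inbound_block_acl(number: int = 101):
    """Render rule 1 as extended-ACL lines for the interface facing customers.
    Exceptions come first because the first matching line wins."""
    net = str(CUSTOMER_POOL.network_address)
    wild = str(CUSTOMER_POOL.hostmask)          # wildcard mask, e.g. 0.0.255.255
    lines = []
    for ip, ports in STATIC_EXCEPTIONS.items():
        for p in sorted(ports):
            lines.append(f"access-list {number} permit tcp any host {ip} eq {p}")
    for p in BLOCKED_INBOUND_PORTS:
        lines.append(f"access-list {number} deny tcp any {net} {wild} eq {p}")
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    cases = [
        Flow("203.0.113.9", "10.90.73.181", 25),    # outsider probing a dial-up customer
        Flow("10.90.73.181", "10.1.0.25", 25),      # customer submitting to ISP mail server
        Flow("10.90.73.181", "203.0.113.25", 25),   # customer sending direct-to-MX
        Flow("10.1.0.25", "203.0.113.25", 25),      # ISP mail server delivering outbound
        Flow("203.0.113.9", "10.90.200.10", 80),    # web traffic to a reviewed static host
    ]
    for f in cases:
        print(f, *decide(f))
    print("\n".join(inbound_block_acl()))
```

The two rules are independent: rule 1 is what Section 6's per-port blocks toward the modems and static ranges do, and rule 2 is the "all mail via the ISP's servers" restriction. Keeping them separate in the model makes it easy to see that a customer still reaches the ISP's own mail servers and web sites normally.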
Although this sounds simple and doesn't appear to have anything to do with mail, valid DNS can prevent other ISPs from blocking large swaths of your address space when some spammer eventually does spam from your network, particularly if you elect to not block all of the various ports described above.
Having DNS on every IP address on your network (particularly those used by your customers) can allow your customers to use the Internet in ways that they could not use it before. This is because some Internet sites refuse access to their services from IP addresses that do not have DNS.
The DNS that you add to IP addresses should avoid providing too much detail. For example, DNS should not disclose the equipment model numbers or the speed of interconnects between networks. Disclosing this information via DNS allows hackers to immediately know what type of attacks to use against your equipment and know how much bandwidth that they must muster to overload your network.
In providing DNS for all of your address space, be sure you don't overload DNS zones. Using a DNS naming system such as b5.49.0a5a.cidr.myisp.com for the IP address 10.90.73.181 allows the ISP to avoid overloading a DNS zone, and "cidr" can be replaced with any general functional category detail that the ISP cares to disclose.
For security reasons, avoid declaring the speed of links or the exact model of equipment in DNS naming schemes. Some ISPs love to state in the DNS that this or that pipe is an OC3, or disclose other details about how fast or big some network connection or server is, but you are just helping the hackers know exactly what it takes to overload your network, or what types of attacks your equipment is more likely to be vulnerable to. Quit telling the hackers where to throw the grenades.
Non-Spammer Customer impact: Improved Internet Usability and Reduced Abuse
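The naming scheme above (b5.49.0a5a.cidr.myisp.com for 10.90.73.181) encodes the last octet, then the third, then the first two in hex, so every /24 becomes its own zone. The following added example generates those names and the matching A and PTR records, reverses a name back to an address, and checks a name for the kind of equipment or link-speed detail the section warns against. It is not code from the article; the token list in DETAIL_TOKENS is constructed for the demonstration.

```python
"""Generic DNS names for an entire address space in the article's hex scheme,
the zone records behind them, and a leak check on host names.
Constructed example; DETAIL_TOKENS is an assumed list."""
import re
from ipaddress import ip_address, ip_network

SUFFIX = "cidr.myisp.com"   # "cidr" is the category label the article says may be replaced

# Constructed list of labels that give away link speed or equipment model.
DETAIL_TOKENS = {"oc3", "oc12", "ds3", "t1", "t3", "gige", "cisco", "7206", "juniper"}


def generic_name(ip: str, suffix: str = SUFFIX) -> str:
    """10.90.73.181 -> b5.49.0a5a.cidr.myisp.com (last octet, third, first two)."""
    a, b, c, d = ip_address(ip).packed
    return f"{d:02x}.{c:02x}.{a:02x}{b:02x}.{suffix}"


def name_to_ip(name: str, suffix: str = SUFFIX) -> str:
    """Inverse of generic_name, so staff can read the address off a name."""
    d, c, ab = name.removesuffix("." + suffix).split(".")
    octets = bytes([int(ab[:2], 16), int(ab[2:], 16), int(c, 16), int(d, 16)])
    return str(ip_address(octets))


def forward_zone(ip: str, suffix: str = SUFFIX) -> str:
    """Zone holding this name: one zone per /24, so no zone exceeds 256 names."""
    return generic_name(ip, suffix).split(".", 1)[1]


def zone_records(block: str, suffix: str = SUFFIX):
    """A and PTR records for one /24, ready for the forward and reverse zone files."""
    net = ip_network(block)
    if net.prefixlen != 24:
        raise ValueError("this scheme delegates one forward zone per /24")
    forward, reverse = [], []
    for host in net:                      # includes .0 and .255: every address gets a name
        name = generic_name(str(host), suffix)
        forward.append(f"{name}. IN A {host}")
        reverse.append(f"{host.reverse_pointer}. IN PTR {name}.")
    return forward, reverse


def discloses_detail(name: str) -> bool:
    """True if any label of the name is a link-speed or equipment token."""
    labels = set(re.split(r"[.-]", name.lower()))
    return bool(labels & DETAIL_TOKENS)


if __name__ == "__main__":
    print(generic_name("10.90.73.181"), "->", name_to_ip("b5.49.0a5a.cidr.myisp.com"))
    fwd, rev = zone_records("10.90.73.0/24")
    print(forward_zone("10.90.73.181"), len(fwd), "A records,", len(rev), "PTR records")
    print(fwd[181]); print(rev[181])
    for n in ("b5.49.0a5a.cidr.myisp.com", "oc3-core1.myisp.com"):
        print(n, "leaks detail" if discloses_detail(n) else "ok")
```

Because the zone for a /16 then contains only 256 delegations rather than 65,536 host records, the scheme scales to the whole address space without any single zone becoming unwieldy, which is the overloading problem the section warns about.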
Even if you put your ISP's contact information in each netblock declaration in each record (rather than disclosing the individual customer's name, email and phone number), having the netblock divisions in your network visible still means that other ISPs who are trying to deflect spam or other abuse coming from your network can block the smallest part of your network that you indicate is assigned to the offending end-customer. Would you rather have other ISPs block a featureless /18 of your address space, or just the /28 that you have assigned to some DSL customer with a hacked Windows box? The answer should be obvious.
You can document the network topography and divisions publicly without having to disclose personal (and probably confidential) details of the actual end-customers themselves. (Yes, there is an RFC that says that ISPs should be disclosing individual and confidential customer home phone numbers and street addresses, but that rule is clearly an insane and archaic thing to do in today's world.)
Providing just the network division detail, with the ISP's abuse department's contact information in each record, is what is really needed when a spam flood or other attack occurs, and doing this will minimize how big a hammer other ISPs use to stop the abuse when they see it from your network.
Non-Spammer Customer impact: None
Which legal tactics are most suitable varies by locality. In some places within the United States, state law actually allows civil penalties for sending spam to equipment or mailboxes residing in that state. Other states have computer crime laws that can be used for criminal prosecution on grounds of illegal entry or theft of service associated with relaying off equipment on your network. In states that have "computer crime" statutes, such activity is usually a felony, but getting any state or local law enforcement to pay any attention to your complaint will be the big obstacle. Even if the spammer was breaking in to spam and also stealing credit card numbers, most local law enforcement agencies are not equipped to pursue any criminal investigation involving the Internet, and agencies that are capable are frequently overloaded and have set criteria, like requiring that losses exceed certain provable dollar amounts before they will prosecute. Even if law enforcement is interested, if this is only a case of relaying spam, you probably won't get any priority.
Of course, if you can't get law enforcement to help, there is always the civil suit you bring directly against the spammer or the benefactor of the spam. Spammers frequently are contractors, spamming for several different benefactors. This can complicate matters, because going after one of the benefactors leaves the spam house operating with its remaining clients, and the spam house may be off-shore. Still, this may be the best way to start because the benefactor is likely to be able to identify the spam house that was used, something that may be difficult to discover directly.
There is ample court precedent for taking spammers to court, with or without getting law enforcement involved. The AOL and Compuserve cases of the 1990s consistently ruled against the spammers, even when the spammers attempted to claim First Amendment rights. Here are some of the court citations:
America Online, Inc. v. Cyber Promotions, Inc., No. 96-462 (E.D. Va. complaint filed Apr. 8, 1996) (subsequently consolidated with Cyber Promotions' action filed in E.D. Pa.).
Cyber Promotions, Inc. v. America Online, Inc., C.A. No. 96-2486, 1996 WL 565818 (E.D. Pa. Sept. 5, 1996) (temporary restraining order), rev'd (3rd Circuit. Sept. 20, 1996), partial summary judgment granted, 948 F. Supp. 436 (E.D. Pa. Nov. 4, 1996) (on First Amendment issues), reconsideration denied, 948 F. Supp. 436, 447 (Dec. 20, 1996), temporary restraining order denied, 948 F. Supp. 456 (E.D. Pa. Nov. 26, 1996) (on antitrust claim), settlement entered (E.D. Pa. Feb. 4, 1997).
CompuServe Inc. v. Cyber Promotions, Inc., No. C2-96-1070 (S.D. Ohio Oct. 24, 1996) (temporary restraining order), preliminary injunction entered, 962 F. Supp. 1015 (S.D. Ohio Feb. 3, 1997), final consent order filed (E.D. Pa. May 9, 1997).
America Online, Inc. v. Over the Air Equipment, Inc. (E.D. Va. complaint filed Oct. 2, 1997), preliminary injunction entered (Oct. 31, 1997), settlement order entered (Dec. 18, 1997).
America Online, Inc. v. Prime Data Worldnet Systems (E.D. Va. complaint filed Oct. 17, 1997).
Unfortunately, legal action is rightly called "the sport of the rich", and even if you have staff counsel with spare time, using such action is likely to be a costly and slow activity. This eventually discourages many ISPs who may initially pursue spammers and win some cases, only to discover that the spammer sometimes disappears or files bankruptcy. Then the spammer creates a new company and starts the entire thing over again. The winning ISP can end up recovering none of the legal fees or damages that the judge awards.
ISPs who do go after spammers and win must attempt to get the court to permanently bar all the principals from using, or employing others who will use, the Internet for any business purpose, unless they want these people to be back in the spamming business in only a few days.
Still, sometimes just the threat of legal action is enough to get the spammer to not send stuff to your computers anymore, at least not from the servers that you identified in your complaint. However, the spammers frequently just start spamming you again from new locations overseas that they claim they know nothing about.
As always, contact licensed counsel who can advise as to which legal options exist in your locality for dealing with spammers who aren't your customers but are sending you and your customers spam or are exploiting your network and equipment for unauthorized purposes.
Combined, these changes create an environment that makes relaying by outsiders off your network virtually impossible, and makes concealed spamming by your own customers on your network extremely difficult to perform. Any spamming that one of your customers does do must pass through your official mail servers and that will leave lots of tracks that can be detected and stopped quickly, or might even be caught by any spam filtering that your mail servers perform.
Due to local technical issues, it may not be possible to implement all of these basic network filtering rules shown above immediately, while some filters may require some network changes before they can be implemented. Even if not all the rules can be implemented, the more of these filters that can be put in place, the more resilient an ISP's network is to being the source of spam or being exploited to relay spam.
Note that none of these items described in this section rely on changes to the mail server software or its configuration. Suggested changes for the mail servers are covered in Section 7.
This information is provided by the author and contributors "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the author or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods of services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this information even if advised of the possibility of such damage. There is no obligation to provide any form of support, updates or assistance, and such queries may not receive any acknowledgment.
Section 6: Internet Provider Anti-Spam Network and Router Configuration
Examples of router and network configuration that will make your network unsuitable to spam from or to relay spam through.
Section 7: Internet Provider Anti-Spam Mail Server Configuration (NOT YET AVAILABLE)
The Anti-Spam Index