[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] ISP class egress anti-spam filtering

To: Neil Neely <neil@frii.com>
Subject: Re: [SAGE] ISP class egress anti-spam filtering
From: Gene Rackow <rackow@mcs.anl.gov>
Date: Sun, 18 Nov 2007 11:06:35 -0600
cc: sage-members@sage.org, rackow@mcs.anl.gov
In-reply-to: Your message of "Fri, 16 Nov 2007 08:25:18 MST." <453D0D02-C28F-4291-917B-DD93FC6E91C5@frii.com>
Sender: owner-sage-members@usenix.org

Neil Neely made the following keystrokes:
 >Last night at the LISA anti-spam bof I brought up a discussion that I  
 >would like to move to this list:
 >

After sitting in on that bof, and from a couple of other meetings I've attended
in the past year, it's pretty clear that many of the ISPs really don't care to
find a solution to this problem.  I think the tech people will give it some
passing thought, but when it gets to the sales force, they kill the process.

I think it was best summarized by one of the other attendees that worked for
an ISP.  He brought the financial issue of this from their side.  If the ISP
was to implement a block on outgoing port 25, they could expect 1000's of
calls to their support center.  They figured the average call to cost $40.
So you are looking at something thats going to hit the bottom line.

The problem for these companies is that they didn't implement this kind
of filtering to start with.  Their contracts have the wording in it
that state you can't do this, at least mine does.  The only acceptable way
is to send mail through the ISP servers.  Since they didn't restrict it
before, many of their users did things the way they wanted/needed to make
them work properly for the customer.  Also, now if the user can't do what
they have been doing for years, they are going to shop for a new ISP.

I've seen where some ISP's will implement an outgoing block on 25 after the
spamfest has occurred and someone has complained.  While this is a step in the
right direction, the problem is that most of the botnets only use and infected
machine once from what I can tell.  Therefore this kind of blocking isn't
really impacting the spammers, but may be hurting the customer in the same
way the ISP indicates is the reason they don't want to do this up front.  The
customer can no longer send outgoing mail the way they used to.

I'd really like to see that ISP's put in blocks on most of their net
unless clients have a need for sending outgoing mail.  How difficult
it is to implement is an unknown.  How do you request it?  I don't expect
it to happen.  Putting in an egress filter, no matter what it really does,
is a major change in the way the ISP operates.  That is going to cost both
in equipment, and in support calls.  The ISP really wants to reduce the
support calls.

Maybe the real way to get the ISP's to change their mind on how important
it is to reduce the outbound spam from their network is for all of us to
start calling their support centers for any spam we get from their networks.
When the cost of support calls from angry recipients starts making a noticable
impact on their call list, maybe they will do something.  The thing is most
of us do not find it worth our time to complain because 1. the isp isn't going
to do anything anyway, 2. the infected pc probably isn't going to spam us again
either.


--Gene

References:
- [SAGE] ISP class egress anti-spam filtering
  - From: Neil Neely <neil@frii.com>

Prev by Date: Re: [SAGE] ISP class egress anti-spam filtering
Next by Date: Re: [SAGE] Log collection and analysis solutions
Prev by thread: Re: [SAGE] ISP class egress anti-spam filtering
Next by thread: Re: [SAGE] ISP class egress anti-spam filtering
Index(es):
- Date
- Thread