SANS ISC: InfoSec Handlers Diary Blog

Frustrations of ISP Abuse Handling

Published: 2009-12-19
Last Updated: 2009-12-19 16:21:14 UTC
by Deborah Hale (Version: 1)
13 comment(s)

I am the Abuse Coordinator for a small ISP in the Midwest and am very receptive and proactive when dealing with spam originating from our network.  I monitor log reports from servers and firewalls, have subscribed to all of the FBLs that I am aware of, participate in an abuse listserve, review our domain information on the MS site, SenderBase and Trusted Source daily, and resolve to eliminate spam from our network as quickly as possible, oftentimes before we even receive the first official notification. We have been under a barrage of spam attacks from various IP addresses all over the world, just like many others have reported, and have felt the pain of email DoS first hand.  We recently implemented a Red Condor filtering system, blocking over 24 million spam emails from just one of our domains in the first 3 weeks of December.  We know first hand the damage that can be done by spam.  We strive every day to work with our customers to reduce the amount of spam coming from their home computers, as well as with our business customers to ensure that they secure their mail servers to prevent abuse.  As soon as abuse is discovered it is handled.

So where am I going with this?  I am frustrated with organizations such as Trend Micro, SORBS, etc. that block IPs for NO reason whatsoever.  They simply don't like the "server name" that was chosen or the way the IP is identified in ARIN registration. One example: one of our business mail servers was blocked because they didn't like the name, da2.our.domain (real name masked).  They assumed that da2 stood for "dialup access" instead of "direct admin".  There had been absolutely no spam reported from the box, but because they THOUGHT it was a dialup computer they blocked the IP.   We recently have been battling blocklists that are preventing email from being delivered simply because our ARIN listing does not indicate that the IP address is static.  Now these are legitimate mail servers on IP addresses that are statically assigned to our customers.  There have been absolutely no spam reports from any of the servers, yet they are being blocked from sending legitimate email.

The companies that are doing this have taken it upon themselves to act as god of the Internet.  They insist that we comply with their demands, in the manner that THEY want it done, and because we won't comply they will not allow legitimate emails to be delivered.  One of the servers that they have blocked is a mail server for a small city government, for their police dept, fire dept, and EMS dept.  It was explained to Trend Micro that they were endangering the well-being of this small community without justification.  I asked them if they had any examples of spam originating from the IPs and they indicated they had none. They sent an email with what needed to be done to comply with their rules.   They said that we had to comply or they WILL NOT remove the block.

Some of you are probably thinking: why don't you just do what they want done so that it doesn't happen again?  We have considered that.  However, last week it was SORBS, this week it is Trend Micro, next week someone else, the next week someone else, and we will end up spending all of our time trying to comply with every one of these groups that comes along.  We were told by Trend Micro that they want all mail servers to indicate that they are mail servers by using mail. or smtp. for the server names.  We don't control our customers' mail servers. We don't tell them what they have to name the server, and many times we don't even know that they put up a mail server unless they have problems delivering or receiving mail.  We don't have time to be big brother to our customers.  If the customer violates our AUP, if the customer's IP is reported for spam or copyright infringement, it is handled immediately.  Otherwise, it is up to the businesses themselves and their IT folks what they do with the static IPs that are assigned to them.

Some people complain that the ISPs aren't doing enough to keep the Internet free from spam and malicious activity, and you may be right.  It could be because the ISPs are spending all of their free time playing games with the Internet Big Brothers.  I for one am tired of hearing the criticism of ISPs, of the complaining that we aren't doing enough.  I know folks that work for other small ISPs such as ours, and I know that they too are doing their best to stay ahead of the game.  I think it is time for all of the "Big Brothers" out there to get a clue: you are doing more damage to the Internet by your lack of responsibility than all of us put together.  Until we all agree to one standard, until the Internet "police" provide all of us with one set of rules that we all have to comply with, we will continue to fight the battle of not only spam but also the differing opinions on how these lists should be handled.

If these companies want to set rules, why not use SPF (Sender Policy Framework) to set these rules?  SPF has been in place for a long time and has been a recommended standard.  We are working towards SPF records for all of our mail servers and hope to have all SPF records completed within the next week.  Will this be enough to satisfy the "big brothers"?  We are also setting up rDNS records for our customers' mail servers that we are aware of.  Will this be enough?  I am all for blocking computers, mail servers or home computers that are identified as sending legitimate spam.  If one of our devices is spamming, I block it on our network before it ever gets to yours.
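To make concrete what an SPF record actually lets a receiving mail server decide, here is an added example (not code from the diary or from Long Lines, LLC) of an offline SPF evaluator. The records and IP addresses are constructed for hypothetical domains; real records usually also carry a, mx and include mechanisms, which need DNS lookups, so this code evaluates only the ip4, ip6 and all mechanisms and reports when a lookup would be required rather than guessing.

```python
import ipaddress

# Constructed sample records for hypothetical domains; not from the diary.
SAMPLE_SPF_STRICT = "v=spf1 ip4:203.0.113.0/28 ip4:198.51.100.25 ip6:2001:db8::/32 -all"
SAMPLE_SPF_SOFT = "v=spf1 ip4:203.0.113.0/28 ~all"

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that cannot be evaluated without DNS; this example does no lookups.
DNS_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}


def parse_spf(record):
    """Split an SPF TXT record into mechanism terms and modifiers.

    Returns (terms, modifiers): terms is a list of (qualifier, mechanism, argument);
    modifiers (redirect=, exp=) are collected separately because acting on them
    needs DNS lookups, which this offline evaluator does not perform.
    """
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms, modifiers = [], {}
    for term in parts[1:]:
        if "=" in term.split(":", 1)[0]:  # modifier, e.g. redirect=_spf.example.net
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"  # an unqualified mechanism means "pass on match"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg or None))
    return terms, modifiers


def check_spf(record, client_ip):
    """Evaluate a connecting IP against an SPF record, left to right, first match wins.

    Returns one of the RFC 7208 results (pass, fail, softfail, neutral, permerror)
    or 'dns-required' when a decision would need a lookup this code does not make.
    """
    ip = ipaddress.ip_address(client_ip)
    terms, modifiers = parse_spf(record)
    for qualifier, mech, arg in terms:
        base = mech.split("/", 1)[0]  # strip a dual-CIDR suffix such as a/24
        if base == "all":
            return QUALIFIER_RESULT[qualifier]
        if base in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except (ValueError, TypeError):
                return "permerror"  # malformed address or missing argument
            if (base == "ip4") != (network.version == 4):
                return "permerror"  # ip4: holding an IPv6 prefix, or vice versa
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        if base in DNS_MECHANISMS:
            return "dns-required"
        return "permerror"  # unknown mechanism name
    if "redirect" in modifiers:
        return "dns-required"
    return "neutral"  # no mechanism matched and no redirect to follow


if __name__ == "__main__":
    for addr in ("203.0.113.5", "203.0.113.16", "2001:db8:1::1", "192.0.2.7"):
        print(addr, "->", check_spf(SAMPLE_SPF_STRICT, addr))
```

The point for the diary's argument is the last mechanism: with `-all`, an IP outside the listed ranges gets a hard fail that a receiver can reject on, while `~all` only asks it to treat the message with suspicion. Either way the decision is made from the domain owner's published policy, not from what the sending host happens to be named.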

The frustrating thing about all of this is that I know that these companies are making big bucks selling a product to their customers that will break the customers' ability to receive email.  Are these companies explaining that to the customers?  Obviously not.  The folks emailing our customers expecting a response from our customers don't have a clue that it is their "filter" that is preventing the delivery of the email.  It is this Handler's opinion that we will all really need to take a step back and learn to work TOGETHER to resolve the spam problem without causing more issues for an already stressed business community.

Deb Hale
Long Lines, LLC

Keywords: ISP Abuse