nanog mailing list archives

Who Are The Good Guys?


From: David Stoddard <dgs () us net>
Date: Tue, 13 May 1997 22:02:09 -0400 (EDT)


        In the war against spam, it's getting harder to figure out who
        the good guys are.  Last weekend, we had an incident where a server
        called pure.fiber.net was relaying thousands of spam messages off
        one of our mail servers.  While we have filters in place to block
        the obvious spammers (cyberpromo and others), we don't learn about
        new ones until they cross the line (or we get them from Paul's
        site at http://www.vix.com/spam -- thanks Paul!).

        Unfortunately, fiber.net is a 9 to 5, Monday thru Friday operation
        with no weekend or evening NOC.  This made things difficult for us
        at 2 am on a Saturday night trying to get their attention.  Because
        fiber.net was not known as a spammer, we did not want to unilaterally
        block them off until we could talk to them when they opened on Monday
        morning, so we wrote some bash scripts and ran them against our mail
        queue every three minutes to kill messages with specific attributes
        relating to the spam.

        On Monday, we talked with their technical contact and he said that
        someone on their server must have been misbehaving, but that they
        would look into it.  Today I reviewed my logs and not only did it not
        stop, but they started ANOTHER spam off our mail servers.  When one
        of our engineers called them this afternoon, they said they were
        innocent because someone was using them as a relay -- nice try, but
        if they were a relay, we should not have seen any messages other
        than those destined for addresses on our network.  Instead, we got
        the entire spam feed.  They even went so far as to insert forged
        Received headers into the messages to try and throw us off.

        The spammers played us as chumps.  Fine -- now I have filters in
        my backbone routers for 204.250.13/24 and 204.250.192/19, and mail
        filters for *.fiber.net just in case they manage to get another IP
        block.  Grrrrr.  The bottom line is that you can't tell the good guys
        from the bad guys anymore.  There are ISPs that support spammers and
        then lie about it when they get caught.  Even though I detest the 
        fact that AGIS supports cyberpromo, at least they have the guts to
        tell it the way it is.

        As an aside, today we got a message in our marketing box asking 
        "Do you support spammers?" -- unbelievable.  The poster was looking
        for an ISP that would allow him to post 500 to 1000 spam messages
        each day.  I sent him a form letter telling him "no" and outlining
        why spam is a Bad Idea(tm).  It is obvious the spammers are getting
        much more aggressive and may even be compiling lists of spammer
        friendly ISPs.  It's not just getting worse -- it's getting weird.

        Dave Stoddard
        US Net Incorporated
        301-572-5926
        dgs () us net
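
The relay test described in the message (an outside host handing our server mail for recipients outside our network), as an added example that is not part of the original post. The local domain, local address block, and sample records are assumptions constructed for illustration; only the two filtered prefixes come from the message.

```python
import ipaddress
from collections import Counter

# Assumed for illustration (not from the post): our mail domain and address space.
LOCAL_DOMAINS = {"example.net"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def expand_prefix(short):
    """Expand shorthand like '204.250.13/24' to the network 204.250.13.0/24."""
    addr, _, length = short.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + length)

# The two blocks the post says were filtered, in the short form used there.
BLOCKED_NETS = [expand_prefix(p) for p in ("204.250.13/24", "204.250.192/19")]

def is_blocked(client_ip):
    """True if the connecting address falls inside a filtered block."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in BLOCKED_NETS)

def classify(client_ip, rcpt):
    """Label one (connecting host, recipient) pair seen by our mail server."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if any(ip in net for net in LOCAL_NETS):
        return "outbound"           # our own customer sending mail out
    if domain in LOCAL_DOMAINS:
        return "inbound"            # outside host delivering to our users
    return "third-party-relay"      # outside host, outside recipient

def relay_abusers(records, threshold=2):
    """Count third-party relay attempts per connecting host."""
    counts = Counter(ip for ip, rcpt in records
                     if classify(ip, rcpt) == "third-party-relay")
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample records (documentation addresses, not real log data).
SAMPLE = [
    ("198.51.100.7", "alice@example.net"),
    ("198.51.100.7", "bob@elsewhere.example"),
    ("198.51.100.7", "carol@other.example"),
    ("192.0.2.15", "dave@other.example"),
    ("203.0.113.9", "erin@other.example"),
]

if __name__ == "__main__":
    print(relay_abusers(SAMPLE))
```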