North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: ISP wants to stop outgoing web based spam

  • From: Hank Nussbacher
  • Date: Wed Aug 09 11:12:58 2006

On Wed, 9 Aug 2006, Mills, Charles wrote:

I guess I wasn't clear enough in my first posting. I am not interested in smtp (port 25 spam). We have that covered. I am only interested in blocking outgoing web based spam. A user sits and sends out spam via automated tools via Hotmail, Yahoo, Gmail, or whatever Webmail system where they have set up thousands of throwaway users. An antispam proxy (that I want to install and manage) has to be able to come between the user on his/her PC and the Hotmail system and scan the http posts and page templates for things like number of receipents and other tricks like keeping track of the number of http posts. It has to maintain a list of known free webmail systems that are abused.

Based on my stats from Spamcop, 60% of all outgoing spam is http based rather than smtp based. Others may have slightly higher or lower numbers.

So, is there any magic fu out there to solve this?

Hank Nussbacher

Seems like all mail would have to go through the same server at that
point or at least every server would have to run the software.  Probably
not practical for an ISP if you have multiple customers with their own
mail servers?  I assume you're looking for something that would sit on
your egress point to your upstream providers?   I would think that the
Packeteer box would almost be there to do this if you could have it or a
box like it inspect all traffic destined for port 25.  Compare it
against a database of known spammers, known spam keywords, etc.?

Charles L. Mills

Senior Network Engineer

Access Data Corporation

90 Beta Drive

Pittsburgh, PA 15238

(412) 968-4024

[email protected] <>

Hosting, Colocation and Disaster Recovery


From: [email protected] [mailto:[email protected]] On Behalf Of
Michael K. Smith - Adhost
Sent: Wednesday, August 09, 2006 9:11 AM
To: Hank Nussbacher; Nanog
Subject: Re: ISP wants to stop outgoing web based spam

Hello Hank:

On 8/9/06 3:28 AM, "Hank Nussbacher" <[email protected]> wrote:

Back in 2002 I asked if anyone had a solution to block or rate limit outgoing web based spam. Nothing came about from that thread. I have
ISP that *wants* to stop the outgoing spam on an automatic basis and
a good netizen. I would have hoped that 4 years later there would be
some technical solution from some hungry startup. Perhaps I have
it. What I have found so far is:

Detecting Outgoing Spam and Mail Bombing
SMTP based mitigation - thing on HTTP/HTTPS

Stopping Outgoing Spam
Research paper - nothing practical

Throttling Outgoing SPAM for Webmail Services
Research paper - nothing practical

ISPs look inward to stop spam - Network World
Bottom line - no solution

So I am trying once again.  Hopefully someone has some magic dust
this time around.

Hank Nussbacher

My answer is based on the word "startup" so I'm assuming "no money" but I could be "wrong". :-) We use the standard SpamAssassin, ClamAV setup both on ingress and egress. On egress we set the detection levels and divert and save anything that is marked as Spam rather than sending it on with headers and subject modifications.

We've found this to be very effective in reducing our scores with
and AOL in particular and it's pretty much stopped our being blocked by
those services, even using a fairly loose setting for SpamAssassin.  As
service provider that forwards tons of mail to addresses on those
(previously un-scanned so we forwarded everything, including Spam) we've
found it essential to put these filters in place to guarantee (as much
anyone can) service for our email customers.



This Mail Was Scanned By Mail-seCure System
at the Tel-Aviv University CC.