North American Network Operators Group


Re: ISP wants to stop outgoing web based spam

  • From: Suresh Ramasubramanian
  • Date: Wed Aug 09 13:29:47 2006

On 8/9/06, Gregory Kuhn <[email protected]> wrote:
> I think he's talking about blog spam, which is definitely submitted
> over HTTP.

Similar. Picture this ...

1. A satellite connectivity provider, that provides connectivity to
huge swathes of West Africa, among other places.

2. West African cities like Lagos, Nigeria, that are full of
cybercafes that use this satellite connectivity, and have a huge
customer base that has a largish number of 419 scam artists who sit
around in cybercafes doing nothing except opening up free Hotmail,
Gmail etc. accounts, and posting spam through those accounts, using the
cybercafe / satellite ISP's connectivity.

3. The cybercafe / satellite IP shows up in a Received: or
X-Originating-IP type header in the spam that results.

4. The satellite provider really needs to do something about this -
something proactive, because trying to whack cybercafe based scam
artists after the fact is just not going to work.

5. So - a SpamAssassin plugin to a Squid or other transparent proxy,
for outbound filtering.

Something that can be rolled out at the satellite provider level, or
probably at the cybercafe level, and with an attached alert mechanism
that logs the spamming IP, and the MAC address of the PC that's
sending the spam that got caught. Something that ISPs in West Africa
that operate on wafer thin margins, and resell satellite connectivity,
can easily afford.

Oh - and something that is not the usual kind of corporation / library
type firewall [those would do this, but they'd roll over and die at
the least hint of actual production use in this kind of scenario .. as
some ISPs who deployed these in W. Africa apparently found out]

I got asked this way back in 2005, and then talked to Justin Mason of
the SpamAssassin project. He was of the opinion that it could be done
but he wasn't too aware of anybody who had tried it, plus he didn't
exactly have much free time on his hands for that.

Anybody who can do it - with open source and reasonably low costs,
plus ISP grade scalability - please do let me know. I know some people
(including govt / LE) who would be just as interested as Hank is.


Suresh Ramasubramanian ([email protected])
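
Added example, not part of the original message and not code from SpamAssassin or Squid: a sketch of the outbound check and alert record the message asks for, run over constructed webmail POSTs. The keyword rules and threshold are hypothetical stand-ins for a SpamAssassin verdict, and it assumes the proxy sits on the cybercafe LAN, since a client's MAC address is only visible on the same layer-2 segment.

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in rules; a real deployment would pass the text to SpamAssassin.
RULES = [
    (re.compile(r"\b(next of kin|beneficiary|inheritance)\b", re.I), 2.0),
    (re.compile(r"\b(million|usd)\b", re.I), 1.5),
    (re.compile(r"\b(western union|strictly confidential)\b", re.I), 2.0),
]
THRESHOLD = 5.0  # assumed cut-off
# Constructed sample in Linux /proc/net/arp layout.
ARP_SAMPLE = """IP address   HW type  Flags  HW address         Mask  Device
192.0.2.17   0x1      0x2    00:16:3e:aa:bb:01  *     eth1
192.0.2.23   0x1      0x2    00:16:3e:aa:bb:02  *     eth1
"""
HDRS = "Host: webmail.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
# Constructed webmail submissions as the proxy would see them.
SPAM_POST = ("POST /compose/send HTTP/1.1\r\n" + HDRS +
             "to=a%40example.org&subject=Strictly+confidential"
             "&body=You+are+the+beneficiary+of+12+million+USD")
HAM_POST = ("POST /compose/send HTTP/1.1\r\n" + HDRS +
            "to=b%40example.org&subject=Lunch&body=See+you+at+noon")

def parse_arp(table):
    """Map client IP -> MAC from /proc/net/arp style text (header row skipped)."""
    rows = (line.split() for line in table.strip().splitlines()[1:])
    return {f[0]: f[3] for f in rows if len(f) >= 4}

def inspect_post(client_ip, raw_request, arp):
    """Return an alert record for a form POST that scores as spam, else None."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or request_line[0] != "POST":
        return None
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    text = " ".join(v for values in fields.values() for v in values)
    score = sum(weight for rx, weight in RULES if rx.search(text))
    if score < THRESHOLD:
        return None
    return {"client_ip": client_ip, "mac": arp.get(client_ip, "unknown"),
            "host": headers.get("host", ""), "path": request_line[1], "score": score}

if __name__ == "__main__":
    print(inspect_post("192.0.2.17", SPAM_POST, parse_arp(ARP_SAMPLE)))
```

Deployed at the satellite provider instead, the same check would only see the cybercafe's IP, so the MAC field would have to come from logs kept at the cybercafe.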