North American Network Operators Group
Re: ISP wants to stop outgoing web based spam
On Wednesday 09 Aug 2006 18:28, Suresh Ramasubramanian wrote:
>
> 2. West African cities like Lagos, Nigeria, that are full of
> cybercafes that use this satellite connectivity, and have a huge
> customer base that has a largish number of 419 scam artists who sit
> around in cybercafes doing nothing except opening up free hotmail,
> gmail etc accounts, and posting spam through those accounts, using the
> cybercafe / satellite ISP's connectivity.

If we get abuse like that from a Cybercafe, and we have in the past, we block their IP address allocation on our webservers. It is up to the cybercafe owner to police his space, or suffer the consequences, just like any other ISP.

If the question is how can he police his space, well I'm sure technical solutions are possible, but there are very cheap human solutions, along with keeping a functional abuse address.

> I got asked this way back in 2005, and then talked to Justin Mason of
> the SpamAssassin project. He was of the opinion that it could be done
> but he wasn't too aware of anybody who had tried it, plus he didn't
> exactly have much free time on his hands for that.

I suspect there are sufficient free email servers using HTTPS, that it is pretty much impossible to spot this kind of thing from content inspection, at least not as a long term solution.

Certainly if you assume content inspection is impossible, or at least unreliable as a long term solution, you are left with traffic analysis. I suspect IP addresses doing automated abuse have distinctive patterns, but the risk of false positives must be reasonably high.

Simple analysis tools applied to a Squid log would show volume of HTTP traffic and other stuff. Provide them a login when they pay, and you can immediately know who it is as well. There are even real time analysis tools for Squid logs.

The webmail provider on the other hand can easily and cheaply check if content from one member is suspicious in either content or volume, and suspend the account.

So perhaps you are trying to apply the solution in the wrong place.
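
The Squid-log traffic analysis suggested in the message above, as an added example that is not part of the original post: it counts POST and CONNECT requests to webmail hosts per login per hour, since HTTPS sessions appear in the log only as CONNECT tunnels. The host watchlist, the threshold, the login names and the sample log lines are all assumptions constructed for illustration.

```python
import collections
from urllib.parse import urlsplit

# Assumed watchlist of webmail host suffixes (not from the original post).
WEBMAIL_SUFFIXES = ("hotmail.com", "gmail.com", "mail.google.com")

def sample_log():
    """Constructed sample in Squid's native access.log format:
    time elapsed client action/code bytes method URL user hierarchy/peer type"""
    fmt = "{:.3f} 250 10.0.0.{} TCP_MISS/200 4096 {} {} {} DIRECT/192.0.2.10 -"
    t0 = 1155144000
    # Login "seat07" opens 40 HTTPS tunnels to webmail inside one hour.
    lines = [fmt.format(t0 + 60 * i, 7, "CONNECT", "mail.google.com:443", "seat07")
             for i in range(40)]
    lines.append(fmt.format(t0 + 100, 11, "CONNECT", "mail.google.com:443", "alice"))
    lines.append(fmt.format(t0 + 200, 11, "GET", "http://www.example.org/", "alice"))
    lines.append(fmt.format(t0 + 300, 12, "POST", "http://www.hotmail.com/compose", "-"))
    return lines

def target_host(method, url):
    """Destination host; for CONNECT (HTTPS) the URL field is just host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_webmail(host):
    return any(host == s or host.endswith("." + s) for s in WEBMAIL_SUFFIXES)

def webmail_counts(lines, window=3600):
    """Count POST/CONNECT requests to webmail hosts per (who, window start)."""
    counts = collections.Counter()
    for line in lines:
        f = line.split()
        if len(f) < 10 or f[5] not in ("POST", "CONNECT"):
            continue  # malformed line, or a method this check does not count
        if not is_webmail(target_host(f[5], f[6])):
            continue
        try:
            bucket = int(float(f[0])) // window * window
        except ValueError:
            continue
        who = f[7] if f[7] != "-" else f[2]  # fall back to client IP without a login
        counts[(who, bucket)] += 1
    return counts

def flag_heavy(counts, threshold=30):
    """Names whose count in any single window reaches the (assumed) threshold."""
    return sorted({who for (who, _), n in counts.items() if n >= threshold})

if __name__ == "__main__":
    print(flag_heavy(webmail_counts(sample_log())))
```

Given the false-positive risk the message points out, a flagged login is a lead for a person to look at, not grounds for an automatic block.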