North American Network Operators Group


Re: ISP wants to stop outgoing web based spam

  • From: Simon Waters
  • Date: Thu Aug 10 03:29:30 2006

On Wednesday 09 Aug 2006 18:28, Suresh Ramasubramanian wrote:
> 
> 2. West African cities like Lagos, Nigeria, that are full of
> cybercafes that use this satellite connectivity, and have a huge
> customer base that has a largish number of 419 scam artists who sit
> around in cybercafes doing nothing except opening up free hotmail,
> gmail etc accounts, and posting spam through those accounts, using the
> cybercafe / satellite ISP's connectivity.

If we get abuse like that from a Cybercafe, and we have in the past, we block 
their IP address allocation on our webservers. It is up to the cybercafe 
owner to police his space, or suffer the consequences, just like any other 
ISP.

If the question is how can he police his space, well I'm sure technical 
solutions are possible, but there are very cheap human solutions, along with 
keeping a functional abuse address.

> I got asked this way back in 2005, and then talked to Justin Mason of
> the SpamAssassin project.  He was of the opinion that it could be done
> but he wasn't too aware of anybody who had tried it, plus he didn't
> exactly have much free time on his hands for that.

I suspect there are sufficient free email servers using HTTPS, that it is 
pretty much impossible to spot this kind of thing from content inspection, at 
least not as a long term solution.

Certainly if you assume content inspection is impossible, or at least 
unreliable as a long term solution, you are left with traffic analysis. I 
suspect IP addresses doing automated abuse have distinctive patterns, but the 
risk of false positives must be reasonably high. Simple analysis tools 
applied to a Squid log would show volume of HTTP traffic and other stuff. 
Provide them a login when they pay, and you can immediately know who it is as 
well. There are even real time analysis tools for Squid logs.

The webmail provider on the other hand can easily and cheaply check if content 
from one member is suspicious in either content or volume, and suspend the 
account. So perhaps you are trying to apply the solution in the wrong place.
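
The per-login volume analysis of a Squid log mentioned in the message above, as an added example that is not part of the original post. It assumes Squid's native access.log layout with the proxy login in the eighth field; the window, the threshold and the sample lines are constructed for illustration, and a real threshold has to be tuned against the false-positive risk the message notes.

```python
from collections import Counter

WINDOW = 600      # seconds per bucket (assumed value)
THRESHOLD = 30    # POST/CONNECT requests per user per bucket (assumed value)
WATCHED = {"POST", "CONNECT"}  # form submissions and HTTPS tunnels; no content is inspected

def parse_line(line):
    """Return (epoch, client_ip, method, url, user), or None if the line is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    return ts, f[2], f[5], f[6], f[7]

def heavy_users(lines, window=WINDOW, threshold=THRESHOLD):
    """Count watched requests per (user, bucket) and return those above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, method, _url, user = rec
        if method not in WATCHED:
            continue
        # Fall back to the client IP when the proxy logged no login ("-").
        who = user if user != "-" else ip
        counts[(who, int(ts // window) * window)] += 1
    return sorted((who, start, n) for (who, start), n in counts.items() if n > threshold)

def sample_log():
    """Constructed log: 'seat07' opens 40 tunnels in under 10 minutes, 'alice' browses."""
    base = 1155180600  # constructed timestamp, aligned to WINDOW
    fmt = "{:.3f} 120 {} TCP_MISS/200 2048 {} {} {} DIRECT/192.0.2.10 -"
    mail = "webmail.example.com:443"
    lines = [fmt.format(base + i * 14, "10.0.0.7", "CONNECT", mail, "seat07") for i in range(40)]
    lines += [fmt.format(base + i * 90, "10.0.0.3", "GET", "http://news.example.org/", "alice")
              for i in range(6)]
    lines.append(fmt.format(base + 30, "10.0.0.3", "CONNECT", mail, "alice"))
    lines.append("truncated line")  # malformed input is skipped, not fatal
    return lines

if __name__ == "__main__":
    for who, start, n in heavy_users(sample_log()):
        print(f"{who} window={start} requests={n}")
```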