Spam Control Considered Harmful

John A. Tamplin jat at traveller.com
Thu Oct 30 19:42:46 UTC 1997


On Thu, 30 Oct 1997, Greg A. Woods wrote:

> > We are an ISP and we don't block our dialups from going to port 25 elsewhere
> > because this would eliminate their ability to rightfully use another mail
> > server.
> 
> That's all fine and dandy just so long as you trust your customers and
> you are certain they will adhere to your AUP.
> 
> However if you offer cheap dial-up accounts that can be opened either
> immediately, perhaps with a credit card number, then you've got no real
> way to establish *any* level of trust with your new customers and indeed
> the only way you can enforce your AUP is by technical means.  I.e. if
> your AUP says no spamming then you *must* implement controls that
> prevent new customers from spamming.  Period.  Otherwise Joe Spammer
> just buys a one-time (throw-away) account from you and violates your AUP
> under false pretenses.  I've even heard first-hand rumours that many
> spammers offer fraudulent credit card numbers and personal
> identification so you can't even try to bill them extra for breaking
> their contract.

There are costs of allowing spam and costs of stopping spam.  If the costs
of stopping it exceed the cost of allowing it, then obviously it is in our
best interest to allow it.  For example, there is a 100% certain way of
stopping spam -- unplug the wire.  However, the fact that we are all here
attests to the fact we deem this too high a cost for the benefit gained.

In our case, there are legitimate uses that customers expect to be able to
do, and we are unwilling to lose their business.  (More below).

If a spammer supplies a fraudulent credit card number, they have just 
committed a crime and can be prosecuted for that.  The spam they send out,
to be useful, must have a way of contacting them so that leaves a way to
track down who they are.  If a spammer wants to risk jail time to send out
some bulk email, anything I do isn't going to stop him.  You don't see junk
faxes since it was made illegal.

If they do supply their own credit card number, we charge $1 per intended 
recipient for any outgoing spam.  That can quickly cost them more than they
get from it and thus serves as a significant disincentive for them to spam.
 
> > This frequently occurs when a user accesses a mail server at work
> > from their home dialup account.  If other ISPs did this, we would have a
> > problem where a user dialing into their ISP couldn't reach their virtual
> > mail server, hosted on our network.  We currently don't have many going
> > the other way, but that may change.
> 
> There's no excuse for this.  The user should (and must in the proposed
> plan) use the mail relay operated by the ISP they dial into for *all*
> outgoing mail.

Ok, a customer is paying for a virtual domain service.  They want their
outgoing mail to appear as if they are running their own mail server, they
don't want people to know they are using someone else for it.  If they use
their other ISP for SMTP relay, that shows up in the outgoing mail.  I 
agree this is a minor issue for me, but it is not for some of our 
customers and since the customer is paying the bill, he gets what he wants.

> > In our case, this doesn't help since we and all the other local ISPs block
> > relay access, so you have to use the mail server of the ISP you are
> > currently connected to.
> 
> Exactly, so what's the problem?

I was simply saying that the example the original poster gave wasn't valid,
but that there were other examples which explain why it is infeasible to
implement blocking all access to port 25 elsewhere.

John Tamplin					Traveller Information Services
jat at Traveller.COM				2104 West Ferry Way
205/883-4233x7007				Huntsville, AL 35801



