ISP wants to stop outgoing web based spam

Hank Nussbacher hank at efes.iucc.ac.il
Wed Aug 9 15:11:47 UTC 2006


On Wed, 9 Aug 2006, Mills, Charles wrote:

I guess I wasn't clear enough in my first posting.  I am not interested in 
smtp (port 25 spam).  We have that covered.  I am only interested in 
blocking outgoing web based spam.  A user sits and sends out spam via 
automated tools via Hotmail, Yahoo, Gmail, or whatever Webmail system 
where they have set up thousands of throwaway users.  An antispam proxy 
(that I want to install and manage) has to be able to come between the 
user on his/her PC and the Hotmail system and scan the http posts and page 
templates for things like number of recipients and other tricks like 
keeping track of the number of http posts.  It has to maintain a list of 
known free webmail systems that are abused.

Based on my stats from Spamcop, 60% of all outgoing spam is http based 
rather than smtp based.  Others may have slightly higher or lower numbers.

So, is there any magic fu out there to solve this?

Thanks,
Hank Nussbacher
http://www.interall.co.il


> Seems like all mail would have to go through the same server at that
> point or at least every server would have to run the software.  Probably
> not practical for an ISP if you have multiple customers with their own
> mail servers?  I assume you're looking for something that would sit on
> your egress point to your upstream providers?   I would think that the
> Packeteer box would almost be there to do this if you could have it or a
> box like it inspect all traffic destined for port 25.  Compare it
> against a database of known spammers, known spam keywords, etc.?
>
> Charles L. Mills
> Senior Network Engineer
> Access Data Corporation
> 90 Beta Drive
> Pittsburgh, PA 15238
> (412) 968-4024
> cmills at accessdc.com
> http://www.accessdc.com
> Hosting, Colocation and Disaster Recovery
>
> ________________________________
>
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Michael K. Smith - Adhost
> Sent: Wednesday, August 09, 2006 9:11 AM
> To: Hank Nussbacher; Nanog
> Subject: Re: ISP wants to stop outgoing web based spam
>
>
>
> Hello Hank:
>
>
> On 8/9/06 3:28 AM, "Hank Nussbacher" <hank at efes.iucc.ac.il> wrote:
>
>>
>> Back in 2002 I asked if anyone had a solution to block or rate limit
>> outgoing web based spam. Nothing came about from that thread. I have an
>> ISP that *wants* to stop the outgoing spam on an automatic basis and be
>> a good netizen. I would have hoped that 4 years later there would be
>> some technical solution from some hungry startup. Perhaps I have missed
>> it. What I have found so far is:
>>
>> Detecting Outgoing Spam and Mail Bombing
>> http://www.brettglass.com/spam/paper.html
>> SMTP based mitigation - thing on HTTP/HTTPS
>>
>> Stopping Outgoing Spam
>> http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf
>> Research paper - nothing practical
>>
>> Throttling Outgoing SPAM for Webmail Services
>> http://www.ceas.cc/papers-2005/164.pdf
>> Research paper - nothing practical
>>
>> ISPs look inward to stop spam - Network World
>> http://www.networkworld.com/news/2004/071204carrispspam.html
>> Bottom line - no solution
>>
>> So I am trying once again.  Hopefully someone has some magic dust
>> this time around.
>>
>> Thanks,
>> Hank Nussbacher
>> http://www.interall.co.il
>>
>
> My answer is based on the word "startup" so I'm assuming "no money" but I
> could be "wrong".  :-)  We use the standard SpamAssassin, ClamAV setup both
> on ingress and egress.  On egress we set the detection levels and divert and
> save anything that is marked as Spam rather than sending it on with headers
> and subject modifications.
>
> We've found this to be very effective in reducing our scores with Comcast
> and AOL in particular and it's pretty much stopped our being blocked by
> those services, even using a fairly loose setting for SpamAssassin.  As a
> service provider that forwards tons of mail to addresses on those networks
> (previously un-scanned so we forwarded everything, including Spam) we've
> found it essential to put these filters in place to guarantee (as much as
> anyone can) service for our email customers.
>
> Regards,
>
> Mike
>
>
>
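
The checks described in the top message (recipient count per HTTP POST, number of POSTs per client, and a list of webmail hosts), as an added example that is not part of any poster's message or of any product named in the thread. The host names, form-field names and thresholds are assumptions, and the code assumes the proxy sees cleartext, form-encoded POST bodies.

```python
from collections import defaultdict, deque
from urllib.parse import parse_qs

# Constructed placeholders: a deployment maintains its own list of abused webmail hosts.
WEBMAIL_HOSTS = {"webmail.example.com", "mail.example.net"}
RECIPIENT_FIELDS = ("to", "cc", "bcc")  # assumed form-field names
MAX_RECIPIENTS = 20                     # assumed per-message limit
MAX_POSTS = 5                           # assumed POSTs allowed per window
WINDOW_SECONDS = 60                     # assumed sliding-window length


def count_recipients(body: str) -> int:
    """Count addresses in the recipient fields of a form-encoded POST body."""
    form = parse_qs(body)
    total = 0
    for field in RECIPIENT_FIELDS:
        for value in form.get(field, []):
            parts = value.replace(";", ",").split(",")
            total += sum(1 for p in parts if "@" in p)
    return total


class WebmailPostMonitor:
    """Tracks POSTs per client to listed webmail hosts and flags bulk-send patterns."""

    def __init__(self):
        self.history = defaultdict(deque)  # client -> timestamps of recent POSTs

    def observe(self, client: str, method: str, host: str, body: str, ts: float) -> list:
        """Return the reasons a request looks like bulk sending (empty list if none)."""
        if method.upper() != "POST" or host.lower() not in WEBMAIL_HOSTS:
            return []
        reasons = []
        recipients = count_recipients(body)
        if recipients > MAX_RECIPIENTS:
            reasons.append(f"recipients={recipients}")
        window = self.history[client]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_POSTS:
            reasons.append(f"posts_in_window={len(window)}")
        return reasons
```

A non-empty result is a signal for rate limiting or review of that client, not proof of spam on its own.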


