ISP wants to stop outgoing web based spam
Simon Waters
simonw at zynet.net
Thu Aug 10 07:28:18 UTC 2006
On Wednesday 09 Aug 2006 18:28, Suresh Ramasubramanian wrote:
>
> 2. West African cities like Lagos, Nigeria, that are full of
> cybercafes that use this satellite connectivity, and have a huge
> customer base that has a largish number of 419 scam artists who sit
> around in cybercafes doing nothing except opening up free hotmail,
> gmail etc accounts, and posting spam through those accounts, using the
> cybercafe / satellite ISP's connectivity.
If we get abuse like that from a Cybercafe, and we have in the past, we block
their IP address allocation on our webservers. It is up to the cybercafe
owner to police his space, or suffer the consequences, just like any other
ISP.
If the question is how can he police his space, well I'm sure technical
solutions are possible, but there are very cheap human solutions, along with
keeping a functional abuse address.
> I got asked this way back in 2005, and then talked to Justin Mason of
> the SpamAssassin project. He was of the opinion that it could be done
> but he wasn't too aware of anybody who had tried it, plus he didn't
> exactly have much free time on his hands for that.
I suspect there are sufficient free email servers using HTTPS that it is
pretty much impossible to spot this kind of thing from content inspection, at
least not as a long term solution.
Certainly if you assume content inspection is impossible, or at least
unreliable as a long term solution, you are left with traffic analysis. I
suspect IP addresses doing automated abuse have distinctive patterns, but the
risk of false positives must be reasonably high. Simple analysis tools
applied to a Squid log would show volume of HTTP traffic and other stuff.
Provide them a login when they pay, and you can immediately know who it is as
well. There are even real time analysis tools for Squid logs.
The webmail provider on the other hand can easily and cheaply check if content
from one member is suspicious in either content or volume, and suspend the
account. So perhaps you are trying to apply the solution in the wrong place.
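
The Squid log analysis suggested in the message above, as an added example that is not part of the original post: it counts POST and CONNECT requests to webmail hosts per proxy login (or client IP when no login is recorded) in fixed time windows. The host list, window size, threshold and sample log lines are constructed assumptions, and the input is assumed to be Squid's native access.log format.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumed watch list and limits; tune against the site's normal traffic.
WEBMAIL_HOSTS = {"webmail.example.com", "mail.example.net"}
WINDOW_SECONDS = 600
MAX_REQUESTS_PER_WINDOW = 5

def parse_line(line):
    """Parse one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    method, url = f[5], f[6]
    # CONNECT lines carry host:port (all that is visible for HTTPS),
    # other methods carry a full URL.
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    user = f[7] if f[7] != "-" else None  # set when proxy logins are used
    return ts, f[2], method, host.lower(), user

def flag_heavy_senders(lines):
    """Return {(login_or_ip, window_start): count} for entries over the limit."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, method, host, user = rec
        if method not in ("POST", "CONNECT") or host not in WEBMAIL_HOSTS:
            continue
        window = int(ts // WINDOW_SECONDS) * WINDOW_SECONDS
        counts[(user or client, window)] += 1
    return {k: n for k, n in counts.items() if n > MAX_REQUESTS_PER_WINDOW}

# Constructed sample: one login posting 8 times in a window, one ordinary client.
SAMPLE_LOG = [
    f"{1155194400 + i * 30}.000 200 10.0.0.5 TCP_MISS/200 900 POST "
    "http://webmail.example.com/send cafe17 DIRECT/192.0.2.10 text/html"
    for i in range(8)
] + [
    "1155194410.000 150 10.0.0.9 TCP_MISS/200 4000 GET http://webmail.example.com/inbox - DIRECT/192.0.2.10 text/html",
    "1155194420.000 900 10.0.0.9 TCP_MISS/200 5200 CONNECT mail.example.net:443 - DIRECT/192.0.2.20 -",
]
```

A count over the limit is a prompt for a human to look, not proof of abuse, given the false-positive risk noted in the message.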