Don't spam filter your role accounts

A variety of “amazon.com order confirmations” showed up in my inbox this morning. They were quite well done, looking pretty close to real Amazon branding, so quite a few people will click on them. And they funnel people who do click to websites that contain hostile flash apps that’ll compromise their machines (and steal their private data, login and banking credentials then add them to botnets to attack other sites and so on).
Not good. Just the sort of urgent, high-risk issue that ISP abuse desks really want to hear about. I sent email about it to the ISPs involved, including a copy of the original email. One of them went to iWeb, a big (tens of thousands of servers) hosting company.
This was the response:

<abuse@noc.privatedns.com>: host mott.privatedns.com[174.142.252.34] said: 554 rejected due to spam content (in reply to end of DATA command)

That’s iWeb’s main abuse address for their address space, as registered with ARIN. They even have a comment in their network registration that says “Please use abuse@noc.privatedns.com for abuse issues”.
For email related abuse (spam, malware email, botnets, phishing, viruses, …) almost all valid, actionable abuse reports will include a copy of the email involved. And that’s exactly the sort of content that content-based spam filters do their best to block. That means that putting content-based spam filters on your abuse or security role addresses will prevent you seeing most reports about abusive traffic coming from your network.
There are some companies that have an intentional policy of rejecting most spam reports sent to them so that their abuse metrics look better, and they don’t have to pay for abuse desk staff to handle the high volumes of abuse reports their customers provoke. “Mistakenly” putting spam filters on their abuse alias is one way of doing that – others include using non-standard abuse aliases, demanding reports come in only via web forms, requiring abuse reports be sent in non-human-writable formats while discarding all others, and many more. If you don’t want to behave responsibly it’s easy enough to dodge those reports.
Legitimate companies really want to know about abusive traffic sooner rather than later, so they can shut it down and mitigate the damage as quickly as possible. Email systems are complex, though, and it’s quite easy for an upgrade to spam filtering at a companies main mailserver to mistakenly by applied to abuse@ and security@ aliases – especially when spam filtering or email services are outsourced. And if you’re a company that uses dozens of domains it’s easy to lose track of where mail to abuse@ some of those domains ends up.
If you’re responsible for email, abuse or security at your organization it’s worth occasionally checking that your role accounts actually work. Find yourself a fairly obvious bit of spam, then forward it to your abuse@ role address (with a sentence or two telling your abuse desk that you’re just testing, and can they reply to your mail so you know they received it).
Real spam sent directly to abuse@ role addresses can be a severe problem, but content-based filtering is not the way to deal with it. One approach that we suggest to our Abacus users is to prioritize reports that mention a URL or an IP address on your network, so that legitimate, actionable reports will “bubble up” above any spam.

Spamming ESPs: the followup
On Hiatus

Related Posts

Email filters

What makes the best email filter? There isn’t really a single answer to that question. Different people and different organizations have different tolerances for how false positives versus false negatives. For instance, we’re quite sensitive to false positives here, so we run extremely conservative filtering and don’t block very much at the MTA level. Other people I know are very sensitive to false negatives and run more aggressive filtering and block quite a bit of mail at the MTA level.
For the major ISPs, the people who plan, approve, design and monitor the filters usually want to maximize customer happiness. They want to deliver as much real mail as possible while blocking as much bad mail. Blocking real mail and letting through bad mail both result in unhappy customers and increase the ISP’s costs, either through customer churn or through support calls. And this is a process, filters are not static. ISPs roll out new filters all the time, sometimes they are an improvement and sometimes they’re not. When they’re not, they’re pulled out of production. This works both for positive filters like Return Path and negative filters like blocklists.
Then there is mail filtering that doesn’t have to do with spam. Business filters, for instance, often block non-business mail. Permission of the recipient often isn’t even a factor. Companies don’t often go out of their way to block personal mail, but if personal mail gets blocked (say the vacation plane ticket or the amazon receipt) they don’t often unblock it. But when you think about why a business provides email, it makes perfect sense. The business provides email to further its own business goals. Some personal usage is usually OK, but if someone notices and blocks personal email then it’s unlikely the business will unblock it, even if the employee opted in.
In the case of email filters, the free market does work. Different ISPs filter mail differently. Some people love Gmail’s filters. Other people think Hotmail has the best filtering. There are different standards for filtering, and that makes email stronger and more robust. Consumers have choices in their mail provider and spamfiltering.

Read More

Turn it all the way up to 11

I made that joke the other night and most of the folks who heard it didn’t get the reference. It made me feel just a little bit old.
Anyhow, Mickey beat me to it and posted much of what I was going to say about Ken Magill’s response to a very small quote from Neil’s guest post on expiring email headers last week.
I, too, was at that meeting, and at many other meetings where marketers and the folks that run the ISP spam filters end up in the same room. I don’t think the marketers always understand what is happening inside the postmaster and filtering desks on a day to day basis at the ISPs. Legitimate marketing? It’s a small fraction of the mail they deal with. Ken claims that marketing pays the salaries of these employees and they’d be out of a job if marketing didn’t exist. Possibly, but only in the context that they are paid to keep their employers servers up and running so that the giant promises made by the marketing team of faster downloads and better online experiences actually happen.
If there wasn’t an internet and there weren’t servers to maintain, they’d have good jobs elsewhere. They’d be building trains or designing buildings or any of the thousands of other jobs that require smart technical people.
Ken has no idea what these folks running the filters and keeping your email alive deal with on a regular basis. They deal with the utter dregs and horrors of society. They are the people dealing with unrelenting spam and virus and phishing attacks bad enough to threaten to take down their networks and the networks of everyone else. They also end up dealing with law enforcement to deal with criminals. Some of what they do is deal with is unspeakable, abuse and mistreatment of children and animals. These are the folks who stand in front of the rest of us, and make the world better for all of us.
They should be thanked for doing their job, not chastised because they’re doing what the people who pay them expect them to be doing.
Yes, recipients want the mail they want. But, y’know, I bet they really don’t want all the bad stuff that the ISPs protect against. Ken took offense at a statement that he really shouldn’t have. ISPs do check their false positive rates on filtering, and those rates are generally less than 1% of all the email that they filter. Marketers should be glad they’re such a small part of the problem. They really don’t want to be a bigger part.

Read More

The little things

It really amuses me when I get blatant spam coming from a network belonging to one of our Abacus customers. I know that the complaint will be handled appropriately.
It’s even better when the spam advertises the filter busting abilities of the spammer. I get a warm, fuzzy feeling to know that the spammer is going to be looking for a new host in the immediate future.

Read More