Monday, August 15, 2005

ISPs can prevent spam... if they wanted to

If you are like me, you receive maybe a couple hundred spams per day. I have quite a few email addresses and some are more, some are less, but all are spammed. And like me, you need to review at least the subject message of most of these spams to make sure that it isn't a customer placing an order or an important message from Uncle Charlie. This takes time, not a lot of time every day, but enough... and it adds up.

So why don't ISPs do something about it? Simple! They cannot see past the next 5 minutes and nobody else is doing it. Most ISPs will tell you that spam is a real problem for them. It costs a ton of bandwidth, servers and software, abuse personnel, and lots and lots of customer support and irritation. Those who do filter have to buy and upgrade their filtering software, and generally, it raises the cost of doing business. So to the average consumer, the fact that their ISP is NOT doing anything probably means they can't.

That couldn't be more untrue. There is plenty that ISPs could do about spam. But believe it or not, since nobody else is doing it, nobody is going to start. Stopping spam can be done but unless many ISPs do it, there will be little savings. One or two ISPs who stop spam only eat the costs. It will not reduce their overhead, but it will cost money to set up the software and services that help to prevent the spam. If Earthlink or SBC customers don't get spam, it won't make a huge difference to spammers. However, if most ISPs are doing it, it cuts deep into the profits of spammers, raises the cost and risks of customer acquisition significantly, and ultimately, it just doesn't pay. If nobody gets your spam, nobody can respond.

Stopping spam quickly and effectively

Realize it or not, most of the spam that hits your inbox does not come from the USA, even if it looks like it does. A close examination of the IP addresses will show you that most spam comes from Asian countries, Europe, or South America and the spammers simply fake an email address, something that isn't hard to do. ISPs in many of the countries outside the USA aren't necessarily as hindered by spam laws, and many of these ISPs simply couldn't make it without the spammers. Imagine being an ISP in Taipei and having an American contact you with the idea of sending out 20 million spams per day, and willing to pay you $1000 per day for the privilege. That pays your entire staff and pretty much guarantees that you will not go out of business. Is it likely that you will turn this down? Not a chance!

That brings us back to the USA. Since much of this spam comes from outside the country and all is identifiable by the IP address that it comes from, why not simply block by IP address? All IP addresses are broken down into major blocks represented by the first number, and each of these blocks is assigned to certain areas of the world. APNIC largely controls Asia and anything in the Pacific, RIPE controls Europe, LACNIC controls South America, and ARIN controls North America.

Now you may have legitimate email coming in from Malaysia, but most of us don't. In fact, since being on the Internet since 1994, I've not received one email that I could not do without from anyone outside the USA and Canada. There's nobody there that has a reason to write me. On the other hand, I've gotten tens of thousands of spams from these countries, costing me cumulatively hundreds of hours of time previewing them and deleting them.

Cutting the spam - simple

Now here's where it gets to the meat -- cutting the spam. I don't need complicated filterbots. I don't need fancy software. I don't need to spend weeks setting up my filter rules. What I need to be able to do is block every non-ARIN IP address out there and enable the Spamhaus list of spammer IP addresses from the USA. Give me that capability and I will knock out 99% of my spam overnight.

How easy would that be for the consumer? Nearly impossible! And that's where the ISP comes in. Blocking IP address blocks for the ISP is nothing, and while enabling it by account is quite a bit more, it's hardly rocket science either. In fact, leave it blocked by default but tell customers that if they do want to receive email from outside the country, to enable the IPs from that country or even the region. Overnight, that would cut out most of the spam that gets through that ISP's network.
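The per-account policy described above (refuse non-ARIN senders by default, let a customer enable other regions, and refuse blocklisted senders regardless of region) can be sketched as follows. This is an added example, not code from the original post; the function names, the small first-octet table, the sample addresses and the local blocklist set standing in for Spamhaus lookups are all assumptions made for illustration.

```python
import ipaddress

# Sample subset of IANA /8 allocations (first octet -> registry). Assumption:
# a real deployment loads the full IANA IPv4 address space registry instead.
RIR_BY_FIRST_OCTET = {24: "ARIN", 64: "ARIN", 61: "APNIC", 202: "APNIC",
                      62: "RIPE", 193: "RIPE", 200: "LACNIC", 201: "LACNIC"}

def registry_for(ip):
    """Registry for an IPv4 address, or 'UNKNOWN' if the /8 is not in the table."""
    return RIR_BY_FIRST_OCTET.get(int(ipaddress.IPv4Address(ip)) >> 24, "UNKNOWN")

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNS name a mail server looks up to ask a DNSBL about ip (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def accept_connection(ip, enabled_registries, blocklisted):
    """Per-account decision for a connecting mail server: (accepted, reason)."""
    if ip in blocklisted:                      # listed sender, even if ARIN
        return False, "blocklisted"
    registry = registry_for(ip)
    if registry not in enabled_registries:     # unknown /8s are refused too
        return False, f"{registry} not enabled for this account"
    return True, f"accepted ({registry})"

# Constructed sample data: host parts are made up, and the blocklist set is a
# stand-in for answers that would come back from the DNSBL.
BLOCKLISTED = {"64.0.2.25"}
DEFAULT_ACCOUNT = {"ARIN"}                     # ISP default: North America only
OPTED_IN_ACCOUNT = {"ARIN", "RIPE"}            # customer who enabled Europe

if __name__ == "__main__":
    for ip in ("24.0.2.10", "64.0.2.25", "62.0.2.7", "61.0.2.99"):
        print(ip, accept_connection(ip, DEFAULT_ACCOUNT, BLOCKLISTED),
              accept_connection(ip, OPTED_IN_ACCOUNT, BLOCKLISTED))
```

The first-octet table is coarse: address space has been transferred between registries over time, so a production filter would match against the registries' published delegation data at finer granularity.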

Will it cut every spam? Hardly! There are the spammers that use trojans, those that are just stupid newbies, those who will risk penalties under US law, and probably a few more. What it will do however, is slowly eat into the spammers' profits. Wiping out corners that spammers can hide in is like eliminating all the places where rats can stay out of sight. Like kicking over a rat nest, spammers will scatter, some will find themselves in the light where they can be stomped, others will just decide that it isn't worth it, and others will be forced back into U.S. jurisdiction in order to do business.

While it won't wipe out spammers, it will make it hugely less profitable for all of them. Spam response rates now are only in the range of 1 in 10,000. This means that if a spammer sends out a million spams per day, he fills 100 orders. At a profit of $20 each, the spammer clears $2000 per day or $60,000 per month. Now, if you wipe out 90% of his delivery, that brings his number of customers down to 10, his daily profit to $200, and his monthly income to $6000. For most, that's not worth the risks of moving digital operations back to the USA where they cost more, where the risks are high, and where the ISPs are more likely to care.

Utilizing Spamhaus IP lists will also make US hosts care a bit more. Imagine running a legit hosting business with thousands of legitimate clients, when suddenly a spammer comes along and his use of your system threatens to get your entire business blacklisted by Spamhaus. Getting banned from every major ISP in the nation means that your legitimate clients will drop you like the wet dog that you are. An ISP in that instance is going to take some very strong action against anyone threatening their business instead of coddling them, allowing it, or simply ignoring it.

So why is it that ISPs don't take these remarkably simple steps? Because unless many companies are doing it, there won't be a global effect. One or two ISPs aren't going to make a difference. It takes a sizeable majority to effect that change. Second, it will cost money without any direct payback. Spam will still hit the ISP, even if it doesn't get to the customer. Their servers will still have to deal with it, they will still pay the bandwidth, and there is no direct ROI. Third, and perhaps most tragic of all, is that most will be intimidated by the small but annoyingly whiny group of people that will point a finger and accuse them of being racists by allowing banning of all foreign email.

I still wait however, for an ISP that finally "gets it"! When they can allow their customers to block spam, this is a sure ticket to attracting a good chunk of your competitor's customers. I just hope that company is public because I will be first in line to buy their service and their stock... because it's going UP!

Roadrunner - spam lovers at heart

I just had an interesting conversation with my RoadRunner (cable access provider) about spam. After calling to find out why I cannot reply to my neighborhood's email network as my other neighbors can, I found out that I am limited to no more than 99 addresses in a single email.

Okay, I can live with that. Why not... so I have to send the same email out twice. According to the Roadrunner rep, this is to help prevent spam. Good idea. Spam is so prolific that ISPs need to be doing all they can to take charge of the situation and if all ISPs did this, there would be no more spam. Imagine how miserable life would be for a spammer who could only send out 99 at a time and had to max at 1000 total per day. I'd never be invited to participate in another survey or get a Rolex for $19.

But then I asked what Roadrunner was doing for us... their customers.

ME: Are you doing any filtering based on keywords?
RR: Roadrunner is very committed to preventing spam, but we do not do any filtering.
ME: If you are very committed to preventing spam but don't do filtering, what DO you do?
RR: Well sir, we prevent you from sending out more than 99 emails at a time or 1000 per day.
ME: No, I understand what you do to protect everyone else's customers. What do you do to protect your own?
RR: Well sir, if you get a spam you can send it to the abuse address and if we determine that it is spam, then we will block that email address.
ME: So I am supposed to send you all 200 spam that I get every day that has totally bogus email addresses on it and, you will investigate each one and then block that email address? And you want all couple of million of your customers to do this? That would be an awful lot of abuse reports.
RR: Yes sir.
ME: You do know that spammers just make up email addresses and never use the same one twice, don't you? And if they did that, you would never block them.
RR: Yes sir.
ME: So if they never use the same one twice, how does what you do help?
RR: Well sir, if they did, then it would stop them.
ME: But they don't!
RR: Yes sir.
ME: So why don't you use filtering of some kind? It would be so easy to block out your basic Viagra/Cialis spam.
RR: Well Sir, there are some people that would like to get these emails.
ME: What about porn?
RR: Well sir, there are some people that want to receive these as well.
ME: So for the sake of these few perverts, the rest of your customers must suffer?
RR: Well sir, we don't make those judgements.
ME: What about ripoffs... you know... those emails that tell you that you qualify for loans but all they want is your personal information so they can steal your identity? Do you know anyone who wants those?
RR: Well sir, not personally. But there could be those.
ME: People who WANT to get ripped off and have their identity stolen?
RR: Yes sir.