[ On Thursday, April 22, 1999 at 09:42:03 (-0700), Steve Lamb wrote: ]
> Subject: Re: OFFTOPIC was Re: [EXIM] (un)blocking dynamic IP addresses [Was: A way to do this?]
>
> Then this is a problem with their policy in signups and should be
> addressed THERE and not in causing problems and heartache for the rest of
> their customers.
Well, yes, but that's an extremely difficult problem to solve because it
pits the engineering and operations groups directly against marketing,
sales, and the bottom line. "We can't sign up a whole boat-load of new
customers that way because 1% of them might be rabid spammers who
we'll take months to track and eradicate!" Guess which way the bottom
line will point and who'll get stuck with the responsibility of killing
the spammers before the new customers get peeved and run away again....
It's a vicious circle unless you implement technical controls to prevent
the spammers from doing harm in the first place.
> I mean, let's think this through. They force all customers to go through
> a redirect to port 25. Great, now they increased the load of their mail
> machine, piss off customers, put themselves at risk of legal action, and what
> have they gained? Nothing. When they see the load, they cancel the account
> and the spammer just gets a new one. If anything, all they have done is
> shorten the cycle, nothing more. That isn't worth it.
No, no, you don't worry about the load -- you've got it mostly anyway
because most people will be following your instructions and pointing
their MUAs at your gateway anyway. The extra load will only be from the
spammers.
And you don't just "notice" the increased load of a spammer who's pumping
through extra stuff -- you implement technically controlled limits to
enforce your policies and the spammer can never blow your load out of
the water (i.e. only N RCPT's per connection, and if you're keen then
only N connections per unit of time, etc.). Then you don't even have to
cancel the account because the goof can never annoy enough people to
"worry" about (i.e. only hundreds, or thousands, or tens of thousands,
of messages get out, not millions or tens of millions). I.e. there's no
operational cost.
You also get instant and total blocking of all open relay abuse. This
alone is one of the best reasons to redirect outgoing SMTP to your own
mail relay gateway.
It *IS* worth it, especially when you balance it against the operational
costs of dealing with <abuse> and <postmaster> mailboxes. Service
organizations sometimes seem to be blind to these costs, but they're
very real. There's also the human cost of dealing with such negative
stuff all the time and the turnover in the industry is very high (though
of course those sorts of support people are always treated like meat and
aren't often paid enough to make them worthwhile holding on to).
And the PR and support issues are very easy to deal with in comparison
because it's usually only the spammers and a few techie nerds who'll
raise the issue in the first place! Not only that, but it's a
no-brainer for a new service because there's no change to worry about if
you implement it from day one, as some new services are doing.
The legal risk is just that -- a risk, and it's minimal anywhere but in
the USA, and it can be mitigated even there through appropriate AUPs and
service contracts.
> The last ISP I worked for had a simple policy. If you're paying by
> credit card, ya got on. If you were being billed, you had to fill out an
> application and return it. Credit cards can be verified online with ease. I
> should know, I just dropped $40 in the last week on an on-line card game.
> Registered and bought cards online in less than 5 minutes from the page
> loading. Applications, well, they check before activating the account. That
> retains most of the speed since most people do sign-up by credit card anyway.
Ha! That's funny! I know a *large* local ISP who set up a very fancy
and expensive on-line accounting system with live credit card
verification (they spent over $250,000 building it, though at least half
that was extraneous because they decided on an AS/400 for their billing
system ;-) and they got beat upon with stolen credit card numbers being
used by spammers and other types of abusers. It's *FAR* too late to
cancel accounts like that once you've been notified that they're stolen
because the damage is already done. Now this ISP can't do a damn thing
about it except deal with the problem over and over every day. Of
course that kind of credit card fraud is an immense problem throughout
society and has extremely costly implications for all of us -- the banks
won't even tell us how much they lose every week (but it's in the tens of
millions -- I personally know one person whose stolen card racked up
over $30,000 in the couple of days it took for the bank to spot the odd
usage pattern and realize that maybe she didn't have the new one she was
sent in the mail), and somehow the thieves seem to bypass every new and
costly anti-fraud scheme they implement within a matter of days. It's
risk-free for the spammers though -- they can't get caught if they're
smart because they're totally anonymous.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@???> <robohack!woods>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>
--
*** Exim information can be found at
http://www.exim.org/ ***
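
An added illustration of the limits described in the message above (only N RCPTs per connection, only N connections per unit of time), showing how they cap what one account can send no matter how hard it pushes. It is not part of the original post and is not Exim code; the class name, limit values and simulated traffic are constructed assumptions.

```python
from collections import defaultdict, deque

class RelayLimits:
    """Per-customer limits on an outbound relay (values are illustrative)."""

    def __init__(self, max_rcpt_per_conn=10, max_conns=5, window_s=3600):
        self.max_rcpt_per_conn = max_rcpt_per_conn
        self.max_conns = max_conns
        self.window_s = window_s
        self._conn_times = defaultdict(deque)  # client -> accepted connect times

    def on_connect(self, client, now):
        """Return (SMTP code, session): 220 accepts, 421 refuses the connection."""
        times = self._conn_times[client]
        while times and now - times[0] >= self.window_s:
            times.popleft()                    # forget connects outside the window
        if len(times) >= self.max_conns:
            return 421, None                   # too many connections this window
        times.append(now)
        return 220, {"client": client, "rcpts": 0}

    def on_rcpt(self, session):
        """Return 250 to accept a RCPT TO, 452 once the per-connection cap is hit."""
        if session["rcpts"] >= self.max_rcpt_per_conn:
            return 452                         # too many recipients
        session["rcpts"] += 1
        return 250

    def ceiling_per_window(self):
        """Most recipients one client can reach per window, whatever it tries."""
        return self.max_rcpt_per_conn * self.max_conns

def simulate(limits, client, attempts, rcpts_each, interval_s):
    """Constructed traffic: `attempts` connections spaced `interval_s` apart,
    each trying `rcpts_each` recipients. Returns recipients accepted."""
    accepted = 0
    for i in range(attempts):
        code, session = limits.on_connect(client, now=i * interval_s)
        if code != 220:
            continue
        accepted += sum(limits.on_rcpt(session) == 250 for _ in range(rcpts_each))
    return accepted

if __name__ == "__main__":
    limits = RelayLimits()
    print("bulk sender:", simulate(limits, "cust-a", 1000, 1000, 1))
    print("normal user:", simulate(limits, "cust-b", 3, 2, 600))
```
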