Australia's Largest ISP Redefines Spam

cpudney writes "According to this article in NEWS.com.au, Telstra BigPond, Australia's largest ISP will monitor its customers' e-mails and suspend the accounts of users suspected of sending spam, viruses or denial-of-service attacks. Under changes to its Acceptable Use Policy, BigPond will investigate cable and ADSL Internet customers sending more than 20 e-mails in a 10-minute period, and BigPond management "may suspend the (user's) account while the customer is contacted" if they are suspected of sending spam. Previously, BigPond's definition of spam was held to be 400 messages sent over a 15-minute period and now it's changed to 20 e-mails over 10 minutes. Internet Society of Australia president Tony Hill said BigPond's new definition of spam was very restrictive and he was concerned the limit had been set too low for legitimate e-mail users."

They are nuts - what about regular POP clients?

[thona]

Never had to answer 20 emails? Great. Just hope you are online all the time and not coming back from a trip or something, where some emails may have acumulated in your outbox. 20 emails is VERY low - I am now going on a three day trip, and I can bet I will have 40-50 outgoing mails in my mailbox when I return, just waiting to hit our email server. So, with their definition I would be in trouble. WHOW.

Stupid

[Uma Thurman]

There's no reason for this. All an ISP needs to do is institute a policy whereby if someone is caught spamming, the cleanup charge is $20,000. They already have their credit card, all they need to do is charge it.

This won't be good for Bigpond customers...

[Kulic]

One of my uni lecturers uses Bigpond as his ISP. He also has his uni email accounts redirected to his Bigpond address. He had problems a while ago when Bigpond went down. He normally accepts assignments via email, but everything sent to him got delayed a few days. Thankfully he accepted assignments which had been sent to him on time, otherwise a lot of people would have inconvenienced.

This lecturer also has other responsibilities (I won't go into detail here) which require him to him to send out newsletters to all of the students in our department, plus international committees and a large number of university staff. We are a small department, but still have ~100 students. Sending out a student newsletter would trip the new email limit. I don't know how he's going to get around this from home (obviously he can send it using our uni mail server when he's at work).

Just another example of Bigpond not being up to scratch these days. I personally use a competing ISP, and have never had a problem. I don't know how Bigpond is going to keep its customers with shit like this.

Re:This does seem a bit restrictive.

[Kris_J]

I think that an email with a bunch of addresses in the CC: line is just one email. The more valid example is of people that compose off-line then send messages in a big burst. Except that local phone calls are a fixed price in Australia, so who still does this?

I hope there are some other triggers for this system, for example: Sending more than 20 email in 10 minutes The first time you log on to a new account would probably be more suspicious.

(Also, I think the comparison to /.'s two minute wait before posting is a very valid one.)

Isn't this rather pointless?

[GabrielStrange]

Am I missing something?

I have an SMTP server running on my computer. I set it up a few years ago mainly to try to see how good a handle I had on how SMTP works, and I've continued to make use of it mainly so I can create my own Email aliases and help curb the amount of spam I get and keep track of its "real" origins... But setting it up was very little trouble for me. I grabbed a copy of sendmail, compiled it, spent a few hours figuring out how to configure it, registered an MX record with DHS International [dhs.org] and that's it... It's running. DHS was a free service the first few years I was with them -- now they charge me $5 per year.

For a brief period my ISP was filtering access to the SMTP port on my residential address, which meant I couldn't receive messages using my SMTP server... But I was still using it to send them out with no trouble! But at some point I contacted them and told them that I only want to have it running for my own usage, just to help curb the amount of spam I get, that I won't be giving anyone else accounts on it and that I understand how relaying works and have correctly restricted it... And a week or two later my SMTP port became accessible again. (Hopefully they actually reviewed my usage logs and tried to relay something through me before they did this... I'd hate to think they weren't careful.)

Sooooo... If I had no trouble setting up my own SMTP server, isn't it reasonable to assume that any halfway intelligent spamming organization would do the same -- set up their own server, then use that server to send out their spam, and avoid giving their ISP the chance to easily monitor their messages' content?

So isn't this really a more or less completely pointless violation of almost always legitimate Email users' privacy?

Solution: have the ISP host the lists

[Anonymous Coward]

If running a mailing list as a mere user gets you in trouble, then have the ISP host the list. Make sure it can only be joined by someone who actually confirms the subscription. Give the list owner a way to kick people off, and allow them to limit posting privileges to the list owner, list members, or not at all (aka wide open mode).

In other words, welcome to 1993. Colorado Supernet used to host a bunch of majordomo-run lists on their machines - either teal or csn itself. You could have their machines do the work for you instead of trying to slam dozens or hundreds of mails out from your lightweight machine. I'm sure that many other ISPs offered the same services back in the days that shell accounts were the norm.

I welcome our new SPAM-throttling overlords

[Crypto Gnome]

But seriously folks!

This is what you get for being a sheep and supporting your local (ex)Monopoly. No surprises here, none whatsoever.

Pain for many normal users? Sure!
Likely to increase ISPs income? Sure!
Actually going to make a *real* difference to professional spammers? Not likely!

Not much more than the usual big company thinking It's not important to solve the problem. It is only important that we convince the public we're working hard to solve the problem. (eg Microsoft and Security)

Then again, perhaps it'll encourage a few % more people to seriously consider their Internet Access choices in Australia, and they'll be better off in the long run.

If it's not entirely obvious (read-my-sig), HELLstra is not my ISP.

Whoa!

[Bifurcati]

As many people have (rightly!) pointed out, I could easily send two emails a minute - if I get back from a few days away, I might have twenty emails to reply to, and I have Pegasus Mail set to send everything in one hit. Especially if they're counting the number of recipients, and not just the number of emails (which would make sense re spam!)

What I want to know is, how do they decide if you're sending spam or not? Do they read your email? If so, that's pretty serious - I'd be interested to know what the user policy is with regards to that sort of thing. And if they just disconnect you while they check, that's bloody dramatic! I guess they can monitor you for continued heavy use, and then make a decision, but I can't see any middle ground between those two alternatives.

Either way, yet again glad I'm not with Telstra!

J.

Re:This won't be good for Bigpond customers...

[wrmrxxx]

I don't know how Bigpond is going to keep its customers with shit like this.

Telstra has all sorts of ways to try keep their customers. For example, misleading advertisements - they were forced to take some of their TV ads off the air by the ACCC. Or abusing their monopoly on the phone lines by lying about the availability of ADSL - they told a customer he was too far from the exchange when he wanted to get ADSL through another ISP, but was close enough for Bigpond. Then they threatened him when he talked!

I think there is only so far they can slide, however, before even the most uninformed consumers see the light. Their recent run of email brown outs must have been hard for even the most tolerant of users to ignore. This article [whirlpool.net.au] at whirpool suggests that people are finally starting to wake up.

Well, this should be entertaining.

[Niscenus]

If that happened here, I could only imagine the number of pseudo-mass-mailers that would have issues. You know, the people that send almost EVERYBODY WHOSE EMAIL ADDRESS THEY EVER HAD the greatest joke they read this morning, or funniest picture or....

Even I could get screwed over! After releasing a newsletter, which goes out upto 10 addresses (half in BCC), I get to hours old email, dashing through as much as I can, which tends to probably push the limit about once a month.

Besides, this problem could only be gotten around...oh, what, a dozen ways? Zombies, protocol switching, virii (have to write your own) and lets not forget remote accounts and any combinations you could come up with. Signal to noise is most certainly going to be difficult for Big Pond. As much as I dislike what they've done, I sincerily feel for their tech support.

Re:Oh telstra you dorks

[tunah]

Sometimes I write emails on my laptop while it's not on the network, and send them when i plug in.

Road Runner seems to have this

[DrMorpheus]

If I send email to more than five people then the mail that was cc'd to someone with a RR account gets bounced. Apparently RR thinks if your mailing more than five people your running a mailing list and they want the person receiving it to verify they agreed to the mailing list to them, (that is, Road Runner).

I object to this for several reasons:

• I come from a family of eleven children most of whom have five or more children so if we try to arrange things via email for the holidays we end up having much of our email bounced.
• Why should I, or anyone else, have to let RR know what email lists we subscribe to? Sorry, this is too big brotherish for me.
• Finally, there has to be better ways to stop spam. This seems too "designed by a committee" stupid.

Re:Stupid

[Reziac]

All well and good until your machine gets hijacked by a spammer, and you can't prove it wasn't you sending all that crap.

Spamassassin on outgoing email

[some1somewhere]

It is simple... enable Spamassassin not just for incoming mail, but for outgoing mail too.

Then calculate the scores of each user. If a particular user is sending lots of email that Spamassassin is "scoring" highly, then it is likely that the user is spamming or at least sending out spammy emails, and would warrent a closer look.

This would increase the load on outgoing mail servers, but if they want to do this right, and do it much more automated than manually reviewing everyone that sends "X emails in X minutes", then this would be one good way.

Or even... hold user's emails that have a very high score in a "pending" queue, and have an admin go through the queue to make sure it isn't spam before actually sending it.

Of course, this depends on Spamassassin being able to correctly target spam versus ham (and recently spammers are getting better at getting around it) but each new version of Spamassassin gets better at this again, so as long as they keep upgrading, the above system would work pretty accurately, and would minimize intrusion into people's private emails.

Sounds familiar -- and not even bad

[llauren]

There was an article, featured on Slashdot, quite some time ago, which could be applied here. The thought was that if an identified spammer tries to send to your SMTP server, the service would be slowed down.

To protect both the ISP and the innocent, they could implement a feature where after 20 mails in 10 minutes, mails would only be processed at the speed of, say, one mail per 30 seconds, and maybe slowing progressively after each 100 mails. When the mail pipe has been silent for a given amout of time, say ten minutes, the "mail slower" would be reset.

This wouldn't make much difference for the legit home user but for the spammer (and for a business connection) it would be a tar pit to avoid.

This could probably be implemented just by installing a crappier mail server ;)

~llauren

Re:This does seem a bit restrictive.

[terremoto]

A lot of virii and worms send email directly; therefore not using Telstra's mail servers. Therefore Telstra wouldn't even see the messages leaving the machine.

Telstra are the ISP. They can see anything they want.

# tcpdump -i eth0 dst port 25

YAY! this is great!

[the_unknown_soldier]

I am a bigpond user. and i know that for many users this is a godsend! you see bigpond has very restrivtive and long contracts which cost a lot to buy out of. this gives us the chance to get out of our contract without paying the fee. also... bigpond has the worst spam of any network in the world...simply because they have incompetent staff. this won't stop it.

It's the number of recipients,not number of emails

[joshv]

Ignore the frequency of email. If you are going to go digging into the details of your subscriber's emails, perform a one way hash on all of the recipient addresses and simply count the number of unique recipients in the last month (storing only the hash ensures privacy). More than 1000 - spammer. No spammer could make much money spamming less than 1000 people.

Granted, this is going to add some processing and storage overhead, but it could be done offline, and the statistics gathered used to suspend accounts once a day.

-josh

ISPs can act more proactively

[coral256]

ISPs do need to more closely monitor mail that is sent from their subscribers computers--not the content but the destination and headers. Similarly, ISPs need to filter incoming mail as described below. I am glad to see an ISP like BigPond taking some step though I think they could more narrowly tailor their efforts.

Right now three domains owned by members of my family have been chosen by spammers as the forged source domain for their spams, which are primarily sent to AOL, MSN, Yahoo. Working with AOL's postmaster team (which took a long time to find), we have determined these messages originate all over the world from a number of machines on many dozen ISPs and universities--directly from clients on those networks, not mail servers. AOL says there isnt a thing they can do about it (apparently even thousands of spam messages aren't a lot for them and no filtration process exists to, say, block any email which purports to originate from a domain but doesn't originate from the ip address of that domains email server) and I should contact each network directly (a daunting task since no one reads postmaster emails anymore).

Meanwhile, AOL's, MSN, Yahoo, etc. postmaster account sends hundreds of rejected messages to our domains daily.

The spammers' chosen method seem to be to create a relay on these public access networks. Chose a random source domain (which remains relatively constant) and then apply a number of random email account names to create a forged source. Then send to every possible subscriber at a major ISP in small but continuous batches.

Short of requiring authenticated emails, it would still seem relatively easy to detect this spam both leaving and coming in to an ISP:

-- mail is being sent directly from a client and not relayed either through the ISPs mail server or another relay which matches the reply to domain.
-- mail from the same machine continually iterates reply-to names
-- if 100s of messages are being rejected, then logically 1000s must be successfully sent--which means these machines should be more than a blip on ISPs server logs.
-- while messages come in waves, they continue throughout the day (and mail sent by humans is sent in small batches usually during waking hours)

What I would really like is a registry, perhaps tied to my domain registrar, wherein I can register the mail server(s) of my domain(s) and other ISPs can do a lookup for incoming mail and block email which isn't relayed through that mail server/IP address. This simple method would stop all my spam--at least until spammers find a new method.