Due Diligence in selecting an Internet Service Provider for your Company

Subject: Re: Emails blocked because bluehill.com hosts my sites
From: darkstar@shell1.iglou.com (Keenan Clay Wilkie)
Newsgroups: news.admin.net-abuse.email

reelfish@vyanet.com (Reel Fish) writes:

>My business emails are blocked because bluehill.com (on the verio.com
>network) hosts my websites. Is there anything I can do besides moving
>my sites? I have 7 sites. I DO NOT send any spam. I hate spam. It
>wastes my time and now dealing with this is wasting more. I don't
>even have an opt in/out mailing list because I hate to be on them
>myself.

The problem is that Verio has made it very, very clear that they are
openly tolerant of criminal activity amongst their customers -- and that
they may even encourage criminal behaviour. Rather than go to the trouble
of sorting out just who at Verio is and is not a criminal customer at
Verio, most people find it much easier to just block all of Verio. This
is useful because it prevents Verio from moving around their criminals to
non-blocked IP addresses and it encourages legitimate businesses, such as
yours, to move to more respectable companies and thus deprive Verio of
further income.

You should get away from Verio. Far, far away from Verio. They've proven
that they don't care that their customers break the law, and you don't
want that taint upon you.

Has this happened to you? You go with the cut rate ISP for your connectivity, and you find out that the reason they are so inexpensive is that their tolerance of spammers on their network has caused them to be blocked by half the world. Yes, your email is cheap, but it is also undeliverable in many cases. That translates into lost customers, lost orders, and lost revenues.

This is not idle speculation about something that has seldom happened before. Mile High AITP email via Yahoo Groups regularly fails to reach one chapter activist because her company has decided that there is too much spam coming from Yahoo Groups. An AITP leader in Minnesota reported he has "had to try helping some people with REALLY major bad-news situations with blacklists, and with missing Email due to false positives". Even the AITP leaders discussion list ran afoul of a blacklist when SPEWS (Spam Prevention and Early Warning System) issued the opinion that the upstream provider for the ISP who was hosting our national list was less than diligent in terminating spammers on his network. And one chapter leader in Nebraska works for a company whose domain has made it onto so many blacklists that much of her business email fails to reach intended recipients on a daily basis.

But don't expect that you'll have legal recourse against the blacklist operators. They have as much right to express their opinion that a particular ISP is not responsive to complaints as Consumer Reports has a right to criticize the repair record on a given car, or Roger Ebert has to say that a particular movie lacks plot, characters, or artistic merit. And if that bad review causes an ISP to refuse your mail, or you to skip the particular movie, that's the penalty for bad reviews.

There is also another reason to perform due diligence before choosing an ISP. I have discussed spam-related litigation elsewhere in this series of articles. Some employees have begun to sue employers for sexual harassment when the employers fail to make reasonable efforts to block porn spam from reaching their desktops. ISPs that harbor spammers also tend, in my experience, to have a poor track record at anti-spam filtering. Ask your attorneys about your potential liability if employees complain about the porn spam showing up on their desktops and you are unable or unwilling to take reasonable steps to block it.

You can avoid, or at least limit, the problem if you perform your due diligence a little better before signing the connectivity contract. And performing that due diligence really isn't as hard as it seems, since there are a lot of people out there willing to let you know whether the ISP that you are about to do business with wears a white hat or a black hat.

First, identify who your proposed ISP gets their backbone connectivity from. You may not personally be signing a contract with the backbone provider, but you may be signing a contract with someone downstream of that provider. When they get blocked, their downstreams get blocked, and you get blocked.

The next step is to visit spamhaus.org, a UK-based anti-spam operation that does a particularly good job of tracking long-time, prolific spammers. Since I used Verio as my example to start this article, let's ask Spamhaus about Verio. As of early July, Spamhaus listed 38 current spamming operations hosted by Verio. 32 of them had been there over a month. 10 listings have start-of-service dates in 2002. This is not a good sign.

Another good source of information is the Spam Prevention Early Warning System, or SPEWS. SPEWS runs a series of spam traps (addresses designed solely to attract spam and never used for legitimate communications). Spam comes in. Complaints go out. If the ISP fails to cancel the spammer's connectivity, the ISP gets listed in SPEWS. First the specific mail server is listed, then larger and larger parts of the ISP's net space get listed. Eventually, the listing gets broad enough that the ISP decides to start paying attention to spam complaints. A visit to spews.org can quickly show you whether your prospective ISP is on that list, and why.

There are global query engines which check all or most of the 400 or so free anti-spam databases to see which, if any, contain the IP address or range that you are interested in. The best are moensted.dk in Denmark, relays.osirusoft.com here in the US, and openrbl.org in Holland. I decided to do a search on a uu.net IP address that I just got spam from. The IP address (IPA) 65.215.29.250 is on 15 lists according to moensted, and 9 lists according to openrbl.


All of the global anti-spam lists use the IP address, not the domain name, to block traffic from spammers. This is because domain names in From addresses are trivially easy to forge, while IP addresses in Received headers generally are not.
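The contrast between a forgeable From domain and the recorded connecting address can be seen by parsing a message, shown here as an added example that is not from the original article. The message, host names and the `sender_evidence` helper are constructed for illustration, and the example assumes that only the Received line stamped by your own mail server (`our_mx`) is trusted, since anything below that hop was supplied by the sending side.

```python
import email
import re
from email.utils import parseaddr

# Constructed message: the From domain and the lower Received line are
# sender-supplied; only the top Received line was written by our own MX.
RAW = """\
Received: from mail.sender.example (unknown [192.0.2.25])
\tby mx.recipient.example with ESMTP id ABC123;
\tTue, 1 Jul 2003 10:00:00 -0600
Received: from trusted-bank.example ([198.51.100.7])
\tby mail.sender.example with SMTP; Tue, 1 Jul 2003 09:59:00 -0600
From: "Customer Service" <service@trusted-bank.example>
To: user@recipient.example
Subject: constructed sample

body
"""

BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def sender_evidence(raw_message, our_mx):
    """Return (claimed From domain, IP address recorded by our own MX)."""
    msg = email.message_from_string(raw_message)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    for hop in msg.get_all("Received", []):  # newest hop is listed first
        by = BY_HOST.search(hop)
        if by and by.group(1).lower() == our_mx.lower():
            ip = BRACKET_IP.search(hop)
            return claimed, (ip.group(1) if ip else None)
    return claimed, None  # no hop written by our server: nothing to trust

if __name__ == "__main__":
    print(sender_evidence(RAW, "mx.recipient.example"))
```

The address returned is the one a blocklist lookup should be run against; the From domain and the lower Received line play no part in it.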

Just because your potential IP address is on blacklists doesn't mean that you should absolutely avoid that ISP. You need to evaluate the number of lists that this IPA is on, and how widely used those lists are. If your proposed IPA appears for instance on SPEWS, Spamhaus, and Fiveten already, not only should you avoid that ISP, but you should probably have security frisk their sales rep on his way out your door to make sure he hasn't stolen office supplies. If your IPA only appears on the XBL and NERD-US, you can probably ignore the listing. In fact, any IPA in the US will appear on NERD-US.
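What the global query engines do for each list, and the weighing described above, can be sketched as follows; this is an added example, not code from the article or from any list operator. The zone names, the "widely used" and "informational" tags, the `verdict` thresholds and the DNS answers are all assumptions constructed for illustration; the query-name format (reversed octets plus the list's zone, with listings answering inside 127.0.0.0/8) is the standard DNS blocklist convention.

```python
import ipaddress
import socket

ZONES = {  # hypothetical zones (not real lists), tagged by how widely used
    "ops.dnsbl.example": "widely used",
    "escalating.dnsbl.example": "widely used",
    "country-us.dnsbl.example": "informational",  # lists every US address
}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:  # name does not resolve: treated as not listed
        return None

def check_ip(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: usage} for every zone that lists ip."""
    hits = {}
    for zone, usage in zones.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        # Listings answer in 127.0.0.0/8; a rewritten NXDOMAIN answer does not.
        if answer and ipaddress.ip_address(answer) in LISTED_NET:
            hits[zone] = usage
    return hits

def verdict(hits):
    """Assumed thresholds: weigh widely used lists, not the raw count."""
    serious = sum(1 for usage in hits.values() if usage == "widely used")
    if serious:
        return "avoid" if serious >= 2 else "investigate"
    return "ignore" if hits else "clean"

# Constructed DNS answers for documentation addresses, so this runs offline.
FAKE_DNS = {
    "25.2.0.192.ops.dnsbl.example": "127.0.0.2",
    "25.2.0.192.escalating.dnsbl.example": "127.0.0.2",
    "26.2.0.192.country-us.dnsbl.example": "127.0.0.2",
    "27.2.0.192.ops.dnsbl.example": "203.0.113.10",  # rewritten NXDOMAIN
}

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.27"):
        print(ip, verdict(check_ip(ip, resolve=FAKE_DNS.get)))
```

Passing `resolve=FAKE_DNS.get` keeps the run offline; leaving it out sends real DNS queries, in which case `ZONES` must be replaced with the lists you actually want to consult.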

When in doubt, there is one final step to take. Ask what the ISP's track record is. Note this is not what the ISP's published policies say, but how they actually perform on their policies. Do they in fact cancel spammers when the complaints come in, or do they wait six months until their checks start bouncing?

The place to raise that question is the Usenet newsgroup news.admin.net-abuse.email, or nanae. If you are not familiar with Usenet, this is an area that contains well over 50,000 different discussion forums on virtually every conceivable topic. Spam is the designated topic in nanae. If you don't know how to access it using a news server, the best web-based portal is groups.google.com. Post a question there and you'll get a strongly opinionated response from a fair number of people. Most of the people on that forum will generally provide hard, accurate facts to back up their opinions. And many of them run mail servers for a living.

I offer one piece of advice though. When you post there, use a throwaway or nonexistent email address. Usenet is a favorite place for spammers to harvest addresses, and any address posted on Usenet, particularly on nanae, will become overwhelmed by spam in short order. Creating and then abandoning a Yahoo or Hotmail address is the preferred procedure. I use an old address that no longer has a mail server behind it although the domain still exists. You can also use a non-existent address, provided the domain in the address does not really exist either, and has little or no likelihood of existing in the future. But don't use a fake address in a real domain, because then that domain's owner may be flooded with the spam.

Follow these steps, and the likelihood that your domain will become collateral damage in the spam wars is greatly reduced. You'll also be doing your part in reducing spam, because you won't be providing revenue to a spam-friendly ISP. There should only be one fate for ISPs who harbor spammers, and that's bankruptcy.