Due Diligence in Selecting an Internet Service Provider for your Company
Friday, August 15, 2003
Posted by: Charles Oriez
The company name referred to in the following article has been replaced with [company] to protect the integrity of its employees.
Subject: Re: Emails blocked because [company] hosts my sites
From: firstname.lastname@example.org (Keenan Clay Wilkie)
email@example.com (Reel Fish) writes:
>My business emails are blocked because [company] (on the [company]
>network) hosts my Web sites. Is there anything I can do besides moving
>my sites? I have 7 sites. I DO NOT send any spam. I hate spam. It
>wastes my time and now dealing with this is wasting more. I don't
>even have an opt in/out mailing list because I hate to be on them
The problem is that [company] has made it very, very clear that they are
openly tolerant of criminal activity amongst their customers -- and that they may even encourage criminal behavior. Rather than go to the trouble of sorting out just who at [company] is and is not a criminal customer, most people find it much easier to just block all of [company]. This is useful because it prevents [company] from moving around their criminals to non-blocked IP addresses and it encourages legitimate businesses, such as yours, to move to more respectable companies and thus deprive [company] of further income.
You should get away from [company]. Far, far away from [company]. They've proven that they don't care that their customers break the law, and you don't want that taint upon you.
Has this happened to you? You go with the cut-rate ISP for your connectivity, and you find out that the reason they are so inexpensive is that their tolerance of spammers on their network has caused them to be blocked by half the world. Yes, your email is cheap, but it is also undeliverable in many cases. That translates into lost customers, lost orders, and lost revenues.
This is not idle speculation about something that has seldom happened before. Mile High AITP email via Yahoo Groups regularly fails to reach one chapter activist because her company has decided that there is too much spam coming from Yahoo Groups. An AITP leader in Minnesota reported that she has "had to try helping some people with REALLY major bad-news situations with blacklists, and with missing email due to false positives." Even the AITP leaders discussion list ran afoul of a blacklist when SPEWS (Spam Prevention and Early Warning System) issued the opinion that the upstream provider for the ISP who was hosting our national list was less than diligent in terminating spammers on his network. Additionally, a chapter leader in Nebraska works for a company whose domain has made it onto so many blacklists, that much of her business email fails to reach intended recipients on a daily basis.
Don't expect that you'll have legal recourse against the blacklist operators. They have as much right to express their opinion that a particular ISP is not responsive to complaints as Consumer Reports has a right to criticize the repair record on a given car, or Roger Ebert has to say that a particular movie lacks plot, characters, or artistic merit. If that bad review causes an ISP to refuse your mail or causes you to skip the particular movie, that's the penalty for bad reviews.
There is also another reason to perform due diligence before choosing an ISP. I have discussed spam-related litigation elsewhere in this series of articles. Some employees have begun to sue employers for sexual harassment when the employers fail to make reasonable efforts to block porn spam from reaching their desktops. ISPs that harbor spammers also tend, in my experience, to have a poor track record at anti-spam filtering. Ask your attorneys about your potential liability if employees complain about the porn spam showing up on their desktops and you are unable or unwilling to take reasonable steps to block it.
You can avoid or at least limit the problem if you perform your due diligence a little better before signing the connectivity contract. Performing that due diligence really isn't as hard as it seems since there are a lot of people out there willing to let you know whether the ISP that you are about to do business with wears a white hat or a black hat.
First, identify who your proposed ISP gets their backbone connectivity from. You may not personally be signing a contract with the backbone provider, but you may be signing a contract with someone downstream of that provider. When they get blocked, their downstreams get blocked and you get blocked.
The next step is to visit spamhaus.org, a UK based anti-spam operation that does a particularly good job of tracking long time, prolific spammers. Since I used [company] as my example to start this article, let's ask Spamhaus about [company]. As of early July, Spamhaus listed 38 current spamming operations hosted by [company]. 32 of them had been there over a month. 10 listings have 2002 start of service dates. This is not a good sign.
Another good source of information is the Spam Prevention Early Warning System, or SPEWS. SPEWS runs a series of spam traps (addresses designed solely to attract spam and never used for legitimate communications). Spam comes in. Complaints go out. If the ISP fails to cancel the spammer's connectivity, the ISP gets listed in SPEWS. First, the specific mail server is listed, then larger and larger parts of the ISP's net space get listed. Eventually, the listing gets broad enough that the ISP decides to start paying attention to spam complaints. A visit to spews.org can quickly show you whether your prospective ISP is on that list, and why.
There are global query engines which check all or most of the 400 or so free anti-spam databases to see which, if any, contain the IP address or range that you are interested in. The best are moensted.dk in Denmark, relays.osirusoft.com here in the US, and openrbl.org in Holland. I decided to do a search on a uu.net IP address that I just got spam from. The IPA 220.127.116.11 is on 15 lists according to moensted, and 9 lists according to openrbl.
All of the global anti-spam lists use the IP Address, not the domain name, to block traffic from spammers. This is because domain names in from addresses are trivially easy to forge, while IP Addresses in received headers generally are not.
Just because your potential IP address is on blacklists doesn't mean that you should absolutely avoid that ISP. You need to evaluate the number of lists that this IPA is on, and how widely used those lists are. If your proposed IPA appears for instance on SPEWS, Spamhaus, and Fiveten already, not only should you avoid that ISP, but you should probably have security frisk their sales rep on his way out your door to make sure he hasn't stolen office supplies. If your IPA only appears on the XBL and NERD-US, you can probably ignore the listing. In fact, any IPA in the US will appear on NERD-US.
When in doubt, there is one final step to take. Ask what the ISP's track record is. Note that this is not what the ISP's published policies say, but how they actually perform on their policies. Do they in fact cancel spammers when the complaints come in, or do they wait six months until their checks start bouncing? The place to raise that question is the Usenet news group news.admin.net-abuse.email, or nanae. If you are not familiar with Usenet, this is an area that contains well over 50,000 different discussion forums on virtually every conceivable topic. Spam is the designated topic in nanae. If you don't know how to access it using a news server, the best Web based portal is groups.google.com. Post a question there and you'll get a strongly opinionated response from a fair number of people. Most of the people on that forum will generally provide hard, accurate facts to back up their opinions. Many of them run mail servers for a living. I offer one piece of advice though, when you post there, use a throwaway or nonexistent email address. Usenet is a favorite place for spammers to harvest addresses and any address posted on Usenet, particularly on nanae, will become overwhelmed by spam in short order. I use an old address that no longer has a mail server behind it although the domain still exists. You can also use a non-existent address, provided the domain in the address does not really exist either and has little or no likelihood of existing in the future. But don't use a fake address in a real domain, because that domain's owner may soon become flooded with the spam.
Follow these steps, and the likelihood that your domain will become collateral damage in the spam wars is greatly reduced. You'll also be doing your part in reducing spam, because you won't be providing revenue to a spam friendly ISP. There should only be one fate for ISPs who harbor spammers, and that's bankruptcy.
Charles Oriez has an MS-CIS from the University of Denver and writes and speaks on email issues in the Denver area.
Looking for more information on Spam? Check out the next two articles in this series, "Spam Legislation” and "Technology Options for Fighting Spam,” published in the September/October 2003 issue of Information Executive