Exchange between ATT.NET postmaster and Eric Dynamic (the very frustrated Sys. Admin. of Transbay.net)
Here's the bottom line: AT&T lets their users send spam to users of other ISPs. They then block the innocent recipients of this spam when these messages are bounced back.
First, here is a message from the AT&T postmaster:
We complied with each request you have made, including your request for lifting the block on 3/25. It (the block) was reinstated today after filtering 95% of your traffic to bellsouth.net. Please examine your logs carefully for the traffic causing the blocks and inform us when you have addressed the issue. We will be happy to lift the blocks when the issue is addressed.
Here is Eric Dynamic's response:
I have sent you several emails concerning this issue. Since I have a clearer understanding what is going on, let me summarize for you:
You complain that you have to "filter 95% of our traffic to bellsouth.net." I now understand that the traffic you're filtering is our bouncing email back to senders FROM bellsouth.net.
All you're getting is echoes from us of the "crap your users are sending us", and in most cases the offense of their mail is the IP address it was sent from: the address was flagged as a known source of spam and to be rejected for that reason.
So:
1) You didn't identify the contents and meaning of this traffic yourself, instead you had me do it for you. Insofar as these were bounce messages, they were splendid autopsies of who did what to whom, and if you had inspected any of them, you would have seen that our traffic is valid traffic - responding to your users sending from IP addresses that have been flagged as known sources of SPAM. You would even have seen the SPAM. (NOTE: since we are sending your users' spam BACK to them, our bounces LOOK LIKE SPAM. But, they only contain the original email your user sent, and you didn't STOP IT as spam on the way out!)
2) Unless the default has changed in the most recent releases, "sendmail", the software that processes 80% of all the world's email, provides a popular antispam feature that BY DEFAULT, RESPONDS TO A LABELED SPAMMER telling them their mail is on a BLOCK LIST. This is a COURTESY to the sender to let them know (on the assumption they are NOT a criminal) that they need to get themselves unblocked. Therefore, when we reply to your users, THAT MAIL IS VALID. The fact that sendmail does this BY DEFAULT coupled with the fact that sendmail runs 80% of the world's email means that you have to filter out a HUGE number of ISP COMPLAINTS ABOUT YOUR SPAMMING USERS. Of course, if you STOPPED YOUR SPAMMERS, you wouldn't HAVE this problem.
3) I see no awareness on your part that the SBL/XBL public block lists exist and what purpose they serve. In particular, they stand for you as an open reference as to which of your IP addresses have been BLOCKED FOR SPAM. I suggest the obvious: If ANY of your IP addresses are found on these lists, YOU HAVE A PROBLEM. It means you have to correct the problem (stop the spammer, or make the innocent user de-virus and de-malware their PCs) and then submit the IP address to the block list for removal. You evidently DO NOT DO such obvious things, because as our logs show, an ENORMOUS number of your IP addresses are flagged in the SBL/XBL.
4) Addresses in the SBL/XBL are FLAGGED FOR CAUSE. If an IP address belonging to you is found in the SBL/XBL, it means that ISPs can expect that email from that address is SPAM, and that is why they can reject that mail. YOU CAN USE the SBL/XBL as well as we can, and YOU CAN STOP YOUR FLAGGED USERS from sending SPAM to the internet. IF YOU DID SO, you would ASSIST IN REDUCING THE SPAM PROBLEM OVERALL (insofar as we alone, one ISP, get HUNDREDS of SPAM ATTEMPTS PER HOUR from bellsouth.net addresses alone. I can speak for all ISPs to say, if you STOPPED THAT SPAM, THAT WOULD BE NICE.)
5) Legal, nothing. If you're not worried about class action lawsuits for arbitrarily blocking thousands of small ISPs from sending to users@sbcglobal.net (apparently in response to SPAMMERS on YOUR network), then you can hardly be worried about getting sued for blocking your users based on a PUBLIC BLOCK LIST.
6) If the RFCs that define email handling MANDATE a reply to the sender whose mail Will Not be delivered, then you have no legal defense for disallowing those replies. I'll bet they're not strict, but if I wanted to sue you, I would read them in order to find out. Maybe you should read them so you'll know.
7) Gee, when you realize that the endless traffic you're getting from us is bounces of YOUR SPAMMERS, why don't you FIX YOUR SPAMMERS? In fact, what you should ask us is to send those bounces to your ABUSE MAILBOX for you to know who on YOUR NETWORK is SPAMMING. But as I said, you can use the very same public database that we do, to determine if your users are behaving themselves. And you can do it in real time, so that once one of your addresses gets flagged, you block it, and a notice is sent to a sysad there to have them contact the feckless user to clean the endless viruses from their pathetic Microsoft BOTNET PC. Maybe be a bit proactive to protect the internet - that would be nice.
8) We don't filter our users' outbound mail, but then we don't have to - we are a small shop and our users are good or they are axed, and I haven't had to axe anyone for spam for 8 years. You, on the other hand, have millions of subscribers, tens of thousands of whom have PCs that send or attempt to send us SPAM every hour of every day. It seems to me that your "filtering" is misguided and that you should APPLY (the SBL/XBL) TO YOURSELF FIRST, because if you did so it would accomplish two related things: (1) You would be STOPPING SPAM emanating from your network, of which there is a GREAT DEAL. (2) You would be cleaning your network of BOTNET PCs and SPAMMERS. That is all the rest of us ISPs could ask. If YOUR USERS don't get on the SBL/XBL, WE will never have to BOUNCE THEM FOR CAUSE. You could announce that you were going proactive on the issue and adopting the SBL/XBL, and for a while thumb your nose at places like Charter, Cox, Sympatico, and even Comcast, that you were doing much more to combat spam than they. I wish they blocked their users based on the SBL/XBL, and spam would dramatically decrease. That, and slapping the Chinese for their Internet Crime Orgy.
I have altered my sendmail DEFAULT to DISCARD email flagged by the SBL/XBL, but let's remember that such bounce mail is a COURTESY and one ORDINARILY should not expect to have to use that bounce mechanism. If you're remotely curious how much outright JUNK we get from your networks, ask me sometime. You get that traffic FROM us because so MANY of YOUR users have spammed from their connection. That is YOUR problem to fix, and it's only responsible that you do so. What you are imposing on other ISPs as things stand is a violation of the mail protocol, in intent if not in letter. We should feel free to tell any sender that they have been blocked - so that they, the PROBABLY INNOCENT user, will be alerted to a problem with their account/connection.
I can unblock the bellsouth.net domains now, but I will wait for a reply to this email. I will see if I can restore bounces for domains other than yours; on the other hand, you should fix your INTERNAL ISSUES so that you don't falsely blame all the messengers, which is what you're doing when you block hundreds of ISPs for replying to your users that their addresses have been abused and so mail from them is ignored. If you DID YOUR JOB fixing YOUR SPAMMERS, you would not GET a flood of bounces as you do.
I had to manually "hack" sendmail's defaults to make it DISCARD rather than BOUNCE the flagged mail. I knew how to do that; a lot of ISPs you block may not. sendmail is at version 8.14.2 now. As of sendmail 8.13.2 there was still no electable option to DISCARD rather than BOUNCE email, probably because that violates the mail protocol. ALL YOU HAVE TO DO with that email being returned to your users is SEE WHO SENT IT. If it was MAILER-DAEMON, then it's PROBABLY VALID MAIL. I haven't seen spammers abuse that address yet. If a MAILER-DAEMON bounce to your user contains SPAM, it will be because the email that THE USER SENT contained THAT SPAM, and if YOU read the MAILER-DAEMON email, you will see the SPAM that originated from YOUR user's connection. Blocking such "we don't want your spam" email is a backward thing to do. You should GRAB and PROCESS that mail to flush the SPAM out of your network. In fact, a simple filter could grab bounces that referred to the SBL/XBL, allowing the remaining bounces to be delivered to the user (who should get them.)
I assume you'll be willing to do and spend the little needed to handle these issues correctly. I hope I'm right.
I am only suggesting that you use the SBL/XBL checks on your outbound mail. I have not suggested that you analyze the outbound mail, but I offer that solution to you as well: you could run it through SpamAssassin or similar, and refer the marginally flagged messages to an operator who could manually pass/fail the mail; or have it all done in software. But you need to do SOMETHING, that REALLY addresses the problem, rather than blocking email from ISPs telling your users they are blocked for SPAM.
It doesn't make sense to block us from sbcglobal.net when the hassle was with bellsouth.net, but I'll ignore that apart from mentioning it. You should tell your users to abandon Microsoft software, because that is the source of the BOTNET festival. Offer a discount for Unix/Linux users. If Microsoft software were removed from the internet, SPAM would vanish within months because there would be no more anonymous spambots to combat. See ecsd's remarks in the discussion of Google versus the 700MHz auction on internetevolution.com. To be sure, you can ignore this paragraph when you can quit laughing.
Thanks for your time.
Eric Dynamic
Systems Admin, transbay.net
Oakland, California
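The "simple filter" Eric proposes in point 7 and in his closing paragraph, as an added example that is not part of the exchange above: it separates MAILER-DAEMON bounces that cite an SBL/XBL listing from ordinary bounces, and collects the listed addresses so an ISP's abuse desk can act on them while unrelated bounces still reach the user. The sample messages, hostnames, the `classify_bounce`/`flagged_hosts` names and the rejection wording are constructed assumptions modelled on sendmail-style DSNs, not real traffic.

```python
import email
import re
# Constructed sample (not a real message): a sendmail-style DSN whose transcript and Diagnostic-Code cite a Spamhaus listing.
DNSBL_BOUNCE = """\
From: MAILER-DAEMON@mx.transbay.example
To: user@bellsouth.example
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

   ----- Transcript of session follows -----
550 Rejected: 192.0.2.25 listed at sbl-xbl.spamhaus.org
--B
Content-Type: message/delivery-status

Final-Recipient: rfc822; someone@transbay.example
Diagnostic-Code: smtp; 550 Rejected: 192.0.2.25 listed at sbl-xbl.spamhaus.org
--B--
"""
# Constructed ordinary bounce (unknown user): this one should reach the sender untouched.
OTHER_BOUNCE = """\
From: MAILER-DAEMON@mx.transbay.example

550 5.1.1 <nobody@transbay.example>... User unknown
"""
# Matches "<ip> listed at <sbl|xbl|zen...>.spamhaus.org" or "<ip> ... blocked using <zone>" (assumed wording).
LISTING = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D{0,40}?(?:listed at|blocked using)\s+"
    r"(?P<zone>[\w.-]*(?:sbl|xbl|zen)[\w.-]*spamhaus\.org)", re.I)
def classify_bounce(raw):
    """Return ('dnsbl', ip, zone), ('bounce', None, None) or ('not-bounce', None, None)."""
    msg = email.message_from_string(raw)
    if "mailer-daemon" not in (msg.get("From") or "").lower():
        return ("not-bounce", None, None)  # not a DSN at all; leave it to normal spam filtering
    texts = []
    for part in msg.walk():  # human-readable transcript plus any machine-readable Diagnostic-Code
        texts.append(part.get("Diagnostic-Code", ""))
        if part.get_content_type() == "text/plain":
            texts.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    m = LISTING.search("\n".join(texts))
    return ("dnsbl", m["ip"], m["zone"].lower()) if m else ("bounce", None, None)
def flagged_hosts(raw_messages):
    """Aggregate listed IPs (and the zones that list them) from a batch of inbound bounces."""
    hosts = {}
    for raw in raw_messages:
        kind, ip, zone = classify_bounce(raw)
        if kind == "dnsbl":
            hosts.setdefault(ip, set()).add(zone)  # one entry per abused customer address
    return hosts
```

The aggregated map is what an abuse desk would cross-check against its own customer assignments; everything classified as a plain "bounce" is simply delivered.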