Annalivia Ford

There's been a lot of talk lately about how ESPs need to step up - an excellent series of posts by Laura Atkins at Word to the Wise, Jamie Tomasello posting at Cloudmark, Al Iverson on Spamresource, and Karen Balle from ExactTarget to name a few. I am in absolute agreement with them. ESPs are now in the same position a lot of ISPs were in roughly a decade ago. It's time for them to start taking responsibility for their own traffic. No argument from me. Putting the burden on the spam filtering vendors and on recipients to block their bad clients' mail is not going to work much longer. What I haven't heard much of anything about is hosting companies.

There are a number of them out there that have enormous IP allocations, and that blatantly cater to spammers, especially snowshoers (Return Path just posted a good explanation of the term). They don't police the traffic coming from their networks, even if they do have feedback loops. They sell IP space, cash the checks, and turn a blind eye to what their customers are doing. If some ISP finally loses patience, they will terminate a spammer or two, wait a little while, and then re-assign the IPs to...say it with me now!...another spammer. This put the ISPs in a very untenable position, because they're not ESPs, contracted to monitor and send client mail. They're closer to ISPs in business model - they don't send mail, they just rent out IP space, and they do have some very legitimate clientele. This essentially makes it so that it's very difficult to justify outright blocking the Huge Tracts Of Land that the hosting companies control.

I don't do much in the way of front-line spam fighting any more, but every now and then a circumstance comes up where I get to pick up my mallet again. Usually, it's an executive escalation with words to the effect of "MAKE IT STOP". The kind of mail they are talking about is rarely easily traceable, and from an ESP that I know - that would make it simple. I'd pick up the phone, tell my contact that one of their clients has done something Really Bad, and to please fix it. And they do.

No, the emails that I'm talking about are usually either from a botnet - in which case I regretfully tell the exec that there's not a whole lot I can do - or from a snowshoer. Ah, I love hunting those down. It's not easy. The moment I find a sending domain that is "privacy protected" - and in these situations, they nearly always are - my spidey sense starts tingling. I cant remember a single instance in which a domain with an obfuscated identity has proved to be legitimate. Chasing this stuff around through WHOIS, org handles, rDNS, our complaints database, asking questions, etc usually leads me to at least a few of their IP ranges. Then I do a little dance, get out the mallet, and whack a few /19s. Or entire hosting companies.

That usually gets their attention.

But mostly, I get fed a line. "Yes, yes, we will do a better job of vetting prospective clients. Yes, we will get a feedback loop monitor and action it. Yes, we are sorry and it won't happen again". But they don't do what they say they'll do, and it does happen again. Over and over. And over. It becomes a lather, rinse, repeat game that I am very tired of. A couple of the blacklists I work with are also very tired of it.

In a couple of instances, I have had some luck over the course of a couple of years in getting a hosting company like this to change its policies a bit by way of using a big carrot and stick. Mostly, though, I'm just washing that gray right into my hair.

Anyone have any ideas on how to confront this particular aspect of the problem, as an industry?