Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution).

In fact it does not take email identity technologies either (although these are certainly needed and part of the solution).

The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.

We need message providers to implement better security on their networks and take responsibility for their networks being sources of spam. The number of ISPs who don't even authenticate their members is frankly appalling (just for starters).

AOL has implemented the solution to stop spam on our system. We do not send it any more. We even published the solution in the ASTA [the Anti-Spam Technical Alliance, a group of the largest ISPs] technical document. We are again trying to get the info to other messaging providers via the MAAWG.org group.

But no one wanted to listen to one ISP. So we had to apply the set of solutions for every other ISP around the planet for them!

1) The port 25 blocking we do for them (via pattern matches on their dynamic space or getting their actual dynamic IP space from them if their regex set-up is not thought out well)

2) Our Second Received Line rate limits which put reasonable controls on the amount of mail an end user can send through their ISPs mail server.

This is why AOL reported our spam is almost eliminated. Yes, I said it, eliminated. I get so little spam on my AOL business account (the one that has 20 pages of google results, countless newsgroup hits, etc). I think I have gotten 10 spams total in my inbox over the last month and many of them go to the spam folder where they should be. Just think how different everyone's spam problem could be if ISPs did a few of these things, and more simply, took responsibility for their customers/networks. Spam would be gone.

But no one else is reporting success like this? Why? Because every other ISP is building better and better filters to help their system fend of the spam. But the sources of spam are still there and spammers can keep sending till their hearts content until we stop them at the source.

• Filters and blocklists are band aids. They do nothing to solve the problem.
• Messaging Providers taking responsibility when their networks are commandeered to send spam is the solution.

Why do we all keep building better filters? Because it helps us instead of helping others. And its easy as most of these are shrink wrapped software or services that are easy to apply. Good for Postini and Brightmail and spamassasin, but not a solution, just a bandaid. Why do people do this and never try solving the problem? Security for our networks and messaging platforms is much harder to implement, and likely most importantly, it does not help the ISP stop spam inbound to its network usually. So no one does it.

What we need is for providers to do BOTH. You have to implement better filters to survive (we sure do), but we all also have to fix our sources of spam that clog other networks. Eventually as providers do BOTH actions, the problem will go away and everyone will be able to remove the BANDAIDS from the spam wound as we won't need filters and blacklists as much in the future.

A Funny example

If a spammer had a T1 line provided by [a large network], we all would be up in arms that the network is all of a sudden a blackhat ISP hosting known spammers on the Spamhaus ROKSO list, etc, etc. But the fact that that network and many other ISPs are hosting spammers via trojaned and zombied customers and have no security on their network to prevent this situation or manage it at least, does not seem to bother us (messaging providers) as much as it should. Well shame on us.

If you want less spam, then can we all commit to manage our systems better?

Carl then went on to comment on a large web hosting company, which will remain nameless both to protect the guilty and because many other web hosts are just as bad.

They have been spamming the be-jesus out of AOL for months now because they have customers who run insecure formmail and other CGIs. When will these premier hosting companies write a program to find them before the spammers and prevent customers from installing these open relays (cgi scripts) on their network? When will these companies monitor their scomp [AOL's automated spam reporting] complaints and take them off the air without my team having to constantly call them? When will they stop telling their customer service reps to blame AOL for delivery issues their customers are seeing when they can't mail to AOL because we have temporarily blocked them for the 15th time in 2 months?

Should anyone be allowed to operate an email system? Perhaps not. Or perhaps we will find a group of ISPs that band together to create a second email system on top of the current one for email providers that know how to control their networks. And the other people will be on another system, the old one filled with spam.

Everything that Carl says is, largely self-evidently, true. What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?