ISPs: Preventing Outbound Spam?

Kris writes, "Hi Al, I am contacting you because I would like to receive some feedback (advice, tips) on how an ISP can help to prevent outbound spam.

"I work for an ISP in the Netherlands. Inbound spam isn't much of a problem for us; this is usually handled well by DNSBLs and filters. However, outbound spam is a problem. As we don't have any control over all the servers operating within our IP space, nor do we have the processing power to filter all outbound e-mail, we rely heavily on automated abuse reports to identify spam problems. These automated reports can really accumulate and clog up a ticketing system like RT. Instead of trying to remove all the duplicate reports for a single IP address, I decided to aggregate those reports based on the source IP address of the spam. Now I have come to a point where I have a system that can do just that and a bit more, but I'm running out of ideas to effectively minimize spam originating from my network. Perhaps you could share your thoughts."

Kris, thanks for writing. I know that proactively monitoring, mitigating or preventing outbound spam is a huge challenge for ISPs. I deal with it from the ESP side of things, where it is very complex, and over on your side it is probably even more complex. I don't think I have much useful advice to give on the topic, so I'm posting this in the hope that you, dear readers, will step up and share some of your thoughts on best practices for an ISP when it comes to mitigating outbound abuse.

(One thing I would suggest is checking out a more robust, abuse-specific ticketing system, such as Abacus.)


  1. I'll definitely give the thumbs up for Abacus, although I realise that not everyone will be able to convince their powers that be to spend money on abuse-related matters.

    If you operate an outbound smarthost then you might also find it useful to parse the logs each day (we* used to do it the day after) to identify any other additional problems that your customers are causing you. We* used to be able to spot zombied customers, those whose systems had a compromised local SMTP AUTH account or open relay, and a myriad of mail loop issues (not strictly abusing others but generating enough waste of both their resources and ours).

    Really, the best you are likely to be able to achieve is quickly closing down issues once you are made aware. That means making sure you get signed up with as many FBLs or other data sources as you can, and having a ticketing system that can handle the volume and do the triage work for you, and being able to suspend accounts that cause these problems.

    If you find your users get their servers used to host phishing websites, then getting the RSS feed for your ASN from Phishtank will be very useful. Use an rss2email tool to feed the data to your ticketing system.

    (* The 'we' here was Demon Internet in the UK)

  2. If you are in charge of a really large network (i.e. > 100,000 subscribers), then you want to take a look at transparent spam filtering as an option. This technique involves transparently inspecting the spam on its way out of the network. There are no free solutions that do this - at least that I'm aware of.
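The daily smarthost log review described in comment 1, as an added example (this is not code from the post, from Demon Internet, or from Abacus): it joins Postfix smtpd SASL authentication lines to qmgr recipient counts by queue ID, then flags SMTP AUTH accounts that blow through a recipient budget or authenticate from many distinct client IPs, two signs of a compromised local account. The log lines, usernames, IPs and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smarthost log lines (sample data, not from any real system).
SAMPLE_LOG = """\
Mar  3 02:10:01 mx1 postfix/smtpd[1201]: 9A1C2: client=host1.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Mar  3 02:10:01 mx1 postfix/qmgr[1100]: 9A1C2: from=<alice@example.net>, size=1420, nrcpt=1 (queue active)
Mar  3 02:11:40 mx1 postfix/smtpd[1203]: B77E0: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=bob
Mar  3 02:11:40 mx1 postfix/qmgr[1100]: B77E0: from=<bob@example.net>, size=3310, nrcpt=48 (queue active)
Mar  3 02:12:05 mx1 postfix/smtpd[1204]: B8012: client=unknown[192.0.2.55], sasl_method=PLAIN, sasl_username=bob
Mar  3 02:12:05 mx1 postfix/qmgr[1100]: B8012: from=<bob@example.net>, size=3302, nrcpt=50 (queue active)
Mar  3 02:12:30 mx1 postfix/smtpd[1205]: B8ACD: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=bob
Mar  3 02:12:30 mx1 postfix/qmgr[1100]: B8ACD: from=<bob@example.net>, size=3298, nrcpt=49 (queue active)
"""

# smtpd line: queue ID, client IP and the authenticated SASL username.
AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)")
# qmgr line: same queue ID with the number of envelope recipients.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")

def summarize_auth_senders(log_text):
    """Join smtpd SASL lines to qmgr lines by queue ID; return per-user counters."""
    qid_owner = {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "client_ips": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            qid_owner[m["qid"]] = m["user"]
            stats[m["user"]]["client_ips"].add(m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in qid_owner:
            s = stats[qid_owner[m["qid"]]]
            s["messages"] += 1
            s["recipients"] += int(m["n"])
    return stats

def flag_suspect_accounts(stats, max_recipients=100, max_ips=2):
    """Return {user: [reasons]} for accounts over the recipient budget or seen from too many IPs."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["recipients"] > max_recipients:
            reasons.append(f"{s['recipients']} recipients in window")
        if len(s["client_ips"]) > max_ips:
            reasons.append(f"authenticated from {len(s['client_ips'])} distinct IPs")
        if reasons:
            flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    for user, reasons in flag_suspect_accounts(summarize_auth_senders(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

Run over a day's worth of real smarthost logs the thresholds would be tuned per customer class, and the flagged list fed into the ticketing system rather than printed.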

