Matts (1087)

I work for MessageLabs in Toronto, ON, Canada. I write spam filters, MTA software, high performance network software, string matching algorithms, and other cool stuff mostly in Perl and C.

Journal of Matts (1087)

Tuesday February 18, 2003
04:58 AM

Sensible view on shutting down spammers

[ #10642 ]

Are you an abuse desk operator? Ever suffered the wrath of NANAE when you didn't shut down a spammer the very second they notified you of the presence of the spammer?

Well I've seen it over and over again, and I thought this post to SPAM-L from Gary S Callison really summed up my feelings on it:

> As to UUNET, what do you consider to be an acceptable amount of time
> between their receiving an abuse complaint and the spammer being
> terminated? I'm not asking how many fingers are in the pie, or why the
> delay is as long as it is, I'm asking what *YOU* consider to be
> acceptable. If your answer is measured in days or weeks rather than
> hours then what we have is a failure to communicate.

Shmuel: You (and anyone else who thinks this) really need some experience
working at even a mid-tier ISP - say one with a couple hundred
thousand to half a million users or so. You will spend a few months
dealing with a queue depth that hovers around a week or so, and then
you'll either see reason or get fired for trying to cowboy every incident
and being too draconian in a misguided attempt to close tickets faster.
Incidents require investigation, from the dialup luser whose roommate is
spamming while he's off at work, to the chucklehead who has Klez but
knows he's okay because he runs the "Klez Removal Tool" (i.e: Elkern.D)
every day, to the OC-3 sold to a reseller sold to a webhosting firm who
host a website registered to Johnathan Cosie that has never actually sent
any spam or hosted any webpages referenced in any spam. All of those
investigations take time. How much time? I dunno. Minutes or hours.

Now suppose you get a thousand incident reports a day, referencing
a few score distinct incidents. You sift through all of that crap (takes
time) to aggregate into the incidents, then you have a couple dozen
incidents that each take 'minutes or hours'. You have (just suppose) a
really well-staffed abuse desk for a smaller provider: five people. You
triage out 'easy to close' and give those to the new guy, which removes
all of the 'minutes' and knocks your queue down by half. Now, assume one
of your people did all of the ticket-aggregating in half a day. You have
3-1/2 man-days at this point to close a dozen or two tickets on a scale of
'hours' apiece. Are you going to tread water and never get your queue
backlog down? Yes, if you're lucky. So your response time is going to
stay at a week - unless you get something really tricky like a whackamole
using stolen accounts, a rooted box with a proxy or relay they can open
and close at will, a compromised router that the bad guys can put stolen
routes on, or something like that. Then you're going to get even further

Meanwhile, in n.a.n-a.e, the torch-bearing mob will be chanting for your
head on a pike. "Takes 'em a week to close a fucking dropbox, pieces of
shit." Never mind that the dropbox is hosted on a lights-out-
administration webhost which is hosted on a reseller and both
of those only have one guy doing abuse part-time. You're there, you've
seen the ticket, you've told them to fix their shit, it's not your fault,
and the loudmouthed pricks in n.a.n-a.e are calling for YOUR head? Fuck 'em.
They don't have a clue what the hell is going on; you do. Right?

I don't know what the collective wisdom of n.a.n-a.e aggregates to an idea
of "how long should it take for a provider to resolve an issue", but if
that answer is hours, rather than days or weeks, people who believe that
have a failure to understand the magnitude of the issues involved. And
responding to reality with "Well, they should just hire more people then!"
will get you a "Thank you, Captain Obvious" from anyone working at any of
those overworked understaffed abuse desks. They're doing the best they
can, and if that takes days or weeks rather than hours, deal with it.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • This is good advice, and reminded me of a story I saw on 60 Minutes a couple weeks ago. Apparently the health insurance company UnumProvident instructed their claims handlers to shut down and refuse claims to meet monthly targets. This resulted in lots of people getting shut down unfairly.
    • This practice is not entirely rare, and often not as bad as it sounds; the idea is (often) that if the claim is legitimate, the claimant will re-file, or appeal, or whatever. I am not saying it is a good thing that they do it ... but usually, the people who have legitimate claims do get them covered. I don't know if that is the case with UnumProvident or not.
      • Unfortunately, UnumProvident had targets to cut claims which didn't correspond to the amount of illegitimate the predictable result was that legitimate claims were denied. I can see your point though regarding spam: legit mailers would notice that they have been shut down and present evidence that they are not spamming... while the real spammers would guiltily accept the verdict with no questions asked.
      • Yeah, I was just reminded of this recently while building a new computer. The board from ASUS seemed to have a faulty disk controller that could write but not read. I RMA'd it to ASUS, and two weeks later got a new board. Only problem was it wasn't new. I had nicked one of the memory clamps by accident, and sure enough the board they sent back had the same marking. I tried it just to see if it worked, and of course it didn't. I called them up, and they claimed it was a new board with a new serial #. Sure enou