PSINet and AT&T caught serving up spam

A U.K. anti-spam organization has uncovered proof that two of the world’s largest Internet infrastructure companies, AT&T Corp. and PSINet Inc., have signed contracts with companies that send unsolicited commercial e-mail – so-called spammers.

The Spamhaus Project, an organization dedicated to removing spam from the Internet, published on its Web site last week a copy of a “bulk hosting” contract between AT&T Corp. and Inc. of Delaware. Under terms of the contract, AT&T acts as a wholesaler of Web hosting space. NevadaHosting resells that space to its customers, who are notorious spammers, according to the Spamhaus Project.

This week, the same anti-spam group also obtained a copy of a contract between PSINet and Cajunnet Inc., a marketing company based in Slidell, Louisiana, which Spamhaus says also acts as a funnel for unsolicited e-mail. A PSINet official on Tuesday confirmed the existence of the contract, which allows Cajunnet to send unsolicited e-mail messages directly from PSINet’s networks, according to Spamhaus.

In each case the service providers claimed that the contracts were drawn up in error by junior or inexperienced employees, and said the contracts were terminated as soon as the nature of the activity was discovered. PSINet pointed to the difficulties of policing spammers on its networks, which it said often employ deceitful tactics to go undetected.

Anti-spam groups have long suspected the existence of these contracts, which they term “pink contracts.” Broadly speaking, they include language that expressly permits a spammer to distribute unsolicited e-mail from an ISP’s network.

In AT&T’s case, the unsolicited e-mail promoted a site hosted on the AT&T network by NevadaHosting while the actual spam messages were sent to users via a third party e-mail service. In the contract, which was signed in February this year, AT&T states clearly that NevadaHosting will host Web sites that will be advertised in spam sent from gateways other than that of NevadaHosting itself.

“This proves that AT&T knowingly does business with spammers. They made this contract to bypass AT&T’s anti-spam policy,” Steve Linford, project manager for the Spamhaus Project, said in an interview Friday with IDG News Service. “AT&T was basically saying it [would] allow spam and neglect any complaints.”

In its anti-spam policy, AT&T clearly stated: “spam is an unacceptable use of the AT&T IP Network.”

AT&T cancelled its contract with in August, Linford said. “From February to August sites hosted by NevadaHosting were spamming and a few thousand complaints were filed with AT&T.”

AT&T spokesperson Bill Hoffman confirmed the authenticity of the contract with NevadaHosting, but called it “invalid.”

“That document represents an unauthorized revision to AT&T’s standard contract and is in direct conflict with AT&T’s anti-spamming policies,” Hoffman said. “The contract was prepared by a sales representative without prior authorization.”

PSINet also claimed that its “pink contract” slipped through because a less experienced member of its commercial contracts group handled it. The PSINet employee was “too young and too green” to catch a clause in the contract that allowed Cajunnet to distribute spam using PSINet’s networks, according to Robert Leahy, PSINet’s senior vice president for corporate marketing and communications.

“I think it’s fair to say in hindsight that this was a pink contract, and it is absolutely true, as we have admitted with great regret and red face, that one of our junior guys got duped into it,” Leahy said.

In a statement issued Tuesday, PSINet added that its Net Abuse Policy is “not negotiable, and we will not knowingly enter into service agreements that provide a license to commit Policy violations.”

Leahy said service providers face “tremendous difficulties” weeding out spammers from their networks, and pointed to a raft of tactics they employ in order to go about their business undetected.

“These guys basically come in and swear up and down that they’re holy rollers, and then the next thing you know they’ve got pitch forks and horns. They change their names and they move around,” Leahy said. “It’s almost like buying a firearm, we have to do a background check on these guys to use them as a customer … and from a commercial position it’s just not a viable thing to do.”

The Spamhaus Project remained unconvinced, and maintained that both AT&T and PSINet were fully aware of the spamming activities going on in their network.

In an e-mail response to questions Tuesday, Linford pointed to a clause in PSINet’s contract where it acknowledges that the contract will allow “opt-out commercial email” to be distributed “in mass quantity” by Cajunnet. “Opt-out” e-mail requires a user to actively notify a spammer that he or she no longer wishes to receive unsolicited e-mail.

“I think the ISP community as a whole needs to reexamine its ethics,” Linford wrote in the email. “The contracts we’re finding show that far from regulating themselves, some U.S. backbones are colluding with spammers to profit (from) the spam problem.”

The Spamhaus Project, in London can be reached at AT&T, in Basking Ridge, N.J., is at PSINet, in Ashburn, Va., is