UUNet’s Spam problem points to larger issues

Richard Nace gets ornery when he’s called a spammer. Nace, president and CEO of @SyberSchool LLC, promotes his Web site, SyberSchool.net with e-mail.

“My Friends Are You Running Into Brick Walls With Your Job?” his e-mail asks. “Have you have considered a job change lately? If so read on…”

Most people don’t read on, said Nace. Most people figure his bulk, unsolicited commercial e-mail is spam, and delete it.

The issue is more complex, however, for those people hoping to get SyberSchool.net kicked off its network connection with a complaint to the e-mail abuse centre for UUNet Technologies Inc. UUNet’s no-spam policy appears hard to enforce consistently and successfully. Other ISPs also have difficulty policing their own spam policies, eventually passing costs on to businesses and consumers.

UUNet, WorldCom Inc.’s subsidiary for Internet services, explicitly prohibits bulk e-mailing in its acceptable use policy. “Sending unsolicited mail messages, including, without limitation, commercial advertising and informational announcements, is explicitly prohibited,” indicates the policy as written on UUNet’s Web site.

But actual enforcement of the acceptable use policy – potentially, an account termination – requires review by UUNet’s Internet abuse investigations department, as well as its legal department, and notice must be given to the sales department as well, said Mike Whitman, UUNet’s director of customer security. Whitman said it could take two to four weeks to shut off a spammer’s digital tap, and it could take longer. “Last month, we got over 250,000 complaints,” he said. “We’re taking action against 50 to 100 customers a month.”

UUNet ranks at the top of the chart for abuse reports logged at SpamCop.net, an e-mail filtering and automatic abuse report filing service. According to statistics kept on the site, SpamCop logged 36,657 abuse complaints against UUNet for customers sending spam in the week ending Dec. 5, while the next most reported ISP, Core.com, earned 4,784 complaints.

“UUNet has been the number one or number two source of spam for at least a year now,” said Julian Haight, owner and administrator of SpamCop. “I figure most of the problem comes from their dial-up service.” Spammers will subscribe to a dial-up service expecting to be booted off within a few hours or days, simply re-signing up after service is terminated, he said.

ISPs that use a technique called port 25 filtering – configuring routers to deny mail service except from accepted servers – can halt the problem. America Online Inc. “has come around with some very effective filters,” Haight said. “They used to be the worst, but they have turned that around amazingly.” Microsoft Corp.’s MSN service – a UUNet partner – does not use port 25 filtering, he said. “MSN is just sort of the last one that’s using this unfiltered set-up. That’s why spammers are going there, that’s where the pasture’s green.”

About 40 people work in UUNet’s abuse investigations department, said Janet Brumfield, a UUNet spokeswoman. The company and spends about US$10 million a year fighting spam. “We have a process in place, and we want to be fair to all our customers.”

Haight said he doesn’t doubt that UUNet’s technical staff works hard to fight spam, but questions the company’s priorities. “UUNet spends two or three million dollars a day upgrading their network. Spam is not costing them enough to clean up their mess.” Other ISPs spending money for excess capacity to handle the spam e-mail – up to 40 per cent of traffic – bear the financial burden, a burden eventually passed on to consumers, he said.

A day after IDG News Service began inquiring into UUNet’s enforcement policy and SyberSchool, Nace’s service was terminated. Nace claimed UUNet cut his service without warning, despite UUNet’s claim that they had opened an investigation against him on Nov. 17. “We had to call them, and all we got was an attitude.” He said he was told by a UUNet staffer who would not identify himself fully that there were “a ton of complaints.” Nace also said that when pressed by one of Nace’s co-workers, the UUNet staffer told the co-worker that he was “stupid for not using cloaking software,” to hide the IP address of his outgoing mail.

Nace repeatedly claimed his company has a modified contract with UUNet, allowing him bulk e-mailing privileges. Nace would not provide a copy of his contract for examination, and Nace’s attorney did not respond to repeated contact attempts.

UUNet’s spokeswoman flatly denied it had issued such a contract to Nace or anyone else.

So-called “pink contracts” allowing bulk e-mailers to operate outside the terms of an ISP’s acceptable use policy were once in the realm of conspiracy theory for anti-spam activists. But last month, the Spamhaus Project, a British anti-spam organization, published on its Web site a copy of a “bulk hosting” contract between AT&T Corp. and NevadaHosting.com Inc. of Delaware. Spamhaus also obtained a copy of a contract between PSINet Inc. and Cajunnet Inc., a Louisiana-based marketing company that Spamhaus said funnels unsolicited e-mail.

PSINet confirmed the existence of the contract, which allows Cajunnet to send unsolicited e-mail messages directly from PSINet’s networks, saying in a letter posted on its Web site that the contract was handled by a junior lawyer in PSINet’s commercial contracts group and pledging to better educate its sales force.

“This would all seem to indicate that there are more pink contracts out there than the consumer is aware of,” said Maurene Caplan Grey, a senior research analyst at high-tech market research firm Gartner Group Inc. She said that while PSINet may have looked at such a contract to improve its flagging finances, the temptation for ISPs to secretly circumvent no-spam policies doesn’t pay off. “My gut feeling is, assuming they get caught, it’s not worth it. It’s poor business form. You won’t get partners. You will be blacklisted.”

Unlike many bulk e-mailers hawking penny stocks or herbal Viagra, Nace makes no effort to hide his identity. The return address on his e-mails is genuine. Some call him – his number is in the e-mail – either for more information or a terse, impolite conversation with the sender. Some send a reply, with the subject “Remove” in the header, looking to escape from future mailings.

Some add death threats, Nace said.

“We follow all the rules and regulations, and we’ve had full compliance with the law,” he said, describing the 17 e-mail messages he said he sends over his two T-1 lines each second. “All they have to do is say, ‘we want off the list,’ and they’re off.”

Nace takes exception to being called a spammer, a term he associates with pornographers. UUNet’s reaction, he said, was unwarranted. “This is a clear-cut case of the big corporations telling the small operator, ‘screw you.’ “