Top ISP caught red-handed aiding spammers
Leaked e-mails from Savvis reveal pro-spam policy.
By Paul Roberts, IDG News Service | Published: 10:11, 09 September 2004
Leaked memos appear to confirm a clandestine relationship between one of America's biggest ISPs and spammers.
Internal e-mail messages from Savvis Communications, published on the Internet, state that the company catered for e-mail marketing companies it suspected of sending out spam and even went so far as to help spammers stay online after their Internet address was blacklisted.
A company executive acknowledged the emails were genuine and that Savvis may have aided spammers, but said the company was a victim of poor organisation and internal communication about a mushrooming spam problem following its March acquisition of competitor Cable & Wireless. It is now taking steps to kick spammers off its network and mend fences with the anti-spam community, he said.
However, the leaked messages between senior IT officers provide a unique glimpse into a raging debate within Savvis, which found itself caught between a lucrative business hosting what it terms "e-mail marketing" businesses and increasing pressure from anti-spam blacklists over the company's spammer-friendly tactics, which at least some executives acknowledged were sinking the company's reputation.
Three e-mail messages appear on http://www.savvis.info, a website run by Alif Terranson, Savvis' former manager of operations for the security engineering group, who claims he was fired by Savvis in April because of disagreements with management over the company's spam policy.
Terranson says he received the e-mail messages through an anonymous e-mail forwarding service but does not know who within Savvis sent the messages, which date from August this year.
Frank Sheeman, Savvis' vice president of security services, acknowledged the leaks, but said the company does not know who leaked the e-mail or how Terranson obtained copies of them. He said that Terranson was fired from Savvis, but for "human resources" reasons, not for disagreements over his position on spam.
The e-mails, which circulated among senior executives and IT employees at Savvis, discuss the decision by spam blacklists to block a wide range of IP addresses belonging to the ISP, which hosted a number of Internet domains linked to spam campaigns. "We are already having several legitimate customers suffering and complaining due to their IP space just being near the spammers' space," wrote Kris Kistler, Savvis' director of Infosec and Abuse in an e-mail dated 30 August. "This problem grows larger every week and will continue to get worse." Kistler declined to comment on the leaked memo, citing company policy.
The memos also reveal growing concern within the company about the impact of a recent audit by the American Registry for Internet Numbers (ARIN) that was prompted by the transfer of IP addresses from C&W to Savvis after Savvis purchased C&W's assets for $155 million.
According to one memo by Thomas Armstrong, Savvis' senior manager of IP provisioning, the audit revealed a large number of unused blocks of IP addresses assigned to Savvis, which ARIN requested Savvis to return. Armstrong did not respond to requests for comment.
The loss of that extra IP space put a squeeze on the company and its customers, because "much of [Savvis' IP address] space is already blacklisted and unstable," Kistler wrote. Reduced IP address space would also ruin Savvis' practice of "replacing IPs for customer once they appear on one of the spam or black lists," Armstrong wrote in his memo.
Indeed, the memos reveal what appears to be an official company policy of catering to spammers, providing services that helped them sidestep blacklists. "We should put the burden of changing company names, switching IP's, and using other subversive business methods back on the spammers themselves instead of acting on their behalf," Kistler wrote, arguing that Savvis should take tough steps to rid its customer list of spammers and regain its reputation with the anti-spam community.
However, others within the company weren't so sure, and worried about the loss of revenue the company would face. In an e-mail dated 31 August, Sheeman wrote that firing spammers could get Savvis into legal troubles for "breach of contract," and would result in "revenue losses ranges (sic) from $250k [a month] to $2 million [a month] in revenue, depending on judgements about where to draw the line."
Other options considered by Sheeman included frequently changing the company's IP address to avoid black lists and suing blacklists including "Spews, et al" for "libel, blackmail and interference with a contract."
For employees like Kistler, however, the choice between defending the company's spamming customers and complying with the requests of Spews and others was more stark. "We have already lost our reputation with the RBL providers, and if we do not act soon, may not be able to recover it from them or future potential customers without a huge amount of bad publicity," he wrote. "I realise there is some revenue at stake here, but I see this as a huge risk to Savvis as a whole that is not warranted from my point of view."
Sheeman claims his e-mail was intended to educate company executives, who were preoccupied with merging operations, about the growing spam problem, and to address all possible questions from them, rather than to justify a particular company practice.
But Terranson rejected Sheeman's view of events. "They told me to my face that spamming was a source of revenue that was profitable and that I was not to terminate spamming clients," he said.
Starved for cash, Savvis executives saw hosting spamming companies and selling them premium services, such as new IP addresses to replace their blacklisted addresses, as a promising source of revenue, despite the fact that the company had cultivated a reputation as an ISP that was intolerant of spamming on its network prior to its acquisition of C&W, Terranson claimed. He also maintained that the policy came "straight from the top".
Such tactics were common three or more years ago, but are rare today, said John Levine of the Internet Research Task Force's Anti-Spam Research Group. "This is like out of a time warp," he said. "I didn't know there were any ISPs left in this country that thought you could get away with hosting spammers by moving their IP address around."
Savvis has since announced that it will work with Spamhaus.org and is adopting the ROKSO database "as a principal metric for ensuring that the SAVVIS global IT infrastructure does not promote or condone spamming". Sheeman said he will begin kicking spammers off the company's network and hopes to significantly reduce the number of spammers linked to Savvis in the next 60 days.