Leaked memos link spammers to ISP Savvis

Internal e-mail messages from Savvis Communications Corp. have surfaced on the Internet that show that the St. Louis-based ISP (Internet service provider) catered to online e-mail marketing companies it suspected of sending out unsolicited commercial ("spam") e-mail, even using "subversive business methods" to help spammers stay online after their Internet address was blacklisted.

A company executive acknowledged that Savvis may have aided spammers, but said the company was a victim of poor organization and internal communication about a mushrooming spam problem following the March 2004 acquisition of competitor Cable & Wireless PLC, and is now taking steps to kick spammers off its network and mend fences with the antispam community.

However, the leaked e-mail messages between senior IT officers provide a unique glimpse into a raging debate within Savvis, which found itself caught between a lucrative business hosting what it terms "e-mail marketing" businesses and increasing pressure from antispam blacklists for the company's spammer-friendly tactics, which at least some executives acknowledged were sinking the company's reputation.

Three-mail messages appear on http://www.savvis.info, a Web site run by Alif Terranson, Savvis' former manager of operations for the security engineering group, who was fired by Savvis in April because of disagreements with management over the company's spam policy, Terranson said.

Terranson received the e-mail messages through an anonymous e-mail forwarding service but does not know who within Savvis sent the messages, which date from late August 2004.

Frank Sheeman, Savvis' vice president of security services, acknowledged the leaks, but said the company does not know who leaked the e-mail or how Terranson obtained copies of them. He said that Terranson was fired from Savvis, but for "human resources" reasons, not for disagreements over his position on spam.

The e-mail messages, which circulated among senior executives and IT employees at Savvis, discuss the decision by spam blacklists (SBLs) to block a wide range of IP (Internet Protocol) addresses belonging to the ISP, which hosted a number of Internet domains linked to spam campaigns.

"We are already having several legitimate customers suffering and complaining due to their IP space just being near the spammers' space," wrote Kris Kistler, Savvis' director of Infosec and Abuse in an e-mail dated Aug. 30. "This problem grows larger every week and will continue to get worse."

Kistler declined to comment on the leaked memo, citing company policy.

The memos also reveal growing concern within the company about the impact of a recent audit by the American Registry for Internet Numbers (ARIN) that was prompted by the transfer of IP addresses from C&W to Savvis after Savvis purchased C&W's assets for US$155 million, according to an Aug. 24 memo to Kistler and others from Thomas Armstrong, Savvis' senior manager of IP provisioning.

According to Armstrong's memo, the audit revealed a large number of unused blocks of IP addresses assigned to Savvis, which ARIN requested Savvis to return. Armstrong did not respond to requests for comment.

The loss of that extra IP space put a squeeze on the company and its customers, because "much of (Savvis' IP address) space is already blacklisted and unstable," Kistler wrote.

Reduced IP address space would also put a crimp in Savvis' practice of "replacing IPs for customer (sic) once they appear on one of the spam or black lists," Armstrong wrote in his memo.

Indeed, the memos reveal what appears to be an official company policy of catering to spammers, providing services that helped them sidestep blacklists such as Spews.

"We should put the burden of changing company names, switching IP's, and using other subversive business methods back on the spammers themselves instead of acting on their behalf," Kistler wrote, arguing that Savvis should take tough steps to rid its customer list of spammers and regain its reputation with the antispam community.

However, others within the company weren't so sure, and worried about the loss of revenue the company would face.

In an e-mail dated Aug. 31, that weighed the options facing the company, Sheeman wrote that firing spammers could get Savvis into legal troubles for "breach of contract," and would result in "revenue losses ranges (sic) from $250k (a month) to $2 million (a month) in revenue, depending on judgements about where to draw the line."

Other options considered by Sheeman included frequently changing the company's IP address to avoid black lists and suing blacklists including "Spews, et al" for "libel, blackmail and interference with a contract."

For employees like Kistler, however, the choice between defending the companies spamming customers and complying with the requests of Spews and others was more stark.

"We have already lost our reputation with the RBL providers, and if we do not act soon, may not be able to recover it from them or future potential customers without a huge amount of bad publicity," he wrote.

"I realize there is some revenue at stake here, but I see this as a huge risk to (Savvis) as a whole that is not warranted from my point of view," Kistler wrote.

While acknowledging that Savvis helped spammers, Sheeman said that the company did not do so intentionally.

"I think, in a sense, that we (helped spammers), yes. But did we help them in the sense that we thought about it? No," he said.

Instead, Sheeman painted a picture of a company struggling to integrate a number of different technical teams obtained through the acquisition of C&W, which itself had absorbed a number of smaller ISPs.

"You've got some people managing abuse, others managing IP provisioning and a third group running the company. It was my fault. I didn't get it to (Savvis Chief Executive Officer Rob McCormick's) attention earlier," he said.

Sheeman's e-mail message was intended to educate company executives, who were preoccupied with merging operations, about the growing spam problem, and to address all possible questions from them, rather than to justify a particular company practice, he said.

Terranson rejected Sheeman's characterization of events.

"They told me to my face that spamming was a source of revenue that was profitable and that I was not to terminate spamming clients," Terranson said.

Starved for cash, Savvis executives saw hosting spamming companies and selling them premium services, such as new IP addresses to replace their blacklisted addresses, as a promising source of revenue, despite the fact that the company had cultivated a reputation as an ISP that was intolerant of spamming on its network prior to its acquisition of C&W, Terranson claimed. He also maintained that the policy came "straight from the top."

That charge does seem to be supported by the e-mail messages from Sheeman and others.

Noting that Savvis' customers, "email marketers or spammers, depending on your viewpoint," technically adhere to the U.S. CanSPAM law, Sheeman writes in his e-mail that "the current policy was set by Rob McCormick a few months back. Any change to that policy will involve Rob's approval."

The tactics and methods discussed by Savvis were common among U.S. ISPs three or more years ago, but are rare today, said John Levine of the Internet Research Task Force's Anti-Spam Research Group. Levine also runs an anti-spam service called AbuseNet.

"This is like out of a time warp," he said "I didn't know there were any ISPs left in this country that thought you could get away with hosting spammers by moving (their IP address) around."

While it was common in the past for legitimate ISPs to find some -- or all -- of their IP addresses accidentally blocked by spam black lists, such incidents are rare today, Levine said.

"These days it really rare to be assigned to a blacklist without a real underlying (spam) problem," he said.

Some U.S. ISPs get into trouble for lax monitoring of customer activity and enforcement of provisions of their acceptable use policy that allow them to sever ties with spammers. However, it's much less common to find ISPs aiding and abetting spammers as is suggested in the Savvis memos, Levine said.

"I can't think of anyone who's doing that now. It's a whole different level of antisocialness when you're actively helping spamming customers avoid the blacklist," he said.

As of last week, antispam blacklist Spamhaus.org listed 146 spam domains that were hosted by Savvis, including 57 linked to known spammers on the ROKSO (Register of Know Spam Operations) blacklist.

On Wednesday Savvis announced that it will work with Spamhaus.org and is adopting the ROKSO database "as a principal metric for ensuring that the SAVVIS global IT infrastructure does not promote or condone spamming."

Sheeman said he will begin kicking spammers off the company's network and hopes to significantly reduce the number of spammers linked to Savvis in the next sixty days.

While obvious spammers on the ROKSO blacklist will be the first targets, it may take longer to work through the sites listed on the Spamhaus.org Web site and addressing companies that may or may not be wrongly blacklisted, Sheeman said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments