Much has been made of the recent revelation that Google had reached No. 4 on Spamhaus' list of "The 10 Worst Spam Service ISPs." In fact, as I check now, Google is No. 3.
It's no secret why Gmail is such a big spamming source now: Spammers have had success cracking the CAPTCHA tests and creating Gmail accounts from which to spam. Because the spam comes from a domain reputation systems can't block because it's so popular, spam from these accounts has an advantage in getting past many anti-spam systems.
But some other ISPs and mail service providers with lousy reputations, in the older sense of the word, are not in the top 10. Microsoft had been a fixture in the Spamhaus list and Comcast was once known as a happy hunting ground for botnet herders. Both of these companies seem to have turned the corner.
I could tell Comcast had changed its ways when I saw a discussion on a mailing list I'm on (I'll protect their reputations by not mentioning the name) where users were all steamed that Comcast had blocked access to external SMTP connections through TCP port 25.
This is the single most effective way that ISPs can block spam from coming out of their networks from botnets, and in fact there are other ports that need to be blocked nowadays, like SMB networking. Bots usually send e-mail directly out port 25 to the recipient domain, which usually works because, by default, port 25 is unauthenticated. If you want to use an non-Comcast mail server, you have to use TCP port 587, which is authenticated by default. I don't know for sure, but I'll wager the conventional ISPs on Spamhaus' list, headed up by sistemnet.com.tr (that's Systemnet Telekom in Turkey), give unfettered access to port 25.
Richard D G Cox, CIO of The Spamhaus Project, says the real difference these days isn't just stuff like port 25 blocking ("That's such a 'nineties' (or should that be 'eighties'?) issue"), but responsiveness to complaints, and not just from well-known complainers like Spamhaus.
Cox said, "You see, one of the most difficult things for any organization to accomplish is to see their own operation as it is seen from outside the organization. And that is especially true of IT-related organizations." It's easy to relate to this. And it's not just having the right perspective; lots of organizations probably figure they have their hands full going after the problems they know about. But if they're falling behind, it means they're not dedicating sufficient resources to the problem.