Slashdot Mirror

Silverlight is not meant for the World Wide Web. Rather, it is, like many other Microsoft products (...) for the corporate intranet.

So basically this is just like when they took ActiveX, which was designed as an application interface programming toolset (and a very good one) and shoe-horned it into their web browser as an "alternative" to Java. One must then wonder how much "enhanced and superior functionality" has been left enabled that should not have been there in the first place. Lack of proper planning with ActiveX led to wonderful things like unauthorized bank account transfers, viruses and worms, and people's computers spontaneously turning off when they visited websites that used it.

Personally, I would be happier if you didn't need an antivirus and firewall on windows to start with.

You need an antivirus on every maschine - nearly every OS has its problems (ok, MacOSX has 0 known viruses, but that's OT). Under Windows you do not nessesary need a personal firewall. I collected a few links for you ;)
http://www.fefe.de/pffaq/
http://www.iks-jena.de/mitarb/lutz/usenet/Firewall .en.html
http://www.ntsvcfg.de/ntsvcfg_eng.html
http://www.stud.tu-ilmenau.de/~traenk/zaweg.htm (this one's evil...)

Don't get me wrong: Firewalls are great - just personal firewalls aren't (IMHO). A firewall is a concept and not a program. Get a fine proxy and configure a packet-filter on it - this will give you more security than any personal firewall could!

throttle the amount of e-mails a customer can send per time-period.. and the max amount of "BCC, CC" addressess.


Or implement a teergrube.

Whatever happened to the idea of tarpits to stop spam? I haven't found anything about tarpits being a bad idea, but they don't seem to be in widespread use.

Teergrubes do the same thing without the necessity of getting Microsoft into the act.

All it does is act as a tarpit to slow down the spammer, who finds himself needing more and more open relays that stay connected for longer and longer periods of time sending less and less mail. And the best part is that it has no real effect on onesie-twosie emails from point to point.

It's been reported on in different comments here on /. -- check them out.

Okay, but I still don't get your comment that the connection is held open after the mail is delivered. According to the teergrubing FAQ it just takes its own sweet time about answering. Once the mail is delivered, however, the connection is closed.

Or am I misreading it?

The first time that I heard about a teergrube to use as a way to block -- or at least make it damned difficult for -- spammers I was intrigued at its simplicity. And tho' I find references to it all over the 'net, I don't think that it has been mainstreamed yet, and frankly I don't know why. Have spammers developed a counter to a teergrube? Or do mail admins simply not know enough about them?

A teergrube is actually a more effective anti-spam measure than a plain block. A teergrube accepts the spammer's connection, but then just stalls, only sending "continuation lines" from time to time, to keep the spammer's program from timing out. By doing that, we tie up the spammers resources: while he's busy with our teergrube, his program won't send out spams to anybody else either (unless their program is multi-threaded). Thus a teergrube not only protects its owner; it's also a valuable community service!

You could add both a "From: " and a "Sender: " header to your usenet/mailing list postings:
From: you@yourdomain
Sender: blockme@yourdomain

You'll gets tons of spam to both addresses (not neccessarily the same spam, unfortunately - that would make filtering real easy). You run SpamAssassin (or similar) to filter mail to your real address, and you run "spamassassin -r" or "razor-report" to handle mails sent to your spamtrap address (making the Razor service, and in turn, SpamAssassin, more efficient at identifying these spams).

Better yet, if your MTA is Exim, use SA-Exim to add teergrubing functionality to SpamAssassin. Oh, the satisfaction! :-)

There is a technology, known as teergrube that does exactly that. It slows down email from spammers, thus increasing their costs of sending spam.

Many have suggested various ways to fight back like bouncing all spam, but since most headers are forged these days, such practices just use up network bandwidth and hurt spoofed victimes. Teergrube seems to be one of the few ways to fight back that might actually work.

Now we just have to convince our ISP's to universally adopt terrgube MTA's and spam will be dealt a serious blow.

• A machine that doesn't do SMTP on Port 25, so the connections get rejected.
• Verisign's SiteFinder Email Handler which rejects messages for anybody? (Might as well get _some_ use out of them :-) Their first version would have worked better than the second one - it only rejected individual addresses at the RCPT TO: stage but didn't reject the whole session up front because some popular mailers reject brokenly to that (now it does both; not sure whether the spamware does or not.)
• Your own reject-mailer, which can reject the connection with something more appropriate, like 452 "insufficient system storage - try again later", which has the advantage that if somehow a real user connects to it, their stuff should stay queued until your main mailer is working again. That's also a good place to run a VRFY that will happily claim that any address the spammer wants to test is a correct adddress (or if you're not worried about real mailers using VRFY, only spammers, you can have VRFY respond positively only for user names that don't exist, and negatively for user names that do exist.)

I've read through the comments at score 3, and I'm surprised that no one has mentioned using the spamd utility that comes with OpenBSD 3.3 and above. Basically, it hurts the spamming mail servers, while although normally some poor machine caught in the crossfire, does make me happy to use.
Basically, for every email I get, it gets put through a baysien filter (bmf in this case) and handled through procmail correctly. However, the email is then passed through another program which constructs and adds to a whitelist and blacklist of IP's. Basically its a 3 to 1 ratio. If a mail server sends me a legit message, followed by a spam, it is still considered a legit server until I recieve 3 more spams from it and no more legit email.
Once an email server is considered to be on my blacklist, my firewall redirects the next connection from that server to my teergrube, which emulates an deaf man which you have to keep repeating yourself to rather loudly and slowly. The use of my resources is minimal.
For a more detailed explanation, take a look at Annoying Spammers with pf and spamd.

Not that I'm advocating it, but if you're worried about bandwidth, we could always adopt the teergrube tactic. You don't actually download much of anything, you just open up TCP connections and keep them alive until their servers run out of process space.

One of the nicest ways is a "teergrube" (tarpit) - a special SMTP server that is tuned to process incoming mail really, really slow, thus making the spammer's tools very ineffective. It doesn't take much bandwith or other resources to run one - everybody who has a computer connected to the net and doesn't need to run a "real" mail server (or is willing to configure a teergrubing proxy that only traps spammers and lets the real MTA take care of ham mail) should do so.

Most spam is sent via open mail relays. If you are bored or annoyed enough, take the time to read spam mail headers (the interesting one is the last "recieved" line, usually), and inform the admin of the open relay, so that they can close it or get the fuck out of the internet. Also, inform a blacklist like the Open Relay Database, so that mail servers will reject mails from these hosts.

Try to poison they address databases. Set up a web page invisible for human users that contains lots of addresses that don't exist. But be sure that these addresses also will never exist - only use subdomains that you control, or those mentioned in RFC 2606 (Reserved Top-Level Domain Names), hoping that stupid spamware will try to send to these addresses anyway.

None of this is at odds with client-side filtering or legislative initiatives, just some additional ideas. And annoying these bastards feels good.

I am nearly in the same situation like you, except that I have complete control of my domain name (slett.net). I run my own DNS, my own SMTP server (Exim with SpamAssassin at SMTP Time), etc.. A nice side benefit is the ability to teergrube spammer hosts.

If you are technically inclined, and you have a broadband connection, this is definitely the best way at present to take control of spam.

Incidentally, I believe the ultimate solution to spam must involve banks and financial institutions - basically, an international mandate for these to not honor payment requests (e.g. credit card payments) to spammers. In the mean time, a mandatory upgrade or replacement to the SMTP protocol, to provide foolproof sender validation (by way of private/public keys or similar), will certainly go a long way towards solving the problem.

-tor

There's not a lot wrong with SMTP. The trouble is that SMTP is always implemented so it delivers mail as fast as possible. And that's the problem.

Judicious teergrubing (intentional slowing of responses; teergrube is German for tarpit) can alleviate many problems.

For example, let's examine the Rumplestiltskin attack (a form of dictionary attack to guess e-mail addresses). The trouble here is that most mail servers send back their "No such account" response immediately, so an attacker can try about 5-15 addresses a second. If the mail server was programmed to wait 5 seconds before sending back the response, then the Rumplestiltskin attack would be slowed down by about 50 times. Even better would be to make the delay longer and longer for repeated attempts from the same IP. This way, a normal user with a couple of dud e-mail addresses is not harmed much, but the Rumplestiltskin attack eventually gets bogged down in the tarpit. We have a 3 second delay at the login prompt if we enter the wrong password, so why not a delay at the mail server for incorrect e-mail addresses?

Another way to slow the spam is to teergrube *all* e-mail connections so all email takes a few minutes to send. Legitimate users aren't harmed much by this, but spammers are hurt a lot. Spammers rely on speed to send all their e-mail, and if we slow them down we can hurt them.

Then there's the question of what happens if a spammer sends another RCPT or other similar packet before receiving the response from the first? SMTP can legally drop the connection because such command buffering may be "unsupported". So the spammer must be teergrubed or must experience a *lot* of dropped connections.

There's no need to replace SMTP yet. Instead, we use the tools we have in a slightly different way, and the spammer can be inconvenienced a lot.

For more information on teergrubing, go here.

ROFLMAO.

"teergrube" - German word for "tarpit".

Teergrubing FAQ

Teergrubing is a good idea, but it dates back from the days when open relays, not open proxies, were sending the emails. One spammer (with dialup) would hit you from one relay (with broadband) from the spammer's own (dialup) connection, and the goal was to slow down the open relay so that the open relay wouldn't be able to spew as many emails. Eventually, the admin of the open relay would wonder why his outbound queue was so huge, or why Sendmail fell over and died because /var/spool got full, and secure his server. In the old environment (spammer has narrowband, must hunt down broadband by finding open relays to steal from), one teergrube could "fix" one open relay at best, and at worst, would at least prevent delivery of several hundred thousand spams.

Doesn't really work as well in a world with millions of open broadband proxies. The spammer no longer cares if any individual open proxy hits a teergrube, because there's plenty more bandwidth where that came from. (And because open proxy luzers tend to be clueless twits, they're less likely to notice even if their machine crashes.) In today's environment (plenty of bandwidth on both the spammer's end, and plenty of proxies to steal bandwidth from), teergrubing in its original form is somewhat less effective.

<link rel="DoNotEmail" href="mailto:aa0u@kjernsmo.net" />

(yeah, that's a real, living trollbox, spambots, do your worst! :-) ) Very few users will ever see this, but the spambots will harvest it. It is clear that many of them do.

The other thing you mention, I think that is what is meant by a Teergrube. Marc Merlin has some good stuff on using Exim and SpamAssassin to reject messages or making spammers stick in a teergrube. He has some debs too.

Unfortunately, I haven't had time and I haven't been feeling adventurous enough to try all this, but clearly, it works well.

You're reinventing the "teergrube".

For the user interface to your mail clients, you'd have a friendly dialog box for "People who can send you mail for free" and another for "mailing lists I subscribe to". The "Mail from unknown users" dialog probably would give you something like checkboxes for "Make them do a copy-the-number Turing Test once" or "Turing test for every message" and/or "Make them run the 5/10/20 second hashcash page once/every message". The "Suspected Spammers" dialog could include "Drop their mail silently" and "try to trap them" and "trap them longer".

Read about a method to get SpamAssassin to execute at SMTP time in exim (I'm about to impliment this on my own mailserver) and read about teergrubing which is basically the same idea as a tarpit.

Unlike the original post, Marc seems to have a stable working version of this right now.

That said, this is probably the most realistic method of causing spammers pain that we have right now, short of changing the way mail works in a fundamental manner.

I'll definately be implimenting teergrubing/tarpitting. I might even impliment it on the multi-user hosting system that I helped to build. It probably wouldn't scale too well on a busy site though ;)

I'm going back to splinter cell.

And why exactly can't we have a SPEWS/blackhole type of call blocking list? I'm paitently waiting.

What Theo should be doing, instead of sending a 5xx response (which, by the way, won't keep the message in the spammer's queue; a 5xx is a final rejection) is to redirect spammers' connections to a Teergrube (a spam "tarpit"). If enough people do this, the spammer will be slowed down greatly.

You seem to think there's an unlimited capacity and market to send to. Wrong.

Spammers are already effectively targeting as much of the email-accessible population as they can. I've run stats from multiple, widely seperated addresses and domains, and have seen loads of largely identical patterns, trends, and mails received.

As several more critical articles have revealed (the WSJ one referenced as history in this article), spam is marginally profitable. Where it is profitable, it can be lucrative -- at least sufficiently so to leverage the ill-gotten gains to some impressive electronics and real estate. But raising costs will impact the bottom line

And that means:

• Going after the ISPs.
• Reducing TTL for a given relay.
• Utilizing SPEWS and other blacklists to put the muscle on pink-contract ISPs.
• Utilizing SpamAssassin and other adaptive filtering methods to reduce the crud flowing into mailboxes.
• Using heuristic throttles at major gateways to slow down major spews of email.
• Teergrubbing.
• Consider per-mail charges. The rate need not be high to be effective -- on the order of $0.01 / 100 mails would add $100 to a million mail spam dump, but only $1 per message for a mailing list with 10,000 subscribers. At these rates, membership dues or donations could float legitimate organizations, and legitimate commercial marketers would swallow the cost without blinking (legitimate email marketing has response rates in the 1% - 25%+ range -- thousands of times higher than spam).
• Leveraging political tactics in the effort...

Spam is economic activity. Attack it on economics. You'll see success.

Junk snailmail costs on the order of $1-$5 per item, with items such as circulars and flyers being considerably less, though there's an implied geographical targeting occuring. Yes. I've worked for outfits which considered a large campaign to be 30k pieces, and a large part of the effort was selecting the target group (blanketing the US or any other country is not an option), and measuring the results.

The result is that you receive a limited amount of such mail. Note too that payment methods (the USPS, in the US, is taking payment) means that there are audit trails available. And there are legal means, operating through the USPS, for blocking junk postal mail (including the pornography exclusion method). Very useful for, say, keeping a PO Box useful w/o requiring daily checks.

You are supposed to do it using an (m,n)-threshold scheme. That is, divide the secret into n parts, so that with any m of these parts you can calculate the secret, but with any number of parts less than m, you don't get any information about the secret. Such schemes are easily constructed using elementary number theory, IIRC there is on based on the chinese remainder theorem. See also this FAQ

But there are still entertaining things you can do that are within the bounds of propriety, legality, and sometimes even good taste.

• You can trace the IP addresses of the spammers, and traceroute to find their ISPs. You can autogenerate complaints, though it's probably worth waiting until you have a couple of messages to be sure it's not just a misdirected email message (or you can hand-inspect them to be sure they're really spam.)
• You can block all email from their IP addresses to your real users - especially convenient if you're running your spam-trapping on the same machine as your real email, or at least on a cooperating machine. (Be careful, and you may want to whitelist some machines, such as big email providers, and return good error messages so that any mail from real people can be resent using some other method or simply at a different time.)
• You can run Teergrube which doesn't do anything destructive to the spammer, but responds v.... e..... r.... y.... s.... l.... o..... w..... l.... y.... , tying up resources that could otherwise be used to annoy other people.
• You can run open relay checks on their machines - even though the RBLs of the world have cut down on real providers allowing open relays, there are lots of misconfigured open relay machines that spammers abuse. You can send them to the RBL people so they get cut off, but you can also quickly cut them off from your real email servers.
• If the machine does have an open relay, and you've got a few thousand close friends running teergrube, you could use the relay to drop each of them a note. Do be careful not to cause infinite loops when you do this, though... Exponential growth is easier to cause than to recover from, and you don't want to shut down all the teergrubes you know.
• (Also, be careful not to engage in defensive action for every message from a given source - you only need to traceroute and relay-check a given address once....)
• Spam from China gets the additional letter to the spammer and also the ISP about "Dear Postmaster@btamail.net.cn, I'm having trouble reaching your subscriber AmyWilson@btamail.net.cn. Please let her know that the arms shipment will arrive next Thursday. Long live Falun Gong!" :-)
  

Spider traps are good at handing out bogus email addresses. If some of those addresses belong to teergrube machines, anybody who harvests them and then uses them to send spam to the "users" gets stuck in the tar pit for a while. If you're only doing that for your own machines, that's nice, and slows down the amount of spam you get from a given spammer, and maybe lets you track them down, but it's a pretty unfocused attack. The way to make these things really effective is to coordinate a bunch of honeypots with a bunch of spider traps, so a spammer gets totally mired down in a few hundred honeypots at once instead of just one or two. Is anybody running a project like this?

Running a network of honeypots properly isn't trivial - it helps to keep the list of cooperating honeypots semi-private, because otherwise spamware vendors will start avoiding them, and you need to make sure that every machine on your honeypot list *is* really a honeypot, and not some poor sucker's machine that's suddenly DDOS's by tons of spam because 500 Sugarplums are handing out his address to spammers. If you're going to automate this sort of thing, you should probably require at least confirmation-mail from postmaster@targetdomain.org or possibly a digital signature. One convenient method for coordinating it could be an IRC channel or similar IM server, though you could just use email. An entertaining technique to use would be to have the bogus addresses all belong to domains that you control the MX records for, so you can use DNS to load-balance the spam among machines that have spare cycles for teergrubing (e.g. spammer asks for bogus1.bogusdomain.com, bogus2.widgets.org, bogus3.slashdot.org, etc.) Too bad Napster's dead - most machines running Napster were clients that didn't run their own Port 25 SMTP services, so adding teergrube features to Napster clients wouldn't have interfered with real email, wouldn't have added much bandwidth because it doesn't actually accept messages very fast, and would have made the Napster folks anti-spamming heros. Any other Peer-to-Peer services such as ICQ/Jabber/etc or for that matter IRC clients want to jump in?

You should run teergrube, here's an answer as to why from the Teergrube FAQ:

How many connections will be tied up by a teergrube on my host?

A regular teergrube will hold up to ten connections open at a time. On the spammer's side there will be up to ten connections open for every teergrube he runs into. So decentral resources fight against centralised spammer ressources. The more teergrubes are installed, the better.

1. razor (I recently posted a message about it on /.)
2. A "teergrube". This is german for "tar pit". In the ice age, animals like mammoths trapped into them, today the spammers shall trap into them. Lutz Donnerhacke wrote an interesing FAQ about it, you can get it from here (english, of course). IMHO every ISP should run such a teergrube on his SMTP host.

So what's the alternative? It's to make sure, as often as possible, to build applications programs that have security tools, and to make them as secure as possible by default. We need to try to anticipate problems that will affect lots of people beyond the intended users.

Economics will be hard to fix, because the whole Moore's Law effect driving our industry is that computation and communications keep becoming radically cheaper, and email has been really cheap for a long time. What we have to do is find ways to use those economics for spam prevention - as pattern recognition becomes easier, it's more usable for tracking down spammers, and you can make it *much* easier by techniques like seeding your websites with bogus email addresses you can use to trigger defensive responses, track down spammers, and get ISPs to block abusers. It's also important to use our communications abilities to coordinate spam detection and blocking - the RBL and its relatives are a beginning for this kind of process. Teergruben are another approach, especially if they can be coordinated. But it's also important to make sure that anti-spam tools aren't easily abused as Distributed Denial Of Service attacks (e.g. forging spam leading to mailbombing or long-term blockading of the forgee), which is amazingly easy (e.g. suppose you reply to a spammer's "remove me" address with a thousand emails of "From: bogusaddress1@bogus.net\nSubject: Unsubscribe\n\nbegin 666 vmunix\n...."

http://www.iks-jena.de/mitarb/lutz/usenet/teergrub e.en.html

What you're proposing has already been thought of. It's called a Teergrube. What it does is hold the spammer's SMTP connection open for as long as possible, appearing to slowly accept mail, but in reality doing nothing but wasting the spammer's time. You can do a Usenet search on that term to get more information. Here's an FAQ that may help you out. The post I pulled the link from is several years old, so you may want to look for something more up to date.

Most ISPs won't do -anything- when someone is knocking on your firewall. IME their staffs generally don't understand the issues. I've had, for some time, a guy -on my subnet- knocking. Easy enough for me, just deny his IP address, but he's probably doing it to the -whole- subnet.

For the RIAA: sooner or later we'll find where they launch their attacks from. An analog of teergrube might help them waste their time. I don't have the coding skill to build this, but allowing, say, one bit per second from RIAA addresses on 10% of machines ought to keep them from having much fun.

What you are describing is basically a "Teergrube" (german for tar pit). Read here about them: http://www.iks-jena.de/mitarb/lutz/usenet/teergrub e.en.html

I often prefer displaying my real email on web site, on news groups, because I love fighting spammers. we have _tools_. *grin*

uce :
before spam :


http://www.devin.com/sugarplum/ to protect your webserver from search bots.
teergrubing to protect your MTA :
http://www.iks-jena.de/mitarb/lutz/usenet/teergrub e.en.html
(and of course, hide your email like that : xavieratbocaldotcsdotunivdashparis8dotSPAMfr ;-)

after spam :


http://spamcop.net/
http://www.samspade.org
http://mail-abuse.org(RBL)

tools to semi-automaticly report/fight spam :

http://freshmeat.net/appindex/console/anti-spam.ht ml

irl :

As other says, send back the empty enveloppe.

One funny thing about phone spam is the possibility to talk to the person which is trying to sell you something, like to a human being. (after all, it's often a woman poorly payed to do this job. she(he) deserve humanity). I usually ask if the person is in good mood, and it's easier to say goodbye after this.

Throw them into a tar pit. This keeps them online, and makes them vulnerable as they are a target as long as they are connected.

© Copyright 2000 Kristian Köhntopp
All rights reserved.

Blow the spammers away by stopping their tools:

From the Teergrubing FAQ:

E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources.

If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts.

A teergrube is a modified MTA (mail transport agent) able to do this to specified senders.

Read the full story in the Teergrubing FAQ:

Blow the spammers away by stopping their tools:

From the Teergrubing FAQ:

E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources.

If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts.

A teergrube is a modified MTA (mail transport agent) able to do this to specified senders.

Read the full story in the Teergrubing FAQ:

In Europe, there's a 70 or so candidates (but some of them seem to candidate just for fun). Looking at the endorsments received right now, there seems to be a good chance that the speaker of german hacker organization CCC Andy Mueller Maghun will make it.
My favourite, though, is crypto- and usenet activist Lutz Donnerhacke, who is CCC-related as well.

This is different from mostly-passive traps like teergrube (FAQ; jargon) or Deception Toolkit or spider traps which sit around waiting for Bad Guys to attack them and react unexpectedly when attacked (e.g. ...res.p...o...n...d....v...e...r...y....s..l..o.. o...ooo...w...l...y.... while logging stuff or sending back odd replies). ("mostly passive" doesn't exclude leaving lots of inviting copies of your address around for harvesters or script kiddies to find.)

People in Erfurt and Jena (two cities in Germany) connected to each other using Wireless LAN for internet access. Read about it here.
Remember the old mailbox-nets like FidoNet? That exactly the same thing: Private information infrastructure.

A short delay would only work for mail relays. Most spam is sent point-to-point, so the technique of a two-second delay won't slow spammers down much.

So forget a two-second delay. Someone in Germany has invented a technique called "teergrubing" where an SMTP connection is held open for as much as several hours. It exploits SMTP continuation lines. Read more about it in the teergrubing FAQ. A spammer runs into enough teergrubing sites, and their spam output plummets.

Personally, I like the idea of fake open relays set up especially for spammers to find. It accepts any relay requests, but only pretends to forward the mail instead of sending back an error message (unless the spammer host was a recipient, in which case the message is processed as normal - this defeats the spammer's check of the effectiveness of the spamming). A spammer could be connected to such a relay for six hours, only to find that of the quarter of a million spams sent, *not one* was really sent! I know this might deform the rules of the 'Net a bit, but really, what legitimate purpose would an open relay serve the 'Net community?

--