Fighting Spam on the Home Front
Saint Aardvark writes: "Something interesting from the SecurityFocus Honeypot mailing list: a couple of honeypots for spammers. This message has a link to a how-to page for setting up a Sendmail honeypot to trap spammers, and the status page for a honeypot in Moscow that's trapped spam meant for >1.7 million recipients. The author mentions using a honeypot in conjunction with the Distributed Checksum Clearinghouse -- this seems like a great way to identify both spammers and their messages."
And C-Moan writes: "Wireless spam volume is likely to increase in the coming years. But smart use of spam-fighting measures can go a long way toward eliminating the problem. This article provides info about the latest crop of e-mail filters and enhanced mail client options, as well as two roll-your-own programming platforms that could help keep your in-boxes spam free."
I run a fourth level .ca domain. It gets so much spam that the only solution for me was to put in firewall rules. TCP port 25 is open for my 5 friends, and a few mailing lists. For everyone else, it's closed.
I've got a longer rant on my web page, but I won't post it here, as the machine will die.
Suffix it to say that I can't afford 500k+ spams a day. The SMTP 'HELO', 'MAIL FROM', and 'RCPT TO' traffic for spam was getting to a gigabyte of traffic every few days.
rbl doesn't work. The spammers that hit me aren't listed on it. 'teergrube' doesn't work. I can't afford the bandwidth or the CPU time to maintain millions of open connections.
When you get spam, if you do ANYTHING other than drop the TCP SYN packet, you've lost.
I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.
"It is a greater offense to steal men's labor, than their clothes"
I like the idea with sendmail -bd, not delivering any mail, but surely spammers will simply assume that an "open" relay that takes 2 days to deliver their test message is being moderated as such by somebody running a honeypot. Unless you can identify, and forward spam tests as quickly as if the mailserver was running properly, then the spammers will soon catch on.
...I've noticed that spam has increased quite a bit. Like 10x or more.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
I don't normally complain about this, but why is this story in "Your Rights Online"?
Unless, the Slashdot authors have finally acknowledged that spammers have rights too, but I doubt that.
(And no, I'm not trolling.)
I read the article, and it seems to be based on this.
(1) Spammer sends bunch of stuff to someone who is throwing it away, unread
(2) ? ? ?
(3) Spammer is discouraged from sending spam
In other words, I understand that that spammer THINKS his spam is reaching endusers, when, in actuality, it is not. But I don't understand how that discourages or harms the spammer in any way.
God is real unless declared integer
This sounds a lot like Vipul's Razor, a fellow checksumming spam catcher. In addition to being free and open source, I think Vipul's has been around longer than these other guys. They also use honeypots to catch lots of spam, but I believe not so much in the relay dept.
I ate my sig.
"Suffix to say"? Bwahahahaha! {wiping tears} thanks for the laugh dude!
LOL
ROFLMFAO
"Suffix to say"?
tee hee
I've come to the realization that the solution to spam is political/legislative.
I use SpamAssassin and it blocks virtually all spam, but that doesn't really solve the problem. Most users can't use spam assassin, or other good spam blocking system. Spamcop is good too, but that's now $3/month. Why should I be forced to pay to haul the spam, and $3/month not to see it?
The solution as I see it is this. We need legislation that allows for damages from the beneficiary of the spam. Almost all of the spam I get comes from SMTP servers in China and Eastern Europe. Good luck getting these people shut down. Or, it comes from an open relay. Again, it's useless to attack the unwitting/stupid party, although it might have some effect here. But the spam beneficiary almost certainly has a bank account in your country, or some bank funds transfer mechanism. If they want to do lots of business with the US or other countries, there's going to be some financial presence there. So, we now have money...just tap into that money, by making the beneficiary of spam a civil tort, and spam just gets more expensive to promote.
When the demand for spam drops, because it's too expensive, then the demand for the out of country spam services drops, and eventually, most spam stops.
There would need to be some way to keep companies from being "set-up" as spam beneficiaries, but I think that shouldn't be too hard of a problem to solve. (Who's going to pay a spammer to "set-up" someone else, when the risk could be quite high if you get caught?)
Anyway, I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators. I don't know that they care, but I can pretty much guarantee they're going to get sick of getting such sicko stuff in the mail. Perhaps they'll actually do something. I've even pondered sending it all to every congressman and every senator, but that's a bit costly!
Well, do your damage...
Cheers!
uce@ftc.gov is for this purpose.
UCE = Unsolicited Commercial E-Mail FTC = Federal Trade Commission
If you send it to someone like your congressman, YOU are spamming. If you do it often enough, I'm sure they will have a word or two with your ISP.
If someone sends you a letter filled with anthrax, forwarding it to the president will not make things better...
A monkey is doing the real work for me.
I've just rented a dedicated server running FreeBSD, and I get "relay denied" messages daily. Now I need to accept relaying for my users, so I've been reading about POP-before-SMTP; that's a good solution. Since I am not used to sendmail, it has been very difficult for me to configure it. I think we need a document to configure sendmail "for dummies"; all the documentation I've found is not so easy to understand.
This kind of spam exists no more. How? It was made illegal practically overnight and that shut the bastards down.
The spam problem is a political problem. Until there is enough political will in your governments to crack down on the spammers HARD, the spam problem will be getting worse and worse.
Are you saying that this email address (uce@ftc.gov) is for us to forward the spam that hunts us? If so, why is it not more widely known?
thelikesofwhich.com
It would be really cool to take the relay blackhole list to an extreme, and enhance it with something like LaBrea. That way, instead of just immediately refusing to accept spam, freeing the spammer to move on to the next host on the list, a "tarpit" relay would bog the spammer down, maybe slowing their spamstream down to the point that they're sending only one message per hour. If we could get just a small percent of the SMTP servers on the 'net running such a tarpit, that would reduce the amount of spam that we all get. That is, until the spammers rewrite their software to give up on slow relays.
The only real solution to the spam problem is to kill spammers brutally, horribly and publicly -- placing their heads on pikes as a warning to others. The US should encourage foreign governments to do the same under threat of airstrikes (though said airstrikes should only be centered on the locations of known spammers).
Yes, I'm serious about this. I despise spam and wish all spammers DEAD.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I heard the president actually tried anthrax once..., but he didn't inhale... or so he says... No wait, that was Clinton... (This was intended to be funny, not serious, for the geeks out there with no humor)
Am I lying when I tell you that I'm telling the truth? Or am I telling the truth when I say that I'm lying?
On another front, the FTC set up a special electronic mailbox reserved for UCE in order to assess, first hand, emerging trends and developments in UCE. With the assistance of Internet service providers, privacy advocates, and other law enforcers, staff publicized the Commission's UCE mailbox, "uce@ftc.gov," and invited consumers to forward their UCE to it. The UCE mailbox has received more than 2,010,000 forwarded messages to date, including 3,000 to 4,000 new pieces of UCE every day. Staff enters each UCE message into the database; UCE received and entered in the database within the preceding 6 months is searchable. Periodically, staff analyzes the data, identifies trends, and uses its findings to target law enforcement and consumer and business education efforts.
~
--
"we live in a post-ideological world..." - Billy Bragg.
I decided that one day I would reply to all the spam that I received in my non-personal mailbox.
I did
I then received all the mail back as undeliverable.
I replied the same day it was received so what good are these spammers doing? I mean, how do they expect to make any money if they were not there to take mine?
www.slightlycrewed.com - Because aren't we all?
The most effective solution for fighting spam is NOT legal; it is also not honeypots, or open server bans. It's community action.
Did you receive a spam directing you to a website? Good. Surf there. Reload. Reload a few hundred times. 800 number? Call it and complain. When they hang up on you, call back.
Multiply this by even a small fraction of the people the company sent spam to and swamp their lines and slashdot their servers. They won't be making any sales, and any earnings they do make won't come close to paying their bandwidth or phone bills.
I remember a while back, someone did a story about a day in the life of a script kiddie type person. I think a day in the life of a spammer would be much more educational!
We first got a way that can punish spammers that dates back to the 1600's, and now a way that we can trap them. Just think, instead of locking up Bernard Shifman in a damp dungeon in England, we could honeypot his resume, then smear real honey all over Bernie and leave him near an anthill with a bunch of red ants.
looks like UUNet is at the top of the list... UUNet and prserv/IBM/AT&T are always at the top of my list when it comes to spam in my inbox...
-switched
PocoMail is an email program I've been using for a while that has a great junk mail filter, and things like HTML image loading can be turned off to prevent spammers from sending web bugs (clear images) to track active email accounts. It has other cool features as well, but that'd be (-1, Offtopic).
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
I posted an article that deals with stopping spambots with common apache tools last week in the apache section of slashdot. hopefully some can find use of it here as well :)
here's the link directly to the article as well:
Stopping Spambots II - The Admin Strikes Back
Makes quite a difference. I've pointed my trollbox at the report script. My own spamido scripts were OK, but lacked the distributed functionality of Razor.
Government of the people, by corporate executives, for corporate profits.
Perhaps this has been discussed before, but why not have ISPs levy a per-email charge so that the real cost of sending these messages is reflected? It's not like it would take a quantum leap in billing technology.
Let's make it $0.01 per email, which will cost near nothing to the average email user, but for the lousy spammer who sends out 10,000 emails, this will set him back $100.
People will only change their behavior if it hits them right in the pocket, as soon as they carry out that unwanted behavior. Why should email be free for people to abuse?
Question: If this idea is viable, why don't ISPs implement it, too? For example, if AOL used this technique on a few of its dial-up (or cable) IP addresses, they could potentially make quite an impact. Further, they could apply this technique across each of their address blocks. They could also rotate through the address block the particular addresses which act as the honeypot.
Now imagine that AT&T, Earthlink, MSN, and other ISPs implemented this, too, that should put a HUGE DENT in spamming.
Granted, this would chew up bandwidth on their network, but delivering spam chews it up, too.
Please, if there are mistakes in this, don't mod me down but instead point out what ISPs COULD DO to make this work. Thanks!
But any spammer worth his TOSsing will simply salt the list with a known address or two he set up himself to check his spam run.
Get 1000 /.ers to setup a web page on a simple box they already have or on a free web server... in fact, setup hundreds of pages. Embed in the page every political email address you can find as well as a honeypot one you setup. Set the honeypot one up to forward to the political addresses as well (all of them).
After senator what's his face gets spammed by 10000+ p04n addresses a day for weeks on end he might take notice.
> I don't normally complain about this, but why is this story in "Your Rights Online"?
How about the right not to be harassed by unsolicited e-mail? Or the right that my children should have to be shielded from pornographic e-mail? Or the right for me not to pay for spammers' use of my bandwidth? Although I hate making more laws, as we already have enough of them, I feel like I should have these rights.
Has anyone ever responded to a spam pretending to be interested in the product? I get about a 20% turnaround on "serious inquiries". If I am using a real email address and look like a real customer, and they aren't even writing back to me... they must be spamming several times what they could "legitimately" handle.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
It looks like it's designed to integrate quite well with sendmail, while Vipul's Razor is easier to plug and play with Procmail.
Vipul's Razor looks easier to install and get running, but DCC might be more effective for high capacity sites.
Two slightly different approaches: Vipul's Razor is Perl based and DCC is written in C. How about a common data format, common databases and servers?
Government of the people, by corporate executives, for corporate profits.
I have a client (in the porn biz) who has a similar problem.
From aaa@hisdomain.net to zzzzz651@hisdomain.net, over 700,000 separate unique names that someone had put up for the harvesters to find/get. When I called the FTC about it, and talked to the anti-spam department, they had not heard about such activities.
His Windows NT box would crash, and if the mail was allowed to follow the normal 'accept the message, then try to bounce it', his little ol' T1 would be saturated. FreeBSD didn't crash, but had over 200 sendmail connections when it took over for NT, and now sees 35 connections at any one time.
Sounds like someone has it out for you, and is willing to allow the spammers to create the DOS attack. If you are lucky, abandoning the domain that is getting the spam means your problem will go away.
mmmm... balls.
-linuxchik
Maybe we can capitalize on the It's For The Children idiocy that seems so prevalent in government:
1) Have your 14-year-old kid set up an email account somewhere.
2) Help him/her write an innocent letter to your representative complaining about the inappropriate spam s/he is receiving.
3) Watch them trip over themselves to Save The Children =P
replying to this article as an isp with about 12k email accounts, I'd like to point out that the biggest thing holding an ISP back from implementing large global spam blocking routines is the fear of dropping more than zero legitimate emails. It's like that old legal thought, "better to let 10 guilty men go free than to jail 1 innocent man". If I blocked an email inviting someone's grampa to the family reunion and killed 500 pr0n spams, and found out about it, I'd feel miserable for days. (Not that such a ruleset would be that likely to trigger for both- if it did I'd prolly end up with a giant R branded to my forehead for "regex")
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
If everyone posted their spam-sender lists on their web pages, then the spammers would be harvesting their own email addresses. While this wouldn't do anything about the disposable addresses, it'd do something about the people providing said addresses.
Checksumming strikes me as very easy to defeat. Just have the mailer append a random string to each message body. I've noticed most spam already does this with subject headers. Am I missing something?
This isn't flamebait, but what is the point of doing all of this?
So now the spammers have a lot of worthless addresses. Well, let's think about that for a minute. Spam is built around a theory that next-to-no-one will reply anyway, so that doesn't matter much. Spammers also rarely pay for their own bandwidth, choosing instead to spoof insecure machines to do their dirty work. So in the long run, you only end up giving them more worthless addresses that create more wasted bandwidth, neither of which really harms the people you are attempting to target.
We do not need more laws "protecting" us! What we really need is an easy to use universal email crypto standard where everyone will sign their email. Any mail not signed is immediately suspect. Any keys you do not recognize are suspect.
Standard crypto would serve us much better than any new law (set of laws) and the possible abusive applications of said law(s). We would surely end up with all sorts of lawful and awful unintended consequences as a result of anything that is generated by any government.
~Sean
Often I see it encoded, such as /image.png?5f7a97d66d9aec0e1582c15578ac5815. I think they know; otherwise I could do this by hand:
GET /image.png?uselessaddr1@hotmail.com
GET /image.png?uselessaddr2@hotmail.com
GET /image.png?uselessaddr3@hotmail.com
GET /image.png?junk-in-ur-db@excite.com
GET /image.png?hahah@u.spamming.ass
GET /image.png?XXXXXXXXXXXXXXXXXXXXXXXXXXXX....
DID I BREAK SOMETHING? AW...
Liberty in your lifetime
I can't see this happening while the Direct Marketing Association is lobbying (read bribing) the government.
It uses a weighted score that derives its values from a variety of sources including Razor and various Black Hole Lists.
The type of heuristics are along the lines of:
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (12.24 hits, 5 required)
SPAM: Hit! (1 point) From: contains numbers mixed in with letters
SPAM: Hit! (1.2 points) From: does not include a real name
SPAM: Hit! (1 point) 'Message-Id' was added by a relay (2)
SPAM: Hit! (1 point) Subject contains lots of white space
SPAM: Hit! (1 point) BODY: List removal information
SPAM: Hit! (1.56 points) Contains phrases frequently found in spam
SPAM: [score: 26, hits: accept credit, credit cards,]
SPAM: [fill out, for your, more information, our]
SPAM: [company, phone number, receive further, remove]
SPAM: [the, reply this, subject line, thank you, the]
SPAM: [subject, this email, wish receive, word remove,]
SPAM: [you for, you like, you wish, your]
SPAM: [email]
SPAM: Hit! (1 point) spam-phrase score is over 20
SPAM: Hit! (1 point) Received via a relay in inputs.orbz.org
SPAM: [RBL check: found 14.54.162.63.inputs.orbz.org.]
SPAM: Hit! (2 points) Received via a relay in relays.osirusoft.com
SPAM: [RBL check: found 6.223.155.212.relays.osirusoft.com., type: 127.0.0.9]
SPAM: Hit! (1.48 points) Subject contains a unique ID number
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------
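The report above is a weighted-score verdict: every heuristic that fires contributes its points, and the message is tagged once the total reaches the required threshold. As an added example (written for this page, not SpamAssassin's own rule set), here is a small scorer of the same shape. The rule names, the weights (copied from the report above), the phrase list and both sample messages are constructed; the RBL lookups in the report need DNS and are left out so that the example runs offline.

```python
"""Added example: a small SpamAssassin-style weighted scorer (illustrative
code written for this page, not SpamAssassin's own rules). Rule names,
weights and both sample messages are constructed; the weights copy the ones
in the report quoted above. RBL lookups are omitted so it runs offline."""
import email
import re
from email.utils import parseaddr

REQUIRED = 5.0   # "5 required" in the quoted report

SPAM_PHRASES = (
    "accept credit", "credit cards", "fill out", "more information",
    "phone number", "wish to receive", "reply with", "subject line",
)


def body_text(msg) -> str:
    """All text/plain parts, whitespace-collapsed and lower-cased."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(" ".join(parts).split()).lower()


# Each rule predicate sees the parsed message and the normalised body.
def from_has_digits(msg, body):
    local = parseaddr(msg.get("From", ""))[1].split("@")[0]
    return bool(re.search(r"[A-Za-z]", local)) and bool(re.search(r"\d", local))


def from_no_name(msg, body):
    name, addr = parseaddr(msg.get("From", ""))
    return bool(addr) and not name


def subject_whitespace(msg, body):
    return bool(re.search(r"\s{5,}", msg.get("Subject", "")))


def subject_unique_id(msg, body):
    return bool(re.search(r"(\b\d{4,}|\[#?\d+\])\s*$", msg.get("Subject", "")))


def list_removal(msg, body):
    return bool(re.search(r"to be removed|unsubscribe|remove me", body))


def spam_phrases(msg, body):
    return sum(phrase in body for phrase in SPAM_PHRASES) >= 4


RULES = [  # (rule name, points, predicate)
    ("FROM_HAS_DIGITS", 1.00, from_has_digits),
    ("FROM_NO_NAME", 1.20, from_no_name),
    ("SUBJECT_WHITESPACE", 1.00, subject_whitespace),
    ("SUBJECT_UNIQUE_ID", 1.48, subject_unique_id),
    ("BODY_LIST_REMOVAL", 1.00, list_removal),
    ("SPAM_PHRASES", 1.56, spam_phrases),
]


def score_message(raw: str):
    """Return (total points, [(rule, points), ...]) for one RFC 822 message."""
    msg = email.message_from_string(raw)
    body = body_text(msg)
    hits = [(name, pts) for name, pts, test in RULES if test(msg, body)]
    return round(sum(pts for _, pts in hits), 2), hits


def is_spam(raw: str, required: float = REQUIRED) -> bool:
    return score_message(raw)[0] >= required


# Constructed sample messages; addresses and Message-Ids are made up.
SPAM_MSG = """\
From: jx4729k@example.net
To: victim@example.org
Subject: Accept credit cards today      ID 48213
Message-Id: <20020101000000.A1@example.net>

Now you can accept credit cards! Fill out the form below for more
information. Please include your phone number.
To be removed from this list, reply with REMOVE in the subject line.
"""

HAM_MSG = """\
From: Alice Example <alice@example.com>
To: bob@example.org
Subject: Re: family reunion in July
Message-Id: <20020101000000.B2@example.com>

Hi Bob, are you coming to the reunion? Let me know by Friday. -- Alice
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_MSG), ("ham", HAM_MSG)):
        total, hits = score_message(raw)
        print(f"{label}: {total} points, tagged={is_spam(raw)}")
        for name, pts in hits:
            print(f"  Hit! ({pts} points) {name}")
```

The constructed spam sample fires all six rules for 7.24 points; the constructed ham sample scores 0. The point of the weighted form is that no single rule is decisive: a legitimate mailing list will match the list-removal rule, and a ticket system puts an ID in the subject, but neither alone reaches the threshold.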
Is there a site with some info on spammers, like phone numbers, email addresses, and such? I would very much like to start or participate in a campaign to bombard spammers with phone calls, emails, letters, etc--anything that would totally saturate their time with clearing out the mess it would create. I would be willing, even eager, to place a hundred calls a day (if it involved a toll free number.) I'm spiteful enough to waste my time so hopefully spammers won't waste the time of others.
I setup an account on my mail server just called "spam;" whenever a site like Real.com asks me for an E-Mail address, I give them that. In fact, I don't even remember the password for the account, and I usually have to su to it from root to get the confirmation. Out of sight out of mind.
I've occasionally replied to spam posing as a potential customer, usually when I want to know who's really behind a particular spam. I don't hear back from humans very often, either. I doubt it's that the spammer (or his client) doesn't want our "business." In most cases I think it can probably be explained by one of the following,
a) Spammer sent spam, checked for replies for a while, then abandoned that dropbox for a fresh one. By the time I replied to his spam, he was no longer checking on that box.
b) Spammer sent spam, and because everything under the sun was in tune, someone with a clue was reading abuse@ and nuked his dropbox.
c) Spammer sent spam, got mailbombed with thousands of junk letters and didn't bother to clean the dropbox out. Both Hotmail and Yahoo - from my experience, anyway - will spool new messages for you even when you exceed your storage quota. Those messages won't show in your inbox until you delete some of the existing dreck, but they don't bounce either; we could be sending order inquiries to a "full" dropbox that's never cleared.
Of course, we can always dream about
d) Spammer sent spam, was visited by a few guys with baseball bats, and was rendered physically unable to reply to our solicitations!
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
How's that going to help if the porn sites are in China? Passing a law won't change it, your Congressman and Senator would have to be willing to support some kind of "punishment" in the form of economic sanctions or something on the country as a whole.... If that... It's not going to happen, not by just passing a law.
If it were to be stopped by law, it would have to be an INTERNATIONAL law (funny how electrons in cables don't know to carry a passport and stop to check in with the Customs Officer when they cross a border).
And, EVERY country would have to support the law. Or else the spamming operations would just move to a country that allows it. Good luck getting every country in the world to agree to an international policy just to keep spam out of your inbox.
Sorry to rant, but it gets on my nerves when ANYONE thinks the USA has some right to make any Internet regulation at all.... because they are trying to control something that extends way beyond the country's borders.
Check out Rokso. This site maintains a database of well known spammers, as well as spam samples, MO's, partners in spam and, yes, personal info for many of the spammers.
Try going to SPEWS and searching on the IP addresses of any SMTP relays used in the mail. If you find a hit, view the evidence file. It will usually contain information about the sender of the spam, their ISP, and related domains.
Subscribe to news.admin.net-abuse.email via your news provider of choice, or search the archives at groups.google.com. If you type in some particulars about the spam - for example the domain being advertised, or maybe the email address listed on the whois for that domain - Google will usually bring up some pertinent matches from NANAE. When it's a new spam run, or a new spammer, remember that Google's archive is usually at least 12 hours behind.
If you don't find anything, or even if you do find something and you're in a sharing mood, post the spam you get to news.admin.net-abuse.sightings and if you've done any research into the spammer, include it at the top of your post.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Just a thought.
Does anyone know the regulations regarding sending pornographic materials via the US Postal Service?
If you read about the purpose of that email address on the FTC's site you will see that while the FTC is aware of the burden/inconvenience of spam on the user and ISP, their primary focus is on identifying trends in illegal activities (ie: get rich quick schemes and other types of fraud).
While bulk UCE burdens Internet service providers and frustrates their customers, the FTC's main concern with UCE is its widespread use to disseminate false and misleading claims about products and services offered for sale on the Internet. The Commission believes the proliferation of deceptive bulk UCE on the Internet poses a threat to consumer confidence in online commerce and thus views the problem of deception as a significant issue in the debate over UCE.
Because if they think the spam is getting through, the spammer ends up wasting a whole lot of time sending spams which don't get delivered. If they realize they've got a honeypot, they move to another relay and start sending spams which do get delivered. Clearly it's better to have a spammer sending mail to nowhere than sending it to everywhere, but no spammer's going to intentionally send mail to nowhere. That's where the trickery comes in.
Okay, this is the step 2 that I was missing. I assumed that the spammers would just hit every open relay that they could. The above is saying (if I understand correctly) that they will find an open relay, and use it as long as possible, and then when the spam is sent they will say, "A job well done. Now let us go out and find puppies to slay." And thus the honeypot prevents the spam from being sent, and thus they get no responses, and say, "My, sending spam is useless."
...which answers my question. Thanks.
God is real unless declared integer
If we can set up a trap and let the email-harvesting bots come in, and the trap sends back a virus to blow the machine up, or something less dramatic like deleting the contents of the hard drive.
Is this legal? Is this feasible? I'm no expert in email systems and scripting.
Follow my sig into the spam death chamber....
Look, you don't have to make this decision. Install a solution, default it to "off" for all customers, put up a web-form for them to turn it on FOR THEIR INDIVIDUAL ACCOUNT if desired, and send all customers instructions including a full and accurate description of the consequences.
If they don't want to live with the possibility of not getting their invitation to the family reunion, well, fine, they can live with the spam. If they're willing to risk losing that invitation in order to kill the corresponding 50 spams that they would receive with it, great, they can turn on the solution for themselves and then they have no right to complain if some legitimate email gets lost because, well, YOU WARNED THEM.
While I was doing my CS degree I spent my placement year at a small data mining software company. Once we got a request from a marketing company based in Estonia asking if we could clean some 'addresses', as their customers had a tendency to deliberately mis-spell their addresses. We found their attempts to hide the company background and the extent of their business odd, especially the ordinary ISP email address (not their own domain), but never thought any more about it. We asked them for a sample data set of these 'addresses' so we knew what we were dealing with. Initially they did not want to hand them over; after a while we said if you don't show us the data we are unable to tender for the work. What arrived was a text file containing email addresses along the lines of:
someone@REMOVETHISdomain.com
me@SPAMOFFhost
NOSPAMme@isp.net etc.
Suffice to say we did not tender for the work. What worried me was the fact that they were willing to pay good money (around 5,000 sterling) to extract maybe 250,000 email addresses; this goes to show there must be a good incentive to do all this spamming.
You can usually make the top 10 spammers on this list pay between $1 and $10 by clicking their link.
The cell phone that my company provided us has the service from AT&T (that would not be my first choice if I could choose). And I received all kinds of spam pages on the phone every week (it's not as crazy as email spam, but still...)
Some of them are from AT&T itself (I really can't understand why they spam their own already-subscribed customers!). Others are from who-knows-whom. Some with messages like "Call this number to make more money", or "Call this number for a free home loan consultation", or some idiotic messages like that.
sendmail -bd will always try and deliver, even though no -q flag is set. This setup is extremely dangerous and will play right into the hands of the spammers.
Their spam-software site is here. Scroll down to the bottom to see the (c) Elcomsoft.
Of course, the Slashdot editors rejected this story :-)
Oolite: Elite-like game. For Mac, Linux and Windows
Unfortunately with any sort of government regulation, we will sacrifice even more freedoms for security.
However, a simple solution is to legislate that all e-mail must originate from a valid account on a valid domain. Granted this means that all mail server software will have to be updated to handle these checks, but it's a "safer" solution than having the government legislate the e-mails themselves.
Email software that does not have these checks will be blacklisted from those with the checks. Of course the procedure to be taken off the black list is easy, just update your server and contact the proper authorities and have your server automatically checked and tested to see if it's a compliant mail server.
This will take away the advantage that spammers have now of not easily being tracked down.
The only real downside is that people like myself who have mail servers running on broadband/dialup will no longer be able to use them to send out mail (not unless we had a static IP or somesuch).
Just a thought. I'd prefer that over giving the government an excuse to scan all emails.
As many posters wrote, many UCBE emails come from servers outside US and EU, so I don't see how a legislation could help for those cases.
That doesn't mean nothing can be done, but no solution will make spam disappear instantly.
Men are born ignorant, not stupid; they are made stupid by education. Bertrand Russell
That's been common knowledge on /. almost since Dmitry got arrested. Most of the comments were along the lines of: yeah, spammers suck, but getting arrested for talking about Adobe's poor encryption is criminal.
I'm far from a sophisticated programmer, but I can bang out the odd script in Perl and I use procmail.
I've actually been collecting spam for an idea that I have -- spam can be identified by the subject matter based upon the vocabulary. This weekend I hacked out a script that goes through a spam mbox and builds an index of words and two-word phrases.
I ran it against my main inbox and it generated an entirely different vocabulary than the one generated by my spam mailbox. This leads me to believe that a new mail message could be judged by subject alone to see if it contained a lot of spam vocabulary, and if it did its words could get added to the dictionary.
The virtue of this is that it's self-learning -- the more you get, the better it gets at finding them, since the spam vocabulary gets even better defined.
Of course, I haven't worked out the scheme for matching new mail against the dictionary yet (either in a logical sense or an implementation sense), so it may prove much harder than it seems -- but the fact that Spam is spottable in the subject by me just reading it vs normal mail shows me that the vocabulary is significant.
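The matching step the post leaves open can be done with summed log-odds over the indexed words and word pairs, which is what the example below does. It is added here and is not the poster's script: the two small subject corpora are constructed, the `VocabularyFilter` class, its add-one smoothing, the 1.0 threshold and the 2.0 learning margin are choices made for the demonstration, and the feedback step only re-indexes a subject when the score is well clear of the threshold, which is the caveat the self-learning idea needs: if every verdict is fed back, one borderline mistake teaches the filter more of the same mistake.

```python
"""Added example: a subject-line vocabulary filter of the kind described
above (written for this page, not the poster's script). It indexes words
and two-word phrases from a spam corpus and a non-spam corpus, scores a new
subject by summed log-odds with add-one smoothing, and only feeds a verdict
back into the index when the score is far from the threshold. Both corpora
below are constructed."""
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z$]+")


def tokens(subject: str) -> set:
    """Lower-cased words plus adjacent word pairs, as one set per subject."""
    words = WORD.findall(subject.lower())
    pairs = [" ".join(p) for p in zip(words, words[1:])]
    return set(words + pairs)


class VocabularyFilter:
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()   # token -> #subjects seen in
        self.nspam = self.nham = 0

    def train(self, subject: str, is_spam: bool) -> None:
        index = self.spam if is_spam else self.ham
        for tok in tokens(subject):
            index[tok] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def score(self, subject: str) -> float:
        """Sum over tokens of log P(token|spam)/P(token|ham); > 0 is spammy.
        Add-one smoothing keeps never-seen tokens near 0 (exactly 0 when the
        two corpora are the same size) instead of dividing by zero."""
        total = 0.0
        for tok in tokens(subject):
            p_spam = (self.spam[tok] + 1) / (self.nspam + 2)
            p_ham = (self.ham[tok] + 1) / (self.nham + 2)
            total += math.log(p_spam / p_ham)
        return total

    def classify(self, subject: str, threshold: float = 1.0, learn_margin: float = 2.0):
        """Return (is_spam, score). Self-learning happens only on confident
        verdicts so that one borderline mistake does not poison the index."""
        s = self.score(subject)
        verdict = s > threshold
        if abs(s - threshold) >= learn_margin:
            self.train(subject, verdict)
        return verdict, s


# Constructed training corpora standing in for a spam mbox and a real inbox.
SPAM_SUBJECTS = [
    "ACCEPT CREDIT CARDS TODAY!!!",
    "Make money fast from home",
    "Free home loan consultation",
    "Lose weight now, ask me how",
    "Hot XXX pics inside",
    "Your mortgage rate approved",
    "REMOVE to be removed from our list",
]
HAM_SUBJECTS = [
    "Re: meeting moved to Thursday",
    "Family reunion this summer",
    "Patch for sendmail.cf",
    "Lunch tomorrow?",
    "Re: kernel build failing",
    "Photos from the hike",
    "Re: slides for Friday",
]


def build_filter() -> VocabularyFilter:
    f = VocabularyFilter()
    for subj in SPAM_SUBJECTS:
        f.train(subj, True)
    for subj in HAM_SUBJECTS:
        f.train(subj, False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for subj in ("Make money from home today", "Re: meeting notes from Thursday"):
        verdict, s = f.classify(subj)
        print(f"{s:+.2f}  {'SPAM' if verdict else 'ok  '}  {subj}")
```

Word pairs matter more than they look: "make money" and "from home" each score as a spam token on their own, so a subject assembled from individually neutral words still scores high. The flip side is that the index is only as good as its corpora; a filter trained on one person's inbox will misjudge another person's mail, which is one reason the ISP-scale deployments discussed elsewhere on this page are so nervous about false positives.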
the spammer gets wise to the checksums. Then all it has to do is generate a checksum on his spam, monitor the checksum repository, and when the checksum appears, change the spam going out.
Or better yet, create the spam, run the checksum algorithm (it is open source after all). Then run the spam through an algorithm which changes x amount of words to various synonyms or pads the message so that each successive spam sent generates a unique checksum. Probably wouldn't add that much overhead to the spam bot when doing a mailing. Boy, that would flood the checksum database in no time.
It's just like an arms war. As long as you try and build a better mouse trap, someone else is building a better mouse.
ChuckyG
I've noticed a lot of people complaining about spam originating from UUNet's network.
I've observed this problem for a few weeks now as well, so I called their abuse group and asked them why their dialup pools were not in MAPS DUL (which I use). The representative told me that they were moving around their dialup pools and their entries in the DUL would be updated shortly.
Cheers,
pointer
[%- PROCESS life -%]
why doesn't someone post a list of spammers 1-800 numbers for everyone to war dial. that may help.
Before long they will require us all to register email addresses as @ssa.gov. i've already got mine registered at yahoo and msn but this would just be too much.
Who says you have to checksum the entire body of the message?
You can pick bits of the messages to checksum, say the 5th to the 10th from last line. Exactly the bits the spammer wants you to read.
It isn't really fair to blame interns who happen to work for [insert name of evil corporation] for the company's possibly unethical behaviour. I doubt that many people here agree with everything their employer's does. (I know I disagree with my employer's decision not to promote me and give me a big fat pay rise...)
"We were /.'ted. This tiny machine, i486DX4/100, handled load well. There are way too many hits for this page from all over the world -- machine isn't ready for this load but I'm surprised how well this simple machine can perform! Ok. But this means that this my honeypot isn't hidden anymore... And I was unaware of /. post, I only noticed greatly increased hit ratio."
/. informed users that they were about to be hit...?
I thought
God bless the poor little guy and its ISA nic.
I gave myself to Jesus, but now he never calls
I live in an area with 2 local pops. Both are local ISPs. There's no cable, ISDN or DSL for the home user. Due to the lack of competition we pay more and receive less.
Here's their latest program:
http://www.acsworld.net/images/avas.htm
They're charging for filtering spam. I can't believe they have the nerve. Has anyone else seen an ISP trying this crap?
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I recently published an article that outlines a way to put an end to spam on the internet. Check it if interested...
Wouldn't trying to attribute a checksum to a spam message be difficult? It would only work for messages that are 100% identical. So all a spammer would have to do is include something unique in each email (like 5 random characters at the end of the body?) which I think they're doing now for some spam I've been getting...
I don't see how someone who writes a script that adds a spam victim's name to an email's subject or body is going to be stopped by comparing a checksum.
And seeing as ~90% of the spam I get always has some nonsensical letters on the end of the subject, I can't imagine it doing any good. Slightly different content equals a completely different checksum.
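The objection that one appended random string defeats a whole-message checksum (raised here, and earlier in the comments on synonym substitution and padding and on checksumming only part of the body) is what fuzzy digests exist to address. The following is an added example, not DCC's or Razor's own algorithm: it contrasts an exact SHA-256 of the body with a digest made of hashed three-word windows over a normalised body, so a trailing random tag or a swapped synonym leaves most windows intact and the message still matches a reported one. All message bodies are constructed.

```python
"""Exact checksum vs. word-shingle fuzzy digest over constructed message bodies."""
import hashlib
import re

SPAM = ("Make money fast from home!\n"
        "Our proven system lets you earn thousands every week with no experience.\n"
        "Click here to get started today and change your life.\n")
TAGGED = SPAM + "\nqz7vm4kx\n"              # same spam with a random tag appended
REWORDED = SPAM.replace("money", "cash")    # one word swapped for a synonym
HAM = "Hi, can we move tomorrow's meeting to ten? I need to finish the sendmail config review first.\n"

def exact_digest(body):
    """Whole-body hash: any changed byte gives an unrelated value."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def normalize(body):
    """Lower-case and keep only letters, so case, punctuation and digit noise do not count."""
    return re.sub(r"[^a-z]+", " ", body.lower()).split()

def shingle_digest(body, k=3):
    """Fuzzy digest: the set of hashes of every k-word window of the normalised body."""
    words = normalize(body)
    return frozenset(
        hashlib.sha1(" ".join(words[i:i + k]).encode("utf-8")).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    )

def similarity(d1, d2):
    """Jaccard overlap of two shingle digests: 0.0 (nothing shared) to 1.0 (identical)."""
    if not d1 and not d2:
        return 1.0
    return len(d1 & d2) / len(d1 | d2)

def is_known_spam(body, known_digests, threshold=0.5):
    """True when the body is close enough to any digest already reported."""
    d = shingle_digest(body)
    return any(similarity(d, k) >= threshold for k in known_digests)
```

The exact digests of SPAM and TAGGED share nothing, while their shingle digests overlap on 25 of 28 windows; a spammer has to rewrite most of the text, not just its tail, before the fuzzy match drops under the threshold, and a legitimate message shares no windows at all.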
These lists of "20 million clean email addresses" have to be placed in some order, and I would bet that most spammers don't get through the entire list for every spam. So, if your name appears near the top, you should get a lot more spam than if your name is near the bottom. A lot of spammers seem to sort by either the whole email address, or by the host name.
So, is aaron@aalig.org going to get a lot more email than zork@zyzzyva.com?
SPF support for most open source mail servers can be found at libspf2.
We had previously tried a number of anti-spam solutions, including combinations of RBL, ORBS, locally-maintained blacklists and lots of Sendmail hacks.
We had very little luck until November, when we implemented Spam Assassin on all of our mailboxes. After turning on Spam Assassin, the SPAM seemed to just go away. In the first day alone, we caught over 300 pieces of SPAM with ZERO false-positives with less than 10 pieces of junk making it through to the end user's mailbox. The program is, simply put, amazing.
Its multi-faceted approach works very well. It uses a combination of simple logical string checking, in addition to things like distributed databases like RBL and Razor.
The program can also place SPAMs in a dedicated mailbox file so you can see what got rejected. Each piece of rejected mail contains a report that includes the reasons that contributed to the rejection. Each reason has a weighted value that contributes to the final "good" or "bad" disposition. All of this is highly customizable, but it does work very well out of the box without any tinkering.
I highly recommend this program. Take the time to sit down and install it on your mail server.
Or any sort of attack on the spam sponsors' e-mail, web, phone, or other legit business contact info? The "weakness" of spam is that it must deliver legitimate, and usually immutable, business information in order to fulfill its marketing needs. With honeypots and data-mining you can even automate the attack process, thereby using the spammers' tools back on their sponsors. Socially conscious distributive computing at its best.
Typically the aliases point to my account, but as soon as they abuse the address and start spamming, and most do, I repoint the alias to my Razor trollbox.
Spam's gone from my box and anyone else using Razor is also protected.
OK, so detect those feedback URLs and use a variation of WebPoison. Make up a bunch of email addresses and use them to retrieve those URLs.
"Gee, I sent out a million emails and got forty million responses..."
Seriously, I don't particularly care about the bandwidth as long as the mails don't get to my mailbox.
You're assuming that they checksum the entire message. No need to do that.
"www.ombramarketing.com" has been a MAJOR source of spam e-mail. I was getting about 20 messages daily (that originated from completely unique addresses, so I couldn't effectively filter them), that I eventually tied back to them.
Please feel free to forward them ALL your spam at: contactombra@ombramarketing.com.
It got me off their list, and gave me a little personal satisfaction as well.
Put something like "Business Inquiry" in the subject line to get them to read it (just like the tactics they use). Let's increase THEIR cost of doing business.
Maybe someone can put together a list of major culprits, and we can /. them into re-thinking their corporate strategies. As long as they can spam away at the cost of their time only, nothing will change. If so, I can contribute a few more major culprits to the list (though the one above was the worst for me).
Sorry to be an "anonymous coward". I can't remember my password and wanted to send this off quickly.
BTW, my ISP (The Well) charges me for storage used monthly (which includes my .inbox). I'm not changing ISPs, as it's not their fault that one spammer picked up my account from somewhere and sold it to every damn spammer around. Obviously I HATE spammers as much as anyone can imagine. I'd like to personally kick the crap out of every one of them, for my direct expenses incurred.
Vic
The page you want to read is Junkbusters Telemarketing Headlines.
A quick how-to to reduce the amount of telemarketing calls you receive. Yes, I have followed these steps. Yes, over time (say, 90 days) they work.
Cheers,
-- RLJ
I think we need a document to configure sendmail "for dummies"... They do have Sendmail for dummies, it's called Postfix. I use it and like it.
Yeah, I can tweak the filtering rules -- if my provider will let me. That's still gonna block important email, like when I don't know the exact return address in advance.
Apple and Microsoft should turn on a SMTP honeypot by default on EVERY machine.
It would be the digital equivalent to the irradiation of Tsetse Flies in Africa. They could access everywhere, but none of the sites would actually relay the mail.
The real reason why spam is here and why it stays is simple. Money. The ISPs take the money of the spammer just like your money. Only with a spammer they usually have higher bandwidth to spam ya all. That means more money to the ISP. By the time you get the spam it's too late. Lots of sites have paid money to get it to you.
Now in all fairness most ISPs try to keep up with the flood of e-mails/calls about spam. However, they are under a deluge trying to keep up.
The only real way to block this vermin from our net is to have routers block it at the source. If routers implemented RBL you would see those sites, that insist on harassing the rest of us, slowly getting choked out.
What the internet needs is a ruler to smack the hands of those delinquent spammers et al.
make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
My father's trick:
You say: "Yes that sounds interesting... Ooops, someone's at the door, hold on..." and then you put the phone down on the table and go back to what you were doing. 5-10 minutes later, go back and hang up the phone.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
(Posted by Brad Spencer, more lazy than cowardly)
Once you see a few relay tests you will be able to devise automated ways to recognize them. My actual honeypot is a VMS system and is a mail server. Not only do I routinely recognize most relay tests, I also routinely separate spam from legitimate email. I take advantage of some of the features of the email software used (PMDF) to do this. I don't recommend mixing a server with a honeypot but it can be done.
I don't normally get volumes like that of the Moscow honeypot. For instance, in all of today just 162 spam messages have been trapped, for probably 48 recipients each. I've had long dry spells with no spam at all. Somehow they always seem to come back.
While the how-to link fails the earlier version of the same information can be found at http://fightrelayspam.homestead.com/files/antispam 06122001.htm
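As an added illustration of automating relay-test recognition (this is not the poster's PMDF setup): a parser over constructed sendmail-style log lines that groups from=/to= records by queue id and labels each envelope. The rule is the usual one for an open-relay probe: a message that neither comes from nor goes to a local domain is a relay attempt, and one with a single recipient at the sender's own domain is a probe rather than a mailing. The local domain honeypot.example and every address, queue id and IP in the sample are assumptions.

```python
"""Label queue entries in sendmail-style logs as relay tests, relay spam, or local mail."""
import re
from collections import defaultdict

# Constructed sample: a relay probe, a bulk relay attempt, and one legitimate local delivery.
SAMPLE_LOG = """\
Jan 14 09:12:01 honey sendmail[2211]: g0E9C1x02211: from=<probe@relaytest.example>, size=321, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.77]
Jan 14 09:12:02 honey sendmail[2213]: g0E9C1x02211: to=<probe@relaytest.example>, delay=00:00:01, mailer=esmtp, stat=queued
Jan 14 09:15:40 honey sendmail[2240]: g0E9Fex02240: from=<bulk@mailer7.example>, size=4096, class=0, nrcpts=3, proto=SMTP, daemon=MTA, relay=[198.51.100.9]
Jan 14 09:15:40 honey sendmail[2241]: g0E9Fex02240: to=<alice@isp-a.example>, delay=00:00:00, mailer=esmtp, stat=queued
Jan 14 09:15:40 honey sendmail[2241]: g0E9Fex02240: to=<bob@isp-b.example>, delay=00:00:00, mailer=esmtp, stat=queued
Jan 14 09:15:40 honey sendmail[2241]: g0E9Fex02240: to=<carol@isp-c.example>, delay=00:00:00, mailer=esmtp, stat=queued
Jan 14 09:20:05 honey sendmail[2260]: g0E9K5x02260: from=<friend@outside.example>, size=800, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Jan 14 09:20:05 honey sendmail[2261]: g0E9K5x02260: to=<me@honeypot.example>, delay=00:00:00, mailer=local, stat=Sent
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>")
RELAY_RE = re.compile(r"relay=\[([\d.]+)\]")

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def parse_log(text):
    """Group from=/to= lines by queue id into envelope records (sender, client IP, recipients)."""
    envelopes = defaultdict(lambda: {"from": None, "client": None, "rcpts": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = envelopes[m.group("qid")]
        rest = m.group("rest")
        f = FROM_RE.search(rest)
        if f:
            rec["from"] = f.group(1)
            r = RELAY_RE.search(rest)
            rec["client"] = r.group(1) if r else None
        rec["rcpts"].extend(TO_RE.findall(rest))
    return dict(envelopes)

def classify(rec, local_domains):
    """Neither end local: relay attempt. One recipient in the sender's own domain: the classic probe."""
    sender_local = domain_of(rec["from"] or "") in local_domains
    rcpt_local = any(domain_of(r) in local_domains for r in rec["rcpts"])
    if sender_local or rcpt_local:
        return "local"
    if len(rec["rcpts"]) == 1 and domain_of(rec["rcpts"][0]) == domain_of(rec["from"] or ""):
        return "relay-test"
    return "relay-spam"

def analyse(text, local_domains=frozenset({"honeypot.example"})):
    """Map each queue id in the log to its verdict."""
    return {qid: classify(rec, local_domains) for qid, rec in parse_log(text).items()}
```

The client IP captured from the from= line is what you would feed to whatever you do next (a tarpit rule, a complaint to the network's abuse desk), and the recipient count separates the probe from the mailing that follows it once the probe appears to succeed.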
Doesn't this adequately handle the problem? (in /etc/sendmail.cf)
# default delivery mode
O DeliveryMode=background
Would it really be that difficult for routers to block IPs from some source, on request of destination address? Blocking traffic near its origin should save some bandwidth.
Drake
Spider traps are good at handing out bogus email addresses. If some of those addresses belong to teergrube machines, anybody who harvests them and then uses them to send spam to the "users" gets stuck in the tar pit for a while. If you're only doing that for your own machines, that's nice, and slows down the amount of spam you get from a given spammer, and maybe lets you track them down, but it's a pretty unfocused attack. The way to make these things really effective is to coordinate a bunch of honeypots with a bunch of spider traps, so a spammer gets totally mired down in a few hundred honeypots at once instead of just one or two. Is anybody running a project like this?
Running a network of honeypots properly isn't trivial - it helps to keep the list of cooperating honeypots semi-private, because otherwise spamware vendors will start avoiding them, and you need to make sure that every machine on your honeypot list *is* really a honeypot, and not some poor sucker's machine that's suddenly DDoSed by tons of spam because 500 Sugarplums are handing out his address to spammers. If you're going to automate this sort of thing, you should probably require at least confirmation-mail from postmaster@targetdomain.org or possibly a digital signature. One convenient method for coordinating it could be an IRC channel or similar IM server, though you could just use email.
An entertaining technique to use would be to have the bogus addresses all belong to domains that you control the MX records for, so you can use DNS to load-balance the spam among machines that have spare cycles for teergrubing (e.g. spammer asks for bogus1.bogusdomain.com, bogus2.widgets.org, bogus3.slashdot.org, etc.)
Too bad Napster's dead - most machines running Napster were clients that didn't run their own Port 25 SMTP services, so adding teergrube features to Napster clients wouldn't have interfered with real email, wouldn't have added much bandwidth because it doesn't actually accept messages very fast, and would have made the Napster folks anti-spamming heroes. Any other Peer-to-Peer services such as ICQ/Jabber/etc or for that matter IRC clients want to jump in?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But there are still entertaining things you can do that are within the bounds of propriety, legality, and sometimes even good taste.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What-if situation:
1) Spammer tries to relay
2)Host detects spammer
3)Host starts sending messages to all IPs in traceroute, asking to block that from:spammer+to:myself+port:25 combination
4)Spammer blocked
Is this THAT difficult to implement? A firewalling-on-demand? Maybe I'm missing the security issue here...
(if I'm just wasting a patent possibility, let me know)
If this is possible, wouldn't it save lots of bandwidth? Any thoughts?
--Drake 2c
Meanwhile, arranging payment is simply not hard. The most convenient payment mechanisms are credit cards and paypal, and sometimes you can get those providers to block payments to the spammer, but it's usually difficult to block *everything* - at best you can block the payments that *you* made to them. So they probably collect at least some money through their storefront check cashing / money laundering store in Taiwan, and *you* can't trace them easily.
The legislative problems that are easier to solve are the anti-hacking laws, which make it somewhat harder to track down spammers and much harder to stop them. While obviously you don't want some cracker to break into your machine, send themselves backdated spam claiming to be from you, and use that as their get-out-of-jail-free card, there may still be some middle ground that makes self-defense actions legal.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
My question, though, is how much information their customers get from my click-through. I assume that the long ugly URLs they generate encode the search terms, and maybe my IP address, and that their customers' web pages will use their favorite combinations of cookies, web bugs, and other images to find out more. But can they get my email address? If I'm checking out most sites that advertise there, I'm not too worried, but obviously clicking through to a spammer's web page has some inherent dangers. Should I be checking them out using the anonymizer, or is it ok to use my work network connection, which goes through a load-balancer-selected proxy server which probably looks a bit less like me?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
mailer1
mailer2
....etc. I stopped at looking at mailer10. Nice of them to show off their spamming efforts, I suppose. It'd be even nicer if their upstream provider would pay some damn attention to complaints.
Look at the Subject lines, don't run it in preview mode.
The harder problems are professional spammers, and spamware kit makers. Professionals do some level of measurement, and busting their numbers is important. If they think they've used up their supply of 42 million email addresses and 14000 open relays, great. If you're doing a fake open relay, you want them to think it's succeeding, so they keep using it instead of stopping, though that may not be very effective if they're doing good measurement (e.g. sending a mixture of test addresses along with spam victims.) But they're especially the ones you want to kill off, hunt down, and feed to wolves.
And then there are the spamware vendors. You want them to *think* their warez work, so they can be completely hosed without knowing it, but if you can get the spammers who buy their product to sue them for selling defective spamware, that'd be fun too :-)
Can you set up your honeypot to detect spamware versions, and post to Usenet alt.make.money.fast and freebie web pages about how terribly disappointed you are that Spambozo 3.2 didn't work for you and was eaten alive by anti-spammers and caused your PC to halt and catch fire, your girlfriend to leave you, and your dog to run away from home? (Surely you can find some way to promote that on a search engine?)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If you send it to someone like your congressman, YOU are spamming. If you do it often enough, I'm sure they will have a word or two with your ISP.
And your point is? If it were illegal, there would be a law against it. So SPAMming is perfectly legitimate to send to lawmakers. If it wasn't, it would be illegal, and I would not have to deal with it.
Subject: [ spam 7.43/10.00 -- pobox.com ] original subject
if it exceeds whatever threshold you set. They've gotten better - a large amount of my obvious spam gets marked 10.00/10.00, and I've seen so few false positives with that rating that I'm now discarding the 10's automatically. Lower ratings are sometimes wrong, especially for mail that someone's forwarded to a real mailing list I'm on, especially if the mailing list messages have a how-to-unsubscribe footer, but probably 95% of the stuff that's tagged as some kind of spam is spam, and the 10s are all spam.
Also, as an ISP, you usually know addresses at your site that aren't real users (but might be from spambait you've left around), and can safely discard any email messages matching those messages and those IP addresses.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
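A toy version of the weighted-rule scoring and subject tagging described in this comment and in the SpamAssassin comment above, added here as an example and not the code of either service: each rule carries a weight, the sum is capped at 10.00, the report lists the rules that fired, and the subject is rewritten in the [ spam N.NN/10.00 -- host ] form once the score reaches the tag threshold. The rules, weights, host name filter.example.net and the three sample messages are all constructed; the REMOVE_INSTRUCTIONS rule is deliberately weak because, as noted above, mailing-list footers trigger it too.

```python
"""Weighted-rule spam scoring with a per-message report and subject tag (constructed rules and mail)."""
import email
import re

TAG_HOST = "filter.example.net"   # hypothetical name stamped into the tag
TAG_AT = 5.0                       # tag the subject from this score upwards
DISCARD_AT = 10.0                  # scores are capped at 10.00

def _random_tail(subject):
    """Last subject token looks like a random tracking string: letters and digits mixed, 5+ chars."""
    parts = subject.split()
    tail = parts[-1] if parts else ""
    return len(tail) >= 5 and re.search(r"\d", tail) is not None and re.search(r"[a-z]", tail, re.I) is not None

# (name, weight, predicate over the parsed fields)
RULES = [
    ("SUBJ_RANDOM_TAIL", 2.5, lambda f: _random_tail(f["subject"])),
    ("UNDISCLOSED_RCPTS", 2.0, lambda f: "undisclosed" in f["to"].lower() or not f["to"]),
    ("HTML_ONLY", 2.0, lambda f: f["ctype"] == "text/html"),
    ("BODY_CLICK_HERE", 1.5, lambda f: "click here" in f["body"]),
    ("BODY_MONEY", 1.5, lambda f: re.search(r"money|cash|\$\d", f["body"]) is not None),
    ("BODY_FREE", 1.0, lambda f: re.search(r"\bfree\b", f["body"]) is not None),
    # Weak on purpose: legitimate list footers match it, the false-positive source noted above.
    ("REMOVE_INSTRUCTIONS", 1.0, lambda f: re.search(r"to be removed|unsubscribe", f["body"]) is not None),
]

def fields(raw):
    """Parse an RFC 822 message string into the few fields the rules look at."""
    msg = email.message_from_string(raw)
    return {"subject": msg.get("Subject", ""), "to": msg.get("To", ""),
            "ctype": msg.get_content_type(), "body": msg.get_payload().lower()}

def score_message(raw):
    """Return (score, disposition, possibly tagged subject, report lines)."""
    f = fields(raw)
    hits = [(name, w) for name, w, pred in RULES if pred(f)]
    score = min(DISCARD_AT, sum(w for _, w in hits))
    report = [f"{w:4.1f} {name}" for name, w in hits]
    if score >= DISCARD_AT:
        disposition = "discard"
    elif score >= TAG_AT:
        disposition = "tag"
    else:
        disposition = "deliver"
    subject = f["subject"]
    if score >= TAG_AT:
        subject = f"[ spam {score:.2f}/10.00 -- {TAG_HOST} ] {subject}"
    return score, disposition, subject, report

# Constructed sample messages: obvious spam, borderline spam, and a mailing-list post.
SPAM_MSG = """From: win@promo.example
To: undisclosed-recipients:;
Subject: FREE CASH NOW xk7q3z
Content-Type: text/html

<html><body>Click here to get your free money today!</body></html>
"""
BORDERLINE_MSG = """From: sales@somewhere.example
To: me@honeypot.example
Subject: Business Inquiry
Content-Type: text/plain

Click here for free samples. Make money fast. To be removed, reply with REMOVE.
"""
LIST_MSG = """From: list@lists.example.org
To: list@lists.example.org
Subject: [honeypot-list] Re: sendmail queue settings
Content-Type: text/plain

I set QueueLA=0 as suggested and it works.
--
To unsubscribe, send mail to list-request@lists.example.org
"""
```

The mailing-list post collects the one weak point and is delivered untouched; the borderline message lands exactly on the tag threshold and gets the score written into its subject, which is where a client-side filter then reads it; the obvious spam saturates at 10.00 and is discarded, mirroring the practice of auto-discarding only the saturated scores.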
You can implement it in software - set up mail filters so mail from bogus domains gets bounced. If you don't want to do it yourself (either to avoid the configuration and maintenance, or to get the spam tossed on your server instead of after downloading), find an ISP or email filtering/forwarding service that will. Pobox.com does a good job of spam-filtering, and a number of ISPs have various aggressive options, and then there are the spamcops and brightmails of the world that run services.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
# load average at which we just queue messages
O QueueLA=0
This can also be set in an mc file as:
define(`confQUEUE_LA', `0')dnl
(For RedHat users -- remember to delete the leading dnl if you start with the redhat.mc file).
One .mc configuration snippet that might be useful would be:
define(`confTO_QUEUEWARN', `4000h')dnl
define(`confTO_QUEUERETURN', `5000d')dnl
define(`confQUEUE_LA', `0')dnl
define(`SMART_HOST', `nohost.nosuch.domain')dnl
define(`QUEUE_DIR',`/var/spool/devnull')dnl
define(`confDAEMON_OPTIONS',`addr=external.interface.ip')dnl
This'll mean that you won't be generating (useless) non-delivery messages for email (spam) less than 10 years old, and any attempt to forward queued spam with an ETRN will fail. It also puts this outgoing mail in a segregated queue directory.
for the last define line, 'external.interface.ip' should be replaced with the IP address of the interface where you'll be running the honeypot.
If you put this into a new mc file (say honeypot.mc), and use it to build honeypot.cf, then you can run a spare sendmail that only accepts network connections... (and trashes them)
This does, however, run into one really nasty bug in the sendmail config... The sendmail.pid filename is hardwired into sendmail... (that's why I use the path /usr/honeypot/sendmail).
You have to recompile (or patch) the sendmail binary so that it doesn't use /var/run/sendmail.pid).
According to the sendmail book, this is done with
ENVDEF = -D_PATH_SENDMAILPID=\"/var/spool/honeymail.pid\" in the makefile.
(guh!)
(( You can, of course, always do a hot patch to the binary ))
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
How about a "test" for actually receiving funds in said account or method for any spam?
If you haven't received any spam funds, it shouldn't be too hard to prove, and thus would exempt you from the judgement.
There are some difficulties, but I do think, that in most cases, the link from spam to advertising to actual revenue should be fairly easy to prove or disprove.
Let's try this on for size...
Take your example from above. I get sued. I provide documentation showing the court (not the plaintiff) that revenue in my account is from other transactions unrelated to spam. (This keeps my privacy intact, as the hostile plaintiff doesn't get this material) The plaintiff then has to go another step to prove I'm the spammer. They would be left to subpoena the Korean relay.
Could this work? How about some refinement... It does presume some level of guilt until proven innocent, but this is civil not criminal, so that could work at least in a constitutional sense.
Someone with more knowledge of banking laws could tell you more, but I believe that most companies operating here in the US - i.e. doing business probably have a bank account here to bring funds into, then the funds are swept to the home country account... No?
Cheers!
Some of the programs encode the IP address of the harvester in the bogus addresses, which is nice for tracking down the real culprits as opposed to just blocking some open relay in Korea.
I do like this idea. From this it would be possible to build up a list of IP addresses of known email harvesters - which could then potentially be blocked, or shut-down.
Is running an email harvester on an ISP dial-up connection a breach of terms and conditions, or legit?
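Encoding the harvester's address into the bait can be done in a way that also lets the honeypot verify, when spam later arrives at a trap address, that the address is one it really handed out rather than one somebody made up to blame an innocent IP. The following added example (not any particular spider-trap program's code) packs the requesting IPv4 address and the day it was seen into the local part with a short HMAC tag, and decodes it back at the honeypot; the key, the domain trap.example.net and the sample IP are placeholders.

```python
"""Spamtrap addresses that encode and authenticate the harvester's IP and the day it was seen."""
import base64
import datetime
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"replace-with-a-random-key"   # constructed placeholder; a deployment generates its own
TRAP_DOMAIN = "trap.example.net"         # hypothetical domain whose MX points at the honeypot
EPOCH = datetime.date(2000, 1, 1)        # day counts are relative to this date (fits 16 bits)

def make_trap_address(harvester_ip, seen_on, secret=SECRET):
    """4 bytes of IPv4 + 2 bytes of day count + 4-byte HMAC tag, base32-encoded as the local part."""
    payload = ipaddress.IPv4Address(harvester_ip).packed + struct.pack(">H", (seen_on - EPOCH).days)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()[:4]
    local = base64.b32encode(payload + tag).decode("ascii").lower()   # 10 bytes -> 16 chars, no padding
    return f"{local}@{TRAP_DOMAIN}"

def decode_trap_address(address, secret=SECRET):
    """Return (harvester_ip, date) for a genuine trap address, or None for anything else."""
    local, _, domain = address.partition("@")
    if domain.lower() != TRAP_DOMAIN:
        return None
    try:
        data = base64.b32decode(local.upper())
    except ValueError:            # binascii.Error is a ValueError: bad alphabet or length
        return None
    if len(data) != 10:
        return None
    payload, tag = data[:6], data[6:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(tag, expected):   # forged, mistyped or mangled address
        return None
    ip = str(ipaddress.IPv4Address(payload[:4]))
    days = struct.unpack(">H", payload[4:6])[0]
    return ip, EPOCH + datetime.timedelta(days=days)
```

The web server handing out bait calls make_trap_address with the requesting IP; the honeypot's RCPT handler calls decode_trap_address and only counts a hit when it returns a value, so a harvester can be tied to the exact page fetch that leaked the address while anyone feeding the trap fabricated addresses gets nothing attributed.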
Beyond closing open relays (and not running ludicrously vulnerable daemons like sendmail to begin with), here is my solution: allow people to have, say, 100 recipients for any given email and charge a penny or so for each recipient above the 100. If you have a legitimate reason to email thousands of people at a time (as some very popular mailing-list administrators do), then there should be a way for you to get some type of certification with your provider. Otherwise, make these spammers pay a penny for each recipient over a hundred. At a dollar for every hundred recipients, I guarantee you the money will add up and many spammers will modify their tactics.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
Email Address Harvesters used to develop spam lists are almost always violations of acceptable use policies at good ISPs. And web spiders that ignore robots.txt prohibitions are also violations of many ISPs' AUPs. You probably could run a web spider on a dialup connection, but it'd be pretty slow - they have to suck down a lot of data to find what they're looking for, unless they can abuse popular search engines to look for addresses (e.g. use Google to look for @, if it'll do that, or dredge the whois registries to find all the names in .com and then use Google to look for name1.com, name2.com, etc.) The web is really pretty big, and even the text parts are almost certainly growing at faster than 56kbps.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It's probably more effective to use a credit card that's good at refunding complaining customers' money - if the merchant gets hit with a large number of complaints and demands for money back (either "I bought this plan to Make Money Fast and it's just tools for illegal spamming, I want a refund" or "Oops, I mistyped things into his ugly web page again, please refund my $0.99 and I'll pay him the $99.00 for the product later") multiplied by a few thousand could increase the spammer's costs and maybe get you a better trace on where he lives - but non-US banks are much less likely to give you a refund on credit card transactions for things like this.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks