Slashdot Mirror
Fighting Spam on the Home Front
Saint Aardvark writes: "Something interesting from the SecurityFocus Honeypot mailing list: a couple of honeypots for spammers. This message has a link to a how-to page for setting up a Sendmail honeypot to trap spammers, and the status page for a honeypot in Moscow that's trapped spam meant for >1.7 million recipients. The author mentions using a honeypot in conjunction with the Distributed Checksum Clearinghouse -- this seems like a great way identify both spammers and their messages."
And C-Moan writes: "Wireless spam volume is likely to increase in the coming years. But smart use of spam-fighting measures can go a long way toward eliminating the problem. This article provides info about the latest crop of e-mail filters and enhanced mail client options, as well as two roll-your-own programming platforms that could help keep your in-boxes spam free."
uce@ftc.gov is for this purpose.
UCE = Unsolicited Commercial E-Mail FTC = Federal Trade Commission
If you send it to someone like your congressman, YOU are spamming. If you do it often enough, I'm sure they will have a word or two with your ISP.
If someone sends you a letter filled with anthrax, forwarding it to the president will not make things better...
A monkey is doing the real work for me.
On another front, the FTC set up a special electronic mailbox reserved for UCE in order to assess, first hand, emerging trends and developments in UCE. With the assistance of Internet service providers, privacy advocates, and other law enforcers, staff publicized the Commission's UCE mailbox, "uce@ftc.gov," and invited consumers to forward their UCE to it. The UCE mailbox has received more than 2,010,000 forwarded messages to date, including 3,000 to 4,000 new pieces of UCE every day. Staff enters each UCE message into the database; UCE received and entered in the database within the preceding 6 months is searchable. Periodically, staff analyzes the data, identifies trends, and uses its findings to target law enforcement and consumer and business education efforts.
You are probably refering to Sugarplum or Wpoison.
They perform two very different purposes: the poisoning scripts mentioned above are designed to fool the robots that harvest e-mail addresses. They slow down the spammers and introduce many invalid addresses in their list, but they cannot completely prevent the spammers from collecting e-mail addresses.
The fake open relays mentioned in the article are designed to stop the spammers from sending their spam. The spammers think that they have found a nice open SMTP relay and they dump all their spam to it, but in the end nothing is sent to the intended recipients.
You could of course run both on the same machine, but this is probably not a good idea because the goals of these spam traps is to convince the spammers that they have found a "live one". If there is anything that looks strange on the target site (such as a warning generated by their harvesting robot), it is likely that they would consider this to be a suspicious site and they would not try to use it to relay their spam.
-Raphaël
I posted an article that deals with stopping spambots with common apache tools last week in the apache section of slashdot. hopefully some can find use of it here as well :)
here's the link directly to the article as well:
Stopping Spambots II - The Admin Strikes Back
I got one spam that had code to cause a banner advertising hit for the spammer. I notified the banner ad company. I suspect the spammer was unhappy about the result.
One line blog. I hear that they're called Twitters now.
It uses a weighted score that derives it's values from a variety of sources including Razor and various Black Hole Lists.
The type of heuristics are along the lines of:
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (12.24 hits, 5 required)
SPAM: Hit! (1 point) From: contains numbers mixed in with letters
SPAM: Hit! (1.2 points) From: does not include a real name
SPAM: Hit! (1 point) 'Message-Id' was added by a relay (2)
SPAM: Hit! (1 point) Subject contains lots of white space
SPAM: Hit! (1 point) BODY: List removal information
SPAM: Hit! (1.56 points) Contains phrases frequently found in spam
SPAM: [score: 26, hits: accept credit, credit cards,]
SPAM: [fill out, for your, more information, our]
SPAM: [company, phone number, receive further, remove]
SPAM: [the, reply this, subject line, thank you, the]
SPAM: [subject, this email, wish receive, word remove,]
SPAM: [you for, you like, you wish, your]
SPAM: [email]
SPAM: Hit! (1 point) spam-phrase score is over 20
SPAM: Hit! (1 point) Received via a relay in inputs.orbz.org
SPAM: [RBL check: found 14.54.162.63.inputs.orbz.org.]
SPAM: Hit! (2 points) Received via a relay in relays.osirusoft.com
SPAM: [RBL check: found 6.223.155.212.relays.osirusoft.com., type: 127.0.0.9]
SPAM: Hit! (1.48 points) Subject contains a unique ID number
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------
O'Reilly. The one word you need. The "Bat Book", which is their sendmail tome, helped me daily when I ran sendmail.
I now run postfix (or qmail, when I need EZMLM for mailing lists), and am eagerly awaiting their Postfix book.
Check out Rokso. This site maintains a database of well known spammers, as well as spam samples, MO's, partners in spam and, yes, personal info for many of the spammers.
Try going to SPEWS and searching on the IP addresses of any SMTP relays used in the mail. If you find a hit, view the evidence file. It will usually contain information about the sender of the spam, their ISP, and related domains.
Subscribe to news.admin.net-abuse.email via your news provider of choice, or search the archives at groups.google.com. If you type in some particulars about the spam - for example the domain being advertised, or maybe the email address listed on the whois for that domain - Google will usually bring up some pertinent matches from NANAE. When it's a new spam run, or a new spammer, remember that Google's archive is usually at least 12 hours behind.
If you don't find anything, or even if you do find something and you're in a sharing mood, post the spam you get to news.admin.net-abuse.sightings and if you've done any research into the spammer, include it at the top of your post.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Am I missing something?
Yes. The DCC page states that they use a 'fuzzy' checksumming algorithm that doesn't just checksum the whole message, and that the algorithm is evolving as spam evolves.
You can usually make the top 10 spammers on this list pay between $1 and $10 by clicking their link.
Well, a comment from your "Operator in Moscow" who is actually runs this system (h0n5yp0t url above). No, my system is well-running. It's i486DX4/100 machine (go to www.corpit.ru). I can control it to the level I need. But what I want this machine to be protected from is -- from being /.'ed... ;) I noticied that machine load average increased to about 8..9 and noticied huge amount of hits in my apache logs. I was unaware of this /. posting. Well, machine handled (and handles) this load pretty good.
We had previously tried a number of anti-spam solutions, including combinations of RBL, ORBS, locally-maintained blacklists and lots of Sendmail hacks.
We had very little luck until November, when we implemented Spam Assassin on all of our mailboxes. After turning on Spam Assassin, the SPAM seemed to just go away. In the first day alone, we caught over 300 pieces of SPAM with ZERO false-positives with less than 10 pieces of junk making it through to the end user's mailbox. The program is, simply put, amazing.
It's multi-faceted approach works very well. It uses a combination of simple logical string checking, in addition to things like distributed databases like RBL and Razor.
The program can also place SPAM's in a dedicated mailbox file so you can see what got rejected. Each piece of rejected mail contains a report that includes the reasons that contributed to the rejection. Each reason has a weighted value that contributes to the final "good" or "bad" disposition. All of this is highly customizeable, but it does work very well out of the box without any tinkering.
I highly recommend this program. Take the time to sit down and install it on your mail server.