Slashdot Mirror


Fighting Spam on the Home Front

Saint Aardvark writes: "Something interesting from the SecurityFocus Honeypot mailing list: a couple of honeypots for spammers. This message has a link to a how-to page for setting up a Sendmail honeypot to trap spammers, and the status page for a honeypot in Moscow that's trapped spam meant for >1.7 million recipients. The author mentions using a honeypot in conjunction with the Distributed Checksum Clearinghouse -- this seems like a great way identify both spammers and their messages."

And C-Moan writes: "Wireless spam volume is likely to increase in the coming years. But smart use of spam-fighting measures can go a long way toward eliminating the problem. This article provides info about the latest crop of e-mail filters and enhanced mail client options, as well as two roll-your-own programming platforms that could help keep your in-boxes spam free."

30 of 300 comments

  1. If you don't drop the TCP SYN, you're dead. by Anonymous Coward · · Score: 5, Interesting

    I run a fourth level .ca domain. It gets so much spam that the only solution for me was to put in firewall rules. TCP port 25 is open for my 5 friends, and a few mailing lists. For everyone else, it's closed.

    I've got a longer rant on my web page, but I won't post it here, as the machine will die.

    Suffice it to say that I can't afford 500k+ spams a day. The SMTP 'HELO', 'MAIL FROM', and 'RCPT TO' traffic for spam was getting to a gigabyte of traffic every few days.

    rbl doesn't work. The spammers that hit me aren't listed on it. 'teergrube' doesn't work. I can't afford the bandwidth or the CPU time to maintain millions of open connections.

    When you get spam, if you do ANYTHING other than drop the TCP SYN packet, you've lost.

  2. spider traps by Alien54 · · Score: 4, Interesting
    I recall a number of scripts meant to trap spidering harvesters by generating endless pages of bogus content, with bogus addresses.

    I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:spider traps by po_boy · · Score: 3, Interesting
      I just wrote a mod_perl apache module to implement a similar honeypot idea. The primary difference is, though, that if a spider requests a page from the honeypot, the webserver realizes that it's a malicious spider. After that the webserver refuses to serve any pages at all to that client for some time.

      It's supposed to cut down on email harvesting bots and others that ignore the /robots.txt file.
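The ban-after-trap behaviour po_boy describes, written out as an added Python example (this is not po_boy's mod_perl module; the trap path, ban length and client addresses are this example's own, constructed choices). The trap page is listed as Disallowed in robots.txt, so a polite crawler never requests it; a client that does is refused everything until its ban lapses:

```python
import time
from typing import Dict, Tuple

# Hypothetical values: the trap path and ban length are this example's own choices.
TRAP_PATH = "/trap/contacts.html"
BAN_SECONDS = 3600


class SpiderTrap:
    """Flag any client that fetches the trap page and refuse it for a while.

    The trap page is advertised only through robots.txt as Disallowed, so a
    well-behaved crawler never asks for it; harvesters that ignore robots.txt do.
    """

    def __init__(self, trap_path: str = TRAP_PATH, ban_seconds: int = BAN_SECONDS):
        self.trap_path = trap_path
        self.ban_seconds = ban_seconds
        self.banned: Dict[str, float] = {}   # client address -> ban expiry (epoch seconds)
        self.hits: Dict[str, int] = {}       # client address -> number of trap fetches

    def robots_txt(self) -> str:
        """The robots.txt body that tells polite crawlers to stay away from the trap."""
        return f"User-agent: *\nDisallow: {self.trap_path}\n"

    def is_banned(self, client: str, now: float) -> bool:
        expiry = self.banned.get(client)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[client]          # ban has lapsed, forget the client
            return False
        return True

    def handle(self, client: str, path: str, now: float = None) -> Tuple[int, str]:
        """Decide one request: returns (HTTP status, body). `now` is injectable for tests."""
        if now is None:
            now = time.time()
        if self.is_banned(client, now):
            return 403, "Forbidden"
        if path == "/robots.txt":
            return 200, self.robots_txt()
        if path == self.trap_path:
            # Harvester caught: record the hit and start the ban clock
            self.hits[client] = self.hits.get(client, 0) + 1
            self.banned[client] = now + self.ban_seconds
            return 403, "Forbidden"
        return 200, f"normal content for {path}"


if __name__ == "__main__":
    trap = SpiderTrap()
    for path in ("/robots.txt", "/index.html", TRAP_PATH, "/index.html"):
        print(path, trap.handle("198.51.100.7", path))   # constructed client address
```

Keying the ban on the client address has the same weakness po_boy's module would have: a harvester behind a shared proxy takes everyone behind that proxy down with it, so the ban is deliberately temporary.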

  3. Delays with the sendmail-bd by greyguppy · · Score: 4, Interesting

    I like the idea with sendmail -bd, not delivering any mail, but surely spammers will simply assume that an "open" relay that takes 2 days to deliver their test message is being moderated as such by somebody running a honeypot. Unless you can identify, and forward spam tests as quickly as if the mailserver was running properly, then the spammers will soon catch on.

    1. Re:Delays with the sendmail-bd by Raphael · · Score: 3, Interesting

      I do not think that many spammers pay attention to the delivery time for their test messages, because they usually send dozens or hundreds of probes at the same time. As long as the message is delivered (by hand) within a couple of hours, that should be sufficient.

      But they will probably pay attention to this trick sooner or later. So we need a more sophisticated script than this simple "sendmail -bd". Maybe some kind of "limited open relay": a program that always delivers the first message received from any IP address, but delays (or drops) all the other ones coming from the same address. There could be a configurable threshold allowing more than one message per IP, in order to fool the spammers who would try to send two test messages.

      Such a machine could be used as an open relay, but with limited consequences. As long as the administrator of the machine keeps the logs of all incoming IP addresses (with timestamps and as many details as possible), the messages that go through it will not do much damage.

      --
      -Raphaël
    2. Re:Delays with the sendmail-bd by cornjones · · Score: 2, Interesting

      there was a school of thought on this that would increasingly delay the time between each message sent. first message goes right out. next takes 2 seconds, 4 seconds, 8, etc we all know how doubling works. simple but effective if I am sending a message to 4 or 5 people there is no noticeable delay. if I am sending to 50 people it will take a couple hours. any more than that you are probably spamming. in a real implementation you would probably come up w/ a more elegant scheme than doubling. B)

      as w/ any spam ruleset there are exceptions. there should be a conf file for allowed mail senders such as if you are running a mailing list or the such.

      it should be trivial to write something like this into a milter or to just put a wrapper in front of your port 25.
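Raphael's "limited open relay" (deliver the first message or two from each address, delay or drop the rest, log everything) and cornjones' doubling delay are the same policy with different parameters. Here is an added Python example of that policy; it is neither poster's code, and the threshold, backoff step, drop cutoff and addresses are constructed assumptions. The decision function is what a milter or port-25 wrapper would call per message:

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SourceState:
    attempts: int = 0        # messages seen from this source so far
    last_seen: float = 0.0   # time of the latest attempt


@dataclass
class RelayPolicy:
    # Hypothetical parameters: how many messages per source go straight through
    # (Raphael's "configurable threshold"), the first backoff step (cornjones'
    # 2, 4, 8 ... seconds), and the delay beyond which we drop instead of waiting.
    free_messages: int = 2
    base_delay: float = 2.0
    max_delay: float = 3600.0
    allowlist: Set[str] = field(default_factory=set)      # mailing-list hosts etc.
    states: Dict[str, SourceState] = field(default_factory=dict)
    # (time, source, action, delay) for every attempt: the log is the point of the exercise
    log: List[Tuple[float, str, str, float]] = field(default_factory=list)

    def decide(self, source: str, now: float = None) -> Tuple[str, float]:
        """Return (action, delay_seconds) for the next message from `source`."""
        if now is None:
            now = time.time()
        if source in self.allowlist:
            self.log.append((now, source, "deliver", 0.0))
            return "deliver", 0.0
        st = self.states.setdefault(source, SourceState())
        n = st.attempts
        if n < self.free_messages:
            action, delay = "deliver", 0.0
        else:
            delay = self.base_delay * 2 ** (n - self.free_messages)   # doubling backoff
            action = "delay" if delay <= self.max_delay else "drop"
        st.attempts += 1
        st.last_seen = now
        self.log.append((now, source, action, delay))
        return action, delay

    def total_delay(self, source: str) -> float:
        """Seconds a source has been made to wait so far (only 'delay' actions count)."""
        return sum(d for _, s, a, d in self.log if s == source and a == "delay")


if __name__ == "__main__":
    policy = RelayPolicy(allowlist={"192.0.2.10"})          # constructed addresses
    for i in range(15):
        print(i, policy.decide("203.0.113.5", now=float(i)))
    print("allowlisted:", policy.decide("192.0.2.10", now=15.0))
```

With these parameters a source that sends two probes sees no delay at all, the tenth message waits about half an hour, and everything after the thirteenth is dropped; the cumulative wait is what makes bulk sending through the box impractical while the log still records every address that tried.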

  4. vipul's razor!!!1` by notsoanonymouscoward · · Score: 5, Interesting

    This sounds a lot like vipul's razor, a fellow checksumming spam catcher. In addition to being free and open source, I think vipul's has been around longer than these other guys. They also use honeypots to catch lots of spam, but I believe not so much in the relay dept.

    --
    I ate my sig.
  5. Spam only has a political/legislative solution by GSloop · · Score: 5, Interesting

    I've come to the realization that the solution to spam is political/legislative.

    I use SpamAssassin and it blocks virtually all spam, but that doesn't really solve the problem. Most users can't use spam assassin, or other good spam blocking system. Spamcop is good too, but that's now $3/month. Why should I be forced to pay to haul the spam, and $3/month not to see it?

    The solution as I see it is this. We need legislation that allows for damages from the beneficiary of the spam. Almost all of the spam I get comes from SMTP servers in China and Eastern Europe. Good luck getting these people shut down. Or, it comes from an open relay. Again, it's useless to attack the unwitting/stupid party, although it might have some effect here. But the spam beneficiary almost certainly has a bank account in your country, or some bank funds transfer mechanism. If they want to do lots of business with the US or other countries, there's going to be some financial presence there. So, we now have money...just tap into that money, by making the beneficiary of spam a civil tort, and spam just gets more expensive to promote.

    When the demand for spam drops, because it's too expensive, then the demand for the out of country spam services drops, and eventually, most spam stops.

    There would need to be some way to keep companies from being "set-up" as spam beneficiaries, but I think that shouldn't be too hard of a problem to solve. (Who's going to pay a spammer to "set-up" someone else, when the risk could be quite high if you get caught?)

    Anyway, I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators. I don't know that they care, but I can pretty much guarantee they're going to get sick of getting such sicko stuff in the mail. Perhaps they'll actually do something. I've even pondered sending it all to every congressman and every senator, but that's a bit costly!

    Well, do your damage...

    Cheers!

  6. more documentation by Anonymous Coward · · Score: 3, Interesting

    I've just rented a dedicated server running freebsd, and I get messages of relay denied daily, now I need to accept relay for my users... so I've been reading about pop before smtp, that's a good solution, since I am not used to sendmail, it has been very difficult to configure it for me...I think we need a document to configure sendmail "for dummies"...all the documentation I've found is not so easy to understand.

    1. Re:more documentation by ncc74656 · · Score: 3, Interesting
      I've just rented a dedicated server running freebsd, and I get messages of relay denied daily, now I need to accept relay for my users... so I've been reading about pop before smtp, that's a good solution, since I am not used to sendmail, it has been very difficult to configure it for me...

      I've handled local relaying by just adding IP addresses and/or address blocks to the server config. It works as long as nobody has a dynamic IP address...since the addresses that are let through are all private-subnet addresses (people behind the firewall), this isn't a problem. Their mail gets out, but spammers in search of an open relay are cut off.

      You might also want to look into qmail...it's much simpler to get going than sendmail, and IIRC no security holes have been found yet.

      Somebody linked to this article on using Apache to find the bots that swipe email addresses from websites. While you're waiting for the bots to respond to their suggested changes, you might also consider searching your logs for other attempts at sending mail through your system. Searching all the logged 404s on my server turned up 91 attempts at exploiting webmail systems. Some were the result of Nessus scans I had aimed at my server, but filtering those out left 36 confirmed attempts.

      Here are the user-agents that turned up:

      • EmailSiphon
      • Microsoft URL Control - 6.00.8862
      • Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)
      ...and here are the addresses of the spammers (get a load of the last one on the list):
      • 07-127.057.popsite.net
      • 209.85.24.157
      • 24-161-169-176.san.rr.com
      • 24.27.210.44.pinecastle-ubr-a.cfl.rr.com
      • 251.cleveland-05-10rs.oh.dial-access.att.net
      • 2cust165.tnt2.ladue.mo.da.uu.net
      • 63.116.175.28
      • 64-214-40-67.brv.frontiernet.net
      • ac85c77d.ipt.aol.com
      • ac894f07.ipt.aol.com
      • ac8b6f74.ipt.aol.com
      • acb5c2f6.ipt.aol.com
      • adsl-64-169-101-147.dsl.lsan03.pacbell.net
      • adsl-64-172-45-126.dsl.snfc21.pacbell.net
      • cm092.8.234.24.lvcm.com
      • ip68-0-166-201.tc.ph.cox.net
      • lsanca1-ar2-143-206.lsanca1.dsl.gtei.net
      • pool-151-201-153-163.phil.east.verizon.net
      • roc-204-210-146-77.rochester.rr.com
      • tide86.microsoft.com
      --
      20 January 2017: the End of an Error.
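ncc74656's log search (404s plus harvester user-agents, with your own scanner traffic filtered out) as an added Python example. This is not the poster's script; the log lines, addresses, paths and timestamps below are constructed, and the only user-agent strings reused are two from the list in the comment above. The scanner parses Apache's combined format, counts requests for missing pages per client, flags clients whose user-agent matches a known harvester, and lets you drop hosts you scanned from yourself:

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# User-agent fragments taken from the list in the comment above
HARVESTER_AGENTS = ("EmailSiphon", "Microsoft URL Control")

# Constructed sample log: every address, path and timestamp here is made up
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2002:10:00:01 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [10/Jan/2002:10:00:05 -0500] "GET /contact.html HTTP/1.0" 200 800 "-" "EmailSiphon"
198.51.100.7 - - [10/Jan/2002:10:00:06 -0500] "GET /staff.html HTTP/1.0" 200 900 "-" "EmailSiphon"
203.0.113.44 - - [10/Jan/2002:10:01:00 -0500] "GET /webmail/send.php HTTP/1.0" 404 210 "-" "Microsoft URL Control - 6.00.8862"
203.0.113.44 - - [10/Jan/2002:10:01:01 -0500] "GET /mail/sendmail.cgi HTTP/1.0" 404 210 "-" "Microsoft URL Control - 6.00.8862"
203.0.113.44 - - [10/Jan/2002:10:01:02 -0500] "POST /cgi-bin/mailform HTTP/1.0" 404 210 "-" "Microsoft URL Control - 6.00.8862"
203.0.113.44 - - [10/Jan/2002:10:01:03 -0500] "GET /webmail/ HTTP/1.0" 404 210 "-" "Microsoft URL Control - 6.00.8862"
10.0.0.5 - - [10/Jan/2002:11:00:00 -0500] "GET /cgi-bin/test HTTP/1.0" 404 210 "-" "Mozilla/4.0 (scanner)"
10.0.0.5 - - [10/Jan/2002:11:00:01 -0500] "GET /cgi-bin/foo HTTP/1.0" 404 210 "-" "Mozilla/4.0 (scanner)"
10.0.0.5 - - [10/Jan/2002:11:00:02 -0500] "GET /cgi-bin/bar HTTP/1.0" 404 210 "-" "Mozilla/4.0 (scanner)"
"""


def parse_line(line: str) -> Optional[dict]:
    """One combined-format line to a dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str, not_found_threshold: int = 3,
         ignore_hosts: Set[str] = frozenset()) -> Dict[str, List[str]]:
    """Return {host: [reasons]} for clients that look like harvesters or probers.

    ignore_hosts is for traffic you generated yourself (e.g. a vulnerability
    scanner aimed at your own server), which would otherwise show up as probing.
    """
    not_found: Counter = Counter()
    agents: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] in ignore_hosts:
            continue
        if rec["status"] == "404":
            not_found[rec["host"]] += 1
        if any(tag in rec["agent"] for tag in HARVESTER_AGENTS):
            agents[rec["host"]].add(rec["agent"])

    findings: Dict[str, List[str]] = {}
    for host in set(not_found) | set(agents):
        reasons = []
        if agents.get(host):
            reasons.append("harvester user-agent: " + ", ".join(sorted(agents[host])))
        if not_found[host] >= not_found_threshold:
            reasons.append(f"{not_found[host]} requests for missing pages")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(scan(SAMPLE_LOG, ignore_hosts={"10.0.0.5"}).items()):
        print(host, "->", "; ".join(reasons))
```

The threshold on 404s is the knob that separates a visitor following one stale link from a client walking a list of script paths; pick it from your own logs rather than from this constructed sample.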
  7. Wireless spam in Finland by Anonymous Coward · · Score: 5, Interesting
    Short-messaging (SMS) is enormously popular in Europe. Here in Finland, the porn spammers began to capitalise on the popularity by sending "call this number to get your cock sucked by beautiful ladies" kind of SMS spam to arbitrary listed numbers including underage kids' cellphones.

    This kind of spam exists no more. How? It was made illegal practically overnight and that shut the bastards down.

    The spam problem is a political problem. Until there is enough political will in your governments to crack down on the spammers HARD, the spam problem will be getting worse and worse.

    1. Re:Wireless spam in Finland by ackthpt · · Score: 2, Interesting
      Political will in the US Government? Surely you're mistaken. Oh, sure they all jumped up and said their piece after Sept. 11, and a bunch of them actually are behind campaign finance reform, but they only do this AFTER it's a problem. Well, spam's a problem, but they've let phone solicitors drive us to screen messages on answering machines (which I swore I never would do, but do now) and all this BS is some twisting of "Freedom of Speech".

      I'd like to see the House, Senate and Administration actually come up with some relief legislation on this and crack down hard. Pity, they won't do it, but they saddle us with DMCA.

      --

      A feeling of having made the same mistake before: Deja Foobar
  8. Throw SPAM to the tarpits! by weefle · · Score: 3, Interesting

    It would be really cool to take the relay blackhole list to an extreme, and enhance it with something like LaBrea. That way, instead of just immediately refusing to accept spam, freeing the spammer to move on to the next host on the list, a "tarpit" relay would bog the spammer down, maybe slowing their spamstream down to the point that they're sending only one message per hour. If we could get just a small percent of the SMTP servers on the 'net running such a tarpit, that would reduce the amount of spam that we all get. That is, until the spammers rewrite their software to give up on slow relays.

  9. Re:What am I missing? by Carmody · · Score: 2, Interesting

    Uh, spammers send out spam to get orders, sales etc.. If their mails don't get through, they sell less and get discouraged.

    You are misunderstanding me. I understand why it hurts spammers if their mail doesn't make it through to their destination. What I don't understand is why it is better to let them THINK it is getting through than it is to let them realize that it is not.

    --
    God is real unless declared integer
  10. ISPs... by Anonymous Coward · · Score: 1, Interesting

    looks like UUNet is at the top of the list... UUNet and prserv/IBM/AT&T are always at the top of my list when it comes to spam in my inbox...

    -switched

  11. make people pay for email! by supernova87a · · Score: 2, Interesting

    Perhaps this has been discussed before, but why not have ISPs levy a per-email-charge so that the real cost of sending these messages is reflected? It's not like it would take a quantum leap in billing technology.

    Let's make it $0.01 per email, which will cost near nothing to the average email user, but for the lousy spammer who sends out 10,000 emails, this will set him back $100.

    People will only change their behavior if it hits them right in the pocket, as soon as they carry out that unwanted behavior. Why should email be free for people to abuse?

  12. Move it up a level? by martyb · · Score: 3, Interesting

    Question: If this idea is viable, why don't ISPs implement it, too? For example, if AOL used this technique on a few of its dial-up (or cable) IP addresses, they could potentially make quite an impact. Further, they could apply this technique across each of their address blocks. They could also rotate through the address block the particular addresses which act as the honeypot.

    Now imagine that AT&T, Earthlink, MSN, and other ISPs implemented this, too, that should put a HUGE DENT in spamming.

    Granted, this would chew up bandwidth on their network, but delivering spam chews it up, too.

    Please, if there are mistakes in this, don't mod me down but instead point out what ISPs COULD DO to make this work. Thanks!

  13. Want to stop spam? by Anonymous Coward · · Score: 5, Interesting

    Get 1000 /.ers to setup a web page on a simple box they already have or on a free web server... in fact, setup hundreds of pages. Embed in the page every political email address you can find as well as a honeypot one you setup. Set the honeypot one up to forward to the political addresses as well (all of them).

    After senator what's his face gets spammed by 10000+ p04n addresses a day for weeks on end he might take notice.

  14. Anyone ever... by digitalsushi · · Score: 5, Interesting

    anyone ever responded to a spam pretending to be interested in the product? I get about a 20% turnaround on "serious inquiries". If I am using a real email address and look like a real customer, and they aren't even writing back to me... they must be spamming several times what they could "legitimately" handle.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  15. Client with a similar problem. by Anonymous Coward · · Score: 1, Interesting

    I have a client (in the porn biz) who has a similar problem.

    From aaa@hisdomain.net to zzzzz651@hisdomain.net, over 700,000 separate unique names that someone had put up for the harvesters to find/get. When I called the FTC about it, and talked to the anti-spam department, they had not heard about such activities.

    His windows NT box would crash, and if the mail was allowed to follow the normal 'accept the message, then try to bounce it', his little 'old T1 would be saturated. FreeBSD didn't crash, but had over 200 sendmail connections when it took over for NT, and now sees 35 connections at any one time.

    Sounds like someone has it out for you, and is willing to allow the spammers to create the DOS attack. If you are lucky, abandoning the domain that is getting the spam means your problem will go away.

  16. ISPs need to do more... by digitalsushi · · Score: 2, Interesting

    replying to this article as an isp with about 12k email accounts, I'd like to point out that the biggest thing holding an ISP back from implementing large global spam blocking routines is the fear of dropping more than zero legitimate emails. It's like that old legal thought, "better to let 10 guilty men go free than to jail 1 innocent man". If I blocked an email inviting someone's grampa to the family reunion and killed 500 pr0n spams, and found out about it, I'd feel miserable for days. (Not that such a ruleset would be that likely to trigger for both- if it did I'd prolly end up with a giant R branded to my forehead for "regex")

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    1. Re:ISPs need to do more... by CritterNYC · · Score: 3, Interesting

      What about the bounce message? When you use a good open relay blocking list (like ordb, my favorite), your mail server refuses to let the offending server send the message. The offending server reports back to the sender that the message did not go through. So, if Aunt Alice is sending out the message to Grandpa about the family reunion and receives a message back that the message couldn't be delivered... she'd just call him. The only really bad anti-spam technique is filtering that just discards messages. The sender doesn't know it wasn't delivered. With blacklists, the sender knows.

  17. Checksumming -- defeatable? by fm6 · · Score: 3, Interesting

    Checksumming strikes me as very easy to defeat. Just have the mailer append a random string to each message body. I've noticed most spam already does this with subject headers. Am I missing something?

    1. Re:Checksumming -- defeatable? by AnotherBlackHat · · Score: 3, Interesting
      Checksumming strikes me as very easy to defeat.


      It is.
      A rock will let you enter a locked car, but you still lock your car.
      A filter doesn't need to be 100% effective to be useful,
      and it's not likely that spammers will care until this kind of thing is guarding more than 50% of mailboxes.

      The random string is more likely a tag to find out who responded than an attempt to bypass filtering.

      -- Is a "no soliciting" sign spam?
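fm6's objection (a random string appended to each body defeats an exact checksum) and AnotherBlackHat's reply (the filter need not be perfect) both hold, and the usual way the checksumming services answer the first is to hash overlapping runs of words rather than the whole message. Here is an added Python example of that idea; it is not Vipul's Razor's or DCC's actual algorithm, and the spam and ham texts are constructed. An exact SHA-256 changes completely when a tag is appended, while the set of word-trigram hashes overlaps almost entirely, so a reported message still matches:

```python
import hashlib
import re
from typing import Dict, Optional, Set

# Constructed sample messages (not real spam)
SPAM = ("Make money fast from home! Our proven system lets you earn thousands every "
        "week with no experience. Call now, operators are standing by. This offer "
        "will not last, so act today.")
SPAM_TAGGED = SPAM + "\n\nxq7z9k2m"       # same spam with a per-recipient random tag appended
HAM = ("The Thursday meeting has moved to the small conference room. Please bring "
       "the quarterly report draft and the updated build notes.")


def naive_checksum(body: str) -> str:
    """Exact-match checksum: any appended random string changes it completely."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def shingles(body: str, k: int = 3) -> Set[str]:
    """Hashes of every run of k consecutive words, after crude normalisation
    (lower-case, punctuation stripped). A short appended tag only adds a few."""
    words = re.sub(r"[^a-z0-9\s]", " ", body.lower()).split()
    if len(words) < k:
        return {hashlib.sha1(" ".join(words).encode("utf-8")).hexdigest()[:16]}
    return {
        hashlib.sha1(" ".join(words[i:i + k]).encode("utf-8")).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the two shingle sets (1.0 = identical word runs)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


class Clearinghouse:
    """Toy stand-in for a shared spam database: keeps the shingle sets of reported spam
    and answers 'have we seen something close to this?' for new mail."""

    def __init__(self, threshold: float = 0.8):
        self.threshold = threshold
        self.known: Dict[str, Set[str]] = {}      # report id -> shingles

    def report(self, report_id: str, body: str) -> None:
        self.known[report_id] = shingles(body)

    def match(self, body: str) -> Optional[str]:
        """Id of the best-matching reported spam at or above threshold, else None."""
        s = shingles(body)
        best_id, best = None, 0.0
        for rid, known in self.known.items():
            score = len(s & known) / len(s | known)
            if score > best:
                best_id, best = rid, score
        return best_id if best >= self.threshold else None


if __name__ == "__main__":
    print("exact checksums differ:", naive_checksum(SPAM) != naive_checksum(SPAM_TAGGED))
    print("shingle similarity spam/tagged:", round(similarity(SPAM, SPAM_TAGGED), 3))
    print("shingle similarity spam/ham:   ", similarity(SPAM, HAM))
    ch = Clearinghouse()
    ch.report("report-1", SPAM)                     # constructed report id
    print("tagged copy matches:", ch.match(SPAM_TAGGED), "| ham matches:", ch.match(HAM))
```

A spammer can still push the similarity under the threshold by rewriting a large share of the text per copy, but that costs more than appending a tag, which is the point of AnotherBlackHat's reply: the filter raises the price, it does not need to win outright.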
  18. Not Quite So Easy. by BadlandZ · · Score: 3, Interesting
    I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators.

    How's that going to help if the porn sites are in China? Passing a law won't change it, your Congressman and Senator would have to be willing to support some kind of "punishment" in the form of economic sanctions or something on the country as a whole.... If that... It's not going to happen, not by just passing a law.

    If it were to be stopped by law, it would have to be an INTERNATIONAL law (funny how electrons in cables don't know to carry a passport and stop to check in with the Customs Officer when they cross a border).

    And, EVERY country would have to support the law. Or else the spaming operations would just move to a country that allows it. Good luck getting every country in the world to agree to an international policy just to keep spam out of your inbox.

    Sorry to rant, but it gets on my nerves when ANYONE thinks the USA has some right to make any Internet regulation at all.... because, they are trying to control something that extends way beyond the countrys borders.

  19. Re:Web Applications that Require Confirmation by J'raxis · · Score: 2, Interesting

    A better trick: You should create multiple aliases that all point to that account, and use one alias for each transaction. Then you can track down who is doing the spamming.

    spam-real@you.com
    spam-ebay@you.com
    spam-amazon@you.com
    spam-nytimes@you.com
    &c.

    If, for example, spam-amazon@you.com starts getting spammed two days after you created it, and you only gave this address when you signed up for Amazon, guess who sold or was sloppy with your address?

  20. You'd be surprised what they get up to... by grundie · · Score: 2, Interesting

    While I was doing my CS degree I spent my placement year at a small data mining software company. Once we got a request from a marketing company based in Estonia asking if we could clean some 'addresses', as their customers had a tendency to deliberately mis-spell their addresses. We found their attempts to hide the company background and extent of their business odd, especially the ordinary ISP email address (not their own domain), but never thought any more about it. We asked them for a sample data set of these 'addresses' so we knew what we were dealing with; initially they did not want to hand them over, but after a while we said if you don't show us the data we are unable to tender for the work. What arrived was a text file containing email addresses along the lines of:
    someone@REMOVETHISdomain.com
    me@SPAMOFFhost.com
    NOSPAMme@isp.net etc.

    Suffice to say we did not tender for the work. What worried me was the fact that they were willing to pay good money (around 5,000 sterling) to extract maybe 250,000 email addresses; this goes to show there must be a good incentive to do all this spamming.

  21. Re:It's for the Children! by Ldir · · Score: 3, Interesting
    I actually had this happen to my 11-year-old. When I first tried to set up an @home account for him, his name (first.last) was already in use so I used another variant. With the disintegration of @home, their customers are moving to new ISPs. In the process, we discovered that my son's name had become available, both at @home and at our new ISP.

    We switched his account to the first.last format, and he immediately started receiving lots of spam - including porn - meant for the previous user. My wife was horrified, and wouldn't let him check e-mail until she screened it first. Once we moved entirely off of @home, the problem went away ... for now.

  22. Re:Careful - violate USPS regulations? by GSloop · · Score: 3, Interesting

    Does anyone know the regulations regarding sending pornographic materials via the US Postal Service?

    Yes, I'd like to know...

    But, I think it would be very NEWSWORTHY for me to get "prosecuted" for sending porn in the mail to my representatives, when government refuses to do anything against the spammer and the beneficiary of the spam for sending it to me in the first place.

    Plus, I think they would have a difficult time making it stick, as it would be the most protected speech. Speech to a representative for political discourse... (Or am I full of it?)

    I would really hate the time spent fighting it, and the expense, but I could really raise the roof if I was able to get it in the press.

    This is rather a cool idea. I might just "push the envelope" to see what a stink I can raise!

    Any suggestions?

    Cheers!

  23. Spam filtering -- dictionary based effort? by swb · · Score: 3, Interesting

    I'm far from a sophisticated programmer, but I can bang out the odd script in Perl and I use procmail.

    I've been actually collecting Spam for an idea that I have -- Spam can be identified by the subject matter based upon the vocabulary. This weekend I hacked out a script that goes through a spam mbox and builds an index of words and two-word phrases.

    I ran it against my main inbox and it generated an entirely different vocabulary than the one generated by my spam mailbox. This leads me to believe that a new mail message could be judged by subject alone to see if it contained a lot of spam vocabulary, and if it did its words could get added to the dictionary.

    The virtue of this is that it's self-learning -- the more you get, the better it gets at finding them since the spam vocabulary gets even better defined.

    Of course, I haven't worked out the scheme for matching new mail against the dictionary yet (either in a logical sense or an implementation sense), so it may prove much harder than it seems -- but the fact that Spam is spottable in the subject by me just reading it vs normal mail shows me that the vocabulary is significant.