Fighting Spam on the Home Front
Saint Aardvark writes: "Something interesting from the SecurityFocus Honeypot mailing list: a couple of honeypots for spammers. This message has a link to a how-to page for setting up a Sendmail honeypot to trap spammers, and the status page for a honeypot in Moscow that's trapped spam meant for >1.7 million recipients. The author mentions using a honeypot in conjunction with the Distributed Checksum Clearinghouse -- this seems like a great way to identify both spammers and their messages."
And C-Moan writes: "Wireless spam volume is likely to increase in the coming years. But smart use of spam-fighting measures can go a long way toward eliminating the problem. This article provides info about the latest crop of e-mail filters and enhanced mail client options, as well as two roll-your-own programming platforms that could help keep your in-boxes spam free."
I run a fourth-level .ca domain. It gets so much spam that the only solution for me was to put in firewall rules. TCP port 25 is open for my 5 friends, and a few mailing lists. For everyone else, it's closed.
I've got a longer rant on my web page, but I won't post it here, as the machine will die.
Suffice it to say that I can't afford 500k+ spams a day. The SMTP 'HELO', 'MAIL FROM', and 'RCPT TO' traffic for spam was getting to a gigabyte of traffic every few days.
RBL doesn't work. The spammers that hit me aren't listed on it. 'teergrube' doesn't work. I can't afford the bandwidth or the CPU time to maintain millions of open connections.
When you get spam, if you do ANYTHING other than drop the TCP SYN packet, you've lost.
I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.
"It is a greater offense to steal men's labor, than their clothes"
I like the idea with sendmail -bd, not delivering any mail, but surely spammers will simply assume that an "open" relay that takes 2 days to deliver their test message is being moderated as such by somebody running a honeypot. Unless you can identify, and forward spam tests as quickly as if the mailserver was running properly, then the spammers will soon catch on.
I read the article, and it seems to be based on this.
(1) Spammer sends bunch of stuff to someone who is throwing it away, unread
(2) ? ? ?
(3) Spammer is discouraged from sending spam
In other words, I understand that that spammer THINKS his spam is reaching endusers, when, in actuality, it is not. But I don't understand how that discourages or harms the spammer in any way.
God is real unless declared integer
This sounds a lot like Vipul's Razor, a fellow checksumming spam catcher. In addition to being free and open source, I think Vipul's has been around longer than these other guys. They also use honeypots to catch lots of spam, but I believe not so much in the relay dept.
I ate my sig.
I've come to the realization that the solution to spam is political/legislative.
I use SpamAssassin and it blocks virtually all spam, but that doesn't really solve the problem. Most users can't use SpamAssassin, or other good spam blocking systems. SpamCop is good too, but that's now $3/month. Why should I be forced to pay to haul the spam, and $3/month not to see it?
The solution as I see it is this. We need legislation that allows for damages from the beneficiary of the spam. Almost all of the spam I get comes from SMTP servers in China and Eastern Europe. Good luck getting these people shut down. Or, it comes from an open relay. Again, it's useless to attack the unwitting/stupid party, although it might have some effect here. But the spam beneficiary almost certainly has a bank account in your country, or some bank funds transfer mechanism. If they want to do lots of business with the US or other countries, there's going to be some financial presence there. So, we now have money... just tap into that money, by making benefiting from spam a civil tort, and spam just gets more expensive to promote.
When the demand for spam drops, because it's too expensive, then the demand for the out of country spam services drops, and eventually, most spam stops.
There would need to be some way to keep companies from being "set-up" as spam beneficiaries, but I think that shouldn't be too hard of a problem to solve. (Who's going to pay a spammer to "set-up" someone else, when the risk could be quite high if you get caught?)
Anyway, I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators. I don't know that they care, but I can pretty much guarantee they're going to get sick of getting such sicko stuff in the mail. Perhaps they'll actually do something. I've even pondered sending it all to every congressman and every senator, but that's a bit costly!
Well, do your damage...
Cheers!
uce@ftc.gov is for this purpose.
UCE = Unsolicited Commercial E-Mail FTC = Federal Trade Commission
If you send it to someone like your congressman, YOU are spamming. If you do it often enough, I'm sure they will have a word or two with your ISP.
If someone sends you a letter filled with anthrax, forwarding it to the president will not make things better...
A monkey is doing the real work for me.
I've just rented a dedicated server running FreeBSD, and I get "relay denied" messages daily. Now I need to accept relay for my users, so I've been reading about POP before SMTP; that's a good solution. Since I am not used to sendmail, it has been very difficult for me to configure it. I think we need a document to configure sendmail "for dummies"; all the documentation I've found is not so easy to understand.
This kind of spam exists no more. How? It was made illegal practically overnight and that shut the bastards down.
The spam problem is a political problem. Until there is enough political will in your governments to crack down on the spammers HARD, the spam problem will be getting worse and worse.
It would be really cool to take the relay blackhole list to an extreme, and enhance it with something like LaBrea. That way, instead of just immediately refusing to accept spam, freeing the spammer to move on to the next host on the list, a "tarpit" relay would bog the spammer down, maybe slowing their spamstream down to the point that they're sending only one message per hour. If we could get just a small percent of the SMTP servers on the 'net running such a tarpit, that would reduce the amount of spam that we all get. That is, until the spammers rewrite their software to give up on slow relays.
The only real solution to the spam problem is to kill spammers brutally, horribly and publicly -- placing their heads on pikes as a warning to others. The US should encourage foreign governments to do the same under threat of airstrikes (though said airstrikes should only be centered on the locations of known spammers).
Yes, I'm serious about this. I despise spam and wish all spammers DEAD.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
On another front, the FTC set up a special electronic mailbox reserved for UCE in order to assess, first hand, emerging trends and developments in UCE. With the assistance of Internet service providers, privacy advocates, and other law enforcers, staff publicized the Commission's UCE mailbox, "uce@ftc.gov," and invited consumers to forward their UCE to it. The UCE mailbox has received more than 2,010,000 forwarded messages to date, including 3,000 to 4,000 new pieces of UCE every day. Staff enters each UCE message into the database; UCE received and entered in the database within the preceding 6 months is searchable. Periodically, staff analyzes the data, identifies trends, and uses its findings to target law enforcement and consumer and business education efforts.
I decided that one day I would reply to all the spam that I received in my non-personal mailbox.
I did
I then received all the mail back as undeliverable.
I replied the same day it was received so what good are these spammers doing? I mean, how do they expect to make any money if they were not there to take mine?
www.slightlycrewed.com - Because aren't we all?
The most effective solution for fighting spam is NOT legal; it is also not honeypots, or open server bans. It's community action.
Did you receive a spam directing you to a website? Good. Surf there. Reload. Reload a few hundred times. 800 number? Call it and complain. When they hang up on you, call back.
Multiply this by even a small fraction of the people the company sent spam to and swamp their lines and slashdot their servers. They won't be making any sales, and any earnings they do make won't come close to paying their bandwidth or phone bills.
We first got a way that can punish spammers that dates back to the 1600's, and now a way that we can trap them. Just think, instead of locking up Bernard Shifman in a damp dungeon in England, we could honeypot his resume, then smear real honey all over Bernie and leave him near an anthill with a bunch of red ants.
I posted an article that deals with stopping spambots with common apache tools last week in the apache section of slashdot. hopefully some can find use of it here as well :)
here's the link directly to the article as well:
Stopping Spambots II - The Admin Strikes Back
Question: If this idea is viable, why don't ISPs implement it, too? For example, if AOL used this technique on a few of its dial-up (or cable) IP addresses, they could potentially make quite an impact. Further, they could apply this technique across each of their address blocks. They could also rotate through the address block the particular addresses which act as the honeypot.
Now imagine that AT&T, Earthlink, MSN, and other ISPs implemented this, too, that should put a HUGE DENT in spamming.
Granted, this would chew up bandwidth on their network, but delivering spam chews it up, too.
Please, if there are mistakes in this, don't mod me down but instead point out what ISPs COULD DO to make this work. Thanks!
Get 1000 /.ers to setup a web page on a simple box they already have or on a free web server... in fact, setup hundreds of pages. Embed in the page every political email address you can find as well as a honeypot one you setup. Set the honeypot one up to forward to the political addresses as well (all of them).
After senator what's his face gets spammed by 10000+ p04n addresses a day for weeks on end he might take notice.
Anyone ever responded to a spam pretending to be interested in the product? I get about a 20% turnaround on "serious inquiries". If I am using a real email address and look like a real customer, and they aren't even writing back to me... they must be spamming several times what they could "legitimately" handle.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Maybe we can capitalize on the It's For The Children idiocy that seems so prevalent in government:
1) Have your 14-year-old kid set up an email account somewhere.
2) Help him/her write an innocent letter to your representative complaining about the inappropriate spam s/he is receiving.
3) Watch them trip over themselves to Save The Children =P
Checksumming strikes me as very easy to defeat. Just have the mailer append a random string to each message body. I've noticed most spam already does this with subject headers. Am I missing something?
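The poster's objection is exactly the weakness of an exact checksum. What DCC and Razor do about it is use fuzzy checksums of their own design; the block below is an added illustration of the general idea (not DCC's or Razor's code, and not from the original page): normalize the body so random tags fall out, then fingerprint it as a set of overlapping word shingles, so a per-message random string changes the MD5 but leaves the fingerprint intact. The sample messages are constructed for the example.

```python
import hashlib
import re

# Constructed sample messages (not taken from the page): one spam sent twice
# with a different random tag appended each time, plus a legitimate message.
SPAM_A = "Get cheap inkjet cartridges NOW! Reply with REMOVE to opt out. ref:a8f3c1"
SPAM_B = "Get cheap inkjet cartridges NOW! Reply with REMOVE to opt out. ref:77e0b9"
HAM = "Grandpa, the family reunion is Saturday at noon, please bring the photos."


def exact_checksum(body: str) -> str:
    """The naive scheme: one hash over the raw body. Any appended byte breaks it."""
    return hashlib.md5(body.encode()).hexdigest()


WORD = re.compile(r"[a-z]+")


def normalize(body: str) -> list[str]:
    """Lower-case and keep only alphabetic tokens of three or more letters.
    Hex tags, numbers and punctuation (the usual randomization) drop out here."""
    return [w for w in WORD.findall(body.lower()) if len(w) >= 3]


def shingles(tokens: list[str], k: int = 3) -> set[str]:
    """Overlapping k-word windows. An inserted word disturbs at most k windows,
    so local edits degrade the match gracefully instead of destroying it."""
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def fuzzy_fingerprint(body: str, k: int = 3) -> set[int]:
    """Fingerprint = set of truncated SHA-1 hashes of the normalized shingles."""
    return {int(hashlib.sha1(s.encode()).hexdigest()[:8], 16)
            for s in shingles(normalize(body), k)}


def similarity(fp_a: set[int], fp_b: set[int]) -> float:
    """Jaccard similarity of two fingerprints; 1.0 means identical content."""
    if not fp_a and not fp_b:
        return 0.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)


def matches_known_spam(body: str, known: list[set[int]], threshold: float = 0.6) -> bool:
    """Would a clearinghouse that stores fingerprints instead of MD5s still catch this body?"""
    fp = fuzzy_fingerprint(body)
    return any(similarity(fp, k) >= threshold for k in known)


if __name__ == "__main__":
    print("md5 equal:", exact_checksum(SPAM_A) == exact_checksum(SPAM_B))
    print("fuzzy similarity:", similarity(fuzzy_fingerprint(SPAM_A), fuzzy_fingerprint(SPAM_B)))
```

The caveat cuts both ways: a spammer who scatters random dictionary words through the body, rather than appending a tag, will lower the similarity in proportion to how many shingles they disturb, which is why the threshold is a tunable and why the real systems combine the fuzzy match with other evidence.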
This isn't flamebait, but what is the point of doing all of this?
So now the spammers have a lot of worthless addresses. Well, let's think about that for a minute. Spam is built around a theory that next-to-no-one will reply anyway, so that doesn't matter much. Spammers also rarely pay for their own bandwidth, choosing instead to spoof insecure machines to do their dirty work. So in the long run, you only end up giving them more worthless addresses that create more wasted bandwidth, neither of which really harms the people you are attempting to target.
We do not need more laws "protecting" us! What we really need is an easy to use universal email crypto standard where everyone will sign their email. Any mail not signed is immediately suspect. Any keys you do not recognize are suspect.
Standard crypto would serve us much better than any new law (set of laws) and the possible abusive applications of said law(s). We would surely end up with all sorts of lawful and awful unintended consequences as a result of anything that is generated by any government.
~Sean
It uses a weighted score that derives its values from a variety of sources, including Razor and various Black Hole Lists.
The heuristics are along the lines of:
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (12.24 hits, 5 required)
SPAM: Hit! (1 point) From: contains numbers mixed in with letters
SPAM: Hit! (1.2 points) From: does not include a real name
SPAM: Hit! (1 point) 'Message-Id' was added by a relay (2)
SPAM: Hit! (1 point) Subject contains lots of white space
SPAM: Hit! (1 point) BODY: List removal information
SPAM: Hit! (1.56 points) Contains phrases frequently found in spam
SPAM: [score: 26, hits: accept credit, credit cards,]
SPAM: [fill out, for your, more information, our]
SPAM: [company, phone number, receive further, remove]
SPAM: [the, reply this, subject line, thank you, the]
SPAM: [subject, this email, wish receive, word remove,]
SPAM: [you for, you like, you wish, your]
SPAM: [email]
SPAM: Hit! (1 point) spam-phrase score is over 20
SPAM: Hit! (1 point) Received via a relay in inputs.orbz.org
SPAM: [RBL check: found 14.54.162.63.inputs.orbz.org.]
SPAM: Hit! (2 points) Received via a relay in relays.osirusoft.com
SPAM: [RBL check: found 6.223.155.212.relays.osirusoft.com., type: 127.0.0.9]
SPAM: Hit! (1.48 points) Subject contains a unique ID number
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------
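The report above shows the two mechanisms the comment describes: per-rule point values that sum against a "required" threshold, and DNSBL checks that are just DNS lookups of the relay's reversed octets under the list's zone (the "found 6.223.155.212.relays.osirusoft.com., type: 127.0.0.9" line). The block below is an added example that is not SpamAssassin's code and not from the page: a miniature scorer with rules shaped like the ones in the report, an offline stand-in for the DNS resolver, and two constructed messages. The rule names, point values, the zone `relays.example-dnsbl.invalid` and the addresses are all assumptions made for the illustration.

```python
import re
from ipaddress import IPv4Address

REQUIRED = 5.0  # the "5 required" threshold shown in the report
RELAY_ZONE = "relays.example-dnsbl.invalid"  # hypothetical DNSBL zone

# Constructed stand-in for DNS so the example runs offline. A real check
# resolves the query name; the A record's last octet (127.0.0.x) encodes
# the listing type, as in the report's "type: 127.0.0.9".
FAKE_DNS = {"45.2.0.192." + RELAY_ZONE + ".": "127.0.0.9"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.45 -> 45.2.0.192.<zone>."""
    octets = str(IPv4Address(ip)).split(".")  # rejects garbage before it hits DNS
    return ".".join(reversed(octets)) + "." + zone + "."


def dnsbl_lookup(ip: str, zone: str, resolver=FAKE_DNS):
    """Return the listing code (e.g. '127.0.0.9') or None if not listed."""
    return resolver.get(dnsbl_query_name(ip, zone))


def parse_message(raw: str):
    """Split an RFC 822-style message into a header dict and a body string."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def first(headers, name):
    return headers.get(name, [""])[0]


def relay_ips(headers):
    """Bracketed IPv4 literals from every Received: header."""
    return [ip for rcvd in headers.get("received", [])
            for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rcvd)]


SPAM_PHRASES = ["accept credit", "credit cards", "fill out", "more information",
                "subject line", "word remove"]

# (name, points, test) - each test sees the parsed headers and the body.
RULES = [
    ("FROM_MIXED_DIGITS", 1.0, lambda h, b: bool(re.search(r"[a-z]\d|\d[a-z]", first(h, "from").split("@")[0], re.I))),
    ("FROM_NO_REAL_NAME", 1.2, lambda h, b: "<" not in first(h, "from")),
    ("SUBJ_LOTS_OF_SPACE", 1.0, lambda h, b: bool(re.search(r" {5,}", first(h, "subject")))),
    ("SUBJ_UNIQUE_ID", 1.48, lambda h, b: bool(re.search(r"\b(?:id|#)\s*#?\d{4,}", first(h, "subject"), re.I))),
    ("BODY_LIST_REMOVAL", 1.0, lambda h, b: bool(re.search(r"\bremove\b", b, re.I))),
    ("SPAM_PHRASES", 1.56, lambda h, b: sum(p in b.lower() for p in SPAM_PHRASES) >= 3),
    ("RCVD_IN_RELAY_DNSBL", 2.0, lambda h, b: any(dnsbl_lookup(ip, RELAY_ZONE) for ip in relay_ips(h))),
]


def score(raw: str):
    """Sum the points of every rule that fires; return (total, [(rule, points), ...])."""
    headers, body = parse_message(raw)
    hits = [(name, pts) for name, pts, test in RULES if test(headers, body)]
    return round(sum(pts for _, pts in hits), 2), hits


def is_spam(raw: str) -> bool:
    return score(raw)[0] >= REQUIRED


# Constructed sample messages (not from the page); addresses are documentation ranges.
SAMPLE_SPAM = """From: fx7k2q9@example.net
Subject:     Accept credit cards today           id#48213
Received: from mail.example.org ([192.0.2.45]) by mx.example.com

We accept credit cards. For more information, fill out the form.
To remove yourself, reply with the word remove in the subject line.
"""

SAMPLE_HAM = """From: Alice Smith <alice@example.com>
Subject: Reunion photos
Received: from mail.example.com ([198.51.100.7]) by mx.example.com

Hi Grandpa, the reunion is Saturday. See you there.
"""

if __name__ == "__main__":
    for label, msg in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        total, hits = score(msg)
        print(label, total, hits)
```

Two things the toy makes visible that the report does not: the DNSBL rule is the only one that depends on an external party, so its weight is also a trust decision about that list's policy, and the `Received:` parsing only looks at bracketed literals, which is why the real tool cares about which hops it trusts before it believes any of them.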
I've occasionally replied to spam posing as a potential customer, usually when I want to know who's really behind a particular spam. I don't hear back from humans very often, either. I doubt it's that the spammer (or his client) doesn't want our "business." In most cases I think it can probably be explained by one of the following:
a) Spammer sent spam, checked for replies for awhile, then abandoned that dropbox for a fresh one. By the time I replied to his spam, he was no longer checking on that box.
b) Spammer sent spam, and because everything under the sun was in tune, someone with a clue was reading abuse@ and nuked his dropbox.
c) Spammer sent spam, got mailbombed with thousands of junk letters and didn't bother to clean the dropbox out. Both Hotmail and Yahoo - from my experience, anyway - will spool new messages for you even when you exceed your storage quota. Those messages won't show in your inbox until you delete some of the existing drek, but they don't bounce either; we could be sending order inquiries to a "full" dropbox that's never cleared.
Of course, we can always dream about
d) Spammer sent spam, was visited by a few guys with baseball bats, and was rendered physically unable to reply to our solicitations!
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
How's that going to help if the porn sites are in China? Passing a law won't change it, your Congressman and Senator would have to be willing to support some kind of "punishment" in the form of economic sanctions or something on the country as a whole.... If that... It's not going to happen, not by just passing a law.
If it were to be stopped by law, it would have to be an INTERNATIONAL law (funny how electrons in cables don't know to carry a passport and stop to check in with the Customs Officer when they cross a border).
And, EVERY country would have to support the law. Or else the spamming operations would just move to a country that allows it. Good luck getting every country in the world to agree to an international policy just to keep spam out of your inbox.
Sorry to rant, but it gets on my nerves when ANYONE thinks the USA has some right to make any Internet regulation at all.... because they are trying to control something that extends way beyond the country's borders.
Check out Rokso. This site maintains a database of well known spammers, as well as spam samples, MO's, partners in spam and, yes, personal info for many of the spammers.
Try going to SPEWS and searching on the IP addresses of any SMTP relays used in the mail. If you find a hit, view the evidence file. It will usually contain information about the sender of the spam, their ISP, and related domains.
Subscribe to news.admin.net-abuse.email via your news provider of choice, or search the archives at groups.google.com. If you type in some particulars about the spam - for example the domain being advertised, or maybe the email address listed on the whois for that domain - Google will usually bring up some pertinent matches from NANAE. When it's a new spam run, or a new spammer, remember that Google's archive is usually at least 12 hours behind.
If you don't find anything, or even if you do find something and you're in a sharing mood, post the spam you get to news.admin.net-abuse.sightings and if you've done any research into the spammer, include it at the top of your post.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Their spam-software site is here. Scroll down to the bottom to see the (c) Elcomsoft.
Of course, the Slashdot editors rejected this story :-)
Oolite: Elite-like game. For Mac, Linux and Windows
Does anyone know the regulations regarding sending pornographic materials via the US Postal Service?
Yes, I'd like to know...
But, I think it would be very NEWSWORTHY for me to get "prosecuted" for sending porn in the mail to my representatives, when government refuses to do anything against the spammer and the beneficiary of the spam for sending it to me in the first place.
Plus, I think they would have a difficult time making it stick, as it would be the most protected speech. Speech to a representative for political discourse... (Or am I full of it?)
I would really hate the time spent fighting it, and the expense, but I could really raise the roof if I was able to get it in the press.
This is rather a cool idea. I might just "push the envelope" to see what a stink I can raise!
Any suggestions?
Cheers!
I'm far from a sophisticated programmer, but I can bang out the odd script in Perl and I use procmail.
I've been actually collecting Spam for an idea that I have -- Spam can be identified by the subject matter based upon the vocabulary. This weekend I hacked out a script that goes through a spam mbox and builds an index of words and two-word phrases.
I ran it against my main inbox and it generated an entirely different vocabulary than the one generated by my spam mailbox. This leads me to believe that a new mail message could be judged by subject alone to see if contained a lot of spam vocabulary, and if it did its words could get added to the dictionary.
The virtue of this is that it's self-learning -- the more you get, the better it gets at finding them, since the spam vocabulary gets even better defined.
Of course, I haven't worked out the scheme for matching new mail against the dictionary yet (either in a logical sense or an implementation sense), so it may prove much harder than it seems -- but the fact that Spam is spottable in the subject by me just reading it vs normal mail shows me that the vocabulary is significant.
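The matching scheme the poster has not worked out yet is the standard one for this kind of vocabulary index: count, per class, how many messages each word or two-word phrase appeared in, then score a new subject by summing the log of the smoothed spam/ham ratio of each of its features. The block below is an added example in that spirit, not the poster's Perl script and not from the page; the training subjects are constructed for the illustration, and the `learn=True` path is the self-learning loop the comment describes (with the risk it carries: a misclassified message teaches the wrong vocabulary).

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z']+")


def features(subject: str) -> list[str]:
    """Single words plus adjacent two-word phrases, as in the poster's index."""
    words = WORD.findall(subject.lower())
    return words + [f"{a} {b}" for a, b in zip(words, words[1:])]


class VocabModel:
    """Per-class document frequencies of subject features with Laplace smoothing."""

    def __init__(self):
        self.spam = Counter()
        self.ham = Counter()
        self.n_spam = 0
        self.n_ham = 0

    def learn(self, subject: str, is_spam: bool) -> None:
        counts = self.spam if is_spam else self.ham
        counts.update(set(features(subject)))  # count each feature once per message
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def score(self, subject: str) -> float:
        """Sum of log((P(f|spam)) / (P(f|ham))) over the subject's distinct features.
        Positive means spam-like; a feature seen in neither class contributes
        log((n_ham+2)/(n_spam+2)), i.e. nothing when the corpora are balanced."""
        total = 0.0
        for f in set(features(subject)):
            p_spam = (self.spam[f] + 1) / (self.n_spam + 2)
            p_ham = (self.ham[f] + 1) / (self.n_ham + 2)
            total += math.log(p_spam / p_ham)
        return total

    def classify(self, subject: str, threshold: float = 0.0, learn: bool = False) -> bool:
        """Decide, and optionally feed the decision back into the dictionary."""
        verdict = self.score(subject) > threshold
        if learn:
            self.learn(subject, verdict)  # self-learning: wrong verdicts also get learned
        return verdict


# Constructed training subjects (not from the page), balanced five and five.
SPAM_SUBJECTS = [
    "Accept credit cards today",
    "Cheap inkjet cartridges - save 70%",
    "Refinance your mortgage now",
    "Lose weight fast with this free offer",
    "Free porn - click here",
]
HAM_SUBJECTS = [
    "Family reunion on Saturday",
    "Re: patch for the sendmail config",
    "Lunch tomorrow?",
    "Meeting notes from Monday",
    "Photos from Grandpa's birthday",
]


def build_demo_model() -> VocabModel:
    model = VocabModel()
    for s in SPAM_SUBJECTS:
        model.learn(s, True)
    for s in HAM_SUBJECTS:
        model.learn(s, False)
    return model


if __name__ == "__main__":
    m = build_demo_model()
    for subj in ("Accept credit cards - free offer", "Re: reunion photos from Saturday"):
        print(f"{m.score(subj):+.2f}  {subj}")
```

Keeping the spam and ham corpora balanced, or correcting for the imbalance with a class prior, matters more than it looks: otherwise every unseen word carries a bias, and the subject "Lunch?" from a new correspondent gets judged on nothing but the ratio of corpus sizes.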
What about the bounce message? When you use a good open relay blocking list (like ORDB, my favorite), your mail server refuses to let the offending server send the message. The offending server reports back to the sender that the message did not go through. So, if Aunt Alice is sending out the message to Grandpa about the family reunion and receives a message back that the message couldn't be delivered... she'd just call him. The only really bad anti-spam technique is filtering that just discards messages. The sender doesn't know it wasn't delivered. With blacklists, the sender knows.
Portable versions of Firefox, GIMP, LibreOffice, etc
It isn't really fair to blame interns who happen to work for [insert name of evil corporation] for the company's possibly unethical behaviour. I doubt that many people here agree with everything their employer does. (I know I disagree with my employer's decision not to promote me and give me a big fat pay rise...)
We had previously tried a number of anti-spam solutions, including combinations of RBL, ORBS, locally-maintained blacklists and lots of Sendmail hacks.
We had very little luck until November, when we implemented SpamAssassin on all of our mailboxes. After turning on SpamAssassin, the spam seemed to just go away. In the first day alone, we caught over 300 pieces of spam with ZERO false positives, with less than 10 pieces of junk making it through to the end user's mailbox. The program is, simply put, amazing.
Its multi-faceted approach works very well. It uses a combination of simple logical string checking, in addition to things like distributed databases like RBL and Razor.
The program can also place spam in a dedicated mailbox file so you can see what got rejected. Each piece of rejected mail contains a report that includes the reasons that contributed to the rejection. Each reason has a weighted value that contributes to the final "good" or "bad" disposition. All of this is highly customizable, but it does work very well out of the box without any tinkering.
I highly recommend this program. Take the time to sit down and install it on your mail server.