Slashdot Mirror
Fighting Spam on the Home Front
Saint Aardvark writes: "Something interesting from the SecurityFocus Honeypot mailing list: a couple of honeypots for spammers. This message has a link to a how-to page for setting up a Sendmail honeypot to trap spammers, and the status page for a honeypot in Moscow that's trapped spam meant for >1.7 million recipients. The author mentions using a honeypot in conjunction with the Distributed Checksum Clearinghouse -- this seems like a great way identify both spammers and their messages."
And C-Moan writes: "Wireless spam volume is likely to increase in the coming years. But smart use of spam-fighting measures can go a long way toward eliminating the problem. This article provides info about the latest crop of e-mail filters and enhanced mail client options, as well as two roll-your-own programming platforms that could help keep your in-boxes spam free."
I run a fourth level .ca domain. It gets so much spam that the only solution for me was to put in firewall rules. TCP port 25 is open for my 5 friends, and a few mailing lists. For everyone else, it's closed.
I've got a longer rant on my web page, but I won't post it here, as the machine will die.
Suffix it to say that I can't afford 500k+ spams a day. The SMTP 'HELO', 'MAIL FROM', and 'RCPT TO' traffic for spam was getting to a gigabyte of
traffic every few days.
rbl doesn't work. The spammers that hit me aren't listed on it. 'teergrube' doesn't work. I can't afford the bandwidth or the CPU time to maintain millions of open connections.
When you get spam, if you do ANYTHING other than
drop the TCP SYN packet, you've lost.
I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.
"It is a greater offense to steal men's labor, than their clothes"
I like the idea with sendmail -bd, not delivering any mail, but surely spammers will simply assume that an "open" relay that takes 2 days to deliver their test message is being moderated as such by somebody running a honeypot. Unless you can identify, and forward spam tests as quickly as if the mailserver was running properly, then the spammers will soon catch on.
This sounds alot like vipul's razor a fellow checksum'ing spam catcher. In addition to being free and open source, I think vipul's has been around longer than these other guys. They also use honeypots to catch lots of spam, but I believe not so much in the relay dept.
I ate my sig.
I've come to the realization that the solution to spam is political/legislative.
I use SpamAssassin and it blocks virtually all spam, but that doesn't really solve the problem. Most users can't use spam assassin, or other good spam blocking system. Spamcop is good too, but that's now $3/month. Why should I be forced to pay to haul the spam, and $3/month not to see it?
The solution as I see it is this. We need legislation that allows for damages from the beneficiary of the spam. Almost all of the spam I get comes from SMTP servers in China and Eastern Europe. Good luck getting these people shutdown. Or, it comes from an open relay. Again, it's useless to attack the unwitting/stupid party, although it might have some effect here. But the spam beneficiary almost certainly has a bank account in your country, or some bank funds transfer mechanism. If they want to do lots of business with the US or other countries, there's going to be somefinancial presence there. So, we now have money...just tap into that money, by making the beneficiary of spam a civil tort, and spam just gets more expensive to promote.
When the demand for spam drops, because it's too expensive, then the demand for the out of country spam services drops, and eventually, most spam stops.
There would need to be some way to keep companies from being "set-up" as spam beneficiaries, but I think that shouldn't be too hard of a problem to solve. (Who's going to pay a spammer to "set-up" someone else, when the risk could be quite high if you get caught?)
Anyway, I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators. I don't know that they care, but I can pretty much guarantee they're going to get sick of getting such sicko stuff in the mail. Perhaps they'll actually do something. I've even pondered sending it all to every congressman and every senator, but that's a bit costly!
Well, do your damage...
Cheers!
uce@ftc.gov is for this purpose.
UCE = Unsolicited Commercial E-Mail FTC = Federal Trade Commission
If you send it to someone like your congressman, YOU are spamming. If you do it often enough, I'm sure they will have a word or two with your ISP.
If someone sends you a letter filled with anthrax, forwarding it to the president will not make things better...
A monkey is doing the real work for me.
This kind of spam exists no more. How? It was made illegal practically overnight and that shut the bastards down.
The spam problem is a political problem. Until there is enough political will in your governments to crack down on the spammers HARD, the spam problem will be getting worse and worse.
On another front, the FTC set up a special electronic mailbox reserved for UCE in order to assess, first hand, emerging trends and developments in UCE. With the assistance of Internet service providers, privacy advocates, and other law enforcers, staff publicized the Commission's UCE mailbox, "uce@ftc.gov," and invited consumers to forward their UCE to it. The UCE mailbox has received more than 2,010,000 forwarded messages to date, including 3,000 to 4,000 new pieces of UCE every day. Staff enters each UCE message into the database; UCE received and entered in the database within the preceding 6 months is searchable. Periodically, staff analyzes the data, identifies trends, and uses its findings to target law enforcement and consumer and business education efforts.
The most effective solution for fighting spam is NOT legal; it is also not honeypots, or open server bans. It's community action.
Did you receive a spam directing you to a website? Good. Surf there. Reload. Reload a few hundred times. 800 number? Call it and complain. When they hang up on you, call back.
Multiply this by even a small fraction of the people the company sent spam to and swamp their lines and slashdot their servers. They won't be making any sales, and any earnings they do make won't come close to paying their bandwidth or phone bills.
(2) Spammer sees .01% response rate drop to .0000001% response rate (finding open relays, spidering email addresses, etc). Looks at books and sees that he spent 10 hours getting everything together to spam. Additionally, he spends 30 hours dealing with people who call pretending to be interested, keep him on the line, and then say that their credit card number is "spammers suck." So he spent 40 hours and only sold one widget, that he gets a $5 profit on. Realizes that he could have made more money working 40 hours at Mcdonalds, and there are nicer customers to boot.
The reason people spam is the cost is low. Increase the cost of doing business and they will reevaluate.
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
We first got a way that can punish spammers that dates back to the 1600's, and now a way that we can trap them. Just think, instead of locking up Bernard Shifman in a damp dungeon in England, we could honeypot his resume, then smear real honey all over Bernie and leave him near an anthill with a bunch of red ants.
I posted an article that deals with stopping spambots with common apache tools last week in the apache section of slashdot. hopefully some can find use of it here as well :)
here's the link directly to the article as well:
Stopping Spambots II - The Admin Strikes Back
Get 1000 /.ers to setup a web page on a simple box they already have or on a free web server... in fact, setup hundreds of pages. Embed in the page every political email address you can find as well as a honeypot one you setup. Set the honeypot one up to forward to the political addresses as well (all of them).
After senator what's his face gets spammed by 10000+ p04n addresses a day for weeks on end he might take notice.
anyone ever responded to a spam pretending to be interested in the product? I get about a 20% turnaround on "serious inquiries". If I am using a real email address and look like a real customer, and they arent even writing back to me... they must be spamming several times what they could "legitimately" handle.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Maybe we can capitalize on the It's For The Children idiocy that seems so prevalant in government:
1) Have your 14-year-old kid set up and email account somewhere.
2) Help him/her write an innocent letter to your representative complaining about the inappropriate spam s/he is recieving.
3) Watch them trip over themselves to Save The Children =P
2) at times HTML emails contain images located on a server. This allows them to track if a message has been read and which message.
o urisp.com"
This is exactly that, most HTML e-mail messages you get contain an image. Alot of those images are formatted in such a way like:
img src="http://www.spammersite.com/spampic.jpg?you@y
So the image display's, and they now have a list of e-mail addresses of people who looked at the message.
So now you don't even have to click anything, they know you are looking at the message just by your mail client opening the picture.
Do you Gentoo!?
This isn't flamebait, but what is the point of doing all of this?
So now the spammers have a lot of worthless addresses. Well let's think about that for a minute. Spam is built around a theory that next-to-no-one will reply anyway, so that doesn't matter much. Spammers also rarely pay for their own bandwidth, choosing instead to spoof unsecure machines to do their dirtywork. So in the long run, you only end up giving them more worthless addresses that creates more wasted bandwidth, neither of which really harms the people you are attempting to target.
------
Today's Top Deals
It uses a weighted score that derives it's values from a variety of sources including Razor and various Black Hole Lists.
The type of heuristics are along the lines of:
SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (12.24 hits, 5 required)
SPAM: Hit! (1 point) From: contains numbers mixed in with letters
SPAM: Hit! (1.2 points) From: does not include a real name
SPAM: Hit! (1 point) 'Message-Id' was added by a relay (2)
SPAM: Hit! (1 point) Subject contains lots of white space
SPAM: Hit! (1 point) BODY: List removal information
SPAM: Hit! (1.56 points) Contains phrases frequently found in spam
SPAM: [score: 26, hits: accept credit, credit cards,]
SPAM: [fill out, for your, more information, our]
SPAM: [company, phone number, receive further, remove]
SPAM: [the, reply this, subject line, thank you, the]
SPAM: [subject, this email, wish receive, word remove,]
SPAM: [you for, you like, you wish, your]
SPAM: [email]
SPAM: Hit! (1 point) spam-phrase score is over 20
SPAM: Hit! (1 point) Received via a relay in inputs.orbz.org
SPAM: [RBL check: found 14.54.162.63.inputs.orbz.org.]
SPAM: Hit! (2 points) Received via a relay in relays.osirusoft.com
SPAM: [RBL check: found 6.223.155.212.relays.osirusoft.com., type: 127.0.0.9]
SPAM: Hit! (1.48 points) Subject contains a unique ID number
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------
Am I missing something?
Yes. The DCC page states that they use a 'fuzzy' checksumming algorithm that doesn't just checksum the whole message, and that the algorithm is evolving as spam evolves.