Using Statistics to Cause Spammers Pain
mlamb writes "Statistical mail classifiers like PopFile save time on the part of their users, but don't do anything to actively combat spam. I just published an article that suggests a way to use classifier output against a spammer while they're connected to your SMTP server, and I'm launching a project called TarProxy to implement it."
But what if the spammer sends a message to a (good) SMTP server which hasn't got the system, and the SMTP server in turn tries to deliver the "spammail" to the right SMTP server? Won't that hurt the good SMTP server, which is just trying to do its job?
My <1000 UID is with a hot chick
This may be just a little off topic, but the thing is that I always have to go through all my mail by hand to make sure I didn't miss anything important anyways. No anti-spam software out there seems to save me this hassle... So to this day I haven't stuck with any. It doesn't look like this will be better.
I am a viral sig. Please help me spread.
Just one question... what if the spammer doesn't connect to your SMTP server to send billions of messages from it? What if the spammer (with half a brain, and some scripting ability), only sends a few emails through your SMTP server? Most SMTP servers are wide open still, and simply sending 10 emails on one server and moving on to another open server would be so low that statistical usage wouldn't show anything on the radar screen... or did I not understand what you are trying to do?
---
Programming is like sex... Make one mistake and support it the rest of your life.
That's great! Sign me up right away. Man, Linux IS cool.
That we need all these technicalities to try and fight spam... But this is just like people trying to fight piracy, there will always be a new way to get around security. Actually, what we needed was authenticated SMTP from the beginning...
Exactly how it should be.
Perhaps public floggings and other corporal punishment as well.
However I have to wonder if all spammers are really sane ... I just got an email about chicks who crave small penises and those who crave big penises and then emails about penis enlargement and viagra online purchases; it just seems weird that there is so much concern for my penis. Perhaps we should just imprison them on an island, as they might find tar and feathering a bit kinky and enjoy it.
Ignore the "p2p is theft" trolls, they're just uninformed
tar pits do nothing new or exciting. so far the most optimal is bayesian or other algorithmic filtering. It's a shame Google won't release their search algorithm for spam :-)
But, but, but, why would they be connected and sending spam through your server? Unless you run an open relay. And you don't run an open relay, do you? Do you?!
There is no sig, there is only Zuul.
Injuring spammers is always +5 Funny.
I have a lot of experience in this area: "You know, Ralsky, 100% of spammers that I track down get castrated on the spot."
The simpler method is still SMTPAUTH. Now we just have to convince the world that this is a Good Thing.
This sig no verb.
TarProxy is written in Java,
Well, that's one way to do it.
The hurt-back part of the project is not new. Theo de Raadt is working on just that, in connection with an IP number list (much faster, so suitable for busy servers):
Very simply, this hangs the full list of ~12,000 spam-sending IP/mask entries listed at www.spews.org off a pf(4) rdr-anchor (which is only entered for port 25). When connections from these spammers arrive they are redirected to a daemon which minimally fakes the SMTP protocol with very low overhead -- for multiple connections at the same time -- and then the message is left on the sender's queue by providing a 550 return code.
The theory here is that most spam still comes in via open relays, and the only way we are going to convince them to clean up their act is to waste _their_ disk space, their time, and their network bandwidth more than they waste ours. For those spammers who drop messages when they receive a 550, well, we have not wasted any further time or network bandwidth, and even in that situation I think some of them might remove an address if they receive a 550.
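The spamd behaviour quoted above (fake the SMTP dialogue with minimal state, answer slowly, and leave the message on the sender's queue) is easy to see in a small state machine. The following is an added example, not spamd's or TarProxy's code: it replies to each command only after `delay` seconds, discards the DATA body without storing it, and then answers with a 450 temporary failure, which a well-behaved sender treats as "keep it queued and retry" (the code the thread later says spamd switched to); `reply_code=550` gives the permanent reject described first. The hostname, port and sample transaction are placeholders I constructed.

```python
"""Minimal SMTP tarpit session in the spirit of the spamd description above.

Added example, not spamd's or TarProxy's code. It fakes just enough of
SMTP to keep a sender talking, answers every command only after `delay`
seconds, swallows the DATA body without storing it, and then rejects the
message with a 450 (temporary failure) so a well-behaved sender keeps it
queued and retries; pass reply_code=550 for the permanent reject. The
hostname is a placeholder. The TCP wrapper at the bottom is stand-alone
and listens on an unprivileged port.
"""
import socketserver
import time


class TarpitSession:
    def __init__(self, delay=8.0, reply_code=450, sleep=time.sleep):
        self.delay = delay
        self.reply_code = reply_code
        self.sleep = sleep  # injectable so the state machine can be exercised without waiting
        self.in_data = False
        self.body_lines = 0
        self.done = False

    def greeting(self):
        self.sleep(self.delay)
        return "220 tarpit.example.invalid ESMTP\r\n"

    def handle_line(self, line):
        """Reply to one client line; returns None while a DATA body is being swallowed."""
        if self.in_data:
            if line.rstrip("\r\n") == ".":
                self.in_data = False
                self.sleep(self.delay)
                return f"{self.reply_code} Try again later\r\n"
            self.body_lines += 1
            return None
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        self.sleep(self.delay)  # every reply, not just the final one, costs the sender time
        if verb in ("HELO", "EHLO"):
            return "250 tarpit.example.invalid\r\n"
        if verb in ("MAIL", "RCPT", "NOOP", "RSET"):
            return "250 OK\r\n"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == "QUIT":
            self.done = True
            return "221 Bye\r\n"
        return "500 Command unrecognized\r\n"


def simulate(client_lines, delay=8.0, reply_code=450):
    """Drive a session with constructed client input; returns (replies, seconds the sender waits)."""
    waited = []
    session = TarpitSession(delay=delay, reply_code=reply_code, sleep=waited.append)
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.handle_line(line)
        if reply is not None:
            replies.append(reply)
    return replies, sum(waited)


class TarpitHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = TarpitSession()
        self.wfile.write(session.greeting().encode("ascii"))
        for raw in self.rfile:  # ends when the peer closes the connection
            reply = session.handle_line(raw.decode("latin-1"))
            if reply is not None:
                self.wfile.write(reply.encode("ascii"))
            if session.done:
                break


if __name__ == "__main__":
    # Constructed transaction a relay would send; shows the replies and the total stall.
    transcript = ["EHLO relay.example\r\n", "MAIL FROM:<x@relay.example>\r\n",
                  "RCPT TO:<victim@example.org>\r\n", "DATA\r\n", "Subject: hi\r\n",
                  "\r\n", "buy now\r\n", ".\r\n", "QUIT\r\n"]
    replies, stall = simulate(transcript)
    print("".join(replies), f"sender stalled for {stall:.0f}s")
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), TarpitHandler) as server:
        server.serve_forever()
```

With the default eight-second delay the constructed nine-line transaction costs the sender seven stalled replies, 56 seconds, for a message that is never stored; in a real deployment the session would be reached only for connections pf has redirected, as the quoted text describes.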
Napalm and lit matches!
Dip them all in gravy and lock them in a room with a dozen wolverines on PCP.
That can't possibly cause as much pain as the tried and true solutions to spam:
- Castration
- Firebombings
- Slow torture
- an intercontinental ballistic missile strike
This is the same thing as OpenBSD's spamd, which Theo de Raadt wrote specifically to cause spam relays pain. spamd uses some new features of pf and blacklists from Spews to create a tarpit for incoming messages from known spam relays. It was even discussed on Slashdot in this article. Also, Daniel Hartmeier, pf developer extraordinaire and all around good guy, wrote a little piece about annoying spammers using pf, spamd, and bmf.
authentication doesn't do much. Companies should at least try to adopt it. I think any windows user is competent enough to run windows update, and any unix user is competent to get a new client that supports it. I think IETF has a mail extensions, but I'm not sure. That is basically just for sending mail though.
turn off relays.
Perhaps you could scan the internet for open relays and notify the sys admin that someone is spamming from their network? And their ISP too? That might work to some extent.
A lot of spammers buy webhosting from people in korea and other asian countries cause the admins don't hawk like US providers do.
Maybe ICANN should implement something in the root DNS servers that force mail lookups through some blacklist?
I was hoping to get first post, but my connection got throttled back to nothing....
Nonsense. The spammer will just run the connections in parallel. The slower they get the more he'll run. He already does this to some extent. All this will accomplish is to tie up resources on YOUR mail server.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Instead, this is meant to be run on the incoming SMTP server, the one that receives the mail. It will only hurt the spammer if he's trying to send a bunch of spam to your domain, but every server running this can help.
"Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
Daniel Hartmeier uses OpenBSD and packet filter to waste spammers time.
so exactly WHO are you hurting?
sure, the open relay deserves some pain. but you're naive if you think that most spammers send from their OWN systems!
I have qmail running on my mail hub and I reject mail at the time of connect simply based on the receiver they're trying to send to. when they handshake (part of the HELO exchange) I detect the user they're trying to send to, and since I only have a handful of valid users, it's easy to know if they're dictionarying me or not. once I know that, I immediately cut them off, AND add an ipfw (I run freebsd) rule to block all traffic from that IP to my port 25. not only do they NOT get to send any DATA to me, but they're from now on (until it ages out, automatically) forbidden from even connecting to my box. I know that's harsh but I can be that selective since it's mostly just me on my mailhub.
but I don't think for a second that even tarpitting that source IP is punishing the spammer. they've most likely broken into (or found) an open relay and they're routing thru them. they don't even see the 'address not reachable' error due to my firewalling them.
--
"It is now safe to switch off your computer."
And then some flammables...
Here are some more spam tarpits:
TarProxy
ChuckMail
OpenBSD's spamd (tarball)
Google Search Results
The poor schmucks who actually end up getting punished are the mail servers who are being hijacked to send the spam. They will never "feel" pain.
However, it is an interesting "pay to play" option as long as you have a direct feed to the net of some kind.
make a filter for email clients that automatically rejects and deletes ALL email whose sender is not in the addressbook or some database; simple, efficient and fool-proof
Anyone know of a good open source POP & SMTP proxy that runs under MS Windows and is written in C or C++?
Thanks.
Opinions on the Twiddler2 hand-held keyboard?
Using a list of the spam-sending IPs and Bayesian methods, one could assign a high prior probability of a message being Spam. The effect would be to slow down the connection on less evidence if it's from a suspect IP address, and to require more evidence if it's from an IP address that you trust. Thus you preferentially slow down suspect computers, and allow your friends to get away with more spam-like messages before tarring them.
Quack!Quack!.....QUACK!!
well, if the spammer starts getting tar all over himself, how does DoSing help?
we could set up a P2P DoS network for spammers!~
Is it possible to write some kind of program that has a detrimental yet still legal effect on the web sites (if any) featured in your spam?
If enough people run it, suddenly it may not be so effective to promote sites that way.
Other spam invites you to call toll-free numbers - I do, and politely let them know I don't need anything.
The easiest solution is to have no open relays. I know I know, it ain't gonna happen, but perhaps this could convince more of those relays to close their doors:
What we do is have a small app that plugs into eudora, outlook, evolution, kmail etc. Whenever you get a spam, you click a button, it scans the header, finds the smtp server that sent the spam and then sends them 1 email informing them of the fact that they are sending spam (of course you need a way of getting the sysadmin's email address).
If enough people did this then the bad relays would be swamped with emails informing them of the spam they've been relaying, and they might close their relay. And non-open relays that just allow spammers to spam might think about being less friendly to spammers.
What do people think, is it lame?
--- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
Here's what I propose: set up a large number of bogus email accounts. Broadcast them everywhere, and let them be honey-pots for spam. The point is, since you NEVER use this account for anything but dropping in spammable places, anything you receive on it *must* be spam. As soon as you get a connection from a mail server to one of these addresses, you *know* it's an open relay, and you put it in your database -- automatically, with no interaction required.
Step 2: You also do a "fingerprint" on the spam you get in your honeypot (you know the routine - what's the length, average use of the word "dildo", etc) so that you can identify this particular spam "copy" by the message -- NOT the header. This allows you to automatically filter out spam messages. If the spammers want to adapt, they have to rewrite their copy. As long as your signature algorithm is fairly loose -- that is, not a true hash algorithm -- they should have to do a total rewrite if they don't want to be detected. You can then filter these at the relays. Thus, once again, you raise the cost for them to do their spam. Since you are filtering by actual known-spam content -- that is, you're doing this like they do virus signatures -- you should get virtually no false positives.
And, anybody whose friends are emailing them about penis enlargement doesn't really deserve email anyway.
Anyway, there's step 1 and 2. To summarize:
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
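The "loose" signature in Step 2 above, one that a true hash would not give you, can be built from overlapping word shingles: the message is normalised, cut into every run of three consecutive words, and a new message matches a honeypot capture when the Jaccard overlap of the two shingle sets is high. This is an added example, not the poster's design or any project's code; the honeypot copy, the reworked copy and the legitimate message are constructed samples, and the 0.6 threshold is an assumption.

```python
"""Loose content fingerprints for honeypot spam, as described in Step 2 above.

Added example (not from the post): a message is reduced to a set of
3-word shingles after normalisation, and a new message matches a known
copy when the Jaccard overlap of the shingle sets is high enough. Small
edits (a swapped word, different numbers, punctuation, case) barely move
the score, so a spammer has to rewrite the copy to evade it, while an
unrelated message shares almost no shingles. All messages below are
constructed samples.
"""
import re

WORD = re.compile(r"[a-z]+")


def shingles(text, k=3):
    """Normalise text and return the set of k-word shingles."""
    words = WORD.findall(text.lower())  # lower-case; digits and punctuation fall away
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def similarity(a, b):
    """Jaccard overlap of two shingle sets, 0.0 .. 1.0."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


class HoneypotSignatures:
    def __init__(self, threshold=0.6, k=3):
        self.threshold = threshold
        self.k = k
        self.known = {}  # label -> shingle set learned from a honeypot message

    def learn(self, label, text):
        self.known[label] = shingles(text, self.k)

    def match(self, text):
        """Return (best_label, score) for the closest known copy, or (None, 0.0)."""
        probe = shingles(text, self.k)
        best_label, best = None, 0.0
        for label, sig in self.known.items():
            score = similarity(probe, sig)
            if score > best:
                best_label, best = label, score
        return best_label, best

    def is_spam(self, text):
        return self.match(text)[1] >= self.threshold


# Constructed honeypot capture and two later messages (not real spam samples).
HONEYPOT_COPY = ("Increase your size now! Our doctor approved pills guarantee results "
                 "in 30 days or your money back. Order online today and save 50 percent.")
REWORKED_COPY = ("BOOST YOUR SIZE NOW!!! Our doctor-approved pills guarantee results "
                 "in 21 days or your money back... Order online today and save 60 percent!")
LEGIT_MAIL = ("Can we move the meeting to Thursday? I still need to order the new "
              "printer online today so it arrives before the review.")

signatures = HoneypotSignatures()
signatures.learn("pills-copy-1", HONEYPOT_COPY)

if __name__ == "__main__":
    for text in (REWORKED_COPY, LEGIT_MAIL):
        print(signatures.match(text), signatures.is_spam(text))
```

The reworked copy changes one word, two numbers, the case and the punctuation, yet only one of its twenty shingles differs from the original (19 shared out of 21 distinct, about 0.9), while the legitimate message shares none. Because the score is set-based, a spammer has to change roughly every third word to fall under the threshold, which is the "total rewrite" the post is after.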
Check out http://www.martiansoftware.com/nailgun/
Never let a lack of data get in the way of a good rant.
Step 1: sysadmins band together in a DDOSOR alliance. Step 2a: Spammer uses open relay for spam campaign. Step 2b: Alliance member starts to receive spam. Step 2c: DDOSOR alliance is notified immediately and starts one-hour DDOS attack on open relay. Step 2d: open relay can't finish sending spam. Step 3: Profit!
Don't use Java, it's a proprietary language and it really isn't all that good at cross box compatibility.
That said, great idea.
I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
If these tarpits were ubiquitous, they could completely change the economics of spam, creating a scarcity of bandwidth experienced only by spammers.
Err, I don't think so. This just requires spammers to use more simultaneous connections to overcome the slowdown; it doesn't really increase their network requirements much, only their host CPU requirements. 20,000 simultaneous TCP connections from one process is quite possible with /dev/kqueue under FreeBSD, for example; and you can do the same, but with a bit more CPU wasted, using plain old select() on almost any Unix.
:(
I also don't understand the rationale behind processing the message incrementally. Why not just do your processing before sending back the final 2xx response to the DATA command? Most spam software does not hang up right after sending the final "\r\n.\r\n" from what I've heard from people who run tarpits.
How about this instead: when you are confident you are receiving spam, you stop reading from the socket entirely, and send perhaps 10MB of data back on the other side of the connection. (If the other endpoint isn't reading, and consequently you can only send one window worth of data, then do something to get your TCP stack to generate a lot of useless ACKs, or send your trash back one octet at a time and push between them, or something.) The intent being that sending spam to a large number of MTAs configured in this manner rapidly just becomes a way to DDOS *yourself*. Probably this is too disruptive for most sites to want to bother implementing, though
I don't know exactly what the profit margin for spammers is like, but I'm not convinced a small multiplier in network costs is going to matter. Anyway, a lot of these "countermeasures" are mostly going to hurt maintainers of open relays, but if that means they actually fix them, I suppose that is almost as good.
Java: the COBOL of the new millennium.
i don't know why anyone here is giving this guy's idea a hard time! all i see are messages about why it wouldn't work...
even if it's not the best idea, at least he's trying to do something about it.
stupid slashdotters, all of you. quit being so hard on everyone. you know who you are.
Granted, it is unlikely to be *directly* throttling a spammers server.
Granted, what it *is* likely to throttle is some unsuspecting (we hope) person's open relay, and only one connection at a time.
The win comes when tarpits are widely distributed, thus raising the probability than *any* open relay is likely to get throttled as soon as it starts relaying spam. In the limiting case, most/all open relays are effectively useless to spammers. Now the probabilities work in favor of Good Folks (tm) and against spammers. The key to making this work is to have enough tarpits in place to capture all open relays quickly.
Note also, this is very low administration, requires zero active user intervention, and the cost of a false positive is quite low with no end user impact.
Easy to defeat, just use spamming software that dynamically increases its connection pool whenever it encounters a 'slow' SMTP recipient. Even if a large part of the net population were running this, the spammer could just spawn thousands of simultaneous (slowed down, yes) connections, and still maximize his bandwidth utilization. If it takes 2 minutes to send each message, it doesn't matter if he's sending 5000 messages at once!
I believe linux, for example, allows up to 8192 open sockets, and I think this can be changed with a sysctl command, and most definitely could be with a few changes to kernel headers.
Sure, it would take a machine with decent memory, but that's not too hard to find.
---
the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
...it'll slow them down by default!
MOD PARENT UP!!
Where did they get the idea?
This slowly replies to the spammer to hold open the connection, meanwhile it launches assorted scanning and attack tools against the originating IP...
The current version is quite primitive -- when it sees a new connection, it runs 'atq' to check if a job is pending, and if not, uses "sudo nmap -og -O" to determine the remote OS, then "at" to launch the appropriate attacks based on OS and open services.
qmail-spamthrottle is a patch to qmail which I have found quite helpful in fending off the high-volume spammers, particularly the "dictionary attack" type of spam run.
In a "dictionary attack", the spam sending software tries every likely recipient, from aabraham to zzebra. Usually they are looking more to generate a list of valid email addresses (these sell for a premium) than to actually deliver spam.
This causes a problem for qmail, as the default behavior is to accept any RCPT TO, then generate a bounce when the local delivery agent realizes the user does not actually exist.
I do not deploy Linux. Ever.
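Both the qmail-spamthrottle post above and the earlier ipfw post describe the same defence: judge the sender at RCPT TO time against the short list of real users, and once an IP has probed enough unknown names, drop the session instead of replying and refuse further connections until the block ages out. The code below is an added example of that logic, not qmail-spamthrottle or either poster's setup; the user list, addresses and thresholds are constructed, the clock is injectable so the ageing can be exercised, and the ipfw command shape in `block_command()` is illustrative only (check ipfw(8) for the exact syntax on your system).

```python
"""Rejecting dictionary-attack senders at RCPT TO time, per the posts above.

Added example; not qmail-spamthrottle or the qmail/ipfw setup described.
A single unknown recipient gets the normal 5xx reject, but once an IP has
probed `max_unknown` unknown users inside `window` seconds the session is
dropped without a reply, and every later connection from that IP is
dropped until the block ages out after `block_ttl` seconds. The user
list and addresses are constructed.
"""
import time
from collections import defaultdict, deque

VALID_USERS = {"alice", "bob", "postmaster"}  # constructed local user list


class DictionaryAttackGuard:
    def __init__(self, valid_users=VALID_USERS, max_unknown=3, window=60.0,
                 block_ttl=3600.0, now=time.time):
        self.valid_users = {u.lower() for u in valid_users}
        self.max_unknown = max_unknown
        self.window = window
        self.block_ttl = block_ttl
        self.now = now  # injectable clock
        self.unknown = defaultdict(deque)  # ip -> timestamps of unknown-recipient probes
        self.blocked_until = {}            # ip -> expiry time of the block

    def is_blocked(self, ip, t=None):
        t = self.now() if t is None else t
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if t >= expiry:  # block aged out automatically
            del self.blocked_until[ip]
            return False
        return True

    def rcpt_to(self, ip, address, t=None):
        """Decide on one RCPT TO: '250' accept, '550' reject, or 'drop' the session."""
        t = self.now() if t is None else t
        if self.is_blocked(ip, t):
            return "drop"
        local = address.strip("<>").split("@", 1)[0].lower()
        if local in self.valid_users:
            return "250"
        probes = self.unknown[ip]
        probes.append(t)
        while probes and probes[0] < t - self.window:  # forget probes outside the window
            probes.popleft()
        if len(probes) >= self.max_unknown:
            self.blocked_until[ip] = t + self.block_ttl
            probes.clear()
            return "drop"  # cut the session off; no DATA, no bounce generated
        return "550"

    def block_command(self, ip):
        # Illustrative shape of the firewall rule the earlier post adds; verify against ipfw(8).
        return f"ipfw add deny tcp from {ip} to me dst-port 25"


if __name__ == "__main__":
    guard = DictionaryAttackGuard()
    # Constructed probe sequence from one IP, aabraham .. abby style.
    for t, addr in enumerate(["<aabraham@example.org>", "<alice@example.org>",
                              "<aaron@example.org>", "<abby@example.org>"]):
        print(t, addr, guard.rcpt_to("203.0.113.7", addr, t=float(t)))
    print(guard.block_command("203.0.113.7"))
```

Rejecting at RCPT TO rather than after delivery is what removes the bounce problem the post describes: qmail never accepts the message, so there is nothing for the delivery agent to bounce, and the sender learns nothing about which names are real once it is being dropped.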
I mean -honestly- people. Spamminess? I understand what he's saying, and I suppose that _IS_ the point of language after all (to convey meaning)... but isn't there a way he could have said it without using the word "spamminess"? It's bad enough that English is so fscked to begin with, we don't need to make ourselves that much dumber.
-theGreater Esperanto Advocate.
Theo changed his mind about 550..
http://marc.theaimsgroup.com/?l=openbsd-misc&m=104027378218501&w=4
It's now 450.. Hurts more..
I'm thinking that using spamassassin along with qmail-qfilter and a small perl script to tie it together that invokes a sleep() loop for every spam-like message, it could easily be used to do the same thing, because spamassassin kicks back a score for the message's likelihood of being spam...
cheers..
I want SPAMMER to moan for Hao. I want them all sucking my big toe for mercy. Hao takes no bribe. Hao accepts no compromise. NEVER!
Hao wants to watch those blood suckers to SQUIRM!
I suggest you read Slashdot
Why use statistics to cause pain to spammers when electrical shocks to the testicles work so much better?
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
If hurting spammers is really what we're after, why not just set up a bunch of honey-pots around the net? Publish this software with the ability to tag a specific username@address.com as a honey-pot (user configurable). Then sys-admins around the world can make fake web pages publishing the emails, bots can catalog them, and consequently get stuck in them.
This method is better in the sense that it doesn't mess with anyone's real e-mail address and capitalizes off the stupidity of spambots.
If you do a static word frequency list, spammers will pass around it (check the POPfile site for the latest spammers' tricks); if it is dynamic, then the users of your system must train it for a while (someone must tell it whether some message is spam or not, by reading it). You must have another way to access your server for the training thing, and then another possible point of vulnerability.
And more than this, as it depends on the user, you should not use a common word frequency list; you should have one for each user, and check if the message is spam against the destination's word base.
At best, it will work for the users that care to train this server, for the other users that don't want to waste their time spam will be coming at the same speed as before. At worst, you'll be using a common list for all, and maybe slow down receptions of mailing lists or things like that, and people in your server could be unsubscribed from some of them.
It's a good idea, but there are some things that should be implemented with care, and it should work only for the users that care about it; the others should not be slowed down, because you can put obstacles in the reception of normal mail.
Anything that hurts spammers is a good thing(tm)
:)
I hope that I'll be able to use software like this in conjunction with spam assassin or messagewall. I use messagewall ( http://www.messagewall.org ) primarily in front of my MTA and it does a reasonable job of identifying obvious junk as well as doing basic virus scanning on incoming & outgoing email.
Amazing how much spam a few posts to some newsgroups generate, I create a new alias just for news every now and then to control the amount of spam I get, just delete the old alias and the spam bounces off the MTA..
I applaud the project, very cool idea!
If only we could throw the spammers in the tar pit.. that'd slow 'em down
-- If at first you don't succeed, lie!
His approach is to intentionally throttle down the connection to the incoming SMTP if it's SPAM. But most spam currently is sent from Windows or through open relays on Windows... which means they're running Windows.
Windows ain't quick. Is it possible to make it slower?
I have several domain names that appear on many of the "million address" CDs and other popular spam lists, but which no longer have any legitimate recipients/users.
We are also working on obtaining access to true "realtime" RBL lists of currently abused open relay servers. Assistance would be appreciated.
The core of "stations of the cross" is a custom DNS server. This server is authoritative for these oft-spammed domains, and each time a request is made for an MX record, it returns (with a short TTL) a unique randomly generated list of MXes, each address on the list being a known open relay.
So when a spammer or relay first goes to deliver a message, the system will select an open relay off the list of MXes, and hands off the message to that host. Being an open relay, the host accepts the message for my domain, then goes to do a DNS lookup for the MX record. The relay receives a (different) list of other open relays...
Usually, you can get a message to traverse a dozen or more open relays (most sendmail systems default to a maximum "hop count" of 25), after which the message will bounce.
Since the only traffic my server has to deal with is DNS queries and responses, this is very low-overhead for me, but depending on the size of the spammail, very high overhead for the open relay servers.
I do not deploy Linux. Ever.
Nonsense. All you have to do is consider the spamminess of the IP address connecting, and either not allow it or start it off with some "viscosity" based on its prior spamminess -- which is updated in realtime (thus not requiring a prior blacklist).
Or did you mean that the spammer would just send spam to 64k servers simultaneously? Either way, it doesn't really matter, because it is still putting a much lower upper limit on how much spam they can send in a given period.
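The per-IP "viscosity" sketched in the post above, and the earlier suggestion of seeding a high prior for listed spam-sending IPs so that suspect hosts are slowed on less evidence and trusted hosts need more, is a plain Bayes update followed by a mapping from posterior to delay. The code below is an added example, not TarProxy's code: each IP keeps smoothed spam/ham counts that give its prior, the content classifier's score (taken as P(spam | content) under an even prior, so its odds act as the likelihood ratio) multiplies the prior odds, and the posterior sets the stall per reply. The IPs, scores, seed weight and 30-second maximum are constructed assumptions.

```python
"""Per-IP prior combined with a content score to set connection "viscosity".

Added example, not TarProxy's code. Each IP keeps spam/ham counts; the
prior is the smoothed fraction (an IP from a spam-source list can be
seeded with a high count, an IP that has only ever sent ham drifts to a
low prior). The classifier's content score is treated as P(spam|content)
under an even prior, so its odds are the likelihood ratio that the IP's
prior odds are multiplied by. The posterior maps to a delay: none below
the threshold, `max_delay` seconds at certainty. Values are constructed.
"""
from collections import defaultdict


class IpReputation:
    def __init__(self, alpha=1.0, beta=1.0):
        self.alpha, self.beta = alpha, beta            # Beta(1,1) smoothing: unknown IP -> 0.5
        self.counts = defaultdict(lambda: [0.0, 0.0])  # ip -> [spam, ham]

    def seed_listed(self, ips, weight=8.0):
        """Treat IPs from a spam-source list as if they had already sent `weight` spams."""
        for ip in ips:
            self.counts[ip][0] += weight

    def prior(self, ip):
        spam, ham = self.counts[ip]
        return (spam + self.alpha) / (spam + ham + self.alpha + self.beta)

    def update(self, ip, is_spam):
        """Realtime feedback once a message's final verdict is known."""
        self.counts[ip][0 if is_spam else 1] += 1


def posterior(prior, content_score, eps=1e-6):
    """Bayes update of the IP prior with the content classifier's score."""
    p = min(max(prior, eps), 1 - eps)
    s = min(max(content_score, eps), 1 - eps)
    odds = (p / (1 - p)) * (s / (1 - s))  # prior odds times likelihood ratio
    return odds / (1 + odds)


def viscosity(p_spam, max_delay=30.0, threshold=0.5):
    """Seconds to stall each reply: 0 below the threshold, max_delay at certainty."""
    if p_spam <= threshold:
        return 0.0
    return max_delay * (p_spam - threshold) / (1 - threshold)


def delay_for(rep, ip, content_score, max_delay=30.0):
    return viscosity(posterior(rep.prior(ip), content_score), max_delay)


if __name__ == "__main__":
    rep = IpReputation()
    rep.seed_listed(["203.0.113.50"])        # constructed: listed spam source
    for _ in range(18):
        rep.update("198.51.100.20", False)   # constructed: only ever sent ham
    for ip in ("203.0.113.50", "198.51.100.20", "192.0.2.1"):
        print(ip, round(rep.prior(ip), 3),
              [round(delay_for(rep, ip, s), 1) for s in (0.6, 0.9, 0.97)])
```

With these numbers the listed IP (prior 0.9) is stalled about 26 seconds per reply on a weak content score of 0.6, the unknown IP (prior 0.5) 6 seconds, and the trusted IP (prior 0.05) not at all until the content score passes roughly 0.95; a few spam verdicts fed back through `update()` raise the trusted prior and the delay with it, which is the realtime update the post wants without a fixed blacklist.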
This sort of thing would allow me to run an open relay. I would be able to send mail from where ever I want to whomever I want from my server without having to worry about my bandwidth being wasted by spammers. Sure, some of my bandwidth would be wasted, but if they can use at most 1200bps (the speed of my first modem), I don't really care. And hopefully the server I have to relay to has a similar tarpit, preventing my precious upstream bandwidth from being wasted relaying spam -- it's not like I care that it takes 10 minutes to deliver a single spam.
Folks, this is a good idea. But sometimes the good people are punished by the attitude of bad people. A clear example which we can quote is: some broadband services block access to some sites. This is my case. I'm not a spammer, but I am punished by their attitude. Unfortunately this happens. This is a disadvantage of broadband connections: the incredible rise of the spammer bastards. Best regards. Blueice88
- Free: It's no good unless it's everywhere... or at least in lots of places. TarProxy is Open Source Software released under a BSD-style license and available on SourceForge (see project page for details).
- Platform Independent: TarProxy is written in Java, so it runs on Linux, Windows, Solaris, OS X, and any other operating system with a Java Virtual Machine available.
contradict one another, and therefore directly suggest incipient failure. Any program you want widely deployed had better not depend on having some buggy JVM installed.(Arguably that is the reason that Freenet has been a practical failure. Every time I have tried to use it, it has got stuck in an infinite loop, or consumed all my swap space, or crashed. I blame buggy JVMs.)
If you want software to be widely and successfully deployed, it should (must!) resemble the software that already has been. Almost all such code (99%+) has been in C or in C++. Are there any Free Software programs written in Java successfully deployed outside of Java development shops? (Rhetorical question; the answer is "not enough to matter".)
If you want portability to Unixes, to w32, and to Macosix, you already get that with Gcc and autoconf.
If it's in Java, I certainly won't run it as a daemon.
A 550 error is a permanent reject. The spam source knows that the mail cannot be delivered so it quits. A 450 error tells the connecting smtp server that your server is temporarily unable to deliver the mail, but that it's not a fatal error and delivery should be retried. This is much more likely to keep the message in the spammer's mail queue.
those bastards have been making us eat pink spongy meat. now they are gonna get a belly full of hot sticky black stuff!!!!!
"All stolen cars suddenly drive very very slowly."
That's why.
-dameron
Personally, the spam solution I like the best is to have procmail+formail or some other tool sitting on your mail server and making unknown senders go through a confirmation step. It doesn't work for everyone (for instance, people expecting email replies to résumés! NAGI...), but if it works for you it tends to work very well. It inconveniences everyone else, but hey, everyone else is not me. I can whitelist all the people I truly care about.
Either that or we should throw out SMTP, email RFCs, sendmail, etc. and build a spam-free system from the ground up. Yeah, right.
Washington, DC: It's like Hollywood for ugly people.
Module that accepts PHP scripts for the filter criteria, and filters themselves. (You've got Java in my PHP, You've got PHP in my Java!, two great languages that go great together!)
White list and black list (some sites only send SPAM, and you don't want your backup mailserver to be slowed down; you do have another higher-value MX in case your connection goes down, don't you?).
Batch processing mode, or call it store and forward mode.
Make sure to put the spam score into an "X-" header.
Optionally add in an Apparently-To header to track down bcc'ed messages sent to mailing lists... please...
Cool stuff. Love tar pits in general; this is the first ASTP (Application Specific Tar Pit) I have seen outside some work I started a while back with a business partner before getting snapped up into the seamy corporate world of senior-research-scientist-dom for a not-quite-a-dot-com company...
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
let's set up 2 dozen mailservers or so, and then flood the internet with their mail addresses in all the *good* spam spots.
if we could get some percentage of spam going to those servers *we* want, then none would get to the servers the spammers want
Normally I troll this website, but for once, I will make a non-troll post.
I am currently working on a website called the Internet Spam Database. Essentially, it will be a giant list of websites that sell your e-mail addresses upon registering an account or whatever on their sites.
I started the project a month ago, but have been pretty sluggish on getting it started due to other work I am working on.
If anyone has suggestions, beyond grammar and spelling issues, please reply.
How about a manual method where one creates a fictitious bounce message from spam that has made it to the mailbox?
The idea is the following: spam gets through whatever filter you might have, but you still want to reject it, and given that some spammers MIGHT be trimming their lists based on bounces, you forge a bounce message from the spam.
Does anyone know if this is possible with, eg, RMail or VM (or something else) running under Emacs?
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Good, we need more of these - for some other prior art refer to:
http://www.benzedrine.cx/relaydb.html
What about if the connection speed is inversely proportional to the number of connections from a given server?
But a server of extreme virtue might relay the spammer's own test messages (and of course not relay any spam.) Do you see why that is so effective against the spammer?
Windows users can do it:
http://jackpot.uk.net/
from the Latin, meaning body; akin to corpse and corporeal.
For example, if your machine only receives a small amount of email per day, why not throttle them to take 10-20 minutes of connect time overall? If you only get two emails per day (one real and one spam), getting them 10 minutes later probably won't bother you too much, but could cost the spammer or his relay-helpers a 5 minute duration on a connection.
I receive about a hundred emails per day from a number of sources, and adding six to sixty seconds of delay per email wouldn't cause me any grief. But if everyone throttled their email, it might cause someone using their '250 million Valid! Tested! Opt-In!' email lists to have to upgrade their machine to half a million connections to process it in an hour.
I don't see that differential throttling has any benefit over a constant throttling rate. For a big site, the differentiation between spam and not-spam would probably cost you any load advantage you earned in slowing the spam, and for a small system, the delay would not be noticeable.
Of course, big senders like AOL, prodigy, and yahoo, might have to upgrade...
In order to analyze the email and determine its rank as spam, wouldn't you first have to receive the email?
In which case, the remote end (the spammer) has pretty much completed its task and slowing down the connection at that point would have little to no effect since the only thing to send would be a signal to close the connection.
I must be missing something... Could someone elaborate?
-kidlinux.
I'm not saying that the recipient server tar-pitting is a bad idea, but I think that there are more effective ways of raising the cost for spammers. Blacklisting the entire /24 of anything supporting spam would pressure providers to nuke spammers (or at least pass on costs to spammers).
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Want to find open relays? Here's a nice simple way I implemented a couple of years ago, and ran for awhile. It's quite simple, and detects single stage relays rather quickly.
Write something that listens on port 25. When it receives a connection, connect back to the calling host on port 25. If the connection attempt succeeds, copy characters back and forth. Anything they send to you, you send to their port 25, and vice-versa.
If it's a true open relay, it will gladly accept the mail over and over again. I had a few mail servers looping THOUSANDS of times through me since they didn't check Received: headers. I also realize that it would be trivial to *ahem* "break" the Received: line such that it wouldn't increment the counter.
Granted, that sucks down bandwidth, so back to the point - proving that this is an open relay. What you do is stick a magic header in the message as it heads back to them. If you receive that header back from a host, it's something you've already looped, and they're an open relay.
Now you know they're an open relay, so you can add them to your MX lists. You can also then avoid letting them run through your looper, since it won't provide any more data.
The beauty of this plan is that you're only giving them what they pushed upon you first. If they leave you alone, you leave them alone. It's a nice implementation of a concept I wish more people would honor.
+0.644391703 Almost Funny
Would that work? Or would trying to keep track of 20,000 outgoing emails' transmission rates simultaneously cause more problems than it's worth?
Read about a method to get SpamAssassin to execute at SMTP time in exim (I'm about to implement this on my own mailserver) and read about teergrubing, which is basically the same idea as a tarpit.
Unlike the original post, Marc seems to have a stable working version of this right now.
That said, this is probably the most realistic method of causing spammers pain that we have right now, short of changing the way mail works in a fundamental manner.
I'll definitely be implementing teergrubing/tarpitting. I might even implement it on the multi-user hosting system that I helped to build. It probably wouldn't scale too well on a busy site though.
I'm going back to splinter cell.
But it's a lot cooler to think that your Bayesian TarPit JavaDaemon is reading your mail and slowly squeezing the life out of the spammer.
Why don't we just get rid of email altogether, creating instead some kind of system that sets up "friends lists", whereby you could designate only certain people whom you could send messages to and who could send you messages? Perhaps you came across a person online with whom you'd like to have an extended conversation. You'd introduce yourself to that person via some web app, and exchange identities via your messaging app, and then you could readily converse with that person. Businesses could automatically exchange identities over their networks. This would eliminate spam, because it could not be sent or received without the clients at both ends "knowing" each other. Somebody get started on this.
This is a very interesting idea - HOWEVER, it overlooks something very simple: If EVERYONE is installing this program, why wouldn't they just properly secure their SMTP servers? If everyone is using ESMTP, POP-before-SMTP or IP-based authentication, this isn't really needed on those systems in our scenario where everyone installs it. That means no more open-relay servers. As long as all ISPs are blocking outgoing SMTP connections, it means all mail has to be routed through their servers. If they were running it, they could take it a step further since they know the exact user sending the spam, and cut them off. That means no more spam, or at least a VERY reduced amount (as the people sending it get their accounts cut off). The problem here is which ISP is going to be the one to step up and deny access? Their spammer customers will seek another ISP that doesn't block the ports. Let's assume that ALL of the ISPs decide that they want to cut off some of their profits and block all spam. Then spammers will start getting their own servers. Of course, we can blacklist them. But if they set up a server, do a HUGE mass mailing all at once, then get blacklisted and move on, everyone is still going to get the spam from before they were blocked.
Speak before you think
This sounds on the surface like a good idea, but if many (most?) Sys Admins will not close their mail servers up to prevent relaying will they load this app? If I understand this right for this to be effective a lot of people would have to load this software. Given that many of the systems out there are corporate systems that run MS Exchange or Lotus Domino or Novell GroupWise will they even be able to load this? Just wandering thoughts.
Huh?
Since the spammers mostly use open relays, they won't be making the 250 million connections; they will distribute them to the open relays. However, the open relays will probably not reconfigure their servers to an unusually large number of connections, so a general gumming-up of the connections will hit the open relays harder.
I don't think it would work, because the spammers mail to the open relays, and the open relays do the dirty work.
In my experience the strongest indication of spam is near the very end of a message, where it says something like, "click here to unsubscribe." If you've already accepted that much of the message, isn't it possible that the spammer will only have to wait for the message acknowledgement before it disconnects? What the spammer may see is either a normal or a slow acknowledgement. Is that enough to make a difference?
FP... again!
What, you want us to do your homework for you?!?!
Spamicide huh?
Ever heard about a spam relay?
With this method you'll only get (most of the time) the relaying host, and STILL the spammer doesn't get it.
I'd say read the e-mail and use whois and CALL THE FUCKERS. Mail the registrants, complain about yahoo addresses for administrative contacts. Waste their personal time. I wouldn't give a shit if it would take one day to spam a lot of people or just one hour, but if I had to answer the phone all day without making any money...
Privacy is terrorism.
This won't work the way the author wants. Once the receiving SMTP server sends the 354 after the client issues a DATA command, there is no opportunity for the server to slow things down until it produces the 250 response at the end of the message. That is, at the application level, all the server can do is slow down the WHOLE message. During the transfer, the only way to slow things down would be to mess around with the TCP layer. The transport layer lives in the kernel. That means kernel module. That means not very portable. That means no Java. That means an SMTP server (by its nature a security risk) futzing with the security of the operating system itself.
You can slow things down by waiting before you produce the 250, but that is not at all a new concept. Several people have referenced Sendmail milters for that purpose already.
What about a 5000 Volt electric shock for each email they send? I think it would be more effective.
-------
Support Indy Music. Buy
Anonymous, but a good idea for an improvement to the grandparent, at least on the surface.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Well, say your email server handles 300 users. It's better to use a solution that handles it on the server if at all possible, because it'll take forever to get each of those 300 users set up, but you can probably set up your server in 1 hr.
On the other hand, it is worth investigating any idea that will inflict *some* cost on the spammer, since it all adds up.
It's hard to outweigh the pretty dramatic income potentials of bulk email; they make enough money that it's worth it to purchase -- for example -- sophisticated tarpit-detection software if necessary.
Personally, I liked Larry Lessig's bounty idea: sending spam w/o an [ADV] header means, legally, that the first person who can prove you did it gets a $10K bounty out of your pocket... but so far no one in govt has had any luck getting anything effective through.
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
Why not create a program (or plugin/whatever) that will talk to other mail servers... and whenever a spammer sends mail, you can launch a multiple DoS attack on the spammer. And since they are trespassing on your property (at least in US legality) you can claim that they trespassed you and you retaliated. Would it work? Could it work? Should we care a bit about legality in fighting spam?
I've been using qmail, qmail-scanner and SpamAssassin with a few very minor tweaks to deter spammers. Basically, qmail-scanner runs SpamAssassin, and if SA returns with a score above 15.0, instead of sending a "250 ok" to the spammer telling them the mail was accepted, I send back a "5.3.0 spam detected" -- this seems to have gotten me off a couple of spam lists where the spammers actually care enough to clean their lists.
... which I've done.
I made these tweaks because once the mail is sent and the spammer has disconnected, there really is no way of getting information back to them that you're rejecting their mail. So, you have to reject it at the time they've got the SMTP session established.
TarPit seems like an exercise in overengineering with little proof that it'll do anything to hurt spammers -- they'll figure a way around the tarpit, somehow.
-- Dossy
Dossy's Blog
I get frequent spam messages to my primary account -- the message body ALMOST always follows the same layout. It involves "seks" and anything that could possibly gross you out. I filter my messages based on the seks flag, but I STILL get spam with derivations of the same message.
I am ready to shut my account off for a week so that all the spam bounces. It really pisses me off, there is NO way to get off this list of HELL.
I've been a user of SpamNet for a few months and it has been doing a half decent job of catching spam. I've just downloaded their SpamNet beta 8 (I was using beta 7 or something earlier) and on the surface, it seems like they've improved a lot of stuff.
Anyways, www.cloudmark.com. You know the drill.
I like the idea of going door to door and beating the shit out of every spammer.[Jay and Silent Bob Strike Back]
Lizard "Never let them set limits on your mind!"
Here's what I'm going to do. I'll download a copy of your Tarproxy and take it apart. I'll find the good words, the bad words, and all the other rules and exactly how everything is weighed. Then I'll sit down and carefully craft a message that will sneak under your spam filter, but will still manage to do a decent job of selling my penis enlargement device. Once that's done, I'll email the message off to 15 or 20 million of my closest friends.
I'm sure you'll get a chuckle out of the clever way I wrote "P3nis" instead of "Penis". And you'll probably modify your filters so that they look for that word from now on. But all that means is that I have to download the new version and figure out some other way to sneak past it. Sure, your filter will get cleverer and cleverer, but I'll always have the advantage of knowing the rules beforehand and being able to try and retry and carefully craft my message until it works.
Will this work? Or am I missing something?
I am NOT a man!
I am a free number!
It probably won't work, since spammers are professional and very devious...Gosh what if it could work. The possibilities are endless...why, we could slow the entire cultural progress of entire nations like Taiwan!
Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
Well, that actually addresses startup time, which is pretty irrelevant for an SMTP server, I'd have thought. (The general problem is being tackled more thoroughly in a JSR for an isolation API.)
There's no reason why Java shouldn't be fine for this task.
Jon
Other messages have mentioned the formmail.cgi vulnerability, and my weblogs are full of requests from spammers' spiders looking for this script.
Presumably there are various ways to use a request for formmail.cgi in retaliation.
1. 404 the request, but then launch a massive DDoS attack on the sending IP, taking out their spider.
2. Accept mail and deliver it directly to /dev/null.
Trouble is, (1) is probably illegal - you can't shoot a burglar. (2) would consume lots of _your_ bandwidth, but undoubtedly keep some SPAM off the streets - lowering the spammers' response rate at least.
Any thoughts?
Zones from the DSBL Project are available via rsync (bottom of page) as well as http.
Unselfish actions pay back better
Here's why: because that will penalize legitimate but large-scale mail servers.
For instance, my ISP is a cable modem provider. They have probably tens of thousands of clients locally, all sharing an SMTP server. That SMTP server is presumably busy all day delivering a large volume of legitimate mail. If everything is throttled, then it will become much harder to run that server.
(And yes, you can increase parallelism, but there is a limit to how much you can do that. Each thread or process has a certain overhead, and the maximum number you can have going at once is probably smaller than you think.)
In your "if I were the spammer" scenario, you say that you'd log an address as "do not spam again".
So yes, I think the spammers can adapt, but if they, by adapting, end up taking 99% of the addresses off their lists, then suddenly they are making 1% of the money they were making. (I'm assuming they're paid by the address.)
So how is that a bad thing?
And the whole point is to change the economics, so that, while spamming is still possible, it's not an easy route to making money. Then the losers who spam will look for some other sleazy way to get rich.
Why not attack spammers in the reverse way? So, imagine for a moment that you are a spammer. You get paid more for more results, right? Well, imagine that I make an SMTP server that, when you spam me, searches through your message and starts crawling all embedded links, until I've hit about 20 of them. But I don't stop there. I keep crawling. Maybe if there is a form on the site, I fill it out with bogus garbage, and submit it.
The idea would be that when someone sends out spam, this server would generate a flurry of activity. Suddenly, the spam would be so effective at bringing traffic, but not actually effective AT ALL at bringing valuable traffic. Imagine if you hired a spam company to promote your site, and suddenly, your site had the /. effect, but none of the traffic was genuine. You would be paying for lots of wasted bandwidth with fewer results. How could you distinguish good results from bad ones?
If you want to stop spam, you have to attack the people who benefit from it, not the people who perform it.
If the tarpit is sensing that mail coming from your IP address has a high probability of being spam based on content signatures, it throttles down the bandwidth for your IP address, or at least that's the impression that I get.
My IPs that are relatively clean may get 1.44 Mbs of bandwidth; Evil-Spammer only gets 14.4 Kbs. Evil-Spammer is getting blocked for all practical reasons because he's trying to send a Gigabyte of spams. It doesn't matter whether 1 thread gets 14.4 or 100,000 threads get 14.4 Kbs. And all of this will change in real time.
Apocalypse Cancelled, Sorry, No Ticket Refunds
So the tarpit slows my SMTP way down; unless I've attached a 15MB MPEG to my emails I'd never notice. It would be "Gee, mail's a bit slow" if I noticed at all. Sending a couple GBs of spam would be a different story. I thought this thing was supposed to analyse in real time so it would only affect my spam and not real email coming from the same IP address.
Apocalypse Cancelled, Sorry, No Ticket Refunds
The real trick is how to detect if the email is coming from an unknown open relay and, if so, block the email from arriving at a user's email account.
How?
Sender SMTP connects to receiving SMTP; receiving SMTP tries to relay an email back through the sender SMTP; if successful, then you have an open relay.
This would detect truly open or misconfigured mail relays besides the pay-for relays etc.
Discuss...
Hurting the spammer is good, but the main advantage is that this solution will lessen the load on my internet connection!
Just have to be careful to make an exception for my e-mail forwarders. Wouldn't want to punish my mail redirection servers.
This idea could be turned into a distributed project, much like distributed.net. The idea would be to create a new mail filter, or filtering plugin, which would pass all URLs found in any mail message stored to the spam folder to the distributed network. Each participant of the network would automatically start crawling the URLs submitted at an easy pace so as not to have an effect on the user. But the combined effect would be dramatic for the targeted websites. Anyone stupid enough to go seeking for their stuff would time out due to server load.
And of course, the User-Agent would be faked to be MSIE.
Since most spammers use open email relays to send spam, why not attack the open relays? There's no reason I can think of for leaving a relay open, so they must be open because of either lack of knowledge or because the admin wants people to be able to use it without authentication.
So why not create bots that scan for open relays and start DDoSing them once found? I doubt open relays have enough hardware to avert angry spam recipients' counter-attack.
And if the relays are open because of lack of knowledge, the DDoS attack could send some message like "Your relay is open and I like spam THIS much."
I understand this guy's theory of operation, but I am not convinced of its value for the following reasons:
With all that aside, there may be some points in this that are valid. But I'm not certain that the usage of mail servers by spammers is going to be entirely affected by this technique.
Wouldn't it be easier to simply challenge each incoming IP address to test it for being an open relay and if so, REJECT?
I think that the postfix group has a similar concept for testing any incoming email address in the MAIL FROM tag to see if that address can in turn accept mail.
This is a really hot idea - wouldn't take many of these to grind those 12k worth of open relays into the dust.
The effect would be
That made no sense.
Some people make no sense.
Fight off lawsuits???
Nobody... NOBODY... has the inalienable right to send me email. I am under no obligation to read any email, and my system is under no obligation to accept any bit of email.
Is there anybody with the stupidity to engage in such a lawsuit (Well, some lawyers DO have the requisite stupidity...)
This system seems to be based on the idea that these tarpits would be fairly prevalent. Just one or two wouldn't really do a whole lot, because as you say they don't really use up any bandwidth. But if you are a spammer using a mail server that can make 100 connections and say 50 of these are tied up indefinitely sending mail at 14.4k then you are going to have a definite reduction in the amount of spam that you can send. The more of these tarpits there are, the more a spamming server will be slowed down.
It'll save your bandwidth. Spam can be big.
If we have a way to approach 100% adoption and install software on everybody's server, let's install Spam Sleuth Enterprise or another similar tool and solve the problem completely.
We can't even get administrators to patch their systems. What are the odds on getting this thing widely used?
I got the same spam. No problem with my naive Bayesian filter:
nrc 0.9322408 200 0.8996861 -0500 0.9530694 5329 0.9897271 u 0.9130855 s 7.409731E-02 communigate 0.9296147 contrast 4.253653E-02 codewks 0.9789982 f 0.9006658 nacjack 0.9789982 wlink 0.98057 cithara 0.9689967 feb 0.9688099 2003 0.9078071 Spam ratings:0.999999999999999
The headers are still compromising, and with no real English words, there's nothing to weight this message against being spam. Interestingly, very few people sending me real email use the letters "f" and "u" on their own. :-)
Recycle PCs and build a wireless community network www.hillsborough.org.nz
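An added example, not code from TarProxy or from any poster here, tying together two of the comments above: the one pointing out that after DATA/354 the server's only chance to slow things down is the final 250, and the one showing a naive Bayesian filter's per-token probabilities. It models the receive side of an SMTP session, scores each message with a Graham-style naive Bayes combination, and holds replies only where the protocol allows; the token table, delay tiers and sample dialogue are constructed, and the combination is also run over the 15 probabilities quoted in the comment above.

```python
"""Added example (not TarProxy's or any poster's code).  Models the receive
side of an SMTP session: delays can only go on command replies and on the 250
that follows the end-of-data '.', never mid-message.  Messages are scored with
a Graham-style naive Bayes combination of per-token spam probabilities; the
token table, the delay tiers and the sample dialogue are all constructed."""
import re

# Constructed P(spam | token) table; a real filter learns these from corpora.
TOKEN_PROB = {
    "viagra": 0.99, "unsubscribe": 0.97, "free": 0.9, "click": 0.88,
    "meeting": 0.05, "patch": 0.08, "thanks": 0.1, "lunch": 0.12,
}
UNKNOWN_PROB = 0.4   # Graham's default for never-seen tokens

# The 15 token probabilities quoted in the comment above.
QUOTED_PROBS = [0.9322408, 0.8996861, 0.9530694, 0.9897271, 0.9130855,
                7.409731E-02, 0.9296147, 4.253653E-02, 0.9789982, 0.9006658,
                0.9789982, 0.98057, 0.9689967, 0.9688099, 0.9078071]


def bayes_combine(probs):
    """Graham's combination: prod(p) / (prod(p) + prod(1 - p))."""
    p = q = 1.0
    for x in probs:
        p *= x
        q *= 1.0 - x
    return p / (p + q)


def spam_score(body):
    """Score a message body using its 15 most 'interesting' tokens."""
    tokens = set(re.findall(r"[a-z0-9]+", body.lower()))
    probs = sorted((TOKEN_PROB.get(t, UNKNOWN_PROB) for t in tokens),
                   key=lambda x: abs(x - 0.5), reverse=True)
    return bayes_combine(probs[:15]) if probs else 0.5


def tarpit_delay(score):
    """Seconds to hold a reply once a sender is classified (assumed tiers)."""
    return 120.0 if score > 0.9 else 10.0 if score > 0.5 else 0.0


class SmtpSession:
    """Per-connection state; feed() returns (reply or None, delay_seconds)."""

    def __init__(self):
        self.in_data, self.lines, self.scores = False, [], []

    def feed(self, line):
        if self.in_data:
            if line == ".":                      # end-of-data marker
                self.in_data = False
                score = spam_score("\n".join(self.lines))
                self.scores.append(score)
                self.lines = []
                return "250 OK", tarpit_delay(score)
            # Dot-stuffed lines ("..x") carry a literal leading dot.
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None, 0.0                     # no reply mid-message, so no delay
        # Envelope phase: replies may be held based on what this peer sent earlier.
        delay = tarpit_delay(max(self.scores)) if self.scores else 0.0
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>", delay
        if verb in ("HELO", "EHLO", "MAIL", "RCPT", "NOOP"):
            return "250 OK", delay
        if verb == "QUIT":
            return "221 Bye", 0.0
        return "500 Unrecognized command", delay
```

Run on the quoted probabilities, the combination comes out within 1e-14 of 1, consistent with the 0.999999999999999 rating in the comment; the session shows that the first spam message's 250 is held and every later envelope reply on the same connection is held too.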
We roil at the thought of the RIAA and MPAA getting powers to play vigilante on the net. Yet a half-baked scheme to annoy spammers is getting lauded? Remember blackhole lists. Get people on board, use it. Ponder SMTP AUTH. The world is full of bloodthirsty cretins; got a minute? Look in the mirror and you might see a few.
sa-exim already does this.
check out:
Exim SpamAssassin at SMTP time
http://marc.merlins.org/linux/exim/sa.html
The short of it is that there is no legal way to cause spammers pain.
I've been running a tarpit for the past six months. (Exim + SpamAssassin + SA-Exim) During that time, I've seen that roughly 5% of spammers will sit around for however long I feel like tarpitting them (my timeout is currently four days), while the rest of them are smart enough to disconnect from my tarpit when they see that I'm holding them open.
But the spammers are using open relays, and there's an infinite supply of open relays. If one of them gets bogged down, they'll just move on to another.
The especially interesting thing is that I've seen the amount of spam attempts on my server *triple* since I started tarpitting them, from 100/day last year to 300/day now! It's as if the spammers love to be tarpitted!
And I've found out there's absolutely no way to convince a spammer to remove me from his mailing list. Tarpit him, he doesn't care! Give him a 5xx error code, he doesn't care! Firewall his connection attempts, he doesn't care! It's easier for spammers to sell lists of five million addresses (4.99 million of which don't accept email) than it is to try to pay attention to error messages and failure states and weed out bad addresses. I've even seen spam addressed to the message IDs of Usenet news postings.
Or am I missing something? It seems to me that they will gladly loop, neither is an open server, and one (or both) will blacklist the other.
Pulp Audio Weekly - Geek News and Reviews
Easy for the spammer to defeat on a widespread basis, yes - but if I use the spam tarpit, my incoming mailserver's still protected against an incoming firehoseload of spam. That's what I care about - other admins' systems are their responsibility, not mine.
Spam tarpits are a think globally, act locally solution.
Just track down the sources of the spam, drive over to the building in which the computer(s) are housed, and toss a stick of dynamite through the window. Repeat.
After a few weeks of this you will no doubt be the subject of a massive nationwide manhunt, but it will be worth it. Spammers will live in terror, and the spam servers will go down faster than a hooker on the titanic.
Have a wonderful day.