Fighting the Hydra -- A Spam Warrior's Tale

Selanit writes "Salon has an interesting article about the battle against spam from the viewpoint of Suresh Ramasubramanian, a sysadmin working in Hong Kong. His most interesting complaint concerns the fragmentation of anti-spam forces: not only does he have to deal with spammers, but also with anti-spammers who assume because his company is Chinese that he isn't doing anything about spam. Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?"

One way to slow a specific flood

[fanatic]

From the article: expert spammers can also switch IP addresses as quickly as the blocks are applied.

A honeypot for spam - mentioned here previously, I think - would be one answer. It would recognize a spammer and, instead of disconnecting, it would accept all the spam - very sllloooowwwly, then discard it. It's not a trivial programming task, since the spam would have to be recognized, then treated differently from that point on from regular email. But it's feasible, I think and would help fight the large scale attack noted at the beginning of the linked article.

Re:One way to slow a specific flood

[kasperd]

A honeypot for spam - mentioned here previously, I think - would be one answer.

I have previously mentioned a honeypot here, but not the one you are talking about. I try to receive the spam as fast as possible in the hope that every spam ending up in my honeypot is one less spam to end up elsewhere. But I feel it is getting harder to attract spam. Though I have been working hard to make my honeypot attract lots of spam, and in the process managed to get my IP on OpenRelayCheck, I only got 1.3 million yesterday. My record from october 2002 was 36 million in 4 days.

Re:One way to slow a specific flood

[flonker]

I run a program that just listen on port 25, pretending to be an open relay, and logs all relay tests to a file. I get scanned by testers using the following two email hosts constantly. The 21cn.com one has been using the same exact address for months now. Almost makes me want to mailbomb them.

Mar 27 08:07:18 [210.222.196.141:27910]
ehlo ll-nidaf2xx5kn9
Rset
Mail from:<china9988@21cn.com>
RCPT to:<china9988@21cn.com>
Data
From: china9988@21cn.com
Subject: 68.22.196.106
To: china9988@21cn.com
Date: Thu, 27 Mar 2003 23:20:51 +0900
X-Priority: 3
X-Library: Indy 8.0.25
t_Smtp.LocalIP
.
Quit

Mar 27 19:23:10 [210.222.196.133:58885]
HELO hanmail.net
MAIL FROM:<jkdsa@hanmail.net>
RCPT TO:<mg0108@hanmail.net>
DATA
Message-ID: <20820-2200335282014339@hanmail.net>
X-EM-Version : 6, 0, 0, 4
X-EM-Registration: #0010630410721500AB30
Reply-To: rolliey@hotmail.com
From: "good" <jkdsa@hanmail.net>
To: mg0108@hanmail.net
Subject: 68.22.196.106
Date: Fri, 28 Mar 2003 11:00:14 +0900
MIME-Version: 1.0
Content-Type: text/html; charset=KS_C_5601-1987
Content-Transfer-Encoding: quoted-printable
<HTML>
<HEAD>
<META NAME=3D"GENERATOR" Content=3D"Microsoft DHTML Editing Control">
<TITLE></TITLE>
</HEAD>
<BODY>
<P></ P>
</BODY>
</HTML>
.
QUIT

Outblaze, huh?

[Pathwalker]

Those guys have to run the most annoying relay tester I've seen. Every time it tests you, it sends a burst of 30 messages or so, all with return addresses on the box they are testing so they don't have to deal with bounces.

Now, some people may feel it's my own fault for taking advantage of the part of RFC 2821 which states that if a mailserver defers checking to see if it can relay or deliver the mail then "These servers SHOULD treat a failure for one or more recipients as a "subsequent failure" and return a mail message as discussed in section 6.".

But, I guess they feel that everyone runs sendmail, so every time they test my mailserver, I end up with another batch of relay rejected messages intended for them sitting in my postmaster mailbox.

There are two parts of this that bug me:

1. If a mail server does not relay mail, it is rude for a test to result in mail to the administrators of that server
2. It is possible for the username they use in their test to actually deliver mail to a real user. I consider it as bad as spamming if their test drops dozens of messages in the account of an innocent user with no idea of what is happening, or control over the mail server.

Re:Another world group?

[BrookHarty]

I don't see how anyone is going to trust the USA in an international treaty any time soon. The USA will simply opt out of any regulation as soon as it hampers their economic well-being.

First.

Get off the USA bashing kick, all countries look after their own economic needs. (aka, sweat shops are illegal in the USA, but the WTO says that in 3rd world countries as its the only work available, they are legal...)

Second.

The USA (aka Federal Government) has nothing to do with Spam guidelines unless its a Federal Law. (Which could be considered a violation of Interstate Commerce, thats part of the reason no laws are passed at the Federal level... btw, IANAL...) This is also why we are trying to pass State level laws for Spam.

But, if ISPs who want to deal with SPAM can join blacklists, whitelists, coalition, etc. Nothing is stopping them. But on the Other side, there is money to be made in Spam, and companies willing to make a buck will do it. (All around the world, not just the USA or Hong Kong.)

Long time spamfighter

[tsvk]

Shuresh is also a regular poster in the newsgroup news.admin.net-abuse.email, a discussion forum about e-mail abuse.

Check his postings from the Google Groups archive.

Filling referenced website logs with crap?

[BigBlockMopar]

How do people feel about scripts to fill website logs with crap? Here's mine, quick and dirty, written in about 30 seconds because I was pissed off:

#!/bin/bash
COUNT=0
while [ $COUNT -lt 10000 ]; do
lynx -dump http://www.resumeagencies.com/recruiterspage.asp?Y OU_FILL_MY_MAILBOX_WITH_UNSOLICITED_CRAP_AND_I_WIL L_DO_THE_SAME_TO_YOUR_WEBLOGS
sleep 1
let COUNT=COUNT+1
echo $COUNT
done

Note the fact that I'm calling what I hope is a dynamic page, so with luck, I'm wasting their server's processor time. The script is otherwise, as you can see, completely unrefined.

Legality, anyone? Other problems (despite the obvious fact that I have to waste my bandwidth to fuck with spammers)? Obviously, it's a DoS attack of sorts, but then again, so is an unsolicited e-mail. If they want to challenge me legally on that point, then I will do the same to them. My website very clearly points to the policies which apply to all e-mails sent to my domain.