Slashdot Mirror
Fighting the Hydra -- A Spam Warrior's Tale
Selanit writes "Salon has an interesting article about the battle against spam from the viewpoint of Suresh Ramasubramanian, a sysadmin working in Hong Kong. His most interesting complaint concerns the fragmentation of anti-spam forces: not only does he have to deal with spammers, but also with anti-spammers who assume because his company is Chinese that he isn't doing anything about spam. Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?"
I think this article does bring up a good point that people do tar Asia with the same brush in that you can just block them and have no problems. Its nice to see someone doing a decent job. For more fun on fighting spam see NANA
rus
Cheap UK and US VPS
No matter what he does, he can't please everyone. According to Tiffiany Mork, senior abuse engineer at Allegiance Internet, a very thick skin is a requirement for an abuse-desk worker. Her typical day includes verbal harassment, screaming, threats, and "all manner of nasty things."
Like that is different from working in any other kind of helpdesk!
... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?
Yes, it's like the horde of trolls striking while other people are trying to discuss the subject at hand.
This whole spammers versus spamblockers has proven to be a destructive arms race.
Many legitimate machines and users - even whole ISPs - unfairly end up on blacklists, while the spammers just find another way through.
The spamblocker tools and their heuristics get smarter, but don't forget that spammers keep up with these tools and constantly find new ways around them.
I was using Razor and SpamAssassin for months. Formidable combination - networked blocklists plus pattern matching. Gave me a bit of peace. Very few false negatives. But in the last month, I've seen a whole new generation of spam coming through that the filters don't even touch.
Peace has finally come from a package called Active Spam Killer, a package which works from a white list, and provides a convenient way for new correspondents to get themselves onto the whitelist.
There are other whitelist-based packages, such as TMDA, but ASK is simple and painless to set up.
Result?
Spams to my mailbox have gone from 40 a day to zero.
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
From the article: expert spammers can also switch IP addresses as quickly as the blocks are applied.
A honeypot for spam - mentioned here previously, I think - would be one answer. It would recognize a spammer and, instead of disconnecting, it would accept all the spam - very sllloooowwwly, then discard it. It's not a trivial programming task, since the spam would have to be recognized, then treated differently from that point on from regular email. But it's feasible, I think and would help fight the large scale attack noted at the beginning of the linked article.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
I don't see how anyone is going to trust the USA in an international treaty any time soon. The USA will simply opt out of any regulation as soon as it hampers their economic well-being. Since most of the spam originates in the USA, how likely is "USB"?
Hmm ... decentralized opponents striking from the shadows against quarreling allies. Does this sound familiar to anyone else?
I don't know if this is a "Lord of the Rings" reference or a "War on Saddam" reference.
Every day, 80 percent of all incoming mail to Outblaze is rejected as spam and filtered out before Ramasubramanian and his team have to deal with it. Out of the remaining 15 million messages per day that do pass through Outblaze servers
So if 15 million messages is 20% of what they get, they receive 75 million individual messages a day? That seems a little high...
Think about it...the dictionary spammers have not gotten as far as sramasubramanian@hotmail.com
Time for all responsible ISPs to assign their own anti spam reps, reach out, get a list of ALL isps, contact their anti spam reps and take action.
:]
Get organized and form a plan but first, get organized on a global level.
Then kick some ass and pool for legal action against the thieves.
- Zav - Imagine a Beowulf cluster of insensitive clods...
Just the thought of this makes me sick.. Almost as sick as those who make spamming profitable.
Now that I've thought about it. How is spamming still profitable? Are there that many people out there that are into having sex with farm animals? Or believe their are pills that increase life span? Who the hell are these people?
This is a funny mistake as the new word has a new meaning, although it doesn't make sense
It should be Sturmbannfuehrer.
Sturm -> storm
bann is a shortened form of banner, which is the same in english
fuehrer -> leader
--> storm banner leader
bahn is either course or a train running on the course/rail. I'd translate Sturmbahnfuehrer as storm train leader
More precisely a rank only used by the SS (Schutzstaffel) the regular army used Major
Now, some people may feel it's my own fault for taking advantage of the part of RFC 2821 which states that if a mailserver defers checking to see if it can relay or deliver the mail then "These servers SHOULD treat a failure for one or more recipients as a "subsequent failure" and return a mail message as discussed in section 6.".
But, I guess they feel that everyone runs sendmail, so every time they test my mailserver, I end up with another batch of relay rejected messages intended for them sitting in my postmaster mailbox.
There are two parts of this that bug me:
"There are other whitelist-based packages, such as TMDA, but ASK is simple and painless to set up."
And how do you feel about making all innocent senders of mail do extra work, while spammers simply ignore it and move on?
I simply cannot justify that, based on the redistribution of workload and increased aggravation - you send me a bounce message, I consider your email address invalid whether that bounce is "500 address unrouteable" (a valid, understandable error) *or* "500 I Don't Like You" - which I consider frankly offensive.
Go back to SpamAssassin, get 2.50 or better, which includes Bayesian analysis as well as all the above. Or just shove a Bayesian filter in the way after SA; here, I have outright regexp-based rejection and SA in exiscan, followed by bogofilter in procmail - very few spams get past the first hurdle (From: headers snarfed from Usenet) and those that do are caught either by SA and/or bogofilter.
This way happiness lies.
~Tim
--
Rushing on down to the circle of the turn
Yeah, these people blocking all mail from Chinese and korean subdomains are idiots. How are they supposed to work with anti-spammers there if they can't even talk to them?
I mean, I guess it'll help cut down on the spams they get, but it won't help stop the problem.
Anyway, the true way to stop spam is challange-response for the first message from a new person. Easy to implement, and it dosn't require any software for the sender.
autopr0n is like, down and stuff.
1) you would have their real email address and
2) you could use a 'what number is this a picture of' type questions. The problem is figuring out how to make it multilingual.
But really it dosn't need to be standardized at all, since these things are going to have to be handled by real people, rather then computers.
autopr0n is like, down and stuff.
If 50% of all mail in the US is spam, then the other 50% must be the bounces for all that undeliverable mail!
I run a mail gateway for a medium sized company, and although not on the scale of a large ISP, I see many of the same problems. Dealing with spam on a gateway level is quite different from dealing with a single personal mailbox. And spam flooding has gotten much worse in the last few months. Getting over a 1000 messages in under a minute can really start to tax your infrastructure. Actually from my own observations, I'd say that at least 75% of all mail is spam, and 80% of that is undeliverable.
Of course one of the big problems as Ramasubramanian points out is that spammers are getting very sophisticated at impersonating other entities. This results in a large number of bounces being directed back to the wrong guy. So not only are you getting spammed, but you are also indirectly spamming the poor guy who is being impersonated with your flood of bounces. And the bounces also cause other problems because it tends to fill up your outbound mail spools, as well as making the required postmaster account near useless sometimes.
One thing I've learned is that a mail administrator must be very careful about constructing blacklists and filters. I use sendmail and make heavy use of it's milter programatic filter interface. It's amazing how being able to analyze the mail at the protocol level (such as the HELO command) helps identify impersonated mail that can't just be done by only looking at mail headers or the message body. It is also possible to help correlate large volumes of nearly identical inbound mail from a large number of different servers, as well as correlate them with large number of undeliverable outbounds. I'm also very careful to check whois an other registrar databases before adding blacklist entries, to help prevent blacklisting the wrong guy. But I do admit that for a few of the most audacious flood attacks, I actually have to resort to iptables firewall blocks to stop it even before sendmail sees it. I really dislike having to disobey the SMTP standards, but spam floods are IMHO just as destructive as worms and viruses!
The thing I fear most as a mail administrator is not the inbound spam, but that some spammer may start impersonating my company! We'd start getting placed on blacklists and blocked, plus we'd start getting flooded with all those bounce messages (probably an order of magnitude more than direct spam). How can one possibly protect against that?
Let's hope so. Then I'd just accept all mail slowly and spam would go away!
Seriously there are flaws in this kind of defense. First, I'm already seeing several spammers who already send mail slowly, probably to avoid setting off statistical trappers and to make it harder to scan through log files. Also don't forget that the spammers usually have much more bandwidth than the recipient; you can never win by trying to fight the battle of resources!
BTW, this is NOT very tricky programming to do if you use the Milter programming interface to sendmail...in fact it is quite easy to do. But like I mentioned, you're sort of self defeating, because you burn your own resources by being slow.
<link rel="DoNotEmail" href="mailto:aa0u@kjernsmo.net" />
(yeah, that's a real, living trollbox, spambots, do your worst! :-) ) Very few users will ever see this, but the spambots will harvest it. It is clear that many of them do.
The other thing you mention, I think that is what is meant by a Teergrube. Marc Merlin has some good stuff on using Exim and SpamAssassin to reject messages or making spammers stick in a teergrube. He has some debs too.
Unfortunately, I haven't had time and I haven't been feeling adventurous enough to try all this, but clearly, it works well.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
I don't see how anyone is going to trust the USA in an international treaty any time soon. The USA will simply opt out of any regulation as soon as it hampers their economic well-being.
First.
Get off the USA bashing kick, all countries look after their own economic needs. (aka, sweat shops are illegal in the USA, but the WTO says that in 3rd world countries as its the only work available, they are legal...)
Second.
The USA (aka Federal Government) has nothing to do with Spam guidelines unless its a Federal Law. (Which could be considered a violation of Interstate Commerce, thats part of the reason no laws are passed at the Federal level... btw, IANAL...) This is also why we are trying to pass State level laws for Spam.
But, if ISPs who want to deal with SPAM can join blacklists, whitelists, coalition, etc. Nothing is stopping them. But on the Other side, there is money to be made in Spam, and companies willing to make a buck will do it. (All around the world, not just the USA or Hong Kong.)
I knew Suresh Ramasubramaniam personally a long time ago when he worked for Intel. Wow, I had no idea he was into spam-waring know.
Caution to all would-be spammers: Suresh is a guns and rifles enthusiast and has a very nice collection of assorted weapons and ammunition. Who knows what he might do to a spammer as a last resort...
I have found a truly wonderful proof of Fermat's Last Theorem, but unfortunately this sig is too small to contain it.
Shuresh is also a regular poster in the newsgroup news.admin.net-abuse.email, a discussion forum about e-mail abuse.
Check his postings from the Google Groups archive.
/me shudders
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
How do people feel about scripts to fill website logs with crap? Here's mine, quick and dirty, written in about 30 seconds because I was pissed off:
#!/bin/bashCOUNT=0
while [ $COUNT -lt 10000 ]; do
lynx -dump http://www.resumeagencies.com/recruiterspage.asp?
sleep 1
let COUNT=COUNT+1
echo $COUNT
done
Note the fact that I'm calling what I hope is a dynamic page, so with luck, I'm wasting their server's processor time. The script is otherwise, as you can see, completely unrefined.
Legality, anyone? Other problems (despite the obvious fact that I have to waste my bandwidth to fuck with spammers)? Obviously, it's a DoS attack of sorts, but then again, so is an unsolicited e-mail. If they want to challenge me legally on that point, then I will do the same to them. My website very clearly points to the policies which apply to all e-mails sent to my domain.
Fire and Meat. Yummy.
Suresh Ramasubramaniam must be a very comm... Right. As you were.
Government of the people, by corporate executives, for corporate profits.
There was something about the article that bothered me - perhaps it was just unclear reporting, or perhaps it wasn't.
According to the article, this guy is having to block off a flood of mail from spammers to his system. The way I read the article, this flood is not for Outblaze users, but just for relaying. Why the bleep does his mail server even accept this mail? Any modern sensible set up mail server should follow a ruleset like:
if (sender is one of my users)
accept
else if (recepient is one of my users)
accept
else
bugger off spammer
endif
Ideally, the mail server would log system that were trying to send mail that didn't pass that test and tell the router to drop packets from them for a few hours.
Bam! 90% of problem solved.
Having received spams relayed by Outblaze servers, I don't think that's what is happening. I think they are running open mail servers, and trying to keep the spammers from using them.
I could be wrong, but that's how I read the article.
www.eFax.com are spammers
"The challenge we face is the same challenge little Hans Brinker faced when he stuck his finger into that dam," Ramasubramanian said. "We know that as soon as we let our collective fingers slip out of the thousands of tiny holes we are plugging we will drown in a massive sea of spam."
Maybe that's exactly what we need to get the attention of the Governments of the world to get serious about spam. Let the dam break for a couple days all over the world. Don't block anything. When people get thousands of spam in their inbox a day and servers around the world slow to a creeping halt perhaps the powers at be will finally get serious to stop spammers.
Dirk
Which, of course, raises the possibility of dropping "bunker busters" on the offices of spammers. ;-)
I fully support this idea.
--- Ban humanity.
First, try to convince the server to give you a listing of
Then, turn it into a big list of URLs for pages and images, say "url_file_you_made". Finally, write a shell script to use that for nefarious purposes, like this:That one really can suck down some bandwidth, especially if you tweak the usleep. In this case, each download is forked off and lasts for at most 1 second, so with usleep at
Also if the form is POST, you can use good ol' curl again like this to poison it:note it isn't URL encoded. That's multipart. You can do URL encoded POST with
Fuck Beta. Fuck Dice
When I worked the PC support desk back in the late 90's, I never had a user give me lip. I think assuming that kind of behavior is normal or acceptable is half the problem.
The other half is that people tend to hire tech support based on technical knowledge without considering communication skills. During my relatively short tech support stint (5 years with different companies) I went to half a dozen communication classes. Validate, empathize, assert. Solves most problems and diffuses even the wrost attitude.
And say a spammer wants to send 10 million emails in a day. At 10 emails/open relay he/she would need to find 1 million open relays which isn't the easiest thing to do.
There are 2 kinds of people in this world: Those who write in decimal and those who don't
Heh...I run sendmail on a 486DX/33. I accept everything very slowly. :-)
But in all seriousness - I expect that some day, somebody will find a security hole which I've overlooked. However, when that day comes, my little 486 certainly won't be much of an asset. If a spammer finds a way to exploit sendmail, and tries to relay 5 bazillion e-mails, my box would certainly crash. I consider it a boon to the internet if I make myself very difficult to exploit, and sticking a just-barely-does-the-job server up there is a step in that direction. I'd rather have my home server fall on its sword than help fight a battle for the spammers.
My business relies on average people emailing me.
Then you can forget about my patronage, because I do not expose my email address in this manner.
(My slashdot-published email is a blackhole, so don't bother.)
And you can also forget about asking me to use my email address as a userID.
"Everybody who asks for my email address is a spammer until proven otherwise."
Yes, I have no problem isolating myself from the rest of the outside world, especially spammers, telelmarketers, and other advertizers of all types: "If you're one of my friends, relatives, or aquantiances, leave a message, preferably including your number, and I'll get back to you. If you're trying to _sell_me_something_, I either don't want it, can't afford it, or I've already got one."
It's MY email box, dammit. I'll accept or reject anything I please, from whomever _I_ choose!
Email, as it stands today, is useless as a business contact medium. A hundred spams a day forces one to dig a moat and lower the drawbridge only for known friends. Sorry if this interferes with your "business model". Tell it to the spammers who've ruined email.
Exceeding the recommended torque is not recommended.
You know this is trivial to defeat right?
Detect and run from, sure, but not _defeat_. (for a value or "defeat" == "get yer spam through")
Excessively slow server detection will be a standard feature of all next generation spam software.
Oh it is now. Has been, for at least a year. My buddy, who runs his own mail server, teergrubes anything he can detect as spam. The spammers flee, then remove him from their lists. He cares not whether this is automatic or requires manual effort on the part of the spammer. They go away.
I'd make it even simpler: teergrube _everything_, for about fifteen seconds a line. Legit mail has to tolerate these kinds of delays (and much worse, in fact) in order to get through to servers which are stuffed with spam traffic. A spammer can't afford to fool around for even one minute to send a message - he has to send a million a day in order to make money. Of course this probably wouldn't work for Mr. Ramasubramanian, but it will for my friend, and for me if I ever put up a mail server. You'd probably be pleasantly surprised at how many of those 32767+ connections will be dropped _immediately_ at the first continuation reply, no matter how short its delay.
I still think you can never win the resource battle
Sure we can. A thousand spammers facing 1,000,000 tarpits haven't a chance.
Exceeding the recommended torque is not recommended.