Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spamholes Fighting Spammers

Posted by CmdrTaco on from the simple-and-clever dept.

mike9010 writes "A person named I)ruid has come up with an ingenious way to combat those spammers. His program, spamhole, creates a false 'open relay' that the spammer thinks he/she can send messages through. The messages then get sent nowhere, and the spammer has no idea. "spamhole is an open project. Hopefully, through user's and developer's contributions, we will amass a collection of spamhole implementations spanning all commonly used platforms, programming languages, etc. Ease of configuration and use are the primary objectives, for the easier to use by the non-techical layperson the implementations are, the more widely adopted and used spamhole will become.""

4 of 396 comments (clear)

  1. Re:How can this work? by Amiga+Lover · · Score: 5, Informative

    As the article says


    When an SMTP client connects to our spamhole, we note the number of times it has connected before. If this number is below a configurable threshold, we simply redirect it's connection through the spamhole to a real SMTP server and allow it an unmodified session. This provides for any potential 'test' email the spammer may attempt to send through the 'open relay' to verify successful delivery to successfuly pass through the system and be delivered. Many spammers do this to validate their open relays prior to attempting bulk mailings. The downside to this is that a few SPAM emails may actually be delivered by your spamhole. Such is the price to pay for tricking the spammer into continued use of your 'open relay'.

    So it's not quite just a dumb smtp receiver, but acts as a real one until the spam starts being sent.

  2. Nahh, spamd. by grub · · Score: 5, Informative


    OpenBSD's spamd actually tarpits the spammer down, then after a looooong held connection sends a 450 (by default) to the spammer to have the spammer-machine retry. I have it running with various autoupdated blackhole lists and very little spam sees my server anymore.

    --
    Trolling is a art,
  3. Re:How can this work? by zerocool^ · · Score: 5, Informative

    This system will only increase the number of open relays out there.

    Plus, for some of the more nazi-esque spam block lists, it can cause MAJOR havoc for your network. I can tell you that this will not be implemented on our network. We've delt with this already... One computer on our network had an open relay for a couple of days, and it caused *.rr.com (road runner cable, HUGE ISP on the right coast) to block ALL MAIL from our /24. It was horrible, we have hundreds of customers who could not get email from us or their clients.

    And it was pulling teeth to get us off of that block list. Send email, get response "contact your ISP", sent email explaining we were the ISP, got email "contact your ISP", sent email madly declaring that we can fix it if they'd tell us what was wrong, but with more than 100 computers in that IP range, it was kind of hard to tell who was in trouble, got email "contact your ISP"... etc.

    I'm NOT going to put anything on the network that deliberately sends spam, or even looks like an open relay. My business is too important to me.

    Thanks, but, no thanks.

    ~Will

    --
    sig?
  4. Re:Hmm.... by Goldenhawk · · Score: 5, Informative

    Just last weekend... this mea culpa might save someone in /. land some pain.

    Had a form.pl script handling all form submissions on our web site. The form submitted its info via sendmail, as well as logging to text files. While the address checking was pretty robust, someone figured out how to overload the contents in a manner that fooled the sendmail into thinking that the contents contained BCC: data.

    Fortunately I caught it within about five minutes, thanks to the fact that all submissions are CC:'d to a real address, thus starting a flood of mail. I saw the classic pattern: a test message, a couple revisions, a final draft test message, then the flood of "real" messages. Since I saw it start, I was able to shut down the script (I just killed the Execute permissions).

    After the initial test messages, I saw submissions from dozens of different IPs - I assume zombied PCs. It seems that the zombies were programmed to relay form POST submissions, instead of trying to relay mail directly. Smart, since that puts the mail load on a fast server, not a slow dialup PC.

    But the really interesting thing was, even after shutting down the script, the flood of submissions continued. I tweaked the form.pl to bounce the requests to another page but the bounce was never followed - indicating to me that the program didn't bother to check the server response to the submission, even for a 404 or 302 response! This continued for around 14 hours, at a rate of about 20-40 hits per minute. Based on the first messages that got through, several hundred addresses were included in each BCC: field.

    Suddenly at about T+14 hours, it simply stopped - cold. For the next several hours a few sporadic hits popped up. Haven't seen any since about T+18 hours.

    Apparently the spammer assumed his script would succeed once it was successfully started (it WOULD have unless I'd been at the PC). He obviously ran through his entire mailing list "blind". I'm happy to say 13.8 of those 14 hours were wasted, preventing about 7 million spams (14 hrs, 40/minute, 200 addresses each).

    As lessons learned, although I'm sure this is old news to most of the /. folks, I'd like to pass along some tips based on my experience.
    1) The spammer used our web site's form to build his attack, but then took it to another machine. All subsequent submissions were using a POST method but not from our site's page. No surprise there, but simply checking $ENV{'HTTP_REFERER'} could have prevented 99% of this attack - if not making it pointless to begin with.
    2) Sendmail can be fooled into reading BCC: addresses from information after the start of the message body. I don't understand the details, but an obvious preventative is to =~ s/bcc://gi on the message before sendmail gets it. Probably wouldn't hurt to do the same to To: and CC:.
    3) Sendmail can be fooled into sending encoded text from an otherwise text-only form. Filter out "Content-Type:" or "Content-Transfer-Encoding:" or "multipart/mixed" or "text/html" before sendmail gets it.
    4) If you're watching for abuse, don't rely on looking for multiple hits from one IP - it seems that once you become a target you will likely get a distributed attack.
    5) Consider replacing all @ signs... do a s/@/-at-/g on all message fields before sending to sendmail (except of course whatever hard-coded To: is at the start of the message). If all other measures fail, at least you won't get blacklisted, although you might get 7 million "undeliverable" replies.

    --
    --Brandon / Split Infinity Music