Slashdot Mirror
Spamholes Fighting Spammers
mike9010 writes "A person named I)ruid has come up with an ingenious way to combat those spammers. His program, spamhole, creates a false 'open relay' that the spammer thinks he/she can send messages through. The messages then get sent nowhere, and the spammer has no idea.
"spamhole is an open project. Hopefully, through user's and developer's contributions, we will amass a collection of spamhole implementations spanning all commonly used platforms, programming languages, etc. Ease of configuration and use are the primary objectives, for the easier to use by the non-techical layperson the implementations are, the more widely adopted and used spamhole will become.""
This sounds like a pretty interesting project. One question though, what happens when the spammers themselves get word of this? They will just relay a message through each open relay they find to an account they can check, to see if the message went through. If the message doesn't go through then its a 'blackhole' relay and they will find another one. I just don't see something like this working. Maybe it should save all of the spam and use the messages to update spamassassin filters or something like that. Otherwise it'll be useless. Just my thoughts.
I ran a very similar program to see what I would catch.. I caught my ISP, or rather they caught me - they thought I was running a deliberate open relay and sent an email warning me to shut it down. I was pretty surprised they were on to it so quickly (less than 24 hours).
This is basically a honeypot. Various other forms of this exist [like TCP keepalives for as long as possible]. The basic idea is you want to make sure the user thinks its working while wasting their time.
;-) [this last comment is aimed at the jerk who is sending the same spam twice to me about all sorts of increased sex crap. It's bad enough you send it once but twice in under 5 mins? In the ban list you go!]
The trick is much like the polution on P2P. People often complain that the stuff they download off P2P is either renamed [e.g. no the thing they were looking for] or of very low quality. This dissuades people from using P2P.
Likewise if lots of people setup fake SMTP servers that don't do anything it will polute the "scene". Possibly make it less attractive for spammers.
Of course what would be nicer is just to snipe the spammers and auction off their property for Quiznos money
Someday, I'll have a real sig.
Spam is moving off open relays and onto pirated home computers. Spammers and virus writers together have already designed a distributed architecture in which they can send emails from hundreds of thousands, possibly millions of 'owned' personal computers.
The solution is to accept that email will become 99.9(n) junk, and that the challenge then becomes to extract the signal, not filter the noise.
One solution I foresee is "data clearing houses" which store-and-forward email, using a reputation management system to rank and score email (and other data, for the problem is general).
Ceci n'est pas une signature
They're been relying more and more on trojan'd XP machines as well, they'll probably just stick to this method because they can have more machines than they ever wanted, and they can be sure it works (for some time at least.)
It makes me sort of sad. I'm in a unix sysadmin class, and we had a guest speaker in from a major ISP the other day, and to quote him "we've seen our email traffic quadruple over the last year, all spam" "spam is killing the internet."
Doubt if its as bad as all that, but again, the internet would be a heck of a lot better without it.
The snow doesn't give a soft white damn whom it touches. -- ee cummings
...has anyone been the target of a spammers affection?
I guess that as soon as they decide that your mail server is open to relaying they will pump their mails as quickly as possible trough to the server...
Wouldn't the bandwidth consumed while pumping all those pr0n mails trough to your server slow your xDSL (or whichever connection you have) to a grinding halt and thus make the project more suited towards those with a fat connection and something to prove?
We had a spammer exploiting an incorrectly configured formmail.pl on one of our servers. We didnt actually use it, so I replaced it with a fake version that accepted pretended to accept the mail and return 100mb of data as a reply.
Our provider gives us unlimited upstream bandwidth, so it had no real effect on us- however here would have been at least 50gb worth of data used by the time the spammer caught on, so hopefully that cost them some cash. (Although in all likelyhood it was only a minor inconvenience).
This is still the best method to "slow down" spammers. Having a listener on port 25 on un unadvertised box waiting for a connection from some random person, knowing this to be a relay checker and/or spammer, then holding onto the connection forever. This is what LaBrea does, but LaBrea does it on a larger scale, for entire subnets w/ open IP addresses, and any port.
if a bunch of spammers collect IP addresses of these spamholes and create a blacklist, does Spamhaus have a right to complain then?
...and that's the way the cookie crumbles.
While the concept is somewhat interesting at first glance, the people who run spamholes might end up with it costing them a lot of bandwidth and system resources.
In short, this idea might only work if somehow you could get more spamholes on the net than open relays, and even then it would have to be coordinated by real sysadmins who know their stuff. Clueless admins are (probably) in the majority and whether or not you agree with that little flippant comment, they will surely outnumber the people who have enough time, a spare machine, and bandwidth to run a spamhole.
This guy says that he has 'holed' over 50,000 spam messages. Well, not really. They will be retransmitted. Spending the energy on blocking spam from your users completely is a better bet, I think. Educating people and advocacy is a better bet. Spamholes will be just another 5 minute net curio.
Conversion Rate Optimisation French / English consultant
monkeys.com used to have one, until the spammers DDOSed him.
Several other people are still running proxy honeypots with great success. They are a great resource for finding out which ISPs harbor proxy hijacking criminals.
For all of you, who think spammers will check whether the proxy works first, spammers do no such thing. They actively scan for open proxies and immediately start blasting away. That's just like with spamming. You really think spammers check every Email address on their lists is real?
Proletariat of the world, unite to kill spammers. The more painful and slower, the better.
In Soviet Russia, I ruled you
Sophisticated spamware sends periodically control messages to a dropbox in hotmail/yahoo/whatever and alerts user if the open proxy appears not really working.
Open relay isn't the problem of net anymore, sophisticated spamware uses open proxies.
Open relays are these days hard to find as most smpt software ave sane defaults these days. OTOH With idiots like analogX proxy authors creating proxies with "default open world wide, not even dangerous ports closed" configuration, there is no sortage of open proxies.
If you really want to blackhole/track open proxy/relay abusers, look at BuggleGum proxypot instead. And prepare to hack it as as spamware tries to adapt the traps setup by people.
Since it seems that a lot spam I get comes from my e-mail address being on my homepage, I've toyed with the idea of putting two address up on the page
like dan@example.com and danc@example.com since danc only exists as a harvestable address any messages that show up at danc are compared to the messages in the spool for dan and a 95% or more match pushes them both to the trash. Has anyone else tried this or something similar?
Perhaps this can be used to trace them down, I am a tad doubtful that this would really work, however, it could be used to catch folks who test for these and try to use them, thereby identifying potential spammers. Perhaps, a follow up email to ISPs getting them disconnected for life (hehe)?
photoplankton
Everybody is complaining about spam. And at the same time almost everybody comes up with yet another brand-new-weired-looking workaround. Why the hell?
May I suggest just doing a few basic things:
1) Make a law (if your country doesn't have one already) which makes it illegal to send emails with forged FROM fields (= email addresses you don't own)
2) Slightly improve RFC2821 (smtp): Convert the optional ssl layer to a mandatory one. An smtp sender should only allowed to send mail to a server if
a) it uses an ssl encrypted connection and the Hostname in Reverse-DNS matches the name provided with the ssl certificate OR
b) it uses username and password to login into some kind of mailaccount
3) Sue spammers violating law 1) to hell. If you want to find them, you only have to look at the ssl certificate used for the connection.
Yes, I know this prevents everybody from having his own pretty little smtp server. No, I'm perfectly well with that. Use a provider.
Yes, ssl certificates are expensive for now. But any serious provider should be able to afford one.
there are two major issues unsolved by this.
This does nothing to address the traffic/bandwidth usage. I've seen spammers continue to hit mail servers for several years (yes YEARS) after they were locked out, they just don't care. The bandwidth costs become seriously problematic.
and the second thing, sort of the first, or related, is what the issue never getting addresses about EGRESS filtering.
Now if everyone, or at least every major ISP would actually use egress filtering, the spam problem would be reduced by, probably, at least 80%.
Here we are talking about this same stupid issue years later, with the same stupid suggestions and the same stupid ideas, over and over and over again. But no one listens.
The other way to combat spam is one I mentioned years ago, and on slashdot many times, in fact, almost every time this subject comes up, which, by the way, is getting more and more frequent. Anyhow, it was an online database of known spammers, by domain and IP. Two seperate lists, one IP, one domain. IPs are by class-C (/24) minimum. It would work if it was pseudo-public, and open, and everyone would keep updating it.
but no, people say "yeah, interesting" but does anyone really get involved? no.... sigh...
My predictions: we'll see this spam issue more and more often with more and more so-called "brillant" solutions like honeypots and crap like that. But will anyone really want to *DO* anything about it? nooooo..... and we'll keep talking about it for eons... nobody cares...
Spamhole is the name of a temporary e-mail redirection service, good for those times when you need to submit an address for a verification code but don't want the company's spam to fill your inbox afterward (why would you?).
As I'm sure many of us that run our own mail servers have found, I've got a good dozen addresses that have never existed to which spammers attempt to send mail. I get hundreds of attempts to send spam to these addresses each day. For a while, I was forwarding these messages to an RBL, but my mail queue just got too huge.
What I would like is a tool that hooks into Postfix (or whatever MTA; I use Postfix) that not only blacklists the sending IPs on my machine, but even reports the sending IP to an RBL. At a bare minimum, this would be a useful tool for me, since it would keep these spammers from proceeding to send spam to any other addresses on my server. At best, this simple method of confirming that a spammer is a spammer could help to reduce spam on the whole.
-Waldo Jaquith
It seems to me the reason people spam is because it is cheap to do. Sending out hundreds of thousands of emails for next to nothing.
What if everyone who got spam took 5 minutes a day and replied to a few? I am not saying they need to actually be interested in the pitch, but just send a nice polite letter saying you are. Could you send me some info by postal mail? Do you have an 800 number I can call? Could you contact me with greater detail to this question? Now, the spammer has to invest some time and possibly some money.
Millions of people get spam. If a small percentage would do this, would it deter spammers?
Doubt if its as bad as all that...
I don't. Spam eats up bandwidth just being delivered, even if it gets filtered at the end anyway. Then, you have the idiots that sit and open it and wait for images to load in their HTML-enabled mail clients. Despite this, from a technological standpoint, although it chews up and wastes valuable resources, it won't bring the Internet to a complete screeching halt.
However, look at all the time and money AOL puts out trying to block incoming spam. People always talk about making spam unprofitable for the spammers and someone invariably bitches about the ideas put forth, but how long will it be until there's so much and so varied spam that it's unprofitable to allow users to use e-mail? Eventually, we may well need so many people and tools that it will chew away profits just fighting spam.
That's why I think spammers need to be treated exactly for what they are - a parasitic infection. They just chew up resources but provide nothing in return. They must be inoculated. Make sending unsolicited e-mail a crime (our illustrous guvmint morons took a step in the totally OPPOSITE direction with their "yea, let's legitamize spamming" bill yesterday). If you're convicted of sending mass, unsolicited messages (that is, you can't prove that you were given EXPLICIT permission to send them), make it a felony and make one of the required sentences that you're not allowed to ever tough a computer again. The trick after that, of course, is to get all the spammy Asian and S. American countries to go along and punish spammers as well.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
The problem with this is that it does not solve the problem. It may hide it from you, but it does not solve it. Also, it somewhat requires that you don't need to be reliably contacted by people you don't know.
The actual problem is at least two-fold
1. The actual spam traffic slowing things down, costing core network operators, and this cost getting passed down to ISPs and ultimately end users.
2. The threat to home PCs that get hacked for the purpose of sending SPAM from them.
Filtering or hiding your e-mail may help *you*. But unless you expect every stupid average Joe to do it too, it will not discourage the spammer in the least so the real problem remains.
I don't believe honey pots will be able to solve the problem. I believe in attacking the economics of spam. Make it not worth their while to send it in the first place. Here's one case in point:
I have been the victim of a spam which used my e-mail in the forged From line. I have been receiving all the 'undeliverable' bounces as a result. Of course I got fed up and decided to do some research.
I picked out the origination IP from the header of the attached bounced mails (always valid) and did a port scan on then. I found most of them infected with the Jeem trojan.
Well, this explains the open relay. I gave up complaining to ISP's about their subscribers who have trojaned systems. They don't seem to care. I suppose it's time for vigilante justice.
The Jeem trojan opens up an e-mail relay on a random port and a control connection plus an http proxy on their own random ports. Time to fight fire using the same fire.
After 'safe browsing' the web sites listed in the spam mails, a lot of them have form information (usually requesting credit card info). Why not use a program that uses a trojaned system's HTTP proxy to send invalid data as the form contents. I was able to send URL encoded form content based on the form's fields which easily bypassed the form's javascript validations. In return, I get an expected confirmation screen. Hey, maybe they just got one invalid response.
Now, if this can be done often enough, maybe the ISP will see the traffic and suspend the account of the trojaned system. In the meantime, the source of the SPAM gets a lot of invalid info to filter through. When I say invalid data. I don't mean 'asldfhhfsdf' and such. I mean real looking names, addresses, CC numbers, etc.
I know there are flaws with this idea, but I don't see where it wouldn't start becoming a thorn in their sides. The Jeem trojan can be controlled remotely. I wish I knew the remote commands to turn them off. But, if we use their known trojans against them, maybe they'll turn them off for us.
It won't work, so instead of commenting on it, I will propose something new. We have tons of ways to know something is spam, but we just block it when we can. Some have suggested that we reply to spam, so spammers have to sift through more responses. I think we should combine these 2 efforts, and create a distributed spam clogging system. When you recieve spam, a window pops up with many possible replies to the spammer, submitted by other users. You pick one you like, edit it slightly, and send it in. In the case of bad return addresses, it posts the question to the web server of the spammer, loads (but doesn't display) their web page (the amount of times you specify) to waste bandwidth, and things like that. Lets turn this into a war. We can destroy this business model!
Well, it's just an idea a friend of mines had some time ago and that could possibly work.
The idea is that instead of filter and trash mails from spammers (with any antispam sw), these mail messages should be fed to a software that extracts all web sites mentioned into them. Some kind of P2P network could then exchange these lists of websites and attack them with DOS. If the system spreads enough, when a new message is sent by a spammer his website will be flooded by millions of bogus requests (slashdotted), this antispam agent should just open a connection and keep it open without doing much traffic.
--
This is not a sig.
I also find (or did a while back) that a lot of Spam originated in Taiwan.
.tw (or, at least from @yahoo.tw).
I just started auto-killing anthing from
Tiggs
"120 chars should be enough for everyone..."
This was a Slashdot article on November 17./ 17/22 47251
http://ask.slashdot.org/article.pl?sid=03/11
(sorry, I'm a text-mode bigot.) I'd been thinking about this concept for a few weeks, and about submitting it to Slashdot when someone beat me to the punch. IMHO, it can be developed into a great idea, but needs some work. (That's why I hadn't submitted it, yet.)
This is kind of like the War on Drugs. IMHO, the War on Drugs is more dangerous and has worse side-effects than the drugs, themselves. Current efforts to fight spam are focusing on the spam, and are just breeding more clever spammers.
We need to take the war to the folks who advertise through spammers.
We need to harness the Slashdot effect for Good, instead of Evil.
The purpose of spam is to connect me to someone selling something. So let's connect. Let's ALL connect. Imagine a client that can go through my Mozilla (or Thunderbird) spam folder, and start accessing, via email or http. They would not be prepared for the volume of response.
So let's take these poor folks who advertise through spam and HELP them get to their tarket audience more efficiently, primarily by not targeting so many people who don't want their advertising. So in the auto-response is some sort of tell-tale, "LEAVE ME ALONE!!!" words that they can understand. Kind of like a 'Do not call' list, but more like, 'Do not call, or else!'
There are two downsides:
1: It generates extra net traffic, and might be even worse than the spam itself, in this regard. Such a spam-auto-response client would have to be carefully tuned, initially on the light side, and ramping up.
1a: A variation on this might be the tar-client. It would take a fudged TCP stack, but imaging not ACKing packets, or delaying ACKs to slow the traffic and tie up the connection. Harder to do than a classic tarpit, but something might be possible.
2: I could see spammers adding extra response addresses in to their advertisements, just to discredit this type of effort. I could see them adding links to the likes of IBM, Microsoft, and US government institutions so users of the clients would be responsible for a DDOS attack. Some sort of whitelist or extra filtering step would be needed, and any sort of whitelist would come under attack by spammers. (THIS is why I never posted.)
The living have better things to do than to continue hating the dead.
coule be developed a bit more. We all install a spamhole on our PC and then they all P2P themselves together to form, what I have decided to call, a 'Spamnet'
When one of our servers detects a spammer it communicates this to all it's little peer friends and they launch a DDOS for a few minutes. If the same spammer hits the same (or another) node in the Spamnet he gets hit for longer etc.
It's not a perfect idea (and probably illegal) but it would certainly get the attention of whoever is responsible.
Two years ago i placed a fake formmail script on my website. Since then i've had over 100,000 emails attempted to be delivered through it. Sure, it's but a trickle in the grand scheme of spam, but it's a trickle worth stopping.
Yes, it's an arms race, but each new level makes things pricier for the spammer, making the model less tenable.
IMO, we should ramp the race right up, and make email encrypted by default. Think of the CPU cycles required to send every recipient encrypted mail!
Okay, that seems excessive at present, but this is a "tax" that cannot be ducked. Naturally, the problem remains that such a solution would in fact be illegal in France, and so might be impossible to implement.
Wikileaks, no DNS
It would be nice if webmail services has an option "Bounce this message", so the spammer will receive more and more bounces of actually good accounts.
Think about...
on yahoo mail "This message wasn't for you? Is it SPAM? _Bounce it_."
I think you're underestimating the difference in the average computer user between the strength of will to intelligence and the strength of belief in something for nothing by a longshot.
Maybe you spend some time detecting timeouts and avoiding hosts that don't respond quickly, but you can't overdo that or everybody will add that to their SMTP servers to discourage spammers. But even adding a second of delay at the end of a message is enough to crank your bandwidth drain down a lot and slow down the spammer's average load. And if the spammer is getting a 10:1 multiplier by feeding your relay 10 recipients per message, they won't be surprised if you're only accepting incoming spam at 10-12kbps because that'll fill up your average cable modem or ADSL upstream, and it'll happen by adding random delays to the response time. So go ahead and add a bunch of 100-200ms delays per packet (especially per RCPT TO or per line of message body, since SMTP handles data a line at a time.) If you want to add a bunch of longer delays, see how much you can get away with.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks