Spamholes Fighting Spammers
mike9010 writes "A person named I)ruid has come up with an ingenious way to combat those spammers. His program, spamhole, creates a false 'open relay' that the spammer thinks he/she can send messages through. The messages then get sent nowhere, and the spammer has no idea.
"spamhole is an open project. Hopefully, through user's and developer's contributions, we will amass a collection of spamhole implementations spanning all commonly used platforms, programming languages, etc. Ease of configuration and use are the primary objectives, for the easier to use by the non-techical layperson the implementations are, the more widely adopted and used spamhole will become.""
Spammer will just send email to himself to make sure relay works. The author claims that the defense against this is to allow the spammer limited access in the beginning, but there's no way to uniquely identify the spammer, and in any case, the spammer can just continue to include himself in the mailings, so he'll know when the relay has been configured to deny him access.
This system will only increase the number of open relays out there.
The story of the hare and the briar patch comes to mind. Is this the idea of a spammer who is pleading with us to please not create all these open rel..., er, um, spamholes?
Is this truly the only Earth I can live on?
This sounds like a pretty interesting project. One question though, what happens when the spammers themselves get word of this? They will just relay a message through each open relay they find to an account they can check, to see if the message went through. If the message doesn't go through then it's a 'blackhole' relay and they will find another one. I just don't see something like this working. Maybe it should save all of the spam and use the messages to update spamassassin filters or something like that. Otherwise it'll be useless. Just my thoughts.
Stick it in your spamhole, pal!
Perfect...
Galileo: "The Earth revolves around the Sun!"
It's not a cure but it's another small tool which might help a little.
Sig is taking a break!
This is not a bad idea, though it could be abused. However, what the author doesn't seem to realise is that open relays may only account for 25% of spam. The rest comes via open proxies which mask the connection and mean that the mail server is receiving an SMTP session from a valid IP address. It might help a bit, but at the end of the day the only good solution to fix spammers is to hit them where it hurts: in the pocket.
Of course that is easier said than done
Rus
Cheap UK and US VPS
Just watch the RBLs and ISPs shut down your IP block for having an open relay...
How are they supposed to know the difference between a spamhole and a real open relay?
"Kinky sex involves the use of duck feathers. Perverted sex involves the whole duck." - Lewis Grizzard
+ Five minutes to implement.
+ It will fool spammers for five minutes.
+ Your ISP will disconnect you after five minutes.
Let's chalk this one up as yet another "nice try, shame about the lack of planning".
If you were blocking sigs, you wouldn't have to read this.
I ran a very similar program to see what I would catch.. I caught my ISP, or rather they caught me - they thought I was running a deliberate open relay and sent an email warning me to shut it down. I was pretty surprised they were on to it so quickly (less than 24 hours).
I think it will not work for two reasons:
a) as mentioned before, it is easy to probe the hole to make sure it really works.
b) I seriously doubt that the security team of any university and/or company would enable such a hole, because then they might get blacklisted and no more email for them...
OpenBSD's spamd actually tarpits the spammer down, then after a looooong held connection sends a 450 (by default) to the spammer to have the spammer-machine retry. I have it running with various autoupdated blackhole lists and very little spam sees my server anymore.
Trolling is a art,
This is basically a honeypot. Various other forms of this exist [like TCP keepalives for as long as possible]. The basic idea is you want to make sure the user thinks it's working while wasting their time.
;-) [this last comment is aimed at the jerk who is sending the same spam twice to me about all sorts of increased sex crap. It's bad enough you send it once but twice in under 5 mins? In the ban list you go!]
The trick is much like the pollution on P2P. People often complain that the stuff they download off P2P is either renamed [i.e. not the thing they were looking for] or of very low quality. This dissuades people from using P2P.
Likewise, if lots of people set up fake SMTP servers that don't do anything it will pollute the "scene". Possibly make it less attractive for spammers.
Of course what would be nicer is just to snipe the spammers and auction off their property for Quiznos money
Someday, I'll have a real sig.
Spam is moving off open relays and onto pirated home computers. Spammers and virus writers together have already designed a distributed architecture in which they can send emails from hundreds of thousands, possibly millions of 'owned' personal computers.
The solution is to accept that email will become 99.9(n) junk, and that the challenge then becomes to extract the signal, not filter the noise.
One solution I foresee is "data clearing houses" which store-and-forward email, using a reputation management system to rank and score email (and other data, for the problem is general).
Ceci n'est pas une signature
It won't work.
On a small scale it has no impact.
On a large scale the spammer will just send a few 'test' messages through your system and move on to the next. With a million spamholes, a spammer can send a million mails at the least. Great.
Also, you'll get yourself blocklisted by every major DNSBL very soon. They scan for open relays too...
This is your sig. There are thousands more, but this one is yours.
Slashdot, on the cutting edge of last year.
I can see this being a great "live" email harvesting tool for some spammers. Setup a spamhole and just sit back and collect the addresses that other spammers try to send to. A good majority of the addresses will be good and you don't even have to waste time harvesting. This could be a windfall for technically savvy spammers with a little time to waste. Good God. Here we go again...
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
...has anyone been the target of a spammer's affection?
I guess that as soon as they decide that your mail server is open to relaying they will pump their mails as quickly as possible through to the server...
Wouldn't the bandwidth consumed while pumping all those pr0n mails through to your server slow your xDSL (or whichever connection you have) to a grinding halt and thus make the project more suited towards those with a fat connection and something to prove?
We had a spammer exploiting an incorrectly configured formmail.pl on one of our servers. We didn't actually use it, so I replaced it with a fake version that pretended to accept the mail and return 100 MB of data as a reply.
Our provider gives us unlimited upstream bandwidth, so it had no real effect on us; however, there would have been at least 50 GB worth of data used by the time the spammer caught on, so hopefully that cost them some cash. (Although in all likelihood it was only a minor inconvenience).
If you put this on your site, and people complain about those 'let through' spams at the start, your entire netblock will be marked as a spammers' paradise (and rightly so - how can the RBLs tell the difference?). Goodbye email.
...
Some RBLs do not allow changes to be made unless you pay a big fee, and you lose the fee if they consider the complaint genuine.
This sounds real risky to me
Simon.
Physicists get Hadrons!
This is still the best method to "slow down" spammers. Having a listener on port 25 on an unadvertised box waiting for a connection from some random person, knowing this to be a relay checker and/or spammer, then holding onto the connection forever. This is what LaBrea does, but LaBrea does it on a larger scale, for entire subnets w/ open IP addresses, and any port.
if a bunch of spammers collect IP addresses of these spamholes and create a blacklist, does Spamhaus have a right to complain then?
...and that's the way the cookie crumbles.
Some plant, some weed. All farm.
While the concept is somewhat interesting at first glance, the people who run spamholes might end up with it costing them a lot of bandwidth and system resources.
In short, this idea might only work if somehow you could get more spamholes on the net than open relays, and even then it would have to be coordinated by real sysadmins who know their stuff. Clueless admins are (probably) in the majority and whether or not you agree with that little flippant comment, they will surely outnumber the people who have enough time, a spare machine, and bandwidth to run a spamhole.
This guy says that he has 'holed' over 50,000 spam messages. Well, not really. They will be retransmitted. Spending the energy on blocking spam from your users completely is a better bet, I think. Educating people and advocacy is a better bet. Spamholes will be just another 5 minute net curio.
Conversion Rate Optimisation French / English consultant
That's not what a 'spamhole' is around *my* office. Pfft!
"Lawyers are for sucks."
- Doug McKenzie
I see two potential problems with this approach, one more insipid than the other.
Haven't you only succeeded in sponsoring a low volume spam relay that not only delivers spam, but at such a low per-boxen rate that no one will ever be the wiser for it.
I see that even on your homepage you mention that a few spam emails might get delivered, but you are acting as a relay for a few spam emails times 50,000. You will eventually get blacklisted via open relay RBLs.
I think if you sit down for a day and just watch your email logs, you will find that a lot of spammers don't bother to test a connection for open relay status. They just test by pushing as much email through it as they can as quickly as possible. Daily I have hundreds of attempted mail relay deliveries.
monkeys.com used to have one, until the spammers DDOSed him.
Several other people are still running proxy honeypots with great success. They are a great resource for finding out which ISPs harbor proxy hijacking criminals.
For all of you who think spammers will check whether the proxy works first: spammers do no such thing. They actively scan for open proxies and immediately start blasting away. That's just like with spamming. You really think spammers check that every email address on their lists is real?
Proletariat of the world, unite to kill spammers. The more painful and slower, the better.
In Soviet Russia, I ruled you
> only until it all goes offshore.
It already is. I live in the UK and the majority of junk emails I receive come from the US, or contain 'offers' from US based companies.
Since it seems that a lot of spam I get comes from my e-mail address being on my homepage, I've toyed with the idea of putting two addresses up on the page,
like dan@example.com and danc@example.com. Since danc only exists as a harvestable address, any messages that show up at danc are compared to the messages in the spool for dan, and a 95% or more match pushes them both to the trash. Has anyone else tried this or something similar?
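The trap-address comparison described in the post above, as an added example (not code from the poster or from the spamhole project). It assumes two spools read as plain RFC 822 text, compares message bodies only (the To: header and Received: chain differ per recipient and would drag the ratio down), and uses difflib's ratio as the "95% match". The sample messages are constructed.

```python
import difflib
import email

# Constructed sample spools: the real mailbox (dan@) and the trap mailbox (danc@).
# In practice these would be read from an mbox or Maildir.
REAL_SPOOL = [
    "From: deals@spammer.invalid\nTo: dan@example.com\nSubject: Lose weight now\n\n"
    "Hi dan, our clinically proven formula lets you lose thirty pounds in thirty days "
    "with no diet and no exercise. Visit our site today and claim your free trial bottle.\n",
    "From: alice@example.org\nTo: dan@example.com\nSubject: lunch?\n\n"
    "Are you free Thursday? The new place on Main Street just opened.\n",
]
TRAP_SPOOL = [
    "From: deals@spammer.invalid\nTo: danc@example.com\nSubject: Lose weight now\n\n"
    "Hi danc, our clinically proven formula lets you lose thirty pounds in thirty days "
    "with no diet and no exercise. Visit our site today and claim your free trial bottle.\n",
]

def body_of(raw):
    """Return only the body: headers differ per recipient and would skew the ratio."""
    msg = email.message_from_string(raw)
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()

def similarity(a, b):
    # autojunk=False: the default heuristic ignores frequent characters in long bodies
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()

def find_trap_matches(real_spool, trap_spool, threshold=0.95):
    """(real_index, trap_index) pairs whose bodies match at or above the threshold.
    Both messages in a pair are candidates for the trash."""
    matches = []
    for i, real in enumerate(real_spool):
        real_body = body_of(real)
        for j, trap in enumerate(trap_spool):
            if similarity(real_body, body_of(trap)) >= threshold:
                matches.append((i, j))
                break
    return matches

if __name__ == "__main__":
    for i, j in find_trap_matches(REAL_SPOOL, TRAP_SPOOL):
        print("trash real[%d] and trap[%d]" % (i, j))
```

The personalised greeting ("Hi dan" vs "Hi danc") is the kind of per-recipient tweak that makes an exact-hash comparison miss; the ratio absorbs it. Base64 or quoted-printable bodies would need decoding before comparison, which this example does not do.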
Run an open relay, the ISP detects it, launches nastygrams and prepares to blast your ass to Mars. Complain to the average ISP about the average spammer, and the spammer is still spamming through the same ISP 6 months later. Hmmmm.
Perhaps this can be used to trace them down, I am a tad doubtful that this would really work, however, it could be used to catch folks who test for these and try to use them, thereby identifying potential spammers. Perhaps, a follow up email to ISPs getting them disconnected for life (hehe)?
photoplankton
Everyone being blacklisted for using this might have the nice side effect of making more effective blacklists :)
Well, here's what I've done and it hasn't gotten me on any black lists for running an open relay because I don't.
First, my mailserver runs OpenBSD, this allows me to use pf for my port filtering software. Then each user on the server has a copy of CRM114 installed. This is a very powerful and extremely accurate Bayesian classifier. I've gotten 1 piece of spam in the last three months, 0 false positives and it blocks about 150 pieces of spam a day (for my account alone).
For each piece of mail that I receive, the relays involved are entered into relaydb. This wonderful little program logs each mail relay listed in the message. When a relay has 3 times as many bad messages as good messages it is added to the black list. Because I'm using pf, this blacklist is updated in real time to the mail server's pf configuration, which causes spamming hosts to be sent to the tar pits.
I'd estimate the total accuracy rate (defined as non-Type I and non-Type II errors) to be somewhere around 99.95%. User interaction is zero for most of the time, I've got a nice corpus that I train the accounts with. On the off hand that there is an error the user mails the message to themselves and it gets fixed.
So, to summarize:
This idea won't work, you'll get your host marked as an open relay.
This is what I did to kill spam and it does work.
My Slashdot account is old enough to drink...
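The relaydb-style bookkeeping the post above describes, as an added example (not relaydb itself, nor the poster's setup). It pulls the connecting IP out of each Received: header, keeps per-relay good/bad counters fed by the classifier's verdict, lists a relay once it has three times as many bad messages as good, and emits the pfctl commands that push the list into a pf table. The 3:1 ratio is the post's; the minimum of three bad messages before listing (so a relay with zero good messages is not listed on its first spam), the trusted-MX exclusion, and all hostnames and IPs are assumptions for the example.

```python
import re
from collections import defaultdict

# Connecting IP in a (possibly unfolded) Received: header, e.g.
#   Received: from relay.example (relay.example [203.0.113.5]) by ...
RECEIVED_IP = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                         re.IGNORECASE | re.DOTALL)

def unfold(raw_headers):
    """Join RFC 822 continuation lines (leading whitespace) onto the preceding header."""
    out = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def relays_in(raw_headers, trusted=frozenset()):
    """IPs from every Received: line, newest hop first, skipping our own MXes."""
    ips = []
    for line in unfold(raw_headers):
        m = RECEIVED_IP.match(line)
        if m and m.group(1) not in trusted:
            ips.append(m.group(1))
    return ips

class RelayDB:
    """Per-relay good/bad counters with a bad >= ratio * good listing rule."""
    def __init__(self, ratio=3, min_bad=3, trusted=frozenset()):
        self.ratio, self.min_bad, self.trusted = ratio, min_bad, trusted
        self.good = defaultdict(int)
        self.bad = defaultdict(int)

    def record(self, raw_headers, is_spam):
        # count each relay once per message so a long chain does not weigh more
        for ip in set(relays_in(raw_headers, self.trusted)):
            (self.bad if is_spam else self.good)[ip] += 1

    def blacklist(self):
        ips = set(self.good) | set(self.bad)
        return sorted(ip for ip in ips
                      if self.bad[ip] >= self.min_bad
                      and self.bad[ip] >= self.ratio * self.good[ip])

    def pf_commands(self, table="spammers"):
        """pfctl invocations that add the listed relays to a pf table at runtime."""
        return ["pfctl -t %s -T add %s" % (table, ip) for ip in self.blacklist()]

def make_headers(hops, sender):
    """Constructed headers: one folded Received: line per hop, newest hop first."""
    lines = ["Received: from %s (%s [%s])\n\tby mail.example.com with ESMTP" % (h, h, ip)
             for h, ip in hops]
    lines.append("From: %s" % sender)
    return "\n".join(lines)

OUR_MX = frozenset({"192.0.2.10"})   # assumed: our own MX heads every chain, never scored

def build_sample_db():
    """Five constructed messages: three spam via 203.0.113.5, two ham via ISP relays."""
    db = RelayDB(trusted=OUR_MX)
    spam_hops = [("mx.example.com", "192.0.2.10"), ("relay.bad.invalid", "203.0.113.5")]
    db.record(make_headers(spam_hops, "x@bad.invalid"), is_spam=True)
    db.record(make_headers(spam_hops + [("isp.example.net", "198.51.100.7")],
                           "y@bad.invalid"), is_spam=True)
    db.record(make_headers(spam_hops, "z@bad.invalid"), is_spam=True)
    db.record(make_headers([("mx.example.com", "192.0.2.10"),
                            ("isp.example.net", "198.51.100.7")],
                           "alice@example.net"), is_spam=False)
    db.record(make_headers([("mx.example.com", "192.0.2.10"),
                            ("smtp.example.edu", "198.51.100.23")],
                           "bob@example.edu"), is_spam=False)
    return db

if __name__ == "__main__":
    for cmd in build_sample_db().pf_commands():
        print(cmd)
```

The ISP relay 198.51.100.7 carried one spam and one legitimate message, so it stays off the list; only the relay seen in all three spams is added. A pf rule such as `rdr pass inet proto tcp from <spammers> to any port smtp -> 127.0.0.1 port 8025` is the classic way to hand a listed host to spamd's tarpit instead of the real MTA.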
Everybody is complaining about spam. And at the same time almost everybody comes up with yet another brand-new-weird-looking workaround. Why the hell?
May I suggest just doing a few basic things:
1) Make a law (if your country doesn't have one already) which makes it illegal to send emails with forged FROM fields (= email addresses you don't own)
2) Slightly improve RFC2821 (SMTP): Convert the optional SSL layer to a mandatory one. An SMTP sender should only be allowed to send mail to a server if
a) it uses an SSL encrypted connection and the hostname in reverse DNS matches the name provided with the SSL certificate OR
b) it uses username and password to log in to some kind of mail account
3) Sue spammers violating law 1) to hell. If you want to find them, you only have to look at the SSL certificate used for the connection.
Yes, I know this prevents everybody from having his own pretty little SMTP server. No, I'm perfectly fine with that. Use a provider.
Yes, ssl certificates are expensive for now. But any serious provider should be able to afford one.
there are two major issues unsolved by this.
This does nothing to address the traffic/bandwidth usage. I've seen spammers continue to hit mail servers for several years (yes YEARS) after they were locked out, they just don't care. The bandwidth costs become seriously problematic.
and the second thing, sort of the first, or related, is the issue that never gets addressed: EGRESS filtering.
Now if everyone, or at least every major ISP would actually use egress filtering, the spam problem would be reduced by, probably, at least 80%.
Here we are talking about this same stupid issue years later, with the same stupid suggestions and the same stupid ideas, over and over and over again. But no one listens.
The other way to combat spam is one I mentioned years ago, and on slashdot many times, in fact, almost every time this subject comes up, which, by the way, is getting more and more frequent. Anyhow, it was an online database of known spammers, by domain and IP. Two separate lists, one IP, one domain. IPs are by class-C (/24) minimum. It would work if it was pseudo-public, and open, and everyone would keep updating it.
but no, people say "yeah, interesting" but does anyone really get involved? no.... sigh...
My predictions: we'll see this spam issue more and more often with more and more so-called "brilliant" solutions like honeypots and crap like that. But will anyone really want to *DO* anything about it? nooooo..... and we'll keep talking about it for eons... nobody cares...
It lets you set up a temporary forwarding address, which can be very useful for those "free registration" things that just scream "SPAM!".
Spamhole is the name of a temporary e-mail redirection service, good for those times when you need to submit an address for a verification code but don't want the company's spam to fill your inbox afterward (why would you?).
Some ISPs are very vigilant. They have a take-no-shit attitude towards SPAM and/or hacking. They'll actively watch for it, shut people down, respond to abuse complaints, etc. Some just don't give a fuck, and won't stop it unless it interferes with their network or someone comes after them with a big enough stick.
So just because you've dealt with an ISP that is in the "don't give a shit" category, doesn't mean there aren't other ones that will be very responsive.
So as the project grows, people will sell lists of these "open relays". This way, spammers can use different SMTP servers to send their mail, making them more difficult to track. A few IPs and a few email accounts to check when the spamhole stops working, and they could actually use these to their advantage.
As I'm sure many of us that run our own mail servers have found, I've got a good dozen addresses that have never existed to which spammers attempt to send mail. I get hundreds of attempts to send spam to these addresses each day. For a while, I was forwarding these messages to an RBL, but my mail queue just got too huge.
What I would like is a tool that hooks into Postfix (or whatever MTA; I use Postfix) that not only blacklists the sending IPs on my machine, but even reports the sending IP to an RBL. At a bare minimum, this would be a useful tool for me, since it would keep these spammers from proceeding to send spam to any other addresses on my server. At best, this simple method of confirming that a spammer is a spammer could help to reduce spam on the whole.
-Waldo Jaquith
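The local half of what the post above asks for, as an added example (not a Postfix feature and not the poster's tooling): scan Postfix smtpd reject lines for delivery attempts to addresses that never existed, count distinct trap hits per client IP, and write the rows for a Postfix access table (used with `check_client_access hash:/etc/postfix/client_access`). Reporting the IP onward to a DNSBL is left out. The trap addresses, the two-hit threshold, and every log line below are constructed for the example; the line format follows the `NOQUEUE: reject: RCPT from host[ip]: 550 ... to=<...>` shape Postfix logs.

```python
import re
from collections import defaultdict

# Postfix smtpd reject line for a recipient that does not exist.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]: "
    r"(?P<code>\d{3}) .*? to=<(?P<rcpt>[^>]*)>"
)

# Constructed trap addresses: mailboxes that never existed, so any attempt is a harvested hit.
TRAP_ADDRESSES = frozenset({"webmaster-old@example.com", "jsmith@example.com",
                            "sales2@example.com"})

# Constructed log excerpt. 203.0.113.9 hits two traps; 198.51.100.44 hits one;
# 192.0.2.77 mistypes a real user (dna for dan) and must not be counted.
SAMPLE_LOG = """\
Jan 12 10:01:02 mx postfix/smtpd[4711]: connect from unknown[203.0.113.9]
Jan 12 10:01:03 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@bad.invalid> to=<jsmith@example.com> proto=ESMTP helo=<bad.invalid>
Jan 12 10:01:04 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <sales2@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@bad.invalid> to=<sales2@example.com> proto=ESMTP helo=<bad.invalid>
Jan 12 10:02:10 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.44]: 550 5.1.1 <webmaster-old@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<webmaster-old@example.com> proto=ESMTP helo=<mail.example.net>
Jan 12 10:03:00 mx postfix/smtpd[4713]: NOQUEUE: reject: RCPT from relay.example.org[192.0.2.77]: 550 5.1.1 <dna@example.com>: Recipient address rejected: User unknown in local recipient table; from=<carol@example.org> to=<dna@example.com> proto=ESMTP helo=<relay.example.org>
Jan 12 10:03:30 mx postfix/smtpd[4714]: 1A2B3C4D5E: client=mail.example.net[198.51.100.44]
"""

def parse_reject(line):
    """(client_ip, recipient) for a recipient-reject line, else None."""
    m = REJECT_RE.search(line)
    return (m.group("ip"), m.group("rcpt").lower()) if m else None

def scan_log(text, traps):
    """Map client IP -> set of trap addresses it tried. Unknown users that are not
    traps are ignored: a typo to a real mailbox is not evidence of harvesting."""
    hits = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_reject(line)
        if parsed and parsed[1] in traps:
            hits[parsed[0]].add(parsed[1])
    return hits

def blocklist(hits, min_hits=2):
    """List a client only after min_hits distinct traps: one hit can be a stale list."""
    return sorted(ip for ip, rcpts in hits.items() if len(rcpts) >= min_hits)

def access_map(hits, min_hits=2):
    """Rows for a Postfix access table; run postmap on the file after writing it."""
    return ["%s\tREJECT spamtrap hit" % ip for ip in blocklist(hits, min_hits)]

if __name__ == "__main__":
    print("\n".join(access_map(scan_log(SAMPLE_LOG, TRAP_ADDRESSES))))
```

Requiring two distinct traps is deliberate: the single hit from mail.example.net on a retired address is exactly what an out-of-date but honest address book produces, and blocking that host would cut off real correspondents.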
It seems to me the reason people spam is because it is cheap to do. Sending out hundreds of thousands of emails for next to nothing.
What if everyone who got spam took 5 minutes a day and replied to a few? I am not saying they need to actually be interested in the pitch, but just send a nice polite letter saying you are. Could you send me some info by postal mail? Do you have an 800 number I can call? Could you contact me with greater detail to this question? Now, the spammer has to invest some time and possibly some money.
Millions of people get spam. If a small percentage would do this, would it deter spammers?
The problem with this is that it does not solve the problem. It may hide it from you, but it does not solve it. Also, it somewhat requires that you don't need to be reliably contacted by people you don't know.
The actual problem is at least two-fold
1. The actual spam traffic slowing things down, costing core network operators, and this cost getting passed down to ISPs and ultimately end users.
2. The threat to home PCs that get hacked for the purpose of sending SPAM from them.
Filtering or hiding your e-mail may help *you*. But unless you expect every stupid average Joe to do it too, it will not discourage the spammer in the least so the real problem remains.
I don't believe honeypots will be able to solve the problem. I believe in attacking the economics of spam. Make it not worth their while to send it in the first place. Here's one case in point:
I have been the victim of a spam which used my e-mail in the forged From line. I have been receiving all the 'undeliverable' bounces as a result. Of course I got fed up and decided to do some research.
I picked out the origination IP from the header of the attached bounced mails (always valid) and did a port scan on them. I found most of them infected with the Jeem trojan.
Well, this explains the open relay. I gave up complaining to ISP's about their subscribers who have trojaned systems. They don't seem to care. I suppose it's time for vigilante justice.
The Jeem trojan opens up an e-mail relay on a random port and a control connection plus an http proxy on their own random ports. Time to fight fire using the same fire.
After 'safe browsing' the web sites listed in the spam mails, a lot of them have form information (usually requesting credit card info). Why not use a program that uses a trojaned system's HTTP proxy to send invalid data as the form contents. I was able to send URL encoded form content based on the form's fields which easily bypassed the form's javascript validations. In return, I get an expected confirmation screen. Hey, maybe they just got one invalid response.
Now, if this can be done often enough, maybe the ISP will see the traffic and suspend the account of the trojaned system. In the meantime, the source of the SPAM gets a lot of invalid info to filter through. When I say invalid data. I don't mean 'asldfhhfsdf' and such. I mean real looking names, addresses, CC numbers, etc.
I know there are flaws with this idea, but I don't see where it wouldn't start becoming a thorn in their sides. The Jeem trojan can be controlled remotely. I wish I knew the remote commands to turn them off. But, if we use their known trojans against them, maybe they'll turn them off for us.
1: They'll get blacklisted.
2: The spammers will eventually be able to find a way to test it first (like they have with everything else.)
3: It'll just suck up bandwidth and dump it to /dev/null.
4: Even if the idea did work in theory, there won't be enough people believing in the idea to make it actually work.
-- I am. Therefore, I think!
I also find (or did a while back) that a lot of spam originated in Taiwan. I just started auto-killing anything from .tw (or, at least from @yahoo.tw).
Tiggs
"120 chars should be enough for everyone..."
try Enkoder (also available as an OS X app), which converts your mailto: link to a javascript thingy which works correctly but cannot be read by bots. It's free.
Science fiction for grown-ups...
could be developed a bit more. We all install a spamhole on our PC and then they all P2P themselves together to form, what I have decided to call, a 'Spamnet'.
When one of our servers detects a spammer it communicates this to all its little peer friends and they launch a DDoS for a few minutes. If the same spammer hits the same (or another) node in the Spamnet he gets hit for longer, etc.
It's not a perfect idea (and probably illegal) but it would certainly get the attention of whoever is responsible.
Google for 'honeypot' or 'proxypot.' In fact, Security Focus ran a series of comprehensive articles on honeypots, one of which is here. There's also a huge web site devoted to nothing but honeypots at this link.
Proxypots are a variation of the honeypot idea. A proxypot pretends to be an open proxy server which, instead of actually passing traffic sent to it, simply logs what's going on and sends the actual traffic to a specific destination specified by the proxypot operator. This can be Dave Null's in-box or anywhere else said operator wants.
Details of proxypots may be found here, and here, just to name a couple.
Keep the peace(es).
Bruce Lane, KC7GR,
Blue Feather Technologies
If you want to get fancy, you can also do a couple of hits on any URL mentioned in the email - you shouldn't robo-complain, because spammers often put real email addresses in the spam as well, but it gets a bit of bandwidth drain, exercises all the URLs that the spammer might be getting clickthrough from (which is likely to get the clickthrough vendor to stop paying the web site or spammer), and generally shakes things up a bit.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I have a web-form and use a simple PHP script that is hard coded to go through my mail server and my mail server requires a valid POP3 login from the username you plan to send e-mails with prior to being able to send e-mails with it. You get a short window of time once validated and even then you must send the e-mails from the same IP that validated the user name. So you can't figure out what e-mail address is being used, send a message from the form and then spam away with that e-mail address remotely.
And on top of that, the function that sends the e-mail is separate from the POP3 function, so even if you managed to figure out how the script works, you still couldn't abuse it in any way, shape or form. All the security depends on the mail server itself.
And then from my form the script that uses the SMTP/POP3 script can only send messages to a single hardcoded address. It also can't do BCC or CC's. I'm considering doing an anonymous e-mailer with it but I need to work out details before jumping off that cliff.
"that was an extra the customer had to pay for"
That should be an extra the customer has to pay to get ACCESS to. You should be logging regardless. It's just diskspace and if the customer isn't paying you can clear the old logs on a X day basis if nothing exciting is happening.
Setting up a secure form mailer is ridiculously easy. And with PHP I can use my script anywhere. I don't need to set up funky permissions. I don't know what formmail is doing that could possibly allow it to be hacked in such a way that an attacker couldn't just go right to the mail server and accomplish.
Currently, my log analyzer is custom made and logs all formmail attempts sorted by IP. It used to be pretty bad. So much so that I reported a number of people. That's died down now though since they've finally realized I don't have formmail on my server in any form. I don't even have Perl installed on my server anymore. PHP only.
Ben
Work Safe Porn
Maybe you spend some time detecting timeouts and avoiding hosts that don't respond quickly, but you can't overdo that or everybody will add that to their SMTP servers to discourage spammers. But even adding a second of delay at the end of a message is enough to crank your bandwidth drain down a lot and slow down the spammer's average load. And if the spammer is getting a 10:1 multiplier by feeding your relay 10 recipients per message, they won't be surprised if you're only accepting incoming spam at 10-12kbps because that'll fill up your average cable modem or ADSL upstream, and it'll happen by adding random delays to the response time. So go ahead and add a bunch of 100-200ms delays per packet (especially per RCPT TO or per line of message body, since SMTP handles data a line at a time.) If you want to add a bunch of longer delays, see how much you can get away with.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
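The fake open relay from the top of the thread combined with the per-reply stalls Bill Stewart describes just above, as an added example. This is not I)ruid's spamhole code and not a reproduction of its behaviour: where spamhole can let a few early messages through, this session accepts any recipient, answers "250 queued", and delivers nothing, so the thread's objection that a test message exposes the sink applies in full. The hostname mail.example.com, port 2525, the 100-200 ms stall per line, the fivefold stall on end-of-data, and the scripted client transcript are all assumptions for the example.

```python
import random
import socket
import time

class SpamholeSession:
    """Enough SMTP to pass for an open relay. Every RCPT TO is accepted, the message is
    taken, '250 queued' is returned, and the message goes nowhere. Each reply carries a
    stall so the spammer's throughput pays for the connection."""

    def __init__(self, rng=None, min_delay=0.1, max_delay=0.2, hostname="mail.example.com"):
        self.rng = rng or random.Random()
        self.min_delay, self.max_delay, self.hostname = min_delay, max_delay, hostname
        self.in_data = False
        self.sender, self.recipients, self.body_lines = None, [], 0
        self.discarded = []   # (sender, recipients, body line count) per "queued" message
        self.closed = False

    def greeting(self):
        return "220 %s ESMTP ready" % self.hostname

    def _delay(self, factor=1.0):
        return self.rng.uniform(self.min_delay, self.max_delay) * factor

    def feed(self, line):
        """Handle one client line; returns (reply or None, seconds to stall first)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.discarded.append((self.sender, tuple(self.recipients), self.body_lines))
                self.sender, self.recipients, self.body_lines = None, [], 0
                return "250 2.0.0 Ok: queued", self._delay(5)   # longest stall: spammer must wait here
            self.body_lines += 1
            return None, self._delay()   # SMTP sends no reply per body line, but we still stall
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 %s" % self.hostname, self._delay()
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return "250 2.1.0 Ok", self._delay()
        if verb == "RCPT":
            self.recipients.append(arg.partition(":")[2].strip())
            return "250 2.1.5 Ok", self._delay()   # relay for anyone: this is the bait
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Error: need RCPT command", self._delay()
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>", self._delay()
        if verb == "RSET":
            self.sender, self.recipients = None, []
            return "250 2.0.0 Ok", self._delay()
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye", 0.0
        return "500 5.5.2 Error: command not recognized", self._delay()

def run_session(lines, rng=None):
    """Drive a session from a scripted client transcript (no sockets, no sleeping)."""
    sess = SpamholeSession(rng=rng)
    replies, delays = [], []
    for line in lines:
        reply, delay = sess.feed(line)
        delays.append(delay)
        if reply is not None:
            replies.append(reply)
    return sess, replies, delays

def serve(host="127.0.0.1", port=2525):
    """Listen on a real socket, one client at a time, sleeping for each stall."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _ = srv.accept()
            with conn:
                sess = SpamholeSession()
                conn.sendall((sess.greeting() + "\r\n").encode("ascii"))
                buf = b""
                while not sess.closed:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                    while b"\r\n" in buf:
                        raw, buf = buf.split(b"\r\n", 1)
                        reply, delay = sess.feed(raw.decode("latin-1"))
                        time.sleep(delay)
                        if reply is not None:
                            conn.sendall((reply + "\r\n").encode("ascii"))

if __name__ == "__main__":
    serve()
```

A spammer feeding ten RCPT TO lines per message sees ten stalls before the body is even sent, and the body itself costs one stall per line; the end-of-data reply is held longest because that is the one the client cannot skip. Everything the thread says about ISP and RBL reaction to an apparent open relay still holds for this listener, which is why the default bind address is loopback.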