Slashdot Mirror
Spamholes Fighting Spammers
mike9010 writes "A person named I)ruid has come up with an ingenious way to combat those spammers. His program, spamhole, creates a false 'open relay' that the spammer thinks he/she can send messages through. The messages then get sent nowhere, and the spammer has no idea.
"spamhole is an open project. Hopefully, through user's and developer's contributions, we will amass a collection of spamhole implementations spanning all commonly used platforms, programming languages, etc. Ease of configuration and use are the primary objectives, for the easier to use by the non-techical layperson the implementations are, the more widely adopted and used spamhole will become.""
Spammer will just send email to himself to make sure relay works. The author claims that the defense against this is to allow the spammer limited access in the beginning, but there's no way to uniquely identify the spammer, and in any case, the spammer can just continue to include himself in the mailings, so he'll know when the relay has been configured to deny him access.
This system will only increase the number of open relays out there.
The story of the hare and the briar patch comes to mind. Is this the idea of a spammer who is pleading with us to please not create all these open rel..., er, um, spamholes?
Is this truly the only Earth I can live on?
This sounds like a pretty interesting project. One question though, what happens when the spammers themselves get word of this? They will just relay a message through each open relay they find to an account they can check, to see if the message went through. If the message doesn't go through then its a 'blackhole' relay and they will find another one. I just don't see something like this working. Maybe it should save all of the spam and use the messages to update spamassassin filters or something like that. Otherwise it'll be useless. Just my thoughts.
Stick it in your spamhole, pal!
Perfect...
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
This is not a bad idea though it could be abused. However what the author doesn't seem to realise that open relays may only account for 25% of spam. The rest comes via open proxys which mask the connection and mean that the mail server is receiving an SMTP session from a valid IP address. It might help a bit but at the end of the day the only good solution to fix spammers is hit them where it hurts in the pockets.
Of course that is easier said than done
Rus
Cheap UK and US VPS
Just watch the RBL's and ISP's shut down your IP block for having an open relay...
How are they supposed to know the difference between a spamhole and a real open relay?
"Kinky sex involves the use of duck feathers. Perverted sex involves the whole duck." - Lewis Grizzard
+ Five minutes to implement.
+ It will fool spammers for five minutes.
+ Your ISP will disconnect you after five minutes.
Let's chalk this one up as yet another "nice try, shame about the lack of planning".
If you were blocking sigs, you wouldn't have to read this.
I ran a very similar program to see what I would catch.. I caught my ISP, or rather they caught me - they thought I was running a deliberate open relay and sent an email warning me to shut it down. I was pretty surprised they were on to it so quickly (less than 24 hours).
i think it will not work for two reasons:
a) as mentioned before, it is easy to probe the hole to make sure it really works.
b) i seriuosly doubt that the security team of any university and / or company would enable such a hole because then they might get blacklisted and no more email for them...
OpenBSD's spamd actually tarpits the spammer down, then after a looooong held connection sends a 450 (by default) to the spammer to have the spammer-machine retry. I have it running with various autoupdated blackhole lists and very little spam sees my server anymore.
Trolling is a art,
This is basically a honeypot. Various other forms of this exist [like TCP keepalives for as long as possible]. The basic idea is you want to make sure the user thinks its working while wasting their time.
;-) [this last comment is aimed at the jerk who is sending the same spam twice to me about all sorts of increased sex crap. It's bad enough you send it once but twice in under 5 mins? In the ban list you go!]
The trick is much like the polution on P2P. People often complain that the stuff they download off P2P is either renamed [e.g. no the thing they were looking for] or of very low quality. This dissuades people from using P2P.
Likewise if lots of people setup fake SMTP servers that don't do anything it will polute the "scene". Possibly make it less attractive for spammers.
Of course what would be nicer is just to snipe the spammers and auction off their property for Quiznos money
Someday, I'll have a real sig.
Spam is moving off open relays and onto pirated home computers. Spammers and virus writers together have already designed a distributed architecture in which they can send emails from hundreds of thousands, possibly millions of 'owned' personal computers.
The solution is to accept that email will become 99.9(n) junk, and that the challenge then becomes to extract the signal, not filter the noise.
One solution I foresee is "data clearing houses" which store-and-forward email, using a reputation management system to rank and score email (and other data, for the problem is general).
Ceci n'est pas une signature
It won't work.
On a small scale it has no impact.
On a large scale the spammer will just send a few 'test' messages through your system and move on to the next. With a million spamholes, a spammer can send a million mails at the least. Great.
Also, you'll get yourself blocklisted by every major DNSBL very soon. They scan for open relays too...
This is your sig. There are thousands more, but this one is yours.
Slashdot, on the cutting edge of last year.
I can see this being a great "live" email harvesting tool for some spammers. Setup a spamhole and just sit back and collect the addresses that other spammers try to send to. A good majority of the addresses will be good and you don't even have to waste time harvesting. This could be a windfall for technically savvy spammers with a little time to waste. Good God. Here we go again...
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
...has anyone been the target of a spammers affection?
I guess that as soon as they decide that your mail server is open to relaying they will pump their mails as quickly as possible trough to the server...
Wouldn't the bandwidth consumed while pumping all those pr0n mails trough to your server slow your xDSL (or whichever connection you have) to a grinding halt and thus make the project more suited towards those with a fat connection and something to prove?
We had a spammer exploiting an incorrectly configured formmail.pl on one of our servers. We didnt actually use it, so I replaced it with a fake version that accepted pretended to accept the mail and return 100mb of data as a reply.
Our provider gives us unlimited upstream bandwidth, so it had no real effect on us- however here would have been at least 50gb worth of data used by the time the spammer caught on, so hopefully that cost them some cash. (Although in all likelyhood it was only a minor inconvenience).
This is still the best method to "slow down" spammers. Having a listener on port 25 on un unadvertised box waiting for a connection from some random person, knowing this to be a relay checker and/or spammer, then holding onto the connection forever. This is what LaBrea does, but LaBrea does it on a larger scale, for entire subnets w/ open IP addresses, and any port.
While the concept is somewhat interesting at first glance, the people who run spamholes might end up with it costing them a lot of bandwidth and system resources.
In short, this idea might only work if somehow you could get more spamholes on the net than open relays, and even then it would have to be coordinated by real sysadmins who know their stuff. Clueless admins are (probably) in the majority and whether or not you agree with that little flippant comment, they will surely outnumber the people who have enough time, a spare machine, and bandwidth to run a spamhole.
This guy says that he has 'holed' over 50,000 spam messages. Well, not really. They will be retransmitted. Spending the energy on blocking spam from your users completely is a better bet, I think. Educating people and advocacy is a better bet. Spamholes will be just another 5 minute net curio.
Conversion Rate Optimisation French / English consultant
That's not what a 'spamhole' is around *my* office. Pfft!
"Lawyers are for sucks."
- Doug McKenzie
I see two potential problems with this approach, one more insipid than the other.
Haven't you only succeeded in sponsoring a low volume spam relay that not only delivers spam, but at such a low per-boxen rate that no one will ever be the wiser for it.
I see that even on your homepage you mention that a few spam emails might get delivered, but you are acting as a relay for a few spam emails times 50,000. You will eventually get blacklisted via OpenRelay RBL's.
I think if you sit down for a day and just watch your email logs, you will find that a lot of spammers don't bother to test a connection for open relay status. They just test by pushing as much email through it that they can as quickly as possible. Daily I have hundreds of attempting mail relay deliveries.
monkeys.com used to have one, until the spammers DDOSed him.
Several other people are still running proxy honeypots with great success. They are a great resource for finding out which ISPs harbor proxy hijacking criminals.
For all of you, who think spammers will check whether the proxy works first, spammers do no such thing. They actively scan for open proxies and immediately start blasting away. That's just like with spamming. You really think spammers check every Email address on their lists is real?
Proletariat of the world, unite to kill spammers. The more painful and slower, the better.
In Soviet Russia, I ruled you
> only until it all goes offshore.
It already is. I live in the UK and the majority of junk emails I receive come from the US, or contain 'offers' from US based companies.
Since it seems that a lot spam I get comes from my e-mail address being on my homepage, I've toyed with the idea of putting two address up on the page
like dan@example.com and danc@example.com since danc only exists as a harvestable address any messages that show up at danc are compared to the messages in the spool for dan and a 95% or more match pushes them both to the trash. Has anyone else tried this or something similar?
Run an open relay, the ISP detects it, launches nastygrams and prepares to blast your ass to Mars. Complain to the average ISP about the average spammer, and the spammer is still spamming through the same ISP 6 months later. Hmmmm.
Well, here's what I've done and it hasn't gotten me on any black lists for running an open relay because I don't.
First, my mailserver runs OpenBSD, this allows me to use pf for my port filtering software. Then each user on the server has a copy of CRM114 installed. This is a very powerful and extremely accurate bayesian classifier. I've gotten 1 piece of spam in the last three months, 0 false positives and it blocks about 150 pieces of spam a day (for my account alone).
For each piece of mail that I receive, the relays involved are entered into relaydb. This wonderful little program logs each mail relay listed in the message. When a relay has 3 times as many bad messages as good messages it is added to the black list. Because I'm using pf, this blacklist is updated in real time to the mail server's pf configuration, which causes spamming hosts to be sent to the tar pits.
I'd estimate the total accuracy rate (defined as non-Type I and non-Type II errors) to be somewhere around 99.95%. User interaction is zero for most of the time, I've got a nice corpus that I train the accounts with. On the off hand that there is an error the user mails the message to themselves and it gets fixed.
So, to summarize:
This idea won't work, you'll get your host marked as an open relay.
This is what I did to kill spam and it does work.
My Slashdot account is old enough to drink...
Everybody is complaining about spam. And at the same time almost everybody comes up with yet another brand-new-weired-looking workaround. Why the hell?
May I suggest just doing a few basic things:
1) Make a law (if your country doesn't have one already) which makes it illegal to send emails with forged FROM fields (= email addresses you don't own)
2) Slightly improve RFC2821 (smtp): Convert the optional ssl layer to a mandatory one. An smtp sender should only allowed to send mail to a server if
a) it uses an ssl encrypted connection and the Hostname in Reverse-DNS matches the name provided with the ssl certificate OR
b) it uses username and password to login into some kind of mailaccount
3) Sue spammers violating law 1) to hell. If you want to find them, you only have to look at the ssl certificate used for the connection.
Yes, I know this prevents everybody from having his own pretty little smtp server. No, I'm perfectly well with that. Use a provider.
Yes, ssl certificates are expensive for now. But any serious provider should be able to afford one.
Some ISPs are very vigilant. They have a take-no-shit attitude towards SPAM and/or hacking. They'll actively watch for it, shut people down, respond to abuse complaints, etc. Some just don't give a fuck, and won't stop it unless it interferes with their network or someone comes after them with a big enough stick.
So just because you've dealt with an ISP that is in the "don't give a shit" category, doesn't mean there aren't other ones that will be very responsive.
As I'm sure many of us that run our own mail servers have found, I've got a good dozen addresses that have never existed to which spammers attempt to send mail. I get hundreds of attempts to send spam to these addresses each day. For a while, I was forwarding these messages to an RBL, but my mail queue just got too huge.
What I would like is a tool that hooks into Postfix (or whatever MTA; I use Postfix) that not only blacklists the sending IPs on my machine, but even reports the sending IP to an RBL. At a bare minimum, this would be a useful tool for me, since it would keep these spammers from proceeding to send spam to any other addresses on my server. At best, this simple method of confirming that a spammer is a spammer could help to reduce spam on the whole.
-Waldo Jaquith
It seems to me the reason people spam is because it is cheap to do. Sending out hundreds of thousands of emails for next to nothing.
What if everyone who got spam took 5 minutes a day and replied to a few? I am not saying they need to actually be interested in the pitch, but just send a nice polite letter saying you are. Could you send me some info by postal mail? Do you have an 800 number I can call? Could you contact me with greater detail to this question? Now, the spammer has to invest some time and possibly some money.
Millions of people get spam. If a small percentage would do this, would it deter spammers?
I don't believe honey pots will be able to solve the problem. I believe in attacking the economics of spam. Make it not worth their while to send it in the first place. Here's one case in point:
I have been the victim of a spam which used my e-mail in the forged From line. I have been receiving all the 'undeliverable' bounces as a result. Of course I got fed up and decided to do some research.
I picked out the origination IP from the header of the attached bounced mails (always valid) and did a port scan on then. I found most of them infected with the Jeem trojan.
Well, this explains the open relay. I gave up complaining to ISP's about their subscribers who have trojaned systems. They don't seem to care. I suppose it's time for vigilante justice.
The Jeem trojan opens up an e-mail relay on a random port and a control connection plus an http proxy on their own random ports. Time to fight fire using the same fire.
After 'safe browsing' the web sites listed in the spam mails, a lot of them have form information (usually requesting credit card info). Why not use a program that uses a trojaned system's HTTP proxy to send invalid data as the form contents. I was able to send URL encoded form content based on the form's fields which easily bypassed the form's javascript validations. In return, I get an expected confirmation screen. Hey, maybe they just got one invalid response.
Now, if this can be done often enough, maybe the ISP will see the traffic and suspend the account of the trojaned system. In the meantime, the source of the SPAM gets a lot of invalid info to filter through. When I say invalid data. I don't mean 'asldfhhfsdf' and such. I mean real looking names, addresses, CC numbers, etc.
I know there are flaws with this idea, but I don't see where it wouldn't start becoming a thorn in their sides. The Jeem trojan can be controlled remotely. I wish I knew the remote commands to turn them off. But, if we use their known trojans against them, maybe they'll turn them off for us.
1: They'll get blacklisted.
/dev/null.
2: The spammers will eventually be able to find a way to test it first (like they have with everything else.)
3: It'll just suck up bandwidth and dump it to
4: Even if the idea did work in theory, there won't be enough people believing in the idea to make it actually work.
-- I am. Therefore, I think!
try Enkoder (also available as an OS X app), which converts your mailto: link to a javascript thingy which works correctly but cannot be read by bots. It's free.
Science fiction for grown-ups...
coule be developed a bit more. We all install a spamhole on our PC and then they all P2P themselves together to form, what I have decided to call, a 'Spamnet'
When one of our servers detects a spammer it communicates this to all it's little peer friends and they launch a DDOS for a few minutes. If the same spammer hits the same (or another) node in the Spamnet he gets hit for longer etc.
It's not a perfect idea (and probably illegal) but it would certainly get the attention of whoever is responsible.
Google for 'honeypot' or 'proxypot.' In fact, Security Focus ran a series of comprehensive articles on honeypots, one of which is here. There's also a huge web site devoted to nothing but honeypots at this link.
Proxypots are a variation of the honeypot idea. A proxypot pretends to be an open proxy server which, instead of actually passing traffic sent to it, simply logs what's going on and sends the actual traffic to a specific destination specified by the proxypot operator. This can be Dave Null's in-box or anywhere else said operator wants.
Details of proxypots may be found here, and here, just to name a couple.
Keep the peace(es).
Bruce Lane, KC7GR,
Blue Feather Technologies