Slashdot Mirror
Spamholes Fighting Spammers
mike9010 writes "A person named I)ruid has come up with an ingenious way to combat those spammers. His program, spamhole, creates a false 'open relay' that the spammer thinks he/she can send messages through. The messages then get sent nowhere, and the spammer has no idea.
"spamhole is an open project. Hopefully, through user's and developer's contributions, we will amass a collection of spamhole implementations spanning all commonly used platforms, programming languages, etc. Ease of configuration and use are the primary objectives, for the easier to use by the non-techical layperson the implementations are, the more widely adopted and used spamhole will become.""
This is not a bad idea though it could be abused. However what the author doesn't seem to realise that open relays may only account for 25% of spam. The rest comes via open proxys which mask the connection and mean that the mail server is receiving an SMTP session from a valid IP address. It might help a bit but at the end of the day the only good solution to fix spammers is hit them where it hurts in the pockets.
Of course that is easier said than done
Rus
Cheap UK and US VPS
Just watch the RBL's and ISP's shut down your IP block for having an open relay...
How are they supposed to know the difference between a spamhole and a real open relay?
"Kinky sex involves the use of duck feathers. Perverted sex involves the whole duck." - Lewis Grizzard
+ Five minutes to implement.
+ It will fool spammers for five minutes.
+ Your ISP will disconnect you after five minutes.
Let's chalk this one up as yet another "nice try, shame about the lack of planning".
If you were blocking sigs, you wouldn't have to read this.
I ran a very similar program to see what I would catch.. I caught my ISP, or rather they caught me - they thought I was running a deliberate open relay and sent an email warning me to shut it down. I was pretty surprised they were on to it so quickly (less than 24 hours).
As the article says
When an SMTP client connects to our spamhole, we note the number of times it has connected before. If this number is below a configurable threshold, we simply redirect it's connection through the spamhole to a real SMTP server and allow it an unmodified session. This provides for any potential 'test' email the spammer may attempt to send through the 'open relay' to verify successful delivery to successfuly pass through the system and be delivered. Many spammers do this to validate their open relays prior to attempting bulk mailings. The downside to this is that a few SPAM emails may actually be delivered by your spamhole. Such is the price to pay for tricking the spammer into continued use of your 'open relay'.
So it's not quite just a dumb smtp receiver, but acts as a real one until the spam starts being sent.
i think it will not work for two reasons:
a) as mentioned before, it is easy to probe the hole to make sure it really works.
b) i seriuosly doubt that the security team of any university and / or company would enable such a hole because then they might get blacklisted and no more email for them...
OpenBSD's spamd actually tarpits the spammer down, then after a looooong held connection sends a 450 (by default) to the spammer to have the spammer-machine retry. I have it running with various autoupdated blackhole lists and very little spam sees my server anymore.
Trolling is a art,
Spam is moving off open relays and onto pirated home computers. Spammers and virus writers together have already designed a distributed architecture in which they can send emails from hundreds of thousands, possibly millions of 'owned' personal computers.
The solution is to accept that email will become 99.9(n) junk, and that the challenge then becomes to extract the signal, not filter the noise.
One solution I foresee is "data clearing houses" which store-and-forward email, using a reputation management system to rank and score email (and other data, for the problem is general).
Ceci n'est pas une signature
They're been relying more and more on trojan'd XP machines as well, they'll probably just stick to this method because they can have more machines than they ever wanted, and they can be sure it works (for some time at least.)
It makes me sort of sad. I'm in a unix sysadmin class, and we had a guest speaker in from a major ISP the other day, and to quote him "we've seen our email traffic quadruple over the last year, all spam" "spam is killing the internet."
Doubt if its as bad as all that, but again, the internet would be a heck of a lot better without it.
The snow doesn't give a soft white damn whom it touches. -- ee cummings
I can see this being a great "live" email harvesting tool for some spammers. Setup a spamhole and just sit back and collect the addresses that other spammers try to send to. A good majority of the addresses will be good and you don't even have to waste time harvesting. This could be a windfall for technically savvy spammers with a little time to waste. Good God. Here we go again...
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
We had a spammer exploiting an incorrectly configured formmail.pl on one of our servers. We didnt actually use it, so I replaced it with a fake version that accepted pretended to accept the mail and return 100mb of data as a reply.
Our provider gives us unlimited upstream bandwidth, so it had no real effect on us- however here would have been at least 50gb worth of data used by the time the spammer caught on, so hopefully that cost them some cash. (Although in all likelyhood it was only a minor inconvenience).
Stopping spam is never the point of any prudent anti-spam action. Instead, anti-spam actions work by reducing the value of spam to spammers. This can be done by reducing click-through, reducing traffic and filtering that traffic which is out there. Always, spam will get through. The only way to combat spam is to reduce the profit margin and increase the time expense so much that it is worthless, and simply bad business to spam.
#define DRM chmod 000
monkeys.com used to have one, until the spammers DDOSed him.
Several other people are still running proxy honeypots with great success. They are a great resource for finding out which ISPs harbor proxy hijacking criminals.
For all of you, who think spammers will check whether the proxy works first, spammers do no such thing. They actively scan for open proxies and immediately start blasting away. That's just like with spamming. You really think spammers check every Email address on their lists is real?
Proletariat of the world, unite to kill spammers. The more painful and slower, the better.
In Soviet Russia, I ruled you
Sophisticated spamware sends periodically control messages to a dropbox in hotmail/yahoo/whatever and alerts user if the open proxy appears not really working.
Open relay isn't the problem of net anymore, sophisticated spamware uses open proxies.
Open relays are these days hard to find as most smpt software ave sane defaults these days. OTOH With idiots like analogX proxy authors creating proxies with "default open world wide, not even dangerous ports closed" configuration, there is no sortage of open proxies.
If you really want to blackhole/track open proxy/relay abusers, look at BuggleGum proxypot instead. And prepare to hack it as as spamware tries to adapt the traps setup by people.
Doubt if its as bad as all that...
I don't. Spam eats up bandwidth just being delivered, even if it gets filtered at the end anyway. Then, you have the idiots that sit and open it and wait for images to load in their HTML-enabled mail clients. Despite this, from a technological standpoint, although it chews up and wastes valuable resources, it won't bring the Internet to a complete screeching halt.
However, look at all the time and money AOL puts out trying to block incoming spam. People always talk about making spam unprofitable for the spammers and someone invariably bitches about the ideas put forth, but how long will it be until there's so much and so varied spam that it's unprofitable to allow users to use e-mail? Eventually, we may well need so many people and tools that it will chew away profits just fighting spam.
That's why I think spammers need to be treated exactly for what they are - a parasitic infection. They just chew up resources but provide nothing in return. They must be inoculated. Make sending unsolicited e-mail a crime (our illustrous guvmint morons took a step in the totally OPPOSITE direction with their "yea, let's legitamize spamming" bill yesterday). If you're convicted of sending mass, unsolicited messages (that is, you can't prove that you were given EXPLICIT permission to send them), make it a felony and make one of the required sentences that you're not allowed to ever tough a computer again. The trick after that, of course, is to get all the spammy Asian and S. American countries to go along and punish spammers as well.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
reducing the value of spam to spammers. This can be done by reducing click-through, reducing traffic and filtering that traffic which is out there.
That points to an interesting idea. What if you left your relay open, but modified the messages slightly? Munge the URLs, kill the scripts and web-bug images, change all the phone numbers to 800-876-7060. You could even try to de-l33t the subject lines (turn V*1*A*3*R*A back into "viagra"), if possible.
Of course, you'd be violating any number of standards, plus you'd still get blackholed. So take it a step further... create a trojan that looks for open relays and turns them into spam-breaking open relays. Maybe you could then get someone to turn you in to Microsoft and split the reward.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
This system will only increase the number of open relays out there.
/24. It was horrible, we have hundreds of customers who could not get email from us or their clients.
Plus, for some of the more nazi-esque spam block lists, it can cause MAJOR havoc for your network. I can tell you that this will not be implemented on our network. We've delt with this already... One computer on our network had an open relay for a couple of days, and it caused *.rr.com (road runner cable, HUGE ISP on the right coast) to block ALL MAIL from our
And it was pulling teeth to get us off of that block list. Send email, get response "contact your ISP", sent email explaining we were the ISP, got email "contact your ISP", sent email madly declaring that we can fix it if they'd tell us what was wrong, but with more than 100 computers in that IP range, it was kind of hard to tell who was in trouble, got email "contact your ISP"... etc.
I'm NOT going to put anything on the network that deliberately sends spam, or even looks like an open relay. My business is too important to me.
Thanks, but, no thanks.
~Will
sig?
Just last weekend... this mea culpa might save someone in /. land some pain.
/. folks, I'd like to pass along some tips based on my experience.
Had a form.pl script handling all form submissions on our web site. The form submitted its info via sendmail, as well as logging to text files. While the address checking was pretty robust, someone figured out how to overload the contents in a manner that fooled the sendmail into thinking that the contents contained BCC: data.
Fortunately I caught it within about five minutes, thanks to the fact that all submissions are CC:'d to a real address, thus starting a flood of mail. I saw the classic pattern: a test message, a couple revisions, a final draft test message, then the flood of "real" messages. Since I saw it start, I was able to shut down the script (I just killed the Execute permissions).
After the initial test messages, I saw submissions from dozens of different IPs - I assume zombied PCs. It seems that the zombies were programmed to relay form POST submissions, instead of trying to relay mail directly. Smart, since that puts the mail load on a fast server, not a slow dialup PC.
But the really interesting thing was, even after shutting down the script, the flood of submissions continued. I tweaked the form.pl to bounce the requests to another page but the bounce was never followed - indicating to me that the program didn't bother to check the server response to the submission, even for a 404 or 302 response! This continued for around 14 hours, at a rate of about 20-40 hits per minute. Based on the first messages that got through, several hundred addresses were included in each BCC: field.
Suddenly at about T+14 hours, it simply stopped - cold. For the next several hours a few sporadic hits popped up. Haven't seen any since about T+18 hours.
Apparently the spammer assumed his script would succeed once it was successfully started (it WOULD have unless I'd been at the PC). He obviously ran through his entire mailing list "blind". I'm happy to say 13.8 of those 14 hours were wasted, preventing about 7 million spams (14 hrs, 40/minute, 200 addresses each).
As lessons learned, although I'm sure this is old news to most of the
1) The spammer used our web site's form to build his attack, but then took it to another machine. All subsequent submissions were using a POST method but not from our site's page. No surprise there, but simply checking $ENV{'HTTP_REFERER'} could have prevented 99% of this attack - if not making it pointless to begin with.
2) Sendmail can be fooled into reading BCC: addresses from information after the start of the message body. I don't understand the details, but an obvious preventative is to =~ s/bcc://gi on the message before sendmail gets it. Probably wouldn't hurt to do the same to To: and CC:.
3) Sendmail can be fooled into sending encoded text from an otherwise text-only form. Filter out "Content-Type:" or "Content-Transfer-Encoding:" or "multipart/mixed" or "text/html" before sendmail gets it.
4) If you're watching for abuse, don't rely on looking for multiple hits from one IP - it seems that once you become a target you will likely get a distributed attack.
5) Consider replacing all @ signs... do a s/@/-at-/g on all message fields before sending to sendmail (except of course whatever hard-coded To: is at the start of the message). If all other measures fail, at least you won't get blacklisted, although you might get 7 million "undeliverable" replies.
--Brandon / Split Infinity Music
This is a total Arms Race.
The initial test email would highlight the spammers test email address. All email to this address would then be allowed through the spamhole, giving the impression to the spammer that everything is hunky dory.
However, the spammer may use multiple test addresses, and the spamhole would not then be aware of these.
Therefore the spamhole could check for any addresses that were used frequently/periodically, and mark these as test addresses.
But the spammer could use a more complex set of test addresses.
The spamhole could use a combination of Bayesian filtering with Hidden Markov Models to renumerate potential test addresses with exponentially decreasing returns, such that the k-tuple value Z1 was never equal or above the Nth degree of reductionist SPAM (SPre). This would thus allow network strategist to implement a theory-based approach to network spam usage, thus continuing ad-infintum the ARMS RACE.
The result of this is that both spammers and anti-spammers remain in bussiness, spending exponentially increasing efforts attempting to thwart the efforts of the oposition.
Definition of a game: "A constructed conflict with quantifiable outcomes"
Ever get the feeling that the anti-spammers enjoy this whole malarky just as much as the spammers?
Maybe the answer to spam is this:
STOP wasting money and resources on using incresingly sophisticated anti-spam techniques. Re-direct this money into basic education for users, including short courses on:
1. How to identify a spam (People are proven to be far better at pattern recognition than Bayesian models).
2. How not to click on a spam.
3. How to delete a spam.
If AOL, MSN, and all other involved parties put a concerted effort towards this, then spam would soon get diminishing returns, and hence become increasingly unprofitable.
How about redirecting money into the hiring of Hit Men to get at the root of the problem? After two or three spam queens get knocked off, I think it may dawn upon the rest that spamming isn't such a good idea anymore...
Your brain is not a computer.