Name and Shame Spam Senders With OpenBSD

Peter N. M. Hansteen writes "Once you've identified spam senders, OpenBSD provides all the tools you need to take one step further: exporting their addresses and publishing the evidence. You can even trap them yourself using known bad addresses. It's easy, fun and good netizenship."

Hmmm?

[BCW2]

Wouldn't it be more fun to go to their house and either serve them with a civil suit for a $Million+ or just beat their computer into a cube with a sledge hammer?

the known bad addresses part seems dangerous

[Trepidity]

I agree the vast majority of email sent to "known bad" addresses will be sent by spambots, and that'll probably be the exclusive source for never-published addresses. But in the case where they publish these known-bad addresses on a page that they hope spambots will index, it seems blacklisting based on them is vulnerable to abuse. If I want to get some server blacklisted, and I have any sort of access to send mail from it, I can just send mail to the known-bad addresses. For example, good way for mischievous students to cause mayhem by getting their university's mail servers blacklisted.

Not Really

[IsMyNameTaken]

I think someone tried the latter approach already and it didn't end up helping her much

I go with the unpopular GP comment

[DiegoBravo]

That form looks like a wise and economical approach, but what in the earth could pass clean that form? phone calls? SSL channels with certs? SMTP-Ajax(?)?

Re:I go with the unpopular GP comment

[DiegoBravo]

Maybe this is correct: a scheme that passes that "antispam-form", implies the end of spam.

But nobody has demonstrated that the end of the spam does require passing such form.

What protocol/scheme/solution is so perfect in that way? look at the imperfect (but working) TCP/IP. Maybe some people is precluding deployment of acceptable solutions because of that dogma-form.

Re:I go with the unpopular GP comment

[qieurowfhbvdklsj]

I'm sure we could have fixed spam by now, were it not for the type of people behind that form. I once saw a spam solution which, aside from irrelevant items such as "this is what I think about you," had nothing marked against it except for "it won't work for mailing lists." Well, fuck, why don't we replace mailing lists with something else? We could use RSS feeds instead, or create a special mailing list protocol (call it the newspaper protocol or something clever like that). ...but no, it seems the rule is that any solution to spam cannot involve changing anything.

Email was designed to be like real mail. Anyone can send anyone anything. So like real mail, email has its own version of junk mail, but email lacks the one thing that limits junk mail to acceptable levels: stamps. Now since no one wants to do that, we obviously need to change something else, otherwise we'll always have spam.

The problem is too many fucktards who get their panties in a knot whenever anyone talks about doing anything differently. For some reason they dream of an email system where everyone can send anything to anyone, but yet, no one can send certain things to everyone. It's dumb. If you want something to change, then obviously you're going to have to change something, but there are too many elitist morons with funny little forms for any real discussion to take place. No matter what you suggest changing, there's some dumbass somewhere who happens to like that aspect of email exactly the way it is, and he'll promtly append a new objection to that form.

Re:Easy, fun...

[Blakey+Rat]

That's why they do it.

Seriously, it's almost trivial to completely avoid spam now. All of the three major free email vendors, Yahoo, Microsoft and Google, all have excellent spam filters. Every mail client has excellent spam filters. In a world of streaming video being one of the most popular internet uses, the bandwidth consumed by spam isn't a huge deal anymore. (Bittorrent on the other hand...)

Point is, these "spam vigilantes" basically have to go out of their way to even see spam. They enjoy seeing the spam, because then they can get outraged and do stuff like this. It's basically a hobby at this point.

Re:Form response

[thePowerOfGrayskull]

Perhaps it drew some inspiration from this one.

Re:Asking for trouble

[troll8901]

Chances are high that anyone sending contracts has already sent previous messages, so the receipt of the contract would not be subject to any delay.

I did not have such luxury.

1. The mail daemon was proprietary, supported manual whitelist only.
2. Adding to the whitelist didn't seem to solve the problem.
3. The mail server was under the control of a third-party company. I was not supposed to touch it.
4. Due to some issues between the two companies, they've stopped providing support.
5. I can't route the mails to my own mail server, because the DNS record and server were under their control too.

So yes, I received Executive A's anger sometimes while not being able to do anything about it.

Re:Asking for trouble

[LackThereof]

also find it hard to believe that the spammers have not figured this out. It's not like they are stupid. They try very hard to deliver their payloads. It would be trivial to update their software to retry messages that receive those codes.

Most spam-sending agents are very simple, and don't even bother looking at the SMTP error codes. Which is pretty sensible, given that most of what they get is probably 550 for bad addresses in their lists. Why even bother spending the time parsing these errors - there's going to be a whole lot of them, and it's mostly trash because your mailing list is mostly trash.

But lets say a spammer does make a spambot that looks for 451 errors and properly tries again later. Many sites recommend a greylist delay of 1 hour, but many others recommend a super short one of 1 minute or less. The spambot will have to figure out what to do - it could simply hammer the mail server until the message is accepted, which would have the added bonus of simultaneously DDOSing every mail server that implements greylisting. It would also tie up the spambot, though, attempting to resend messages to what might actually be a mail server that's not greylisting, but isn't accepting any mail at all right now. This stuff works on high volume, you don't want to slow down your rapid-fire spamming with all these retries. So they'd probably rather queue up retries to go out after their initial batch is done.

That means they have to keep track of all this crap. Spambots use randomized From: addresses, but most greylisting implementations use the unique triplet of from address, to address, and senderIP to distinguish connections. If you just try and run the send again, you get a different random From:, and you're a new customer to the greylist again. So you have to start remembering the addresses used for every single mail until the error parsing is done, and then you have to store all the info for the retries somewhere. As you pointed out

Keeping track of thousands and thousands of IP addresses in a grey list to determine which one can communicate at what point is resource intensive.

You increase the size and complexity of your spambot, you increase the chance of it getting noticed. A spambot that the user notices is an uninstalled spambot. And that doesn't just mean less spam that you can send, that means your botnet just got smaller. You never want that. You want to protect the botnet at all costs. After all, it's not your spam, it's your client's spam, and there's no need to risk your botnet in order to get 1% more messages out for your client.

Re:that I think he's avoiding

[Dynedain]

And you missed the parent...

If a blackhat already has access to something like a university's mail system (say through someone's weak password), and sends a message to these known-bad addresses (aka, honyepot) through the university's mail system, then he's successfully blacklisted the university's mail servers.