Name and Shame Spam Senders With OpenBSD

Peter N. M. Hansteen writes "Once you've identified spam senders, OpenBSD provides all the tools you need to take one step further: exporting their addresses and publishing the evidence. You can even trap them yourself using known bad addresses. It's easy, fun and good netizenship."

"netizenship"

...NO!

Re:"netizenship"

[Dan541]

How can we be expected to take someone seriously when they invent more bullshit.

Re:"netizenship"

Wife is gone on a trip t mother-in-law, drinking a dead guy ale, contemplative and bored.

Burma shave.

Hmmm?

[BCW2]

Wouldn't it be more fun to go to their house and either serve them with a civil suit for a $Million+ or just beat their computer into a cube with a sledge hammer?

Re:Hmmm?

Wouldn't that require beating a million computers into a million cubes to take down their bot net? Perhaps hammering their toes would be better.

Re:Hmmm?

[cyphercell]

your quite right. The sledge hammer should be used to bust their jaw first.

Re:Hmmm?

[cp.tar]

Couldn't we do both?

Re:Hmmm?

[N1AK]

I'm glad no one modded you flame bait for this, as it's a contentious yet valid question.

Personally I think this point is important enough that 'fighting' spam shouldn't outright over-rule it. There are already many ways of fighting spam that don't require limiting peoples ability to 'speak':
1/ Using someone's computer without their permission is a criminal act (thus covering the use of Zombie networks).
2/ Using your own computers to serve spam email is costly due to the rate at which you'll have your nodes detected and blocked.
3/ Sites that offer referral payments can start requiring more identification when setting up accounts, leading to more chance people breaking the conditions not to use spam email could be caught.

Ultimately spam can be dealt with perfectly well without having to ban any form of message. Computers generating spam can have internet access limited to just anti-virus sites until they stop sending, the people controlling zombie boxes can be prosecuted for computer misuse and sites offering referrals to spammers can be blocked by an ISP controlled organisation.

Re:Hmmm?

[osgeek]

If your interpretation is so loose the the First Amendment gives a spammer the right to spam, then by that same logic the Second Amendment gives me the right to shoot them in the face.

Re:Hmmm?

[rts008]

Well, I don't know about that second amendment applying here.

But, If you shoot them in the face with style and good form, that should still be covered by the first for artistic expression, no? Just put a blank canvas behind them to be sure.

the known bad addresses part seems dangerous

[Trepidity]

I agree the vast majority of email sent to "known bad" addresses will be sent by spambots, and that'll probably be the exclusive source for never-published addresses. But in the case where they publish these known-bad addresses on a page that they hope spambots will index, it seems blacklisting based on them is vulnerable to abuse. If I want to get some server blacklisted, and I have any sort of access to send mail from it, I can just send mail to the known-bad addresses. For example, good way for mischievous students to cause mayhem by getting their university's mail servers blacklisted.

netizenship?

[thermian]

Sorry, I'd never claim citizenship on the internet, after all, who'd want to live in a place that was almost entierly composed of porn?

Oh wait...

Not Really

[IsMyNameTaken]

I think someone tried the latter approach already and it didn't end up helping her much

Re:Not Really

[Ethanol-fueled]

Are you kidding? She got to beat the shit out of a Comcast office while scaring away everybody inside!

Shaw received a three-month suspended sentence for disorderly conduct, a $345 fine in restitution and a year-long restraining order barring her from the Comcast office.

I assure you that if I could get away with that kind of punishment I'd do the same thing! Only I'd use a bat instead.

Form response

[carou]

Your post advocates a

( ) technical ( ) legislative ( ) market-based (X) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
(X) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(X) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Form response

[SSpade]

Summarhy for timmarhy: x x x xx xx x x xx x x x x

Re:Form response

[Jurily]

Whoosh.

That form is older than I am, and it still works perfectly.

Re:Form response

[pyrrhonist]

Dear Slashdot poster,

We're sorry to hear that you do not approve of the Universal Crackpot Spam Solution Rebuttal Form. As you are no doubt aware, per Slashdot rules this form must be posted in all articles pertaining to a spam solution. This form was carefully crafted by leading experts in their field, and has been serving the community well for almost a decade.

Your opinion is important to us, but please be advised that we cannot answer all inquiries or complaints personally. If you have questions concerning the Universal Crackpot Spam Solution Rebuttal Form or its use, please feel free to pipe your inquires to /dev/null. All inquiries will be processed in the order in which they are received.

Sincerely,
The Slashdot Community

Re:Form response

[Dogtanian]

mark poster as redundant [..] you must work in some kind of public service office pushing paper to think a form is a good way to express an opinion.

On the contrary. The fact that someone's argument can be criticised and/or refuted via such standardised means (*) shows that it fails in one or more now well-defined areas that previous "solutions" have exhibited and should have been considered this time round. And/or that this is merely an inadvertant repackaging of an older idea.

The slightly tongue-in-cheek form makes the point well, and far from being longwinded is shorthand compared to having a tedious and pointless rehash of previous discussions.

(*) As another poster mentioned, this "form" has been around for ages.

Re:Form response

[ivoras]

As Bill Gates and others have noticed previously, a very obvious solution to the whole spam and e-mail viruses problem would involve removing just one single line from this form:

( ) Sending email should be free

Though it is next to atrocious to admit for anyone who's using e-mail now, setting a $$$ cost to each message sent is probably the only way both first-level spammers and owners of infected machines would be forced to go off-line. This doesn't necessarily mean establishing a central authority - ISPs could simply analyze sent traffic.

But a "solution" like that will dramatically change the nature of Internet. It's really tough come up with a working solution that's not worse than the problem.

Re:Form response

[Tubal-Cain]

As Bill Gates and others have noticed previously, a very obvious solution to the whole spam and e-mail viruses problem would involve removing just one single line from this form:

( ) Sending email should be free

(x) Users of email will not put up with it
(x) Requires immediate total cooperation from everybody at once
(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
(x) Unpopularity of weird new taxes
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Countermeasures must work if phased in gradually

(x) Sorry dude, but I don't think it would work.

Re:Form response

[thePowerOfGrayskull]

Perhaps it drew some inspiration from this one.

Re:Form response

[dgatwood]

Actually, if email gets replaced by some other messaging system, it very easily could eliminate spam. The sole reason email spam can't be taken care of with a technological solution is that the infrastructure changes would be too massive and you couldn't get 100% opt-in for any new scheme by such a large number of players.

If SMTP were replaced by something else entirely, that whole problem goes away and you can design proper security into the protocol. All you really need is a protocol that enforces end-to-end authentication (and possibly encryption) and requires that every host involved in the transaction except for client machines sign every message that passes through and include a public key in their DNS record that can verify that signature. This would completely eliminate any possibility of endpoint forging, which would mean that spammers would have to keep registering domains to get new non-blocked source domains. Eliminate domain tasting, and those new domains = $$$ that the spammers would have to pay... frequently... all without introducing any per-message costs. If you take it one step further and require an SSL cert (not self-signed), that action by itself would be pretty much be the end of bulk spam as we know it, but would have the advantage of not harming legitimate business-to-user communication, email discussion lists, etc. like a per-message cost would.

Such a change would radically alter the balance of power in the spam wars. It would ensure that a spammer, once identified, could be trivially blocked, and would make it much harder and more expensive for the spammer to recover from such blocking. Unfortunately, while it would be possible to retrofit this onto SMTP, that compatibility with legacy systems would ultimately make it a waste of effort to do so; spammers would merely continue using the legacy compatibility mode to deliver the spam. It really has to be a clean break from SMTP for this to work and gain any traction whatsoever, and has to be 100% spam-free by design from day one.

Easy, fun...

[subreality]

They can call it easy, fun, and good netizenship... But I say they're just putting a friendly face on vigilanteism.

From a technical perspective this isn't that different from other collaborative filtering systems (though since the listing criteria is based on secondary sources, it's going to be susceptible to confirmation bias and other sampling errors, so this isn't likely to be a good one). I take big issue with the naming, though: Other collaborative filters say that "This machine is listed because it met these criteria", which you then make your own decisions on.

It crosses a line when you're saying they should be "shamed", especially when you're not taking extensive precautions to make sure you're not listing innocents.

Re:Easy, fun...

[Blakey+Rat]

That's why they do it.

Seriously, it's almost trivial to completely avoid spam now. All of the three major free email vendors, Yahoo, Microsoft and Google, all have excellent spam filters. Every mail client has excellent spam filters. In a world of streaming video being one of the most popular internet uses, the bandwidth consumed by spam isn't a huge deal anymore. (Bittorrent on the other hand...)

Point is, these "spam vigilantes" basically have to go out of their way to even see spam. They enjoy seeing the spam, because then they can get outraged and do stuff like this. It's basically a hobby at this point.

That's a really bad idea

If you want to "name and shame" someone, you need to be 100% sure you got the right person. E-Mail is such a vague and diverse system that you really need to know your network technologies to be able to find who's spamming you with any certainty. There's no automatism which can do it for you. Besides, you don't want to turn into one of those bitter and overzealous anti-spammer types, do you? Work with people who operate or host compromised computers which send spam, improve your spam classification systems, get on with your life.

Really?

[Darkness404]

Really is spam that big of a problem anymore? Ever since I've switched to Gmail all my spam has been blocked by it or blocked by a simple mail filter. Now then again, I don't give my real e-mail address to everyone and their brother, but individual spam blockers have come a long, long ways.

Re:Really?

[John+Hasler]

> Really is spam that big of a problem anymore?

For people who actually run email servers the fact that 99% of their traffic is spam is a problem, yes.

Re:Really?

[Brandybuck]

Really is pollution that big of a problem anymore? Ever since I've switched to BigAssFilter air conditioning system, all of the pollution has been filtered out of my home.

Re:Really?

[subreality]

You don't get spam because of a combination of anti-spam techniques similar to this one. We have to keep developing them, or else the spammers will get ahead.

YOU may not have much of a spam problem, but mail admins everywhere - including google's - most certainly do.

Shame!?

[Dahamma]

What's the point of trying to *shame* a spammer? You can't shame someone who has no shame.

Naming them is pointless, too. "Oh, hey, I found out it's a guy named Viktor in the Ukraine sending me all this spam!" Now what?

that I think he's avoiding

[Trepidity]

I could be misreading, but I think he's using the IP of the server that actually connects to his server and attempts to deliver mail, not the IP reported in the mail headers.

Re:that I think he's avoiding

[Dynedain]

And you missed the parent...

If a blackhat already has access to something like a university's mail system (say through someone's weak password), and sends a message to these known-bad addresses (aka, honyepot) through the university's mail system, then he's successfully blacklisted the university's mail servers.

Re:Missing a few addresses

You forgot a couple of his aliases:

dmcbride@sco.com
bgates@gatesfoundation.org
steveb@microsoft.com
jackpeace@comcast.net

I go with the unpopular GP comment

[DiegoBravo]

That form looks like a wise and economical approach, but what in the earth could pass clean that form? phone calls? SSL channels with certs? SMTP-Ajax(?)?

Re:I go with the unpopular GP comment

[techno-vampire]

what in the earth could pass clean that form?

Currently, nothing. If somebody ever does come up with something that will, it will spell the end of spam. I'm not holding my breath.

Re:I go with the unpopular GP comment

[DiegoBravo]

Maybe this is correct: a scheme that passes that "antispam-form", implies the end of spam.

But nobody has demonstrated that the end of the spam does require passing such form.

What protocol/scheme/solution is so perfect in that way? look at the imperfect (but working) TCP/IP. Maybe some people is precluding deployment of acceptable solutions because of that dogma-form.

Re:I go with the unpopular GP comment

[qieurowfhbvdklsj]

I'm sure we could have fixed spam by now, were it not for the type of people behind that form. I once saw a spam solution which, aside from irrelevant items such as "this is what I think about you," had nothing marked against it except for "it won't work for mailing lists." Well, fuck, why don't we replace mailing lists with something else? We could use RSS feeds instead, or create a special mailing list protocol (call it the newspaper protocol or something clever like that). ...but no, it seems the rule is that any solution to spam cannot involve changing anything.

Email was designed to be like real mail. Anyone can send anyone anything. So like real mail, email has its own version of junk mail, but email lacks the one thing that limits junk mail to acceptable levels: stamps. Now since no one wants to do that, we obviously need to change something else, otherwise we'll always have spam.

The problem is too many fucktards who get their panties in a knot whenever anyone talks about doing anything differently. For some reason they dream of an email system where everyone can send anything to anyone, but yet, no one can send certain things to everyone. It's dumb. If you want something to change, then obviously you're going to have to change something, but there are too many elitist morons with funny little forms for any real discussion to take place. No matter what you suggest changing, there's some dumbass somewhere who happens to like that aspect of email exactly the way it is, and he'll promtly append a new objection to that form.

Asking for trouble

[EdIII]

Most of the article is about grey listing. That's nearly suicidal for most mail server administrators. When I tried it, it did make a difference.

Of course, while it is working..........

Executive A, "This guy just sent me a contract 60 seconds ago. I keep clicking the damn send/receive button but it's not coming in. Are you a fucking moron or something? What the HELL is going on?!!"

Either paranoia, or people trying to send email with attachments to each other while *on the phone*, makes grey listing a huge hassle for the administrator. You just can't force a delay in email of 10 or 20 minutes for most users. The pitch forks and torches come out.

Once you do use it, you cannot control the duration of the delay either. The other mail server has its own settings on how often it retries mail as well. So yours is set to 3, theirs is set to 20. The delay is 20.

I also find it hard to believe that the spammers have not figured this out. It's not like they are stupid. They try very hard to deliver their payloads. It would be trivial to update their software to retry messages that receive those codes.

Oh, and if you have high volume get ready to drain some resources. Keeping track of thousands and thousands of IP addresses in a grey list to determine which one can communicate at what point is resource intensive.

Re:Asking for trouble

[troll8901]

Chances are high that anyone sending contracts has already sent previous messages, so the receipt of the contract would not be subject to any delay.

I did not have such luxury.

1. The mail daemon was proprietary, supported manual whitelist only.
2. Adding to the whitelist didn't seem to solve the problem.
3. The mail server was under the control of a third-party company. I was not supposed to touch it.
4. Due to some issues between the two companies, they've stopped providing support.
5. I can't route the mails to my own mail server, because the DNS record and server were under their control too.

So yes, I received Executive A's anger sometimes while not being able to do anything about it.

Re:Asking for trouble

[LackThereof]

also find it hard to believe that the spammers have not figured this out. It's not like they are stupid. They try very hard to deliver their payloads. It would be trivial to update their software to retry messages that receive those codes.

Most spam-sending agents are very simple, and don't even bother looking at the SMTP error codes. Which is pretty sensible, given that most of what they get is probably 550 for bad addresses in their lists. Why even bother spending the time parsing these errors - there's going to be a whole lot of them, and it's mostly trash because your mailing list is mostly trash.

But lets say a spammer does make a spambot that looks for 451 errors and properly tries again later. Many sites recommend a greylist delay of 1 hour, but many others recommend a super short one of 1 minute or less. The spambot will have to figure out what to do - it could simply hammer the mail server until the message is accepted, which would have the added bonus of simultaneously DDOSing every mail server that implements greylisting. It would also tie up the spambot, though, attempting to resend messages to what might actually be a mail server that's not greylisting, but isn't accepting any mail at all right now. This stuff works on high volume, you don't want to slow down your rapid-fire spamming with all these retries. So they'd probably rather queue up retries to go out after their initial batch is done.

That means they have to keep track of all this crap. Spambots use randomized From: addresses, but most greylisting implementations use the unique triplet of from address, to address, and senderIP to distinguish connections. If you just try and run the send again, you get a different random From:, and you're a new customer to the greylist again. So you have to start remembering the addresses used for every single mail until the error parsing is done, and then you have to store all the info for the retries somewhere. As you pointed out

Keeping track of thousands and thousands of IP addresses in a grey list to determine which one can communicate at what point is resource intensive.

You increase the size and complexity of your spambot, you increase the chance of it getting noticed. A spambot that the user notices is an uninstalled spambot. And that doesn't just mean less spam that you can send, that means your botnet just got smaller. You never want that. You want to protect the botnet at all costs. After all, it's not your spam, it's your client's spam, and there's no need to risk your botnet in order to get 1% more messages out for your client.

You're an idiot.

[Narcocide]

Wow you're an idiot and you don't understand email. He's using the TARGET address to blacklist the IP ADDRESS from the SMTP CONNECTION. That's the envelope sender, not the mail header's return address.

Do your research before you start casting wild allegations around.

But...

[Sigvatr]

... is it good Nietzscheanship?