OK, I miscounted the packets to proxy ports - there were more than three (fifteen, in fact.) I find these three interesting:
FWIN 3/30/2005 9:17:04 AM -6:00 GMT 66.35.250.150 slashdot.org 39285 192.168.123.19 N/A 1080 TCP (flags:S) No
FWIN 3/30/2005 9:17:10 AM -6:00 GMT 66.35.250.150 slashdot.org 39289 192.168.123.19 N/A 3128 TCP (flags:S) No
FWIN 3/30/2005 9:17:18 AM -6:00 GMT 66.35.250.150 slashdot.org 39297 192.168.123.19 N/A 8080 TCP (flags:S) No
My guess is that slashdot is checking to see if my IP address has an open proxy so that they can know to reject my postings (on the theory they are bogus postings through the open proxy.)
(Unlike many I don't get bent out of shape over tests directed at my IP address.)
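As an added example (my code, not part of the original post), here is a small parser for ZoneAlarm's FWIN log lines like the three above. It picks out inbound TCP SYNs to the usual open-proxy ports and groups them by source IP, so a source that walks the whole proxy-port list stands out from a single stray packet. The set of proxy ports and the extra port-80 line in the sample log are this example's assumptions.

```python
import re
from collections import defaultdict

# Ports that open-proxy scanners probe. 1080 (SOCKS), 3128 (Squid) and 8080
# (HTTP proxy) are the ones in the log lines above; treating them as the
# complete set is an assumption of this example, not of the original post.
PROXY_PORTS = {1080, 3128, 8080}

# ZoneAlarm "FWIN" (inbound blocked) text-log layout as it appears in the
# post: type, date, time, AM/PM, UTC offset, "GMT", src IP, src host,
# src port, dst IP, dst host, dst port, protocol, flags, and a final field.
ZA_LINE = re.compile(
    r"^(?P<type>FWIN|FWOUT)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<tz>[+-]\d{1,2}:\d{2})\s+GMT\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<src_host>\S+)\s+(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_host>\S+)\s+(?P<dst_port>\d+)\s+"
    r"(?P<proto>\S+)\s+\(flags:(?P<flags>[A-Z]*)\)\s+(?P<tail>\S+)\s*$"
)


def parse_zonealarm_line(line):
    """Return a dict of fields for one ZoneAlarm log line, or None if the
    line does not match the expected layout."""
    m = ZA_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec


def proxy_probes(lines, proxy_ports=PROXY_PORTS):
    """Group inbound TCP SYNs to proxy ports by source IP.
    Returns {src_ip: sorted list of distinct proxy ports probed}."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_zonealarm_line(line)
        if rec is None or rec["type"] != "FWIN":
            continue
        if rec["proto"] != "TCP" or "S" not in rec["flags"]:
            continue
        if rec["dst_port"] in proxy_ports:
            hits[rec["src_ip"]].add(rec["dst_port"])
    return {ip: sorted(ports) for ip, ports in hits.items()}


def full_proxy_scan(lines, proxy_ports=PROXY_PORTS):
    """Sources that touched every port in proxy_ports: a scanner that walks
    the whole list looks deliberate, while a single hit could be noise."""
    return sorted(ip for ip, ports in proxy_probes(lines, proxy_ports).items()
                  if set(ports) == set(proxy_ports))


# Constructed sample: the three lines quoted in the post plus one unrelated
# inbound SYN to port 80 that must not be counted.
SAMPLE_LOG = """\
FWIN 3/30/2005 9:17:04 AM -6:00 GMT 66.35.250.150 slashdot.org 39285 192.168.123.19 N/A 1080 TCP (flags:S) No
FWIN 3/30/2005 9:17:10 AM -6:00 GMT 66.35.250.150 slashdot.org 39289 192.168.123.19 N/A 3128 TCP (flags:S) No
FWIN 3/30/2005 9:17:18 AM -6:00 GMT 66.35.250.150 slashdot.org 39297 192.168.123.19 N/A 8080 TCP (flags:S) No
FWIN 3/30/2005 9:20:00 AM -6:00 GMT 198.51.100.7 N/A 40000 192.168.123.19 N/A 80 TCP (flags:S) No
"""

if __name__ == "__main__":
    for ip, ports in proxy_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, ports)
    print("full scans:", full_proxy_scan(SAMPLE_LOG.splitlines()))
```

Only SYNs count, so a stray ACK or an outbound connection to the same port does not inflate the tally; the tail field ("No") is kept but unused.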
If a host begins talking on port 25 did a worm just start spamming or did the user sign up for a new e-mail account?
What's the destination of the port 25 packets? In general I don't wish to examine packet contents, only size and ports and IP addresses. For abuse packets my feeling is that the ISP has a complete right to fully examine them - the ISP is acting to protect itself and is not intercepting valid traffic.
The easiest traffic to spot is the worm propagation traffic that compromises machines in the first place.
I won't argue, although a bunch of port 25 traffic going elsewhere shouldn't be that hard to spot. If the spammers spread the zombies out so much that each need only carry a tiny bit of spam traffic (keeping the volume down and making it less detectable from port 25 volume) they also potentially hit more IP addresses for which port 25 traffic volume isn't the only criterion. In any case I think they hit zombies less hard than they used to hit open relays and open proxies, although that is an opinion backed by no data at all (other than what I know about how heavily they hit some open relay honeypots.)
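An added example, not from the poster: the "bunch of port 25 traffic going elsewhere" check run over constructed flow records, looking only at ports, addresses and sizes, never payload. It keys on fan-out (distinct external port-25 destinations per hour) rather than byte volume, which is the measure a spread-out zombie carrying a tiny bit of spam still cannot hide from, since it has to open a session to each victim's MX. The customer block, the ISP smarthost address, the window and the threshold are assumptions of the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions of this example: the ISP's own customer block and the relay
# that customers are expected to send mail through.
LOCAL_NET = ip_network("192.168.123.0/24")
SMARTHOST = "203.0.113.25"


def smtp_fanout(flows, window=3600):
    """For each local source, count distinct *external* SMTP destinations
    (port 25, outside LOCAL_NET, not the ISP smarthost) per time window.
    flows are (start_seconds, src, dst, dport, nbytes) tuples, the kind of
    record a NetFlow export gives you. Returns
    {src: {window_start: number of distinct destinations}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for t, src, dst, dport, _ in flows:
        if dport != 25 or ip_address(src) not in LOCAL_NET:
            continue
        if ip_address(dst) in LOCAL_NET or dst == SMARTHOST:
            continue
        seen[src][t - t % window].add(dst)
    return {s: {w: len(d) for w, d in ws.items()} for s, ws in seen.items()}


def flag_zombies(flows, threshold=10, window=3600):
    """Sources whose distinct-destination fan-out exceeds threshold in any
    window. Fan-out, not byte volume, is the criterion: a zombie carrying a
    'tiny bit of spam' still has to talk to each victim's MX."""
    return sorted(src for src, ws in smtp_fanout(flows, window).items()
                  if max(ws.values()) > threshold)


def sample_flows():
    """Constructed flow records for the example."""
    flows = []
    # A legitimate user sending mail through the ISP's smarthost, many times.
    for i in range(40):
        flows.append((1000 + i * 60, "192.168.123.19", SMARTHOST, 25, 4000))
    # The same user fetching a web page: port 80, irrelevant here.
    flows.append((1200, "192.168.123.19", "198.51.100.7", 80, 120000))
    # A zombie: small messages, each to a different external MX.
    for i in range(25):
        flows.append((2000 + i * 30, "192.168.123.50",
                      "198.51.100.%d" % (i + 10), 25, 900))
    return flows


if __name__ == "__main__":
    print(smtp_fanout(sample_flows()))
    print("flagged:", flag_zombies(sample_flows()))
```

The obvious caveat: a customer who legitimately runs their own MTA fans out too, so an operator would keep an allowlist of known mail servers or raise the threshold for them; the point of the example is that volume alone is the wrong axis, as the post says.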
The trick is making it cost effective for ISPs to notify users.
I'd like to see far more effort by ISPs to notify the ISPs of the sources of the abuse. Which appears to be (in part) the nature of this new plan, if the source ISP is a participant. Spam abuse is an internet-wide problem, not a single ISP problem. There needs to be effective cooperation and timely sharing of information about abuse as it happens.
Some countries are starting government agencies to deal with spam and worms. ISPs can easily provide them with a list of infected hosts that they can contact with the appropriate worm remedy.
Ah. Exactly.
The problem is mostly logistics and funding, the technical part has been solved for a long time. I see this as the most realistic solution to spam zombies.
I think the biggest problem, dwarfing logistics and funding, is the human problem. It is in fact very difficult to get those in charge of security to look outside their own domains, to consider anything beyond what they've already chosen to do. Most prefer a combination of blocking and of sternness towards their own users who operate compromised machines. This after the ISP blithely, inattentively, and unconcernedly delivered the packets that caused the infection. "All the fault lies in the users" could be their motto, "never in us."
System administrators almost all treat spam as a single-system problem to be handled at the destination server (the single system.) It is nearly impossible to persuade anyone to act against spam earlier in the spam path (and when they do act it is almost entirely a combination of blocking and "blame their own customer for the abuse committed by the spammer.") You can see the result: spam continues to flow.
Thanks again for your comments. Do note that I'm strictly a loudmouth: I'm doing nothing at all to fight spam. I gave it up in January.
OK, I did something incredibly tiny: I just looked to see if ZoneAlarm was still logging proxy port attempts (which could indicate a continuing volume of open proxy spam: if it is spammers looking for proxy ports they're doing it to find a way to send their spam.) I found 3, all to port 8080.
(I have a hardware firewall. It passes packets to open proxy ports so that I can log them using ZoneAlarm.)
"Spam currently follows a pretty recognizable pattern on the internet. That does not mean zombies could not be programmed to send spam in a less recognizable way, or in a way that mimics normal e-mail usage. This could slow down spam, but I doubt it is a good long term solution."
It's always going to be packets in to some IP address, always going to be packets out to port 25 at some other IP address. The nastiest technique would be to have a local network of zombies so that the incoming packets go to a different IP address from the source of the outgoing packets to port 25 - and at some appreciable time delay after the receipt of the packets that control the zombies. That's part of why I think that an ISP-level counter-attack is needed - single IP address monitoring might be inadequate.
If spam were a low-level abuse then that would be a fairly formidable problem. With the huge volume of spam as it is detecting the abuse is far easier, is it not?
The article talks of sharing the "fingerprints" of the abuse, which seems to indicate that one of the design goals is to anticipate and provide for a constantly-changing pattern of abuse rather than assume a fixed pattern.
In any case the mere fact that the proposed solution is based on a cooperative approach rather than on a collection of individual approaches is, IMHO, a step forward.
If they would but do it this coalition could expand their concern to the detection and prevention of zombie spam (that is, abuse of systems within each provider's IP space as zombies) they could begin the process of eliminating spam. Not dealing with spam, eliminating spam. It's long past time for that.
The great unexploited opportunity for eliminating spam is at the intermediate level (that is, ahead of the destination server for the spam.) If they had been implemented in sufficient numbers at the appropriate time (with "sufficient numbers" being below 1% of all IP addresses) open relay and open proxy honeypots could have eliminated spam - before the spammers had a chance to advance to zombies.
The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intermediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.
All it would take would be for ISPs and others to detect the abuse and then act against it - in all the ways they can or in all the ways they choose (some, for instance, might cling to the "only blocking is good" philosophy. OK, let them only block - it still is productive, even though it's way less so than interception, since the spammers can simply choose another abuse path when they experience blocking. For interception the spammers first need to learn that the spam is being intercepted. It's always good to make life harder for the spammers, to add to their burden.)
"While your techniques will all stop spam, they will also stop a great deal of legitimate mail (ham). Stopping spam is not the hard problem Stopping spam while letting ham through is the hard problem."
Yes, that's the problem with almost every anti-spam solution.
Not with mine. Everyone else tries to stop the spam at or after the destination server, after it is mixed in with valid email. I take advantage of the fact that before then spam is taking a different route from the route any valid email takes (and for most spam this is true.) So I can stop anything that takes such a route and not risk stopping any valid email. 100% accuracy, no false positives, I don't even have to think. Note that I just stop spam, not spam aimed at me. That's fine. Get enough people doing this (where "enough" isn't really a huge number) and the spammers really suffer. It should be obvious that stopping the spam is just one of the things that can be done when you trap it in mid-stream. If the spammer is fool enough to send direct to a trap (many are) then you know his IP address and can get him booted, if his ISP is 1/4 reputable. That's because you are reporting both spam and attempted abuse to the ISP. Spam he can slough off; attempted abuse puts the entire matter into a different category.
While I talk of "my" solution all the actual work done in creating software for this (and most of the positive results) are the work of others. See, for example, www.jackpot.uk.net/ and http://www.proxypot.org/
(If there is spam sent direct from the spammer's IP address to the destination server, no gimmicks in between, then a simple blocklist will defeat him.)
"Technology hasn't been able to help that much yet."
That's not really true. The problems with the technology that works are:
(1) It's too easy. That's right, too easy.
(2) Too few make use of the easy technology. This means most spammers escape any consequences because they never hit a trap. Result: what you see.
Take a look at: http://www.proxypot.org/
(3) The technology works against spam but it isn't targeted on the spam coming to a specific entity or server. People want to fight spam but that translates to fighting "their spam" - the spam directed at them. I stopped spam to millions of recipients (I not among them) with a simple SMTP honeypot. Others did even more. That's because my target was spam, not spam sent to me (or to my users.)
[It was as much as anything revenge for their having abused my open relay. It still looked open, but wasn't.]
Spam (most of it) is sent via abuse. Stop the spam at the abuse level and you stop it where it's easy. How hard is it to understand that if no valid email whatsoever is sent via open proxies then any email found that is sent by such a route is invalid precisely because it is taking that route? You don't even need to think.
But that's too simple.
Stopping spam sent through spam zombies is somewhat harder but the same thinking applies: if it comes that way it's invalid. No thinking needed: see it and you know it's bad.
Interesting note in the article : "For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do. "
Agreed. On a volume basis it's likely that most abuse is committed by spammers. They've survived for years precisely because they have not been watched in any manner (at the abuse level - all the attention is focused at and after the destination server.) Do even the crudest honeypot you can think of as an anti-spammer tool and you very likely will succeed in gathering information the spammer would rather you not have. Set up an MTA that doesn't ever deliver anything - you'll trap the test messages sent by spammers (mostly in China, Taiwan, and Korea now.) (Guess how I know.) What the heck, here's one: the spammer sends his test messages to a231.b233@msa.hinet.net. A US spammer has sent tests to smtps1@transedge.com, another to meristar1@cox.net.
A more complete open relay honeypot can collect spam evidence as well. All the spam that comes to the honeypot is spam that doesn't get delivered, independently of whether the intended victim has any protection mechanisms in place or not.
Then there's open proxy honeypots. A few people have done honeypot-like things with spam zombie servers. It's still a field in which very useful things can be done...
I think your example is probably close to what the book says (not having seen the book.) It's also a rather improbable scenario and seems to imply that if your honeypot/honeynet is vulnerable you bear some sort of liability that you wouldn't if it was just your desktop system that was abused in the same way. I don't understand that, and I also don't think such liability has ever been asserted in any case nor found to have existed by any court. I'm guessing the lawyer is Richard Salgado, who's issued this warning before. Notice that the nature of the warning he gives is that someone succeeds in committing abuse through your honeypot, which is not the goal when you set up the honeypot and is not normally what happens when you set up a honeypot. I think Salgado tries far too hard to find a problem where none exists - but then he's the lawyer, I'm not. (come to think of it, though, that's just how lawyers are.)
I don't think the wiretap laws apply: you aren't tapping a wire, you're watching traffic deliberately sent to your system. Your system, let me repeat.
I don't think entrapment applies (not even for law enforcement): the honeypot/honeynet is simply created, not advertised, and the felons seek it out on their own. That is not suggesting to someone that they commit a crime and then arresting them when they do. It's less a crime than for a shapely policewoman to wear a revealing red dress in a bar and then arrest a john who propositions her. If LEAs are worried about entrapment let them not set up honeypots. The book is for non-LEA people anyway.
P.S. I think that, many years ago, I saw that policewoman. Seriously.
"Vigilante justice is worse than the original crime. Let the proper authorities deal with it before it turns into one big mess."
If the proper authorities aren't all spending their entire shifts at a Krispy-Kreme it's hard to see anything that indicates it.
ISPs have TOS - Terms of Service. Is it vigilantism for an ISP to enforce its TOS? Is it vigilantism for someone to notify an ISP of TOS violations?
Yes, a DDOS in response to spam might actually be worse than the crime committed by the spammer. So don't do DDOS. Not all vigilante actions are reprehensible - don't do the reprehensible ones.
"Online mobs are inherently imbalanced, and can result in the equivalent of beheading people for misdemeanors."
We already have online mobs: they're called newsgroups. The mob-acting newsgroup uses the same type of mob logic as an honest-to-goodness real mob surging through a street - it's just done electronically rather than verbally. That slows action and communication - but the dynamics are still those of a mob.
There can be one-person posses, and the incentive to quit for the ones I'd favor would be the end of the abuse being targeted. "Quit" is a bit misleading - the person can continue to watch for abuse aimed at his system, the "quitting" comes from his not having any on which to act. Then he stops being a vigilante, starts being a private sentry.
I have been puzzled for years. Why do people refuse to gather the evidence about spammers that the spammers provide to them when the spammers probe for vulnerability? Why is it insisted that the thing to do is to block the abuse and ignore it? Heck, even the destination email addresses for spammer open relay tests are useful information. Why don't people grep their sendmail logs to find them (with a similar question for the logs of other MTAs)? If the ISP of the email address is anti-spam it can do a lot on the basis of that information for the email addresses in its own space.
Honeypot operators watch for abuse rather than simply secure against it. They can take some actions (perfectly legal and legitimate) against the abusers (mostly spammers) they find, they can initiate actions against the abusers.
It continually amazes me that so many people are highly irate about net abuse and yet do so little to stop it when they could. Honeypot evidence could be used to convince ISPs that there's plenty they could be doing, too, without violating any laws and without violating any of their own restrictions.
Spam is abuse that goes through other systems (for the most part.) Just about every system with a permanent connection is a candidate "other system" for the spammers. The vigilante who operates a honeypot watches for that abuse and works to thwart it (if nothing else, captured spam stops dead at the honeypot. That in itself is good. Get enough doing it and the ones who pay to have their product or service spammed could be told that a large number of the spam messages never got delivered. The idea of that is to get them demanding a refund from the spammer. The idea behind not telling them the number is to make the negotiation between spammer and customer more difficult, more heated.)
I watch a honeypot. It traps some oriental spam (from/to oriental email addresses), some US open relay tests. Even today there are spammers doing open relay abuse. You can learn a lot about the abuse using a simple trap. Knowing more about the abuse gives you greater power against the abuse.
Linux operators, in particular, can run open proxy honeypots ( "in particular" because a free download to do just that already exists.) There's probably much more open proxy abuse these days than open relay abuse. Create enough irritant sites (honeypots) and the spammers will be greatly inconvenienced.
If you've ever had a system abused by spammers to relay spam there may be no greater feeling of satisfaction than watching more spam come in and knowing that it stops dead with your system. The more the spammer gloats (you don't get to see it but you can assume it) that he's found a superb abusable system the more you gloat that he is wasting all the effort and bandwidth he's using to send the spam through your honeypot.
It doesn't hurt to run the honeypot like you're a greenhorn, either. Let the spammer think he's found a big fool. The more like a big fool you look to him the longer he'll actually be a big fool. Simulate a clogged system, simulate crashes, go offline for hours (or simply change IP address - that's offline as far as the IP address you were using is concerned.) How you do it and what you do aren't that important - the important thing is to create noise so that the spammer has a far more difficult time telling abusable systems from secure ones. If you could do anything about the abusable systems you'd secure them - but you can't. To confuse the spammer you have to make secure systems look insecure. Plus, the more obscure your location (that is, boonies.com vs. bigisp.net, for example) the more likely the spammer is to look at your IP address (the system attached) to see if it is abusable.
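An added example, not the poster's code, for the suggestion earlier in this post to grep sendmail logs for relay tests: it pulls the "Relaying denied" lines that sendmail's check_rcpt ruleset writes, and groups the dropbox addresses by mail domain together with the IPs that probed, which is the form the dropbox's provider can act on in its own address space. The log lines are constructed for the example (the addresses in them are the ones quoted in this thread); the syslog layout is sendmail's standard one.

```python
import re
from collections import Counter, defaultdict

# Constructed sendmail syslog excerpt (not a real log). The first, second and
# fourth lines are what sendmail writes when its check_rcpt ruleset refuses
# to relay; the third is an ordinary accepted message that must be ignored.
SAMPLE_SYSLOG = """\
Mar 30 09:17:04 mail sendmail[12345]: j2UFH4aB012345: ruleset=check_rcpt, arg1=<a231.b233@msa.hinet.net>, relay=[66.35.250.150], reject=550 5.7.1 <a231.b233@msa.hinet.net>... Relaying denied
Mar 30 09:18:11 mail sendmail[12346]: j2UFIBaB012346: ruleset=check_rcpt, arg1=<smtps1@transedge.com>, relay=host7.example.net [198.51.100.7], reject=550 5.7.1 <smtps1@transedge.com>... Relaying denied
Mar 30 09:18:40 mail sendmail[12347]: j2UFIeaB012347: from=<alice@example.org>, size=1432, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.5]
Mar 30 09:19:02 mail sendmail[12348]: j2UFJ2aB012348: ruleset=check_rcpt, arg1=<a231.b233@msa.hinet.net>, relay=[66.35.250.150], reject=550 5.7.1 <a231.b233@msa.hinet.net>... Relaying denied
"""

# relay= is "host [ip]" when reverse DNS worked and "[ip]" when it did not.
DENIED = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[\d.]+)\], reject=550 .*Relaying denied"
)


def relay_tests(log_text):
    """Yield (timestamp, source IP, source host or None, recipient) for each
    'Relaying denied' line. The recipient is the spammer's own dropbox:
    a relay test has to go somewhere the spammer can read."""
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            yield m["stamp"], m["ip"], m["host"], m["rcpt"].lower()


def dropboxes_by_domain(log_text):
    """Group test dropboxes by their mail domain, with the probing IPs."""
    out = defaultdict(lambda: defaultdict(set))
    for _, ip, _, rcpt in relay_tests(log_text):
        domain = rcpt.rsplit("@", 1)[-1]
        out[domain][rcpt].add(ip)
    return {d: {r: sorted(ips) for r, ips in rs.items()} for d, rs in out.items()}


def probe_counts(log_text):
    """How many relay tests each source IP sent, repeat probers first."""
    return Counter(ip for _, ip, _, _ in relay_tests(log_text)).most_common()


if __name__ == "__main__":
    for domain, rcpts in dropboxes_by_domain(SAMPLE_SYSLOG).items():
        print(domain, rcpts)
    print(probe_counts(SAMPLE_SYSLOG))
```

A one-liner of `grep 'Relaying denied' /var/log/maillog` gets you the raw lines; the grouping is what turns them into two separate reports, one to the prober's ISP (by IP) and one to the dropbox provider (by domain).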
"Should there be a police organization specifically for the net which might have the authority to hack someone's machine if they are breaking the law with it?"
Let that wait. The police should have the authority to request (and receive) a search warrant that allows them to monitor and log the traffic from the suspect site. Having the authority to search an 80 gig hard drive might lead to a lot of work. Having the authority to monitor the traffic could turn out to be ridiculously easy. In addition, the logs prove the offense. Proving law violation just by what's on the hard drive could be difficult.
"Since a design assumption has been fundamentally broken, it needs to be redesigned."
First of all you need to think about trust a little more - who can trust whom?
I'll bet you've never thought about it but the spammers can trust the rest of us with close to 100% accuracy. Does that help? Do we really want to be that reliable for the spammers? Spammers do things that decent users don't do. If you set up a system to deceive just those who do the indecent things then you injure the spammers without touching anyone else. All those probes for vulnerability - those are opportunities to strike back. If it's a probe by a spammer you should strongly want to strike back: they're scum, they're dirtying the internet, they're the biggest group of abusers (and even bigger, if you measure the economic harm.)
One of the worst ways they can trust us is that if a system looks like it's insecure it is insecure. We're so proud of our security we advertise it. That's wrong. An alternative to changing the design of SMTP is to protect it. (Note, too, that spammers abuse other than SMTP ports to send spam.) If the spammers can't figure out which systems are insecure and which are not they sort of have to give up, don't they?
If it isn't clear, what I am advocating is that secure systems look insecure to the spammers. Best would be systems set up specifically for that purpose. Spammers do bulk abuse and can't afford to spend much time checking to see whether or not the systems that look like they can be abused really can be abused. Even if the main effect is to force spammers to spend more time checking that is a giant step forward in the fight against spam. Note, too, that if you are set up to detect spammer abuse tests you have information on them from the test alone - there is no way to do a stealth test. At best they can test through other abused systems, but get any useful number of trap systems set up and the spammers face a greater risk from doing multi-hop abuse. It's another way in which they'll lose.
Yes, by golly, you can think of things the spammers could do to counter such an approach. A few people use such an approach, a few spammers do use crude countermeasures. Having to continually change hasn't bothered the filter advocates. The blocklist advocates have also changed what they do with time (probably not enough, not nearly as fast as spammers change tactics.) Having to refine the fake abusable systems from time to time is a cost of taking that approach. The cost is far less than the benefit. Do it.
If you manage a block of IP addresses one of your goals should be that every spammer in the world know that attempting to abuse a system under your control will lead to consequences he doesn't like. (Best would be that the consequences are so severe he doesn't even have the option of doing more abuse: he's jailed.) That's not a change in the SMTP protocol, that's a change in behavior - YOUR behavior. The old security model (the one, unfortunately, that is still pushed) is one that protects (as much as it does) individual systems. Take a look, darn it: spam is an abuse that targets multiple systems - the spam recipient's email server is just the last in the chain. The single-system security model works to protect single systems but is failing to stop spam. Spam is not only a single-system abuse issue. Quit pretending it is, quit putting all the effort into single-system-abuse based approaches. The spammers laugh at how easy it is to succeed because of that unfortunate bias toward the single-system security model. Turn that laugh into a howl of pain - and make them howl louder with time.
Check www.proxypot.org for some ideas. Traffic analysis (which is ideal for ISPs) can be used with devastating effect, too.
Chase them down, destroy their anonymity (which is 1% their cleverness, 99% their good fortune of having the abuse ignored.)
No positive cash flow, but devastating effects against spammers. On the brighter side, no time spent with lawyers and courts: it's all Linux. The bigger goal is to end spam. Collecting cash settlements (which probably drive the spammers into bankruptcy) is just one aspect of the larger battle.
You've got to look at:
http://www.proxypot.org/reports/pacman
This is how spam fighting is done. At the intermediate level, not at the final server. (Sure, keep on blocking and filtering - but if you don't see by now that those two approaches together haven't ended spam you aren't looking very well.)
They don't sue the people (yet), but they do try to get ISPs and LEAs interested in the evidence collected. Often the ISP approach succeeds. It is also useful to create a list of ISPs who will not act on abuse reports.
As a bonus, none of the spam that the spammers try to send through them reaches any victim.
For this approach "popular mail client" is meaningless. Spammers don't start with a list of mail servers, they start with the IP address space and go looking for abusable servers (for proxypots the abusable entities are open proxies.) What is run doesn't have to be a real MTA (or real proxy server), just look enough like one that the spammers accept it as one. For the cleverer spammers it is useful for it to look exactly like some historic abusable MTA, like many of the earlier versions of Sendmail. Whether you need to gear your attack to defeating the cleverer spammer isn't known, but it's probable that you can have a huge effect just by going after the dumbest spammers (that's a big group.)
It shocks me that (1) so many people don't know how spammers operate and (2) so many of those who do know (that is, recognize that spammers have to look for systems to abuse) never seem to be able to grasp the importance of that knowledge. It's like knowing a burglar favors basement windows but doing nothing to set a trap for a basement window burglar - just bitch about all the people with insecure basement windows. Stake out a few basement windows and some evening soon you may be face-to-face with the burglar. Stake out a few IP addresses and some time soon you may gather information that leads directly to the spammer's IP address. Poof! There went the supposed anonymity.
"Of course, this won't solve the bandwidth/resource theft problem..."
No, it won't.
Obviously, to solve that problem you need to act earlier in the spam path.
Spammers abuse systems because they look for vulnerable systems and can find them, can distinguish them from secure systems. Think about that - it's true.
Securing systems (as a solution to spam) is based on the ridiculous notion that enough can be secured so that the spammers can't find them. Won't happen. But "distinguish them from secure systems" is still left. What can be done with that?
Well, if secure systems didn't look secure to the spammers they'd not be able to distinguish them and they'd try to abuse systems that can't be abused. That would mean they'd send the spam to traps and that the traps would not deliver any spam other than to what can be determined to be the spammers' own addresses, used to test whether the spam sent gets through (in other words, to re-test to see whether the system is or isn't vulnerable to abuse.)
That's easy to understand, isn't it? If you want to stop the bandwidth theft you're almost surely going to have to act against the bandwidth theft. What's described above is a way to make bandwidth theft not work as well. Break bandwidth theft sufficiently and the spammers won't get enough return on the spam to pay for sending it (or the ones paying the spammers won't get sufficient return - it's the same idea either way.)
With a single ancient Vaxstation and an obsolete MTA I stopped spam to millions of recipients elsewhere: AOL, Hotmail, a large number of destinations. To top it off that Vaxstation was a real email server, so it did two things (and it was slightly harder to stop the spam.) Set up a fake server and everything that comes to it is some form of abuse: none need be delivered as though it is valid email (it isn't valid email. Of course you'd want to deliver the spammers' own test messages: that's what lets them fool themselves into thinking they've found an open relay.) Nowadays this idea works better if you fake an open proxy: open relay abuse is finally on the decline.
If you're an ISP with IP addresses that the spammers check for abusability or with IP addresses that have been abused you can do more than shut off the IP address (and please, I beg of you, do more. Find out where the abuse packets originate that come into the abused system and do whatever you can to get that abuse stopped. If you, for instance, disconnected the abused system and set up something that accepted the incoming abuse packets but sent out no spam that would be helpful. What you can do depends on the abuse and on the spammer - but the main point is that you don't have to only shut off access, you can do more. Why not do more? You are against spam, and doing more stops some spam. That's in the right direction.
"I'm not familiar with Ron's post actually. DO you know where I could find a copy? I work for a regional ISP and anything we can do to stop spam would be something we would be willing to do."
Ron ran a string of open proxy honeypots. He captured open proxy abuse attempts and reported those to the ISP where they originated. He got over 100 spammer accounts closed in under 3 months. That's a lot more effective than what most people who complain about spam typically achieve in the same time.
As a regional ISP you should be able to see, if any spammer is doing it, attempts to find vulnerable systems in your space. (If you have some spare IPs one or two could be set up as honeypots.) If ever a spammer does find a vulnerable system in your space you of course want to get rid of the vulnerability - but you can also do things in addition. One would be to change the IP number of the vulnerable system and intercept the incoming traffic to it. Simpler is to simply see where the control traffic to the hijacked system is originating. If it's a reputable ISP's space notify the ISP. If not, see if there's any law enforcement agency interested in going after that ISP for conspiring with the spammers.
I run an SMTP "server" that traps all incoming email. No real email clients, no problem - but if a spammer is looking for an open relay he may try to relay a test message through that "server." I capture that, I see the source IP of the email and the dropbox address for the test.
Years ago I stopped spam to millions of recipients. I'd deliver the relay tests but captured the spam that followed. Others have done the same, including Michael Tokarev, who I mentioned. He gave it up because of the cost but while he was running he had the experience of shutting down a spammer's entire Dallas operation one weekend. The spammer used throwaway accounts in the spam-sending scheme and probably figured he'd lose one every week or so. Michael had a web page that showed the incoming spam by IP address and that was updated in near real time. By sending the URL to the ISP where the spam appeared to originate that ISP was enabled to easily see the IP numbers in its space where abuse was originating and to terminate the accounts. The spammer lost all his throwaway accounts on three different ISPs that way.
All that came from watching for the abuse, which is a watch pretty much guaranteed to turn up something. The open proxy honeypots and the open relay honeypot were secure - but the important point is that they looked insecure to the spammer, based on the tests then being used by the spammer to tell insecure systems from secure ones. If I were to deliver open relay test messages many spammers would think that they had found another open relay. Nope, it just looks to them like one.
Not only does it stop spam and find the IP addresses used by spammers (although some do double-hop abuse so what you see is the IP address of another abused system) it's funny to do and to watch. How often do people have the chance to laugh at the spammers at the spammers' expense?
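An added example, my code rather than the poster's setup or the jackpot/proxypot software linked elsewhere in the thread: the decision logic of an SMTP trap of the kind described in this post. It answers "Recipient ok" to every RCPT TO (never "Relaying denied", which is the tell a scanner looks for), delivers nothing, and records the peer IP, sender, recipients and a guess at whether a message is the spammer's own relay test. The local-domain set, the session transcript and the "looks like a test" heuristic are assumptions of the example.

```python
import re

# Assumption: the domains the trap claims to host. Anything else in RCPT TO
# is a relay attempt, and no valid mail arrives at a trap by that route.
LOCAL_DOMAINS = {"honeypot.example"}

ADDR = re.compile(r"<([^>]*)>")


def _addr(arg):
    """Pull the address out of 'FROM:<x@y>' / 'TO:<x@y>'."""
    m = ADDR.search(arg)
    return m.group(1).lower() if m else arg.split(":", 1)[-1].strip().lower()


class RelayTrap:
    """Minimal SMTP responder that accepts everything, delivers nothing,
    and records every transaction with the peer's IP. Feed it one client
    line at a time with feed(); it returns the reply, or None inside DATA."""

    def __init__(self, peer_ip):
        self.peer_ip = peer_ip
        self.transactions = []
        self.in_data = False
        self._reset()

    def _reset(self):
        self.mail_from = None
        self.rcpts = []
        self.body = []

    def feed(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self._record()
                self._reset()
                return "250 2.0.0 Message accepted for delivery"
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 honeypot.example Hello"
        if verb == "MAIL":
            self.mail_from = _addr(arg)
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            self.rcpts.append(_addr(arg))
            return "250 2.1.5 Recipient ok"   # the lie: never "Relaying denied"
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "250 OK"

    def _record(self):
        relay = [r for r in self.rcpts if r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS]
        body_len = sum(len(l) for l in self.body)
        self.transactions.append({
            "peer_ip": self.peer_ip,
            "mail_from": self.mail_from,
            "rcpts": list(self.rcpts),
            "relay_attempt": bool(relay),
            "size": body_len,
            # Heuristic (this example's assumption): one external recipient
            # and a tiny body is the spammer's "did it get through?" test;
            # anything else is the spam itself and stops here.
            "looks_like_test": len(self.rcpts) == 1 and bool(relay) and body_len < 512,
        })


def run_session(peer_ip, client_lines):
    trap = RelayTrap(peer_ip)
    replies = [r for r in (trap.feed(l) for l in client_lines) if r]
    return replies, trap.transactions


def relay_report(peer_ip, client_lines):
    """What goes to the peer's ISP: source IP, the dropbox used for the
    test, and how many spam recipients never saw the message."""
    _, txs = run_session(peer_ip, client_lines)
    return {
        "peer_ip": peer_ip,
        "test_dropboxes": sorted({r for t in txs if t["looks_like_test"] for r in t["rcpts"]}),
        "spam_recipients_stopped": sum(len(t["rcpts"]) for t in txs
                                       if t["relay_attempt"] and not t["looks_like_test"]),
    }


# Constructed session: a relay test to the dropbox quoted in this thread,
# then a larger two-recipient message that the trap accepts and drops.
SAMPLE_SESSION = [
    "HELO probe",
    "MAIL FROM:<test@example.net>", "RCPT TO:<a231.b233@msa.hinet.net>",
    "DATA", "Subject: test", "", "relay test", ".",
    "MAIL FROM:<offer@example.net>",
    "RCPT TO:<victim1@example.com>", "RCPT TO:<victim2@example.org>",
    "DATA", "Subject: BUY NOW", "", *(["lorem ipsum " * 8] * 20), ".",
    "QUIT",
]

if __name__ == "__main__":
    print(relay_report("203.0.113.77", SAMPLE_SESSION))
```

The one thing a real deployment adds is actually forwarding the transaction flagged as a test, so the spammer sees his probe arrive and comes back with the bulk run; the heuristic for which message is the test is the part a spammer can adapt to, which is the "refine the fake abusable systems from time to time" cost the post mentions.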
"If more thought were put into a system that made spamming much more difficult, as well as easier to track and punish the abusers, I don't think we would have much of a problem..."
Exactly right. With 10's of millions of spam messages sent each day there are millions of abuse events. It takes as little as one strong report of abuse to get a spammer's account removed. (A "strong report" means that the complaint to the ISP says that abuse came from the ISP's customer and that abuse was used to send spam.) That can happen for spam that never reaches the victim because it was stopped by someone alert and active.
The complaint is seen over and over that spammers hide the spam source. Yes, the source is hidden from the final victim. Why is it assumed that the final victim or the final victim's ISP are the only ones who can/should/may act against the spammer? (There's no good answer.) There are millions of abuse events daily used to send spam. Go after those. That's where the spammers are vulnerable.
Far more analysis can be done to show why going after the abuse is effective. Are you familiar with Ron Guilmette's "Who's Spamming You?" posts to news.admin.net-abuse.email? He was tremendously powerful in getting spammer accounts canceled. Such activity needn't be limited to just one or a few active people: many are situated to do it.
Whoa there. I'm guessing that you are just ranting in general. Considering half of the comments you "rebuffed" in my post were NOT even mentioned in my post, I'm hoping that you weren't personally attacking me, because I largely agree with you.
Excellent guess. I used your post as a springboard from which to launch my diatribe. If you believe all those silly fables then it's directed at you - but I hope you don't believe them.
I've had good success against spammers using anti-abuse methods and others (Michael Tokarev, Ron Guilmette, to name two) have had superb success. The methods are horribly neglected and terribly under-appreciated. The way to stop almost any abuse isn't to make everyone immune to it, it's to go after the abusers. It's smart to protect your wallet in various ways against pickpockets - but methods that target pickpockets work against them. Telling everyone to "secure your wallet" but never watching for, never arresting and trying pickpockets would mean that the pickpockets were being given a free ride and could pick pockets safely as long as there were pockets to be picked. That would be terrible - but change the discussion to spam and you have ASTA advising everyone to do the equivalent of "secure your wallet" and saying everyone should simply not watch for any signs of pickpockets - it's the fault of the victims when they get robbed. There's a slight difference - but it doesn't destroy the value of the example.
"Until a method is found that kills or significantly makes spam nearly impossible to send or makes the profits significantly less than the costs of operating, all legislation will do is drive the spammers further and further underground..."
No, a method has to both be found and recognized as such by enough of those who can effectively use the method to make it succeed. That could start by someone doing an actual analysis of the spam problem, not one of those fake analyses that SURPRISE! leads to the conclusion that whatever the person doing the analysis favors is the right solution. You know: filters, or blocklists, or sender verification - those things, the "analyses" that lead to them.
I look at the current spam problem, I see it is mostly abuse, I conclude methods that target the abuse (and that don't wait until the spam has reached the destination email server) have promise. Where do you see any authority even mention such an approach?
Spammers are anonymous? Then how is it I know the name (Dave Patton) of one who sent out open relay test messages - just from the test messages? I don't know the name but someone is sending open relay test messages to smtps1@transedge.com from dialups at preserv.net. Is that a hard lead to follow?
The sad truth is that most people, and that includes ASTA and the ASRG of the IETF, don't do adequate analysis before beginning to "design." ASTA, for crying out loud, is still pushing "secure your open relay" when RFC 2505 (which describes WHY open relays should be secured) says doing that is not a way to end spam. ASTA makes other "secure your system" recommendations and those, too, will not work to end spam nor to even cripple it. ASTA realizes that and puts its real hope in changing the email protocol. Meanwhile all the rest of us are supposed to busy ourselves with meaningless effort - while the world continues to lose $25 billion/year on spam.
At that cost wouldn't you think somebody would do a full analysis and come up with all the kinds of abuse used by the spammers and all the ways that the abuse can be countered? OK, how about just one way - who do you see showing that? (Securing systems does NOT counter abuse - don't waste my time by naming that one. It is good practice but it is not a way to end spam - and after the system is secure is a good time to begin thinking of ways to use that secure system to fight spam, not merely to move it out of the "abusable system" category.) Secure systems don't bother spammers, and most of them are good enough to tell the spammer they are secure so the spammer knows instantly to not waste any time on them and to instead look for another insecure system. Quit kidding yourself about "secure your systems."
(Heck, if you're doing an analysis, figure out how spammers could use blocklists to find the abusable systems not yet listed so that spam can be sent to through those abusable systems to the mailboxes protected by the block lists.)
"What we need for what you propose to work is law enforcement (in all the countries involved) that is engaged and willing to help out and use the data that we can collect from regular logs on mailservers that are not configured as open relays."
To which I add fake open relays. All I have is a system that accepts anything for relay - but delivers nothing. I trap relay test messages. If I'd deliver them then I'd get spam, which I wouldn't deliver. Both ways I have evidence and would dearly love for law enforcement agencies and ISPs to understand the significance of the evidence.
"Why take the risk of keeping a system that is proven to be abusable when you don't have to?"
As I say, securing the system is the right thing for the administrator of the system to do. It is the right thing to do. I don't question that.
Blaming him (and all the others) doesn't end spam. Failing to tell him what he could do that is more effective once he has secured the system (and failing to do so oneself) prolongs spam. That's my real message. The effective weapon against open relay abuse is not securing open relays.
While law enforcement participation would be very helpful action by ISPs that do oppose spam could be very effective. They could also watch their incoming traffic, watch particularly the traffic in to IP addresses from which spam is seen to be emanating, could run their own honeypots. They could get a reputation among spammers as an ISP not worth risking anything with: too sharp, too likely to hit back. But they don't.
Thanks for your support. So you accept spam forever but are angry about open relays because they enable spam. Curious.
"The best that can be done is to make what spam remains traceable and act against the spammers using relevant meatspace laws..."
That's what I say, too. The fact is most spam is traceable - if you start tracing earlier and if ISPs cooperate in the tracing. If you start tracing earlier then "most" spam doesn't matter - the spam you trace gives enough evidence to get rid of the spammers who sent it.
"Open relays, zombie systems, and other 'workarounds' make this more difficult, so keep your doors locked, your systems patched, and your relays closed."
When spammy comes sniffing for an open relay, etc., detect him and use the meatspace laws: he's committing a crime. If all those things are used to send spam then there's a proportional amount of abuse. That's a huge portion of the internet traffic. Spammy can't hide his traffic: it's massive. That the traffic isn't detected isn't because it is hidden, it's because fewer than one in 10 million look. Tremendously effective things have been done against spammers by individual honeypot operators. It's good advice to secure open relays but securing open relays is an ineffectual approach to dealing with spam. The effective strategy is to go after the open relay abuse committed by the spammer. That works pretty much in direct proportion to the number of practitioners. Securing open relays has no practical effect on spam volume until open relays are either too scarce to find or are so clogged with spam it all can't get through. So far that hasn't happened (although the spammers have lowered the load on the pool of open relays by using other techniques. The net spam load has gone up tremendously since the time when open relays were the predominant spam pathway.)
Honeypots aren't the only way to watch for abuse traffic but they are a way that many individual users can combat spammers. Honeypots exist for open relays and for open proxies. Some reports have even been made of honeypot-type activity against zombie-using spammers.
Every complaint against open relays implies that the spammers are still looking for open relays to abuse. That may mean they are checking your IP. When they do they may give away information about who and where they are (a few years ago they were blatant enough to test for open relays from their own systems. So few people paid attention that they could do that, didn't even have to think about doing it stealthily. That's a disgrace.)
Forget the disgrace, remember that a spammer might today attempt to test your system and by so doing give himself away. Doesn't it make sense to detect such attempts and to campaign to get the meatspace laws that apply enforced?
"In meatspace there is a term for things analogous to open relays. That is 'attractive nuisance'. Usually used to refer to such things as unsecured structures that could attract trouble."
I'm aware of "attractive nuisance" but that is more like an unfenced swimming pool that attracts its victim. Even though the victim suffers damage because of the victim's own actions the owner of the attractive nuisance bears liability because he didn't properly anticipate and protect against the damage.
"In meatspace the owner of an "attractive nuisance" bears some responsibility for the misuse of the property if they do not show that they have made a reasonable effort to prevent such, like using locks on the doors and monitoring the property."
Get over it. The fault lies with the spammers, not the hapless operators of open relays. The cure is to get rid of the spammers.
There is an RFC that describes why open relays should be secured: RFC 2505. That RFC says that securing open relays won't work to end spam nor to control spam. Find it, read it.
Your "attractive nuisance" misconception is founded in the idea that if all operators of abusable systems everywhere were to secure their systems then no more of the abuse through such systems will occur. That's valid logic but it's useless: all operators are not going to do it, one of the premises fails. No combination of hissy fits and snotty behavior toward operators of open relays (or spam zombies) and their ISPs will turn the "secure the systems" approach into an effective tool. If it were to work then all the blather about completely changing the SMTP protocol to end spam would be pointless: securing the systems was the solution.
RFC 2505 is from February, 1999. Open relays are still a problem: I trapped an open relay test message yesterday evening (they do come less often now.) That's over 5 years of "secure your open relay" and open relay abuse continues.
If the ones who are so adamant about securing open relays would bother to do an analysis they'd see that if they simulated open relays (enough to fool the spammers or even only enough to trap open relay test messages) they could take advantage of spammer behavior to cause damage to the spammers.
There's two ways to attack the open relay problem. The way that is good for the individual system operators is to secure their open relays. That keeps them from being sites of abuse - but it doesn't stop spam. The other way is to make it no longer pay for the spammers to do open relay abuse, without fretting about how many open relays there are. That works instantly to help end spam.
What's the goal? "Secure the open relays" or "end the spam"? I aim at "end the spam." Once the spam is ended then it's like it was originally: open relays aren't a problem. That was a nice time, a spam-free time, and it had open relays. They weren't the problem, the spammers were the problem. Still are. Ending spam by eliminating all possible points of abuse is hard. Eliminating spam by eliminating spammers isn't nearly as hard. Why choose the harder method, why be so confoundedly insistent on a failed approach?
The open relay test message I trapped yesterday was from slip-12-65-150-128.mis.prserv.net, to smtps1 AT transedge.com. There's useful anti-spam information in those facts, particularly the latter. Transedge.com seems to have links to a lot of spammish places.
"Level 3 is NOT an ISP they are a backbone provider based in Broomfield, CO http://www.level3.com/. PLEASE do some research before you post info here. BTW I am NOT an employee of Level 3 just some one who is interested in truth."
The IP address is in Level 3's space. Either someone at Level 3 is the perpetrator or they do have customers with IP addresses. If that's not an ISP what is, and what does it matter?
Level 3 is also frequently named as a spam-friendly provider by folks who tend to know such things, is number 8 on the Spamhaus top 10 list:
Screwed up the italics, didn't I?
Sigh.
Some countries are starting government agencies to deal with spam and worms. ISPs can easily provide them with a list of infected hosts that they can contact with the appropriate worm remedy.
Ah. Exactly.
The problem is mostly logistics and funding, the technical part has been solved for a long time. I see this as the most realistic solution to spam zombies.
I think the biggest problem, dwarfing logistics and funding, is the human problem. It is in fact very difficult to get those in charge of security to look outside their own domains, to consider anything beyond what they've already chosen to do. Most prefer a combination of blocking and of sternness towards their own users who operate compromised machines. This after the ISP blithely, inattentively, and unconcernedly delivered the packets that caused the infection. "All the fault lies in the users" could be their motto, "never in us."
System administrators almost all treat spam as a single-system problem to be handled at the destination server (the single system.) It is nearly impossible to persuade anyone to act against spam earlier in the spam path (and when they do act it is almost entirely a combination of blocking and "blame their own customer for the abuse committed by the spammer.") You can see the result: spam continues to flow.
Thanks again for your comments. Do note that I'm strictly a loudmouth: I'm doing nothing at all to fight spam. I gave it up in January.
OK, I did something incredibly tiny: I just looked to see if ZoneAlarm was still logging proxy port attempts (which could indicate a continuing volume of open proxy spam: if it is spammers looking for proxy ports they're doing it to find a way to send their spam.) I found 3, all to port 8080.
(I have a hardware firewall. It passes packets to open proxy ports so that I can log them using ZoneAlarm.)
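The proxy-port watch this post describes, as an added example (mine, not the poster's and not anything from ZoneAlarm): it tallies pure-SYN probes to 1080, 3128 and 8080 per source IP in a firewall log and flags sources that swept more than one of them. It assumes the whitespace-separated FWIN layout of the log lines quoted in this thread; the sample lines and addresses below are constructed.

```python
"""Tally TCP SYN probes to open-proxy ports in a ZoneAlarm-style firewall log."""
from collections import Counter, defaultdict
from dataclasses import dataclass

PROXY_PORTS = {1080, 3128, 8080}   # SOCKS, Squid, HTTP-alt: the ports the thread saw being probed


@dataclass(frozen=True)
class FwEvent:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pure_syn: bool      # SYN without ACK: a connection attempt, not a reply to our own traffic


def parse_fwin_line(line):
    """Parse one inbound (FWIN) record; anything else (FWOUT, headers, junk) yields None.

    Assumed layout (from the lines quoted in the thread):
    FWIN date time AM/PM tz GMT src_ip src_host src_port dst_ip dst_host dst_port proto (flags:X) ...
    """
    f = line.split()
    if len(f) < 14 or f[0] != "FWIN":
        return None
    try:
        src_port, dst_port = int(f[8]), int(f[11])
    except ValueError:
        return None
    flags = f[13][7:-1] if f[13].startswith("(flags:") and f[13].endswith(")") else ""
    return FwEvent(f[6], src_port, f[9], dst_port, f[12], "S" in flags and "A" not in flags)


def proxy_probes(lines):
    """Map each source IP to a Counter of the proxy ports it sent pure SYNs to."""
    hits = defaultdict(Counter)
    for line in lines:
        ev = parse_fwin_line(line)
        if ev and ev.proto == "TCP" and ev.pure_syn and ev.dst_port in PROXY_PORTS:
            hits[ev.src_ip][ev.dst_port] += 1
    return dict(hits)


def proxy_sweeps(hits, min_ports=2):
    """Sources that touched at least min_ports distinct proxy ports: a sweep, not a stray packet."""
    return sorted(ip for ip, ports in hits.items() if len(ports) >= min_ports)


# Constructed sample log in the quoted layout; addresses are from documentation ranges.
SAMPLE_LOG = """\
FWIN 3/30/2005 9:17:04 AM -6:00 GMT 192.0.2.10 N/A 39285 192.168.123.19 N/A 1080 TCP (flags:S) No
FWIN 3/30/2005 9:17:10 AM -6:00 GMT 192.0.2.10 N/A 39289 192.168.123.19 N/A 3128 TCP (flags:S) No
FWIN 3/30/2005 9:17:18 AM -6:00 GMT 192.0.2.10 N/A 39297 192.168.123.19 N/A 8080 TCP (flags:S) No
FWIN 3/30/2005 9:20:01 AM -6:00 GMT 198.51.100.7 N/A 51234 192.168.123.19 N/A 8080 TCP (flags:S) No
FWIN 3/30/2005 9:21:33 AM -6:00 GMT 198.51.100.7 N/A 51240 192.168.123.19 N/A 80 TCP (flags:S) No
FWIN 3/30/2005 9:22:02 AM -6:00 GMT 203.0.113.5 N/A 40000 192.168.123.19 N/A 3128 TCP (flags:SA) No
FWOUT 3/30/2005 9:22:10 AM -6:00 GMT 192.168.123.19 N/A 1040 203.0.113.9 N/A 25 TCP (flags:S) No
"""

if __name__ == "__main__":
    hits = proxy_probes(SAMPLE_LOG.splitlines())
    for ip, ports in sorted(hits.items()):
        print(ip, dict(ports))
    print("sweeps:", proxy_sweeps(hits))
```

The SYN/ACK line and the outbound line are ignored on purpose: only unsolicited inbound connection attempts count as probes.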
"Spam currently follows a pretty recognizable pattern on the internet. That does not mean zombies could not be programmed to send spam in a less recognizable way, or in a way that mimics normal e-mail usage. This could slow down spam, but I doubt it is a good long term solution."
It's always going to be packets in to some IP address, always going to be packets out to port 25 at some other IP address. The nastiest technique would be to have a local network of zombies so that the incoming packets go to a different IP address from the source of the outgoing packets to port 25 - and at some appreciable time delay after the receipt of the packets that control the zombies. That's part of why I think that an ISP-level counter-attack is needed - single IP address monitoring might be inadequate.
If spam were a low-level abuse then that would be a fairly formidable problem. With the huge volume of spam as it is detecting the abuse is far easier, is it not?
The article talks of sharing the "fingerprints" of the abuse, which seems to indicate that one of the design goals is to anticipate and provide for a constantly-changing pattern of abuse rather than assume a fixed pattern.
In any case the mere fact that the proposed solution is based on a cooperative approach rather than on a collection of individual approaches is, IMHO, a step forward.
Thanks for your comment.
If they would but do it this coalition could expand their concern to the detection and prevention of zombie spam (that is, abuse of systems within each provider's IP space as zombies) they could begin the process of eliminating spam. Not dealing with spam, eliminating spam. It's long past time for that.
The great unexploited opportunity for eliminating spam is at the intermediate level (that is, ahead of the destination server for the spam.) If they had been implemented in sufficient numbers at the appropriate time (with "sufficient numbers" being below 1% of all IP addresses) open relay and open proxy honeypots could have eliminated spam - before the spammers had a chance to advance to zombies.
The great anti-spam opportunity is still at the intermediate level (where distinguishing spam from valid email isn't necessary - no valid email follows the path spam takes.) At the intermediate level anti-spam actions can easily be 100% effective, 100% accurate. No spam delivered, no valid email (of which there is none using that path) wrongly stopped.
All it would take would be for ISPs and others to detect the abuse and then act against it - in all the ways they can or in all the ways they choose (some, for instance, might cling to the "only blocking is good" philosophy. OK, let them only block - it still is productive, even though it's way less so than interception, since the spammers can simply choose another abuse path when they experience blocking. For interception the spammers first need to learn that the spam is being intercepted. It's always good to make life harder for the spammers, to add to their burden.)
"While your techniques will all stop spam, they will also stop a great deal of legitimate mail (ham). Stopping spam is not the hard problem. Stopping spam while letting ham through is the hard problem."
Yes, that's the problem with almost every anti-spam solution. Not with mine. Everyone else tries to stop the spam at or after the destination server, after it is mixed in with valid email. I take advantage of the fact that before then spam is taking a different route from the route any valid email takes (and for most spam this is true.) So I can stop anything that takes such a route and not risk stopping any valid email. 100% accuracy, no false positives, I don't even have to think. Note that I just stop spam, not spam aimed at me. That's fine. Get enough people doing this (where "enough" isn't really a huge number) and the spammers really suffer. It should be obvious that stopping the spam is just one of the things that can be done when you trap it in mid-stream. If the spammer is fool enough to send direct to a trap (many are) then you know his IP address and can get him booted, if his ISP is 1/4 reputable. That's because you are reporting both spam and attempted abuse to the ISP. Spam he can slough off. Attempted abuse puts the entire matter into a different category. While I talk of "my" solution all the actual work done in creating software for this (and most of the positive results) are the work of others. See, for example, www.jackpot.uk.net/ and http://www.proxypot.org/ (If there is spam sent direct from the spammer's IP address to the destination server, no gimmicks in between, then a simple blocklist will defeat him.)
"Technology hasn't been able to help that much yet."
That's not really true. The problems with the technology that works are:
(1) It's too easy. That's right, too easy.
(2) Too few make use of the easy technology. This means most spammers escape any consequences because they never hit a trap. Result: what you see.
Take a look at: http://www.proxypot.org/
(3) The technology works against spam but it isn't targeted on the spam coming to a specific entity or server. People want to fight spam but that translates to fighting "their spam" - the spam directed at them. I stopped spam to millions of recipients (I not among them) with a simple SMTP honeypot. Others did even more. That's because my target was spam, not spam sent to me (or to my users.)
[It was as much as anything revenge for their having abused my open relay. It still looked open, but wasn't.]
Spam (most of it) is sent via abuse. Stop the spam at the abuse level and you stop it where it's easy. How hard is it to understand that if no valid email whatsoever is sent via open proxies then any email found that is sent by such a route is invalid precisely because it is taking that route? You don't even need to think.
But that's too simple.
Stopping spam sent through spam zombies is somewhat harder but the same thinking applies: if it comes that way it's invalid. No thinking needed: see it and you know it's bad.
Interesting note in the article: "For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do." Agreed. On a volume basis it's likely that most abuse is committed by spammers. They've survived for years precisely because they have not been watched in any manner (at the abuse level - all the attention is focused at and after the destination server.) Do even the crudest honeypot you can think of as an anti-spammer tool and you very likely will succeed in gathering information the spammer would rather you not have. Set up an MTA that doesn't ever deliver anything - you'll trap the test messages sent by spammers (mostly in China, Taiwan, and Korea now.) (Guess how I know.) What the heck, here's one: the spammer sends his test messages to a231.b233@msa.hinet.net. A US spammer has sent tests to smtps1@transedge.com, another to meristar1@cox.net. A more complete open relay honeypot can collect spam evidence as well. All the spam that comes to the honeypot is spam that doesn't get delivered independently of whether the intended victim has any protection mechanisms in place or not. Then there are open proxy honeypots. A few people have done honeypot-like things with spam zombie servers. It's still a field in which very useful things can be done...
I think your example is probably close to what the book says (not having seen the book.) It's also a rather improbable scenario and seems to imply that if your honeypot/honeynet is vulnerable you bear some sort of liability that you wouldn't if it was just your desktop system that was abused in the same way. I don't understand that, and I also don't think such liability has ever been asserted in any case nor found to have existed by any court. I'm guessing the lawyer is Richard Salgado, who's issued this warning before. Notice that the nature of the warning he gives is that someone succeeds in committing abuse through your honeypot, which is not the goal when you set up the honeypot and is not normally what happens when you set up a honeypot. I think Salgado tries far too hard to find a problem where none exists - but then he's the lawyer, I'm not. (come to think of it, though, that's just how lawyers are.)
I don't think the wiretap laws apply: you aren't tapping a wire, you're watching traffic deliberately sent to your system. Your system, let me repeat.
I don't think entrapment applies (not even for law enforcement) the honeypot/honeynet is simply created, not advertised, and the felons seek it out on their own. That is not suggesting to someone that they commit a crime and then arresting them when they do. It's less a crime than for a shapely policewoman to wear a revealing red dress in a bar and then arrest a john who propositions her. If LEAs are worried about entrapment let them not set up honeypots. The book is for non-LEA people anyway.
P.S. I think that, many years ago, I saw that policewoman. Seriously.
"Vigilante justice is worse than the original crime. Let the proper authorities deal with it before it turns into one big mess."
If the proper authorities aren't all spending their entire shifts at a Krispy-Kreme it's hard to see anything that indicates it.
ISPs have TOS - Terms of Service. Is it vigilantism for an ISP to enforce its TOS? Is it vigilantism for someone to notify an ISP of TOS violations?
Yes, a DDOS in response to spam might actually be worse than the crime committed by the spammer. So don't do DDOS. Not all vigilante actions are reprehensible - don't do the reprehensible ones.
"Online mobs are inherently imbalanced, and can result in the equivalent of beheading people for misdemeanors."
We already have online mobs: they're called newsgroups. The mob-acting newsgroup uses the same type of mob logic as an honest-to-goodness real mob surging through a street - it's just done electronically rather than verbally. That slows action and communication - but the dynamics are still those of a mob.
There can be one-person posses, and the incentive to quit for the ones I'd favor would be the end of the abuse being targeted. "Quit" is a bit misleading - the person can continue to watch for abuse aimed at his system, the "quitting" comes from his not having any on which to act. Then he stops being a vigilante, starts being a private sentry.
I have been puzzled for years. Why do people refuse to gather the evidence about spammers that the spammers provide to them when the spammers probe for vulnerability? Why is it insisted that the thing to do is to block the abuse and ignore it? Heck, even the destination email addresses for spammer open relay tests are useful information. Why don't people grep their sendmail logs to find them (with a similar question for the logs of other MTAs)? If the ISP of the email address is anti-spam it can do a lot on the basis of that information for the email addresses in its own space.
Honeypot operators watch for abuse rather than simply secure against it. They can take some actions (perfectly legal and legitimate) against the abusers (mostly spammers) they find, they can initiate actions against the abusers.
It continually amazes me that so many people are highly irate about net abuse and yet do so little to stop it when they could. Honeypot evidence could be used to convince ISPs that there's plenty they could be doing, too, without violating any laws and without violating any of their own restrictions.
Spam is abuse that goes through other systems (for the most part.) Just about every system with a permanent connection is a candidate "other system" for the spammers. The vigilante who operates a honeypot watches for that abuse and works to thwart it (if nothing else, captured spam stops dead at the honeypot. That in itself is good. Get enough doing it and the ones who pay to have their product or service spammed could be told that a large number of the spam messages never got delivered. The idea of that is to get them demanding a refund from the spammer. The idea behind not telling them the number is to make the negotiation between spammer and customer more difficult, more heated.
I watch a honeypot. It traps some oriental spam (from/to oriental email addresses), some US open relay tests. Even today there are spammers doing open relay abuse. You can learn a lot about the abuse using a simple trap. Knowing more about the abuse gives you greater power against the abuse.
Linux operators, in particular, can run open proxy honeypots ( "in particular" because a free download to do just that already exists.) There's probably much more open proxy abuse these days than open relay abuse. Create enough irritant sites (honeypots) and the spammers will be greatly inconvenienced.
If you've ever had a system abused by spammers to relay spam there may be no greater feeling of satisfaction than watching more spam come in and knowing that it stops dead with your system. The more the spammer gloats (you don't get to see it but you can assume it) that he's found a superb abusable system the more you gloat that he is wasting all the effort and bandwidth he's using to send the spam through your honeypot.
It doesn't hurt to run the honeypot like you're a greenhorn, either. Let the spammer think he's found a big fool. The more like a big fool you look to him the longer he'll actually be a big fool. Simulate a clogged system, simulate crashes, go offline for hours (or simply change IP address - that's offline as far as the IP address you were using is concerned.) How you do it and what you do aren't that important - the important thing is to create noise so that the spammer has a far more difficult time telling abusable systems from secure ones. If you could do anything about the abusable systems you'd secure them - but you can't. To confuse the spammer you have to make secure systems look insecure. Plus, the more obscure your location (that is, boonies.com vs. bigisp.net, for example) the more likely the spammer is to look at your IP address (the system attached) to see if it is abusable.
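The log-grepping the post asks for, as an added example (mine, not the poster's): it pulls relay-denied attempts out of sendmail and Postfix log lines, which is the trace an open relay test leaves on a closed relay, and groups the test destinations by recipient domain so the domain's ISP can see which of its mailboxes are being used as relay-test targets and from which hosts. The log lines, hostnames, addresses and IPs are constructed.

```python
"""Pull open-relay test attempts (recipient + probing host) out of MTA reject log lines."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# sendmail 8.x check_rcpt rejection; the relay field is "host [ip]" or just "[ip]" without rDNS.
SENDMAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sendmail\[\d+\]: \S+: ruleset=check_rcpt, "
    r"arg1=<(?P<rcpt>[^>]*)>, relay=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\], "
    r"reject=550 5\.7\.1 .*Relaying denied"
)
# Postfix smtpd rejection for the same condition.
POSTFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\[\s]*)\[(?P<ip>[^\]]+)\]: 554 5\.7\.1 <(?P<rcpt>[^>]*)>: Relay access denied"
)


@dataclass(frozen=True)
class RelayAttempt:
    ts: str
    mta: str
    ip: str
    host: str
    rcpt: str


def parse_relay_attempt(line):
    """Return a RelayAttempt for a relay-denied line from either MTA, else None."""
    for mta, rx in (("sendmail", SENDMAIL_RE), ("postfix", POSTFIX_RE)):
        m = rx.search(line)
        if m:
            return RelayAttempt(m["ts"], mta, m["ip"], m["host"] or "", m["rcpt"].lower())
    return None


def relay_attempts(lines):
    return [a for a in map(parse_relay_attempt, lines) if a]


def targets_by_domain(attempts):
    """{recipient domain: {recipient: set of probing IPs}}: the evidence the recipient's ISP can act on."""
    out = defaultdict(lambda: defaultdict(set))
    for a in attempts:
        out[a.rcpt.rpartition("@")[2]][a.rcpt].add(a.ip)
    return {domain: dict(rcpts) for domain, rcpts in out.items()}


def probing_hosts(attempts):
    """How many relay tests each source IP sent: the evidence the source's ISP can act on."""
    return Counter(a.ip for a in attempts)


# Constructed sample: two sendmail rejections, one Postfix rejection, one ordinary accepted message.
SAMPLE_LOG = """\
Mar 30 21:14:02 mx sendmail[2201]: j2V3E2xx002201: ruleset=check_rcpt, arg1=<sink-check@relay-tester.example>, relay=dial-17.isp-a.example [192.0.2.17], reject=550 5.7.1 <sink-check@relay-tester.example>... Relaying denied
Mar 30 21:16:40 mx sendmail[2210]: j2V3GexX002210: ruleset=check_rcpt, arg1=<sink-check@relay-tester.example>, relay=dial-22.isp-a.example [192.0.2.22], reject=550 5.7.1 <sink-check@relay-tester.example>... Relaying denied
Mar 30 21:30:11 mx postfix/smtpd[2300]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <probe@relay-tester.example>: Relay access denied; from=<bulk@isp-b.example> to=<probe@relay-tester.example> proto=ESMTP helo=<relaytest>
Mar 30 21:31:00 mx sendmail[2305]: j2V3V0xx002305: from=<alice@isp-a.example>, size=1234, class=0, nrcpts=1, msgid=<x@isp-a.example>, proto=ESMTP, daemon=MTA, relay=dial-17.isp-a.example [192.0.2.17]
"""

if __name__ == "__main__":
    found = relay_attempts(SAMPLE_LOG.splitlines())
    for domain, rcpts in targets_by_domain(found).items():
        for rcpt, ips in rcpts.items():
            print(f"{domain}: {rcpt} tested from {sorted(ips)}")
    print("probing hosts:", dict(probing_hosts(found)))
```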
"Should there be a police organization specifically for the net which might have the authority to hack someone's machine if they are breaking the law with it?"
Let that wait. The police should have the authority to request (and receive) a search warrant that allows them to monitor and log the traffic from the suspect site. Having the authority to search an 80 gig hard drive might lead to a lot of work. Having the authority to monitor the traffic could turn out to be ridiculously easy. In addition, the logs prove the offense. Proving law violation just by what's on the hard drive could be difficult.
"Since a design assumption has been fundamentally broken, it needs to be redesigned."
First of all you need to think about trust a little more - who can trust whom?
I'll bet you've never thought about it but the spammers can trust the rest of us with close to 100% accuracy. Does that help? Do we really want to be that reliable for the spammers? Spammers do things that decent users don't do. If you set up a system to deceive just those who do the indecent things then you injure the spammers without touching anyone else. All those probes for vulnerability - those are opportunities to strike back. If it's a probe by a spammer you should strongly want to strike back: they're scum, they're dirtying the internet, they're the biggest group of abusers (and even bigger, if you measure the economic harm.)
One of the worst ways they can trust us is that if a system looks like it's insecure it is insecure. We're so proud of our security we advertise it. That's wrong. An alternative to changing the design of SMTP is to protect it. (Note, too, that spammers abuse other than SMTP ports to send spam.) If the spammers can't figure out which systems are insecure and which are not they sort of have to give up, don't they?
If it isn't clear what I am advocating is that secure systems look insecure to the spammers. Best would be systems set up specifically for that purpose. Spammers do bulk abuse and can't afford to spend much time checking to see whether or not the systems that look like they can be abused really can be abused. Even if the main effect is to force spammers to spend more time checking that is a giant step forward in the fight against spam. Note, too, that if you are set up to detect spammer abuse tests you have information on them from the test alone - there is no way to do a stealth test. At best they can test through other abused systems, but get any useful number of trap systems set up and the spammers face a greater risk from doing multi-hop abuse. It's another way in which they'll lose.
Yes, by golly, you can think of things the spammers could do to counter such an approach. A few people use such an approach, a few spammers do use crude countermeasures. Having to continually change hasn't bothered the filter advocates. The blocklist advocates have also changed what they do with time (probably not enough, not nearly as fast as spammers change tactics.) Having to refine the fake abusable systems from time to time is a cost of taking that approach. The cost is far less than the benefit. Do it.
If you manage a block of IP addresses one of your goals should be that every spammer in the world know that attempting to abuse a system under your control will lead to consequences he doesn't like. (Best would be that the consequences are so severe he doesn't even have the option of doing more abuse: he's jailed.) That's not a change in the SMTP protocol, that's a change in behavior - YOUR behavior. The old security model (the one, unfortunately, that is still pushed) is one that protects (as much as it does) individual systems. Take a look, darn it: spam is an abuse that targets multiple systems - the spam recipient's email server is just the last in the chain. The single-system security model works to protect single systems but is failing to stop spam. Spam is not only a single-system abuse issue. Quit pretending it is, quit putting all the effort into single-system-abuse based approaches. The spammers laugh at how easy it is to succeed because of that unfortunate bias toward the single-system security model. Turn that laugh into a howl of pain - and make them howl louder with time.
Check www.proxypot.org for some ideas. Traffic analysis (which is ideal for ISPs) can be used with devastating effect, too.
Chase them down, destroy their anonymity (which is 1% their cleverness, 99% their good fortune of having the abuse ignored.)
Win. Enjoy the win. It's easy.
MS probably sued as the owner of Hotmail.
The Linux community can run a proxypot:
http://www.proxypot.org/
No positive cash flow, but devastating effects against spammers. On the brighter side, no time spent with lawyers and courts: it's all Linux. The bigger goal is to end spam. Collecting cash settlements (which probably drive the spammers into bankruptcy) are just one aspect of the larger battle.
You've got to look at:
http://www.proxypot.org/reports/pacman
This is how spam fighting is done. At the intermediate level, not at the final server. (Sure, keep on blocking and filtering - but if you don't see by now that those two approaches together haven't ended spam you aren't looking very well.)
It's unclear what you mean, but have you seen:
http://www.proxypot.org/ ?
They don't sue the people (yet), but they do try to get ISPs and LEAs interested in the evidence collected. Often the ISP approach succeeds. It is also useful to create a list of ISPs who will not act on abuse reports.
As a bonus, none of the spam that the spammers try to send through them reaches any victim.
For this approach "popular mail client" is meaningless. Spammers don't start with a list of mail servers, they start with the IP address space and go looking for abusable servers (for proxypots the abusable entities are open proxies.) What is run doesn't have to be a real MTA (or real proxy server), just look enough like one that the spammers accept it as one. For the cleverer spammers it is useful for it to look exactly like some historic abusable MTA, like many of the earlier versions of Sendmail. Whether you need to gear your attack to defeating the cleverer spammer isn't known, but it's probable that you can have a huge effect just by going after the dumbest spammers (that's a big group.)
It shocks me that (1) so many people don't know how spammers operate and (2) so many of those who do know (that is, recognize that spammers have to look for systems to abuse) never seem to be able to grasp the importance of that knowledge. It's like knowing a burglar favors basement windows but doing nothing to set a trap for a basement window burglar - just bitch about all the people with insecure basement windows. Stake out a few basement windows and some evening soon you may be face-to-face with the burglar. Stake out a few IP addresses and some time soon you may gather information that leads directly to the spammer's IP address. Poof! There went the supposed anonymity.
"Of course, this won't solve the bandwidth/resource theft problem..."
No, it won't.
Obviously, to solve that problem you need to act earlier in the spam path.
Spammers abuse systems because they look for vulnerable systems and can find them, can distinguish them from secure systems. Think about that - it's true.
Securing systems (as a solution to spam) is based on the ridiculous notion that enough can be secured so that the spammers can't find them. Won't happen. But "distinguish them from secure systems" is still left. What can be done with that?
Well, if secure systems didn't look secure to the spammers they'd not be able to distinguish them and they'd try to abuse systems that can't be abused. That would mean they'd send the spam to traps and that the traps would not deliver any spam other than to what can be determined to be the spammers' own addresses, used to test whether the spam sent gets through (in other words, to re-test to see whether the system is or isn't vulnerable to abuse.)
That's easy to understand, isn't it? If you want to stop the bandwidth theft you're almost surely going to have to act against the bandwidth theft. What's described above is a way to make bandwidth theft not work as well. Break bandwidth theft sufficiently and the spammers won't get enough return on the spam to pay for sending it (or the ones paying the spammers won't get sufficient return - it's the same idea either way.)
With a single ancient Vaxstation and an obsolete MTA I stopped spam to millions of recipients elsewhere: AOL, Hotmail, a large number of destinations. To top it off that Vaxstation was a real email server, so it did two things (and it was slightly harder to stop the spam.) Set up a fake server and everything that comes to it is some form of abuse: none need be delivered as though it is valid email (it isn't valid email. Of course you'd want to deliver the spammers' own test messages: that's what lets them fool themselves into thinking they've found an open relay.) Nowadays this idea works better if you fake an open proxy: open relay abuse is finally on the decline.
If you're an ISP with IP addresses that the spammers check for abusability or with IP addresses that have been abused you can do more than shut off the IP address (and please, I beg of you, do more.) Find out where the abuse packets originate that come into the abused system and do whatever you can to get that abuse stopped. If you, for instance, disconnected the abused system and set up something that accepted the incoming abuse packets but sent out no spam that would be helpful. What you can do depends on the abuse and on the spammer - but the main point is that you don't have to only shut off access, you can do more. Why not do more? You are against spam, and doing more stops some spam. That's in the right direction.
"I'm not familiar with Ron's post actually. Do you know where I could find a copy? I work for a regional ISP and anything we can do to stop spam would be something we would be willing to do."
See:
http://groups.google.com/groups?safe=images&ie=UTF-8&as_ugroup=news.*&as_usubject=who%27s%20spamming&as_uauthors=guilmette&lr=&hl=en
Ron ran a string of open proxy honeypots. He captured open proxy abuse attempts and reported those to the ISP where they originated. He got over 100 spammer accounts closed in under 3 months. That's a lot more effective than what most people who complain about spam typically achieve in the same time.
As a regional ISP you should be able to see, if any spammer is doing it, attempts to find vulnerable systems in your space. (If you have some spare IPs one or two could be set up as honeypots.) If ever a spammer does find a vulnerable system in your space you of course want to get rid of the vulnerability - but you can also do things in addition. One would be to change the IP number of the vulnerable system and intercept the incoming traffic to it. Simpler is to simply see where the control traffic to the hijacked system is originating. If it's a reputable ISP's space notify the ISP. If not, see if there's any law enforcement agency interested in going after that ISP for conspiring with the spammers.
I run an SMTP "server" that traps all incoming email. No real email clients, no problem - but if a spammer is looking for an open relay he may try to relay a test message through that "server." I capture that, I see the source IP of the email and the dropbox address for the test.
Years ago I stopped spam to millions of recipients. I'd deliver the relay tests but captured the spam that followed. Others have done the same, including Michael Tokarev, who I mentioned. He gave it up because of the cost but while he was running he had the experience of shutting down a spammer's entire Dallas operation one weekend. The spammer used throwaway accounts in the spam-sending scheme and probably figured he'd lose one every week or so. Michael had a web page that showed the incoming spam by IP address and that was updated in near real time. By sending the URL to the ISP where the spam appeared to originate that ISP was enabled to easily see the IP numbers in its space where abuse was originating and to terminate the accounts. The spammer lost all his throwaway accounts on three different ISPs that way.
All that came from watching for the abuse, which is a watch pretty much guaranteed to turn up something. The open proxy honeypots and the open relay honeypot were secure - but the important point is that they looked insecure to the spammer, based on the tests then being used by the spammer to tell insecure systems from secure ones. If I were to deliver open relay test messages many spammers would think that they had found another open relay. Nope, it just looks to them like one.
Not only does it stop spam and find the IP addresses used by spammers (although some do double-hop abuse so what you see is the IP address of another abused system) it's funny to do and to watch. How often do people have the chance to laugh at the spammers at the spammers' expense?
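As an added example that is not the poster's own code, here is a minimal version of the kind of fake open relay described above: a per-connection SMTP state machine that answers like a wide-open relay, queues nothing (not even the test message), records each envelope with the source IP, flags single-recipient messages as likely relay tests so the dropbox address is captured, and groups trapped attempts by source IP for a report to that IP's ISP. All addresses, IPs and the sample session are constructed.

```python
# Added example (not the poster's code): a fake open relay as a state machine.
# It answers like a wide-open relay so a relay tester sees 250 at every step,
# but nothing is ever queued; each envelope is recorded with the peer IP and
# single-recipient messages are flagged as likely relay tests (the recipient
# being the tester's dropbox). All addresses/IPs below are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Attempt:
    peer_ip: str
    mail_from: str
    rcpts: list
    size: int

def looks_like_relay_test(a: Attempt) -> bool:
    # One small message to one mailbox; the bulk run that follows has many RCPTs.
    return len(a.rcpts) == 1 and a.size < 2048

def _addr(arg: str) -> str:
    # "FROM:<a@b>" or "TO:<a@b>" -> "a@b"
    return arg.split(":", 1)[-1].strip().strip("<>").lower()

class RelayTrap:
    """One instance per connection; feed() takes one command line, returns the reply."""

    def __init__(self, peer_ip: str):
        self.peer_ip = peer_ip
        self.attempts = []                      # completed envelopes
        self._mail_from, self._rcpts, self._body, self._in_data = None, [], [], False

    def feed(self, line: str) -> str:
        line = line.rstrip("\r\n")
        if self._in_data:
            if line != ".":
                self._body.append(line[1:] if line.startswith("..") else line)
                return ""                       # no reply inside DATA
            self._in_data = False
            size = len("\r\n".join(self._body))
            self.attempts.append(Attempt(self.peer_ip, self._mail_from,
                                         self._rcpts, size))
            self._mail_from, self._rcpts, self._body = None, [], []
            return "250 OK queued"              # the lie: nothing is queued
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 relay.example.invalid"
        if verb == "MAIL":
            self._mail_from = _addr(arg)
            return "250 OK"
        if verb == "RCPT":
            self._rcpts.append(_addr(arg))      # any domain accepted: looks "open"
            return "250 OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 need RCPT first"
            self._in_data = True
            return "354 go ahead"
        if verb == "QUIT":
            return "221 bye"
        return "250 OK"                         # RSET, NOOP, anything else

def report_by_source(attempts) -> dict:
    """Group trapped attempts by peer IP for an abuse report to that IP's ISP."""
    out = defaultdict(lambda: {"messages": 0, "rcpts": 0, "dropboxes": set()})
    for a in attempts:
        row = out[a.peer_ip]
        row["messages"] += 1
        row["rcpts"] += len(a.rcpts)
        if looks_like_relay_test(a):
            row["dropboxes"].add(a.rcpts[0])
    return {ip: dict(r, dropboxes=sorted(r["dropboxes"])) for ip, r in out.items()}

# Constructed session: a one-recipient relay test, then the bulk run that follows.
SAMPLE_SESSION = [
    "EHLO tester", "MAIL FROM:<probe@example.invalid>",
    "RCPT TO:<dropbox@example.invalid>", "DATA", "Subject: relay test", "", "ok", ".",
    "MAIL FROM:<junk@example.invalid>", "RCPT TO:<v1@example.invalid>",
    "RCPT TO:<v2@example.invalid>", "RCPT TO:<v3@example.invalid>", "DATA",
    "Subject: buy now", "", "spam " * 100, ".", "QUIT",
]

def run_sample(peer_ip: str = "192.0.2.10") -> list:
    trap = RelayTrap(peer_ip)
    for line in SAMPLE_SESSION:
        trap.feed(line)
    return trap.attempts
```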
"If more thought were put into a system that made spamming much more difficult, as well as easier to track and punish the abusers, I don't think we would have much of a problem..." Exactly right. With 10's of millions of spam messages sent each day there are millions of abuse events. It takes as little as one strong report of abuse to get a spammer's account removed. (A "strong report" means that the complaint to the ISP says that abuse came from the ISP's customer and that abuse was used to send spam.) That can happen for spam that never reaches the victim because it was stopped by someone alert and active. The complaint is seen over and over that spammers hide the spam source. Yes, the source is hidden from the final victim. Why is it assumed that the final victim or the final victim's ISP are the only ones who can/should/may act against the spammer? (There's no good answer.) There are millions of abuse events daily used to send spam. Go after those. That's where the spammers are vulnerable. Far more analysis can be done to show why going after the abuse is effective. Are you familiar with Ron Guilmette's "Who's Spamming You?" posts to news.admin.net-abuse.email? He was tremendously powerful in getting spammer accounts canceled. Such activity needn't be limited to just one or a few active people: many are situated to do it.
Whoa there. I'm guessing that you are just ranting in general. Considering half of the comments you "rebuffed" in my post were NOT even mentioned in my post, I'm hoping that you weren't personally attacking me, because I largely agree with you.
Excellent guess. I used your post as a springboard from which to launch my diatribe. If you believe all those silly fables then it's directed at you - but I hope you don't believe them.
I've had good success against spammers using anti-abuse methods and others (Michael Tokarev, Ron Guilmette, to name two) have had superb success. The methods are horribly neglected and terribly under-appreciated. The way to stop almost any abuse isn't to make everyone immune to it, it's to go after the abusers. It's smart to protect your wallet in various ways against pickpockets - but methods that target pickpockets work against them. Telling everyone to "secure your wallet" but never watching for, never arresting and trying pickpockets would mean that the pickpockets were being given a free ride and could pick pockets safely as long as there were pockets to be picked. That would be terrible - but change the discussion to spam and you have ASTA advising everyone to do the equivalent of "secure your wallet" and saying everyone should simply not watch for any signs of pickpockets - it's the fault of the victims when they get robbed. There's a slight difference - but it doesn't destroy the value of the example.
"Until a method is found that kills or significantly makes spam nearly impossible to send or makes the profits significantly less than the costs of operating, all legislation will do is drive the spammers further and further underground..."
No, a method has to both be found and recognized as such by enough of those who can effectively use the method to make it succeed. That could start by someone doing an actual analysis of the spam problem, not one of those fake analyses that SURPRISE! leads to the conclusion that whatever the person doing the analysis favors is the right solution. You know: filters, or blocklists, or sender verification - those things, the "analyses" that lead to them.
I look at the current spam problem, I see it is mostly abuse, I conclude methods that target the abuse (and that don't wait until the spam has reached the destination email server) have promise. Where do you see any authority even mention such an approach?
Spammers are anonymous? Then how is it I know the name (Dave Patton) of one who sent out open relay test messages - just from the test messages? I don't know the name but someone is sending open relay test messages to smtps1@transedge.com from dialups at preserv.net. Is that a hard lead to follow?
The sad truth is that most people, and that includes ASTA and the ASRG of the IETF, don't do adequate analysis before beginning to "design." ASTA, for crying out loud, is still pushing "secure your open relay" when RFC 2505 (which describes WHY open relays should be secured) says doing that is not a way to end spam. ASTA makes other "secure your system" recommendations and those, too, will not work to end spam nor to even cripple it. ASTA realizes that and puts its real hope in changing the email protocol. Meanwhile all the rest of us are supposed to busy ourselves with meaningless effort - while the world continues to lose $25 billion/year on spam.
At that cost wouldn't you think somebody would do a full analysis and come up with all the kinds of abuse used by the spammers and all the ways that the abuse can be countered? OK, how about just one way - who do you see showing that? (Securing systems does NOT counter abuse - don't waste my time by naming that one. It is good practice but it is not a way to end spam - and after the system is secure is a good time to begin thinking of ways to use that secure system to fight spam, not merely to move it out of the "abusable system" category.) Secure systems don't bother spammers, and most of them are good enough to tell the spammer they are secure so the spammer knows instantly to not waste any time on them and to instead look for another insecure system. Quit kidding yourself about "secure your systems."
(Heck, if you're doing an analysis, figure out how spammers could use blocklists to find the abusable systems not yet listed so that spam can be sent through those abusable systems to the mailboxes protected by the block lists.)
"What we need for what you propose to work is law enforcement (in all the countries involved) that is engaged and willing to help out and use the data that we can collect from regular logs on mailservers that are not configured as open relays."
To which I add fake open relays. All I have is a system that accepts anything for relay - but delivers nothing. I trap relay test messages. If I'd deliver them then I'd get spam, which I wouldn't deliver. Both ways I have evidence and would dearly love for law enforcement agencies and ISPs to understand the significance of the evidence.
"Why take the risk of keeping a system that is proven to be abusable when you don't have to?"
As I say, securing the system is the right thing for the administrator of the system to do. It is the right thing to do. I don't question that.
Blaming him (and all the others) doesn't end spam. Failing to tell him what he could do that is more effective once he has secured the system (and failing to do so oneself) prolongs spam. That's my real message. The effective weapon against open relay abuse is not securing open relays.
While law enforcement participation would be very helpful, action by ISPs that do oppose spam could be very effective. They could also watch their incoming traffic, watch particularly the traffic in to IP addresses from which spam is seen to be emanating, could run their own honeypots. They could get a reputation among spammers as an ISP not worth risking anything with: too sharp, too likely to hit back. But they don't.
"You cannot eliminate spam."
..."
I can't. The people of the internet can.
"Just not going to happen."
Thanks for your support. So you accept spam forever but are angry about open relays because they enable spam. Curious.
"The best that can be done is to make what spam remains traceable and act against the spammers using relevant meatspace laws"
That's what I say, too. The fact is most spam is traceable - if you start tracing earlier and if ISPs cooperate in the tracing. If you start tracing earlier then "most" spam doesn't matter - the spam you trace gives enough evidence to get rid of the spammers who sent it.
"Open relays, zombie systems, and other 'workarounds' make this more difficult, so keep your doors locked, your systems patched, and your relays closed."
When spammy comes sniffing for an open relay, etc., detect him and use the meatspace laws: he's committing a crime. If all those things are used to send spam then there's a proportional amount of abuse. That's a huge portion of the internet traffic. Spammy can't hide his traffic: it's massive. That the traffic isn't detected isn't because it is hidden, it's because fewer than one in 10 million look. Tremendously effective things have been done against spammers by individual honeypot operators. It's good advice to secure open relays but securing open relays is an ineffectual approach to dealing with spam. The effective strategy is to go after the open relay abuse committed by the spammer. That works pretty much in direct proportion to the number of practitioners. Securing open relays has no practical effect on spam volume until open relays are either too scarce to find or are so clogged with spam it all can't get through. So far that hasn't happened (although the spammers have lowered the load on the pool of open relays by using other techniques. The net spam load has gone up tremendously since the time when open relays were the predominant spam pathway.)
Honeypots aren't the only way to watch for abuse traffic but they are a way that many individual users can combat spammers. Honeypots exist for open relays and for open proxies. Some reports have even been made of honeypot-type activity against zombie-using spammers.
Every complaint against open relays implies that the spammers are still looking for open relays to abuse. That may mean they are checking your IP. When they do they may give away information about who and where they are (a few years ago they were blatant enough to test for open relays from their own systems. So few people paid attention that they could do that, didn't even have to think about doing it stealthily. That's a disgrace.)
Forget the disgrace, remember that a spammer might today attempt to test your system and by so doing give himself away. Doesn't it make sense to detect such attempts and to campaign to get the meatspace laws that apply enforced?
"In meatspace there is a term for things analogous to open relays. That is 'attractive nuisance'. Usually used to refer to such things as unsecured structures that could attract trouble."
I'm aware of "attractive nuisance" but that is more like an unfenced swimming pool that attracts its victim. Even though the victim suffers damage because of the victim's own actions the owner of the attractive nuisance bears liability because he didn't properly anticipate and protect against the damage.
"In meatspace the owner of an "attractive nuisance" bears some responsibility for the misuse of the property if they do not show that they have made a reasonable effort to prevent such, like using locks on the doors and monitoring the property."
Get over it. The fault lies with the spammers, not the hapless operators of open relays. The cure is to get rid of the spammers.
There is an RFC that describes why open relays should be secured: RFC 2505. That RFC says that securing open relays won't work to end spam nor to control spam. Find it, read it.
Your "attractive nuisance" misconception is founded in the idea that if all operators of abusable systems everywhere were to secure their systems then no more of the abuse through such systems will occur. That's valid logic but it's useless: all operators are not going to do it, one of the premises fails. No combination of hissy fits and snotty behavior toward operators of open relays (or spam zombies) and their ISPs will turn the "secure the systems" approach into an effective tool. If it were to work then all the blather about completely changing the SMTP protocol to end spam would be pointless: securing the systems was the solution.
RFC 2505 is from February, 1999. Open relays are still a problem: I trapped an open relay test message yesterday evening (they do come less often now.) That's over 5 years of "secure your open relay" and open relay abuse continues.
If the ones who are so adamant about securing open relays would bother to do an analysis they'd see that if they simulated open relays (enough to fool the spammers or even only enough to trap open relay test messages) they could take advantage of spammer behavior to cause damage to the spammers.
There's two ways to attack the open relay problem. The way that is good for the individual system operators is to secure their open relays. That keeps them from being sites of abuse - but it doesn't stop spam. The other way is to make it no longer pay for the spammers to do open relay abuse, without fretting about how many open relays there are. That works instantly to help end spam.
What's the goal? "Secure the open relays" or "end the spam"? I aim at "end the spam." Once the spam is ended then it's like it was originally: open relays aren't a problem. That was a nice time, a spam-free time, and it had open relays. They weren't the problem, the spammers were the problem. Still are. Ending spam by eliminating all possible points of abuse is hard. Eliminating spam by eliminating spammers isn't nearly as hard. Why choose the harder method, why be so confoundedly insistent on a failed approach?
The open relay test message I trapped yesterday was from slip-12-65-150-128.mis.prserv.net, to smtps1 AT transedge.com. There's useful anti-spam information in those facts, particularly the latter. Transedge.com seems to have links to a lot of spammish places.
"Level 3 is NOT an ISP they are a backbone provider based in Broomfield, CO http://www.level3.com/. PLEASE do some research before you post info here. BTW I am NOT an employee of Level 3 just some one who is interested in truth."
The IP address is in Level 3's space. Either someone at Level 3 is the perpetrator or they do have customers with IP addresses. If that's not an ISP what is, and what does it matter?
Level 3 is also frequently named as a spam-friendly provider by folks who tend to know such things, is number 8 on the Spamhaus top 10 list:
http://www.spamhaus.org/
Enough truth for ya?