(Inevitably, in every thread about spam, someone proposes a solution with one or more flaws. This is a handy form that passes the lameness filter and that can be reused for all such posts to save time! It does not specifically address all possible flaws and may be expanded in future versions.)
Fantastic. Rate proxypots, dude.
http://world.std.com/~pacman/proxypot.html
P.S. Proxypots have been used and have worked. Something more will be needed to combat spam zombies but at least one person (the author of the proxypot above) has figured out one Trojan and faked a zombie. If you don't already know Ron Guilmette got over 100 spammer accounts terminated in under 3 months using a network of proxypots to gather the needed evidence you may not know enough to do an accurate rating - but give it a try anyway.
Imagine laughing and being gleeful when spam arrives at your system - and the more spam, the louder the laugh. Imagine reporting the spammer's IP to his ISP and getting his account terminated. Imagine the spammer getting a new account and hitting your proxypot once again, getting terminated once again - because of you.
It can't be enough revenge - but it's way more than you're getting now, I'd guess.
If a change is going to be made why not make a simpler change that works as well? Instead of encrypting anything why not simply have a DNSWL - a DNS white list? You get on to the list by adopting a policy that prevents spam (and get thrown off if you later allow spam.) If you're on the whitelist you're trusted. No decryption overhead, and you should be able to skip all filtering for email from whitelisted sources, saving additional time.
There are even variations of the idea that could automate adding (and removing) IPs on the white list (which probably would then have to be a cooperative venture.) Remember that you don't need to block every single spam message to kill spam - just block enough so spam doesn't pay. The point of view isn't the false "if one spam gets through the system has failed" but the accurate "if 99.9% of the spam is rejected the system succeeds." Probably it doesn't have to be 99.9%, either.
Obviously, don't drop other countermeasures until spam is dead - and then be vigilant forever.
Thinking about how to survive with a permanent spam problem hasn't worked - it's time to think of eliminating spam. That's a different thought process (it won't center strictly on action at the receiving server and beyond) and should expose many possible modes of attack.
(Re: spam doesn't pay. Yeah, I know - the spammers sell spam services so they get paid even if the buyer loses money. That's only for a while - the buyers will run out of money eventually. And I doubt there's an infinite pool of potential buyers.)
"The vast majority of worms spread via unmaintained systems."
You ask the right question: "What's the point?" and show that you indeed don't see the point.
Yes, the worms travel via insecure systems. It may be taken as a given that there are and always will be insecure systems. If the sole approach taken is "secure the systems" then the worm authors will always win - no effective countermeasures are being taken, or will be taken. That is the point, IMHO.
The worms (including worms that create spam zombies) propagate by some form of abuse. The prevailing attitude, as you show, is "ignore the abuse." This book takes a different direction: "pay attention to the abuse." There's hope that if enough follow what this book recommends that the worm authors will be defeated.
Same with spam. I'd guess 99% of those reading this haven't a clue as to what a spammer relay test message looks like - yet those test messages underlie the sending of spam via open relays. Again, 99% know nothing about how spammers test for open proxies, yet that testing underlies sending of spam via open proxies. Usually one need look no further than one's own system to see how spammers test - but most don't see. They ignore the abuse, they say "the problem is insecure systems," they secure their systems, they do no more, the spam continues - and grows.
It makes very good sense to watch the abuse that underlies the offenses. It makes no sense at all to ignore it. It would take fewer than 1% of the operators on the internet watching the abuse to track it down and get the accounts used to send the abuse terminated. Continuing to blame "insecure systems" and to fail to act gives you what we have now: a wide-open opportunity for abuse.
"You are not going to beat spam this way. I don't think you are even going to slow it down much..."
It already has slowed some spam down, for a while, on a single honeypot basis. One honeypot has taken a major spammer down - for a while - and that spammer was Alan Ralsky. I agree I'm never going to beat spam this way - eventually even the single honeypot is recognized and avoided. It's easily possible that multiple honeypots will beat spam in the sense of forcing the end of open relay and open proxy spam. The key is that instead of ignoring the packets the spammers send to find systems to abuse you do not ignore them.
Legislation that recognizes the power of monitoring the spammer abuse and makes illegal the scans that spammers make to find abusable systems would help but I have no illusion that such legislation will ever happen. I also recognize that spammers will move to virus and other techniques to set up non-standard relays for spam on vulnerable systems that the spammers control. Once the idea sinks in of doing something to counter the abuse rather than sit on one's hands while whining about how sneaky and crafty the spammers are, the spammers will lose.
The honeypot that took down Alan Ralsky ran on a 486 DX4. You don't need major power to fight spam. That honeypot was shut down in July, 2002, partly because of the bandwidth cost. You don't have to run a full honeypot with the associated bandwidth usage to detect and report the spammer abuse. You can allow the spammer one access - so that you have proof of his spamming - and then fake a burdened or crashed system and stop accepting packets. That makes the bandwidth cost trivial - and still allows you to find the spammer's IP and report it.
This is a technique with power. Both for this technique and others it is time to do full, rational analysis and to stop finding a false trivial objection to be used to reject the technique. I don't care if people run honeypots or not - they can still contribute to the death of open relay and open proxy spam by simply looking in the appropriate log files for evidence and then reporting that evidence to ISPs. It will take a period of education for the ISPs - they'll have to learn that reports of proxy port connection attempts are significant enough that the ISP should conduct an examination of the traffic from the indicated IP - but once ISPs learn that then it is trivial to keep the spammers shut down. Trivial - no new software required. If ZoneAlarm users would simply send to the proper ISPs their log file entries for SMTP and proxy port connection attempts - along with a short suggestion that the ISP check the traffic of the indicated IP itself - then the spammers would get shut down quickly, day after day.
There are details - spammers could start abusing through open proxies, requiring additional (but simple) action on the part of the ISP with the open proxy in its space, but it's all doable with the existing network structure, existing laws, existing protocols, existing software.
It won't be done by excuse-finding whiners. Chances are 4 or 5 times a day almost every system on the internet gets probed by a spammer for vulnerability. That's 4 or 5 lost opportunities to detect the spammers' locations for each system on the internet. Maybe my estimate is off, but one every 2 weeks is enough for alert user action to end spam based merely on paying attention to the spammer abuse. One every year is enough, if the users watch for the abuse and report it.
Honeypots ice the cake and add to the reports incontrovertible evidence that it is spam activity being reported.
"In other words, all you are doing is training spammers to be more sophisticated, and then everyone suffers more than before. Well done guys."
I agree teergrubes aren't doing a lot - but they are doing something.
Besides, you're missing an important point. If one teergrube ties up one spammer thread then 10,000 of them could tie up 10,000 spammer threads. It's certainly true that one teergrube is like bailing out a sinking boat with a teaspoon. At the single-system level a teergrube isn't a solution, it's a prototype.
I'd rather run a honeypot myself - but there again you're only tying up one spammer at a time (or a few - it all depends.) But one proxypot operator told me last week that he'd just deleted proxypot logs with 200 gigabytes of spam. He says he traps from 100 to 500 Mb of spam per day. Does that sound trivial? It doesn't to me...
A 1% level of user vigilance should be far more than enough to snuff out spammer abuse.
It is muddy thinking of the rankest kind to not consider what ordinary users can do to make life for spammers pure hell. The successes of the spammers to date have been 99.99% because all the experts concentrated solely on securing ports. A good rule of thumb is that if all the experts say to do something you should check it out very carefully.
If everyone would just once find just one instance of a probable spammer attempt to connect to a proxy port and report that attempt to the proper ISP the spammers would be suffering mightily. Those who wish to see more spammer suffering (and worse spammer suffering) can do more - like, for instance, run a proxypot. Yep, that's likely to drive the spammers 100% into using zombie networks. That will last only as long as it takes for activists to figure out how to defeat the zombies. Alan Curry already has figured out one spammer zombie. See if you can find his report in news.admin.net-abuse.email.
Beyond ordinary user activism there's a world of possibility for ISPs. Criminy, how more obvious can it be? The spammers send voluminous traffic to particular ports. The sources of that traffic are the IPs controlled by spammers. Is it hard to sample traffic? Notice I said "sample," not "monitor." You just need to identify enough spammer traffic that you are a threat to them - either as the spammer's ISP or as the ISP whose space they look in for systems to abuse.
Don't you network people start spouting off about how hard it will be to watch all the traffic. If it's hard then don't do it - look for something less that still has an effect. You'll find it. If you can't find it then OK, leave it to ordinary users. They can kick ass anyway.
Yes. And check out the FBI's garbage excuse in yesterday's Washington Post.
But do note that the DDOS hurt Ron's business and his DNSBL. If Ron did only the proxypot network and posted somewhat anonymously the spammers wouldn't know where to DDOS. They'd get booted from ISP after ISP and not know which "open proxy" was the fake.
Note, too, that just logging proxy port attempts is enough to out the spammers - a full proxypot isn't needed. To find open proxies the spammers have to keep looking for them. Looking exposes them.
Yes, the spammers could use open proxies to search for other open proxies. But while they don't (now) is a good time to strike. Gain the upper hand and the spammers probably will never get it back.
Law enforcement? Sure - if and when it happens. But the linkage also brings spammers more and more into the sights of the anti-abuse people, and they are active now. The spammers just made themselves a target for a much larger group of network-savvy opponents.
The spammers using virus techniques probably already are subject to at least the provisions of some laws in some jurisdictions. Perhaps the DDOS on Spamhaus and the others will motivate some people to trace back from the zombie systems to find out where the commands to them originate. I can imagine spammer techniques to dodge detection but the spammers can't know who is watching what. One clue is all it takes to trace a spammer's IP. Once the spammer's IP is known every packet he sends can be captured. If he breaks any law then a search warrant can be issued that makes the packet capture possible - and he'll never know until it's way too late.
"They're quite capable, and have hired on many technically proficient guns to do their dirty work, cracking systems, running hordes of zombies, and trying to find exploits in every commercial and non-commercial system so they can send out ever more spam."
Perhaps. Their sophistication is finally getting beyond something that can be stopped by almost the dumbest counter-means. It hasn't been their proficiency that has fueled their success: the spammers have had the incredible luck of their abuse being almost totally ignored (in terms of anyone doing something about it.) A lot of spam still uses open relays and open proxies. If you'd think about it you'd see how vulnerable the spammers who use these actually are. (VERY VULNERABLE.)
I could catch spammer test messages (seeking open relays) just by stopping the delivery queue on my email software - and that software is so old it doesn't recognize EHLO. Do anything just a bit more clever (like force delivery of a trapped test message) and you'll advance into a whole new realm of spam fighting.
Now, with their zombie server trojans, the spammers are doing something approaching clever. But get some experience with undoing their open proxy and open relay abuse and you'll be fired up to go after the trojan servers - and I'll bet more than one person figures out how to combat those. But you need to begin to act.
Go over to news.admin.net-abuse.email and check out proxypots: they're kicking spammer ass. Just about anyone can run a successful proxypot. The biggest fly in the ointment is that after a few hundred to about a thousand people run a proxypot (and do the follow through of notifying ISPs of the spammer activity from within their network) there will be no more spam sent by open proxies for you to detect. Surely the absence of that spam will comfort you enough so you won't care too greatly about your lost opportunity. But act now to get in some licks - beat the rush.
I'd be truly surprised if there weren't a worm in the works which would not only act as a mail relay, but which would take care to forward mail to every address listed in a person's address book.
That may come. There are Trojans that turn vulnerable systems into unwitting non-standard email relays (non-standard in that they receive the email on other than port 25.) There have been such for about a year now.
I strongly recommend proxypots. Spammers look all over the internet for open proxies to abuse. Why not help them find one - except one that's not quite what they want? Instead of relaying spam it absorbs it. Instead of keeping no record of what comes to it everything is recorded, including the source IP. With that you can contact the ISP and report the attempted abuse. Reputable ISPs will eject the spammers. Disreputable ones will not, and may not even reply. Make their names and actions known. That will eventually make a very big difference.
In all cases all the spam you trapped goes nowhere. You'll have done a very good thing.
These are weeded out fairly quickly. Better to seed it with "probes", aka honeypots or spamtraps, which helps identify spam senders proactively.
What you call a "honeypot" and what I call a "honeypot" aren't the same - but the ideas are very similar. You say run a fake email address that's a honeypot for spam. I say run a fake open relay or fake open proxy that's a honeypot for relay spam or open proxy spam. When you do this you have many options open to you. Particularly for open proxy honeypots you may have available to you the IP from which the spammer operates (he thinks going through your open proxy, the fake, will hide him.)
If I misinterpret and you mean the same thing I do: glory be! Tell more people!
Do you have any idea how easy it can be to subvert all the cleverness of the spammer in hiding his IP and find it? You can't do this on demand for a particular spammer - but so what? They're all enemies, so action taken against any of them is for the good. Get a few proxypots going and you may be so busy getting accounts closed that you don't care which spammer you hit.
Just run a proxypot. You almost surely will trap spam; much or all of it will have been sent from the spammer's own IP. Ron Guilmette (Google for him, look for posts by him with the words "Who's spamming" in the subject in news.admin.net-abuse.email) got over 100 spammers thrown off their ISPs in under 3 months using a network of proxypots to gather the data.
In addition I cannot describe the feeling of power you experience when you trap spam the spammer thought would be sent through your proxypot. You rule him at that point. When you get back the email from his ISP saying he's been thrown off you have the satisfaction of knowing you've caused a great deal of trouble for one of the scourges of the internet. Even if he gets a new account he may come back to your proxypot and try again to relay spam. Then you get another opportunity to hit.
This could go so quickly that you'll pout because all the spammers were killed off before you had enough fun. Remember to nonetheless enjoy that moment when it comes.
If you left your house door open and somebody entered to make a mess and you took a video of the whole thing so he could be identified and charged for the intended mischief who would be the winner?
If you faked a computer system vulnerable to spammer abuse and a spammer sent a bunch of spam right from his own system using his own IP and you didn't deliver the spam but did inform his ISP who would be the winner?
This isn't rocket science. You can hurt spammers bigtime on your own home system - if your system is in a net segment the spammers check for open relays and open proxies.
Wouldn't you rather do that than sit and complain all the time about spam? There aren't even enough spammers to go around - only the early adopters will have the big fun. Will you be an early adopter?
If the ISP doesn't act you can post about the ISP someplace - maybe even here. How many times will such a post be made before the ISP figures out the cost associated with being the last ISP to act against spammers in its own domain?
You are in the driver's seat if you want to be. Do you?
Your ISP may be able to put together a more intelligent complaint, which will increase the chances of having it looked at. It probably won't affect the chances of action being taken, unless your ISP is huge (RoadRunner, for example).
Perhaps, and some deeply spam-friendly ISPs probably won't do anything no matter who you are.
But back when I was a complete nonentity I sent abuse reports to uu.net (about whom it was said they never acted) and got a spammer terminated - with an abuse report from an open relay honeypot (I think I didn't even know to call it a honeypot at the time.)
Get enough people submitting such reports and even the most sincere spam-friendly ISP will tumble to the notion that pretty soon it is going to stick out really badly as the last spam-friendly ISP on the planet. If a stream of honest and accurate reports of abuse is flowing in they'll have to someday realize that there's evidence in large numbers of places that shows
(A) spam is originating in their space, (B) they are doing nothing about it, and (C) they are doing nothing even when notified and shown clear evidence of the abuse. NOT a good internet neighbor.
The evidence makes any charge of spam support a fact, and if it's a fact it isn't libel to publish that the ISP is allowing spammers to commit abuse from within their space. I have no illusions that news organizations will jump on that but anti-spammers can surely have web pages that lay out the facts. Maybe the spam-friendly ISP will continue to ignore such things but if ever it hits the fan they get covered - and will richly deserve it.
All this can flow from simply watching for the abuse and acting on it when it appears. It's well worth doing and it's past time for it to happen.
I'd also suggest letting your ISP know: if spammers are looking in your ISP's space for abusable proxies the ISP can take protective actions.
Such as? Firewalling incoming ports? Most large residential broadband ISPs are already doing this.
No, not such as firewalling. That's old, weak thinking. Such as looking to see where the abuse originates, grabbing some abuse evidence, and firing off a strongly-worded nastygram to the ISP of the source. In that nastygram suggest that the source ISP watch its own outgoing proxy traffic (or disable same.) There's no need to let spammers have the freedom of the internet and there are obvious damned good reasons to not let them have it. Don't simply firewall or otherwise ignore: watch the spammer abuse and act against it. It is easy to do and it is something that even mere home users with cable or DSL connections can also do.
Subject: attempted proxy abuse from 127.0.0.1 (replace with real IP number)
My software firewall logs show the following attempt to connect to port 1080 (or whatever.) This probably is a spammer looking for an open proxy to abuse. In any case it's a customer of yours and he can't be up to any good. Please investigate (for instance, monitor his outgoing port 1080 traffic) and take whatever action is appropriate.
(Note that I also run a hardware firewall, so the IP number shown for my system is a non-routed one.)
Thank you.
Maybe it will be ignored but it should have an educational effect so that the 10th or 20th such alert gets some notice and action. It's far better, of course, to have captured spam from an open proxy honeypot to report but even the log entries have value. There's no legitimate reason to try to connect to my port 1080: it has to be abuse and the ISP needs to learn to take an active stance against abuse.
If you've got a better way to phrase the report then I'd be glad to see it. Note that my subject tells what the problem is and identifies the IP in the ISP's space that is the source of the abuse and that I show the actual log entry so the abuse person can see I'm not misinterpreting something. I suggest that the ISP monitor the proxy traffic from the indicated IP. Better yet the ISP would simply monitor the proxy port traffic going out (and coming in.) That shows up the spammers like a spotlight.
The example is a real log entry. The SOB was looking for something to abuse.
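The report template above is built by hand from a single firewall log entry. The following is an added example (not code from the thread or from any proxypot project) that does the same thing mechanically: it picks inbound connection attempts to proxy and SMTP ports out of firewall log lines, groups them by source IP, ranks sources by how many distinct ports they touched (a scan signature), and drafts a report in the shape of the template. The log format, the port list and all IP addresses are constructed for this example; real ZoneAlarm or ntop output would need its own regular expression.

```python
"""Added example: turn firewall log lines into a draft abuse report.
Not software from the thread; the log line shape (a simple comma-separated
"date time,proto,src:port,dst:port,action" layout) is an assumption."""
import re
from collections import defaultdict

# Ports a spammer probes when looking for something to relay through.
# This mapping is illustrative, not an authoritative list.
PROXY_PORTS = {1080: "SOCKS", 3128: "Squid HTTP proxy", 8080: "HTTP proxy", 25: "SMTP"}

# Constructed sample log (documentation-range IPs, nothing real).
SAMPLE_LOG = """\
2003-06-01 03:12:44,TCP,203.0.113.7:4012,192.168.1.10:1080,BLOCKED
2003-06-01 03:12:45,TCP,203.0.113.7:4013,192.168.1.10:3128,BLOCKED
2003-06-01 03:14:02,TCP,198.51.100.22:50211,192.168.1.10:80,ALLOWED
2003-06-01 03:20:17,TCP,203.0.113.7:4100,192.168.1.10:25,BLOCKED
2003-06-01 04:01:09,UDP,198.51.100.5:53,192.168.1.10:1029,ALLOWED
2003-06-01 04:07:55,TCP,192.0.2.99:6000,192.168.1.10:8080,BLOCKED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+),(?P<proto>TCP|UDP),(?P<src>[\d.]+):(?P<sport>\d+),"
    r"(?P<dst>[\d.]+):(?P<dport>\d+),(?P<action>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            yield ev


def find_proxy_probes(text):
    """Return {source_ip: [events]} for blocked TCP attempts at proxy/SMTP ports."""
    hits = defaultdict(list)
    for ev in parse_log(text):
        if ev["proto"] == "TCP" and ev["action"] == "BLOCKED" and ev["dport"] in PROXY_PORTS:
            hits[ev["src"]].append(ev)
    return dict(hits)


def rank_sources(probes):
    """Sort sources by distinct ports hit, then attempts: a sweep of several
    proxy ports from one IP is a stronger signal than a single stray packet."""
    ranked = [(ip, len({e["dport"] for e in evs}), len(evs)) for ip, evs in probes.items()]
    return sorted(ranked, key=lambda r: (r[1], r[2]), reverse=True)


def draft_report(source_ip, events):
    """Return (subject, body) following the template given in the post above."""
    ports = sorted({e["dport"] for e in events})
    port_desc = ", ".join(f"{p} ({PROXY_PORTS[p]})" for p in ports)
    subject = f"attempted proxy abuse from {source_ip}"
    lines = [
        f"Subject: {subject}",
        "",
        f"My software firewall logs show the following attempt(s) to connect to port {port_desc}.",
        "This probably is a spammer looking for an open proxy to abuse. In any case it's a "
        "customer of yours and he can't be up to any good. Please investigate (for instance, "
        "monitor his outgoing proxy-port traffic) and take whatever action is appropriate.",
        "",
        "Log entries:",
    ]
    for e in events:
        lines.append(f"  {e['ts']} {e['proto']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} {e['action']}")
    lines += ["", "(Note that I also run a hardware firewall, so the IP number shown for my "
              "system is a non-routed one.)", "", "Thank you."]
    return subject, "\n".join(lines)


if __name__ == "__main__":
    probes = find_proxy_probes(SAMPLE_LOG)
    for ip, nports, nattempts in rank_sources(probes):
        print(f"{ip}: {nports} distinct proxy/SMTP ports, {nattempts} attempts")
    subject, body = draft_report("203.0.113.7", probes["203.0.113.7"])
    print()
    print(body)
```

Ranking by distinct ports is what makes the output useful to an ISP abuse desk: one IP knocking on 1080, 3128 and 25 within minutes is the sweep the post describes, while a single blocked packet may be a misconfiguration. The ALLOWED web hit and the UDP DNS reply in the sample are deliberately left out of the report so the recipient sees only the relevant evidence.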
Apparently Ron is abandoning both but there were two related anti-spam things he did. One was to maintain a blocklist for open proxies. The other was to run a network of proxypots and to use these to discover the IP addresses from which proxy abuse originated. He trapped a lot of spam with those, as well.
Ron made periodic posts to news.admin.net-abuse.email in which he listed the top 40 proxy abuse-source IPs. He also contacted the ISPs from which the abuse originated and was successful in getting many of these to boot the spammers (which is a big reason spammers wanted to put him out of business, it would seem.)
Ron was making real and substantial progress toward ridding the net of spam - even if you never heard of him he was helping you, and the help I speak of had none of the flaws of blocklists.
Spammers look about everywhere on the net, seeking abusable open proxies. That means proxypots will succeed almost anywhere on the net. Just about anyone can help identify spammer IPs and get the spammers thrown off their ISPs. Ron's Top 40 list was a nice bonus and it helped show which ISPs were responsive and which protected spammers. Similar information from a single site (yours, if you'd do it) would also have great value.
I'd direct you to the Bubblegum proxypot web page but that, too, seems to be down. There's still something you can do even if you don't run a proxypot. If you have a software firewall on your system you can find the log entries for rejected proxy connection attempts. Chances are great that those were made by a spammer. Report the attempt to the appropriate ISP. I'd also suggest letting your ISP know: if spammers are looking in your ISP's space for abusable proxies the ISP can take protective actions. Your ISP also may have greater clout with the spammer's ISP - at least it's worth a shot.
You're still using "abuse" in a restricted venue. Relaying spam through someone else's server is TWO cases of abuse... 1: the abuse of the open relay (IMHO, they got what they deserved for having it open)... and 2: abuse of the recipient. Lots of spammers do use the direct method, and lots of them are still in the USA (but lots of others have moved to places like Hong Kong).
Yes, I am. I could get technical and call it "3rd party abuse" (of which there could be and often is more than one) but that just makes the definition exact - it doesn't convey much information. (Many spammers hit the open relays through open proxies. That's why I see proxypots as having a high value - they may be the first 3rd party the spammers abuse. That reveals the spammer's IP. Are you familiar with Ron Guilmette's top 40 spammer lists in news.admin.net-abuse.email? All the IPs and IP blocks in the lists were learned using proxypots.)
And then there's the Hananet spammer who spams from Taiwan to Taiwan addresses, through US computers. Sometimes he sends spam to apparent relays strictly on the basis of his test message being accepted, not on the test message reaching its destination. He's been a real pest lots of places.
I don't know of any use for a proxy port to go across the public internet.
Your whole discussion here is very sensible. If some ISPs would do what you advocate and report the success (if any) of doing it then I'd hope many more ISPs would have the simple good sense to do so themselves - if you are anti-spam there's nothing to lose. I'd like to see the spammers whacked (on the basis of honeypot operation) but if they just fade to nothing because the pathways get narrow and then vanish I'm not going to be upset. I'll rejoice. It does seem to me that having honeypots might speed the process (as opposed to blocking ports.) It's similar to the campaign to secure open relays - until the available abusable bandwidth drops below what the spammers need they aren't very inconvenienced. Honeypots, even single ones, can have an effect right away.
Reporting 3rd party abuse has more bang for the buck in terms of a complaint sent to an ISP. If the ISPs learn to give such complaints precedence they can nuke spammers quicker (pressure will have to be applied to the ones who don't want to nuke the spammers) and that should lead to the complaint level going down (no spammers, no complaints, of course.) Everyone wins except the spammers.
"That's what my 2nd item is, when everyone has that goal."
I don't think everyone is needed. Significant effects have been seen from single systems. If I were going for everyone I'd say "Just Hit Delete." If you get EVERYONE involved then it's trivial.
"What the hell are you talking about? ALL spam is abuse."
Excellent point. Since you understand I'll rephrase it as targeting spam that can be targeted using a honeypot. If you're seeing the spammer connection attempts but stopping them how do you know they aren't looking for an open relay? In any case you get bonus points for seeing it - if more people watched then more reports could go to ISPs about the abuse. Even those ISPs who smugly harbor the spammers might change attitude if they saw even a small stream of ABUSE reports - not SPAM reports. I know I've gotten a spammer knocked off UUNET when all others were saying UUNET harbored them. I didn't have to "raise my voice" or issue threats: I just sent them the SMTP logs that showed the abuse, along with a sample spam. For that matter Michael Tokarev got Ralsky knocked off UUNET again and again, all in the same weekend. The spam stopped when Ralsky ran out of his then-current stock of throwaway accounts in his Dallas operation. More recently Ron Guilmette has gotten what appears to be Ralsky's own servers in his $3/4 million house near Detroit knocked off. This is easy stuff.
"Even the small time spammers, who seem to be the ones you focus on..."
With a honeypot you catch who you catch. See above: Ralsky is NOT a small-time spammer. I believe most spammers now use abuse (open relay abuse, open proxy abuse, Jeem-type abuse) to send spam. Direct spam is fairly easy to stop using blocklists. It's also fairly easy to trace. I don't think most spammers use it. Scelson has claimed he does but then Scelson has filed for bankruptcy.
"What about having ISPs also watch for abuse traffic going out from their own customer base?"
(Slaps head.) DOH! Why didn't I say that? You are absolutely correct. Both the ISP on the sending end and the ISP at the abuse end can look for the same traffic, using traffic analysis tools. I'm familiar with ntop - I'm sure there are others. Cable modem users could watch for spammers probing for open proxy ports on their cable segment using ntop (there's even a low-cost Windows version.) Until spam is gone I think all ISPs who could look for abuse should look for abuse (and not simply secure the ports subject to abuse - that is too easy on the spammers.)
"Running honeypots isn't even necessary for this. They can block incoming ports for open proxies either at the border routers, or in the customer RADIUS profiles, and blocking incoming port 25 in the RADIUS profiles (except for those authorized to run a mail server). Same for any ports eventually discovered to have been deployed by viruses."
Frankly, I can't understand why 99+% of ISPs don't do this automatically. Your point is an excellent one.
But I'd really love to see (as a good example) telesp.br start watching for and honeypotting spam traffic. Of course they could block it - I'd just like reading about the shock when the spammers discovered their abuse of that domain was failing 100% (even though it looked just the same from their end.) But that's my mean streak. [I don't, however, apologize for my mean streak.] The next step would be for telesp.br to tell other ISPs how they defeated the spammers abusing their space. Might that word spread fast?
"There are actually two different anti-spam goals."
I go for the BIG GOAL: end spam. Why settle for less?
If you limit the goal you limit the range of solutions that can be tried.
What I actually aim at is spam sent by abuse, not all spam (so spam sent directly by the spammer to the recipients isn't included. That's a small portion of the spam.) There are two closely-related tools to do this: open relay honeypots and open proxy honeypots. Both accept spam directed elsewhere, both keep that spam from being delivered. If the initial source of the spam can be identified (as it frequently can be for open proxy spam) then the ISP can be notified of the abuse by the customer. Many ISPs will boot the spammer on the basis of that evidence. If the spammer gets a new account but spams in the same way he'll get caught again, get booted again.
These are real good, but what I've described is single-IP honeypots. If ISPs would watch for abuse traffic coming in (particularly proxy port traffic) they could run ISP-wide honeypots. The ISPs could strike a significant blow against the spammers and fairly quickly cause the spammers to leave their IP space alone. If spammers feared they'd get caught and punished when they sent spam they'd lose a lot of their motivation. Being booted is a weak punishment but even that could, if repeated, get the spammer thinking about no longer sending UCE.
"The coolest way..." Well, there's cool and then there's cool. I find it to be cool to use software so that a spammer thinks I run an open proxy or open relay and sends spam to be delivered (which it isn't.) If it's an open proxy I'm faking the spammer probably sends direct from his own server so I see his IP and can report him and his attempted abuse.
As a result I both stop spam AND may get a spammer thrown off his ISP (some ISPs are still altogether too spam-friendly.) It is noteworthy that no change in protocol is needed to do this: it can be done today, worldwide.
I've only touched on the possibilities. Think of the ways you could cause a spammer grief if that spammer started trying to use your system (which could be your home system) to send spam.
"why should i allow abusive traffic into my network? "
Run with that thought. You apply it to your situation, rejecting traffic from South America and Asia. What can they do in South America, in Asia?
Should they allow abusive traffic into their network?
If they (and others) would take simple, reasonable actions against the spam coming in there very soon would be no spam coming in. They don't have to get all their IPs cleaned and secured, they just have to in some way end the abusive traffic. Proxypots are a tool very useful for that.
Once a spammer learns an ISP or a country is no longer a pushover he'll stop using that ISP or that country to relay spam. In the meantime he'll send a lot of spam that does not reach its destination. He loses now, he loses later. That's good.
Don't say "only" unless you've examined all possible solutions.
Proxypots are doing a great deal toward stopping spam, and that's just a small number of them.
Proxypots aren't the end of that line of attack, either. ISPs that don't want spammers operating from their space can watch for traffic characteristic of spammers and nuke the accounts responsible when they find any. ISPs that climb out of their stupor enough to realize they can protect their customers against proxy abuse can monitor incoming traffic for spammer-characteristic patterns and divert the spammer traffic away from the destination IPs.
It's all very simple - it just has to be done.
At the individual IP level almost anyone can run a proxypot or relaypot.
Whitelists are fine but they're mostly a sophisticated JHD. Probably JHD has defeated more spam than all other techniques combined but all of those plus JHD obviously haven't ended spam - more is needed.
I suggest you try a proxypot. Or do the almost minimal version of one: watch for and report attempts to contact the proxy ports on your system.
In response the spammers could try a SOBIG.F based type of distribution method. That's already pretty well blown. They are almost dead. Don't let up until they are gone.
P.S. Seriously: try running a proxypot. You'll be glad you did.
But really, what I want is revenge.
Have you tried a proxypot?
Obviously, don't drop other countermeasures until spam is dead - and then be vigilant forever.
Thinking about how to survive with a permanent spam problem hasn't worked - it's time to think of eliminating spam. That's a different thought process (it won't center strictly on action at the receiving server and beyond) and should expose many possible modes of attack.
(Re: spam doesn't pay. Yeah, I know - the spammers sell spam services so they get paid even if the buyer loses money. That's only for a while - the buyers will run out of money eventually. And I doubt there's an infinite pool of potential buyers.)
"The vast majority of worms spread via unmaintained systems."
You ask the right question: "What's the point?" and show that you indeed don't see the point.
Yes, the worms travel via insecure systems. It may be taken as a given that there are and always will be insecure systems. If the sole approach taken is "secure the systems" then the worm authors will always win - no effective countermeasures are being taken, will be taken. That is the point, IMHO.
The worms (including worms that create spam zombies) propagate by some form of abuse. The prevailing attitude, as you show, is "ignore the abuse." This book takes a different direction: "pay attention to the abuse." There's hope that if enough follow what this book recommends that the worm authors will be defeated.
Same with spam. I'd guess 99% of those reading this haven't a clue as to what a spammer relay test message looks like - yet those test messages underlie the sending of spam via open relays. Again, 99% know nothing about how spammers test for open proxies, yet that testing underlies sending of spam via open proxies. Usually one need look no further than one's own system to see how spammers test - but most don't see. They ignore the abuse, they say "the problem is insecure systems," they secure their systems, they do no more, the spam continues - and grows.
It makes very good sense to watch the abuse that underlies the offenses. It makes no sense at all to ignore it. It would take fewer than 1% of the operators on the internet watching the abuse to track it down and get the accounts used to send the abuse terminated. Continuing to blame "insecure systems" and to fail to act gives you what we have now: a wide-open opportunity for abuse.
"You are not going to beat spam this way. I don't think you are even going to slow it down much ..."
It already has slowed some spam down, for a while, on a single honeypot basis. One honeypot has taken a major spammer down - for a while - and that spammer was Alan Ralsky. I agree I'm never going to beat spam this way - eventually even the single honeypot is recognized and avoided. It's easily possible that multiple honeypots will beat spam in the sense of forcing the end of open relay and open proxy spam. The key is that instead of ignoring the packets the spammers send to find systems to abuse you do not ignore them.
Legislation that recognizes the power of monitoring the spammer abuse and made illegal the scans that spammers make to find abusable systems would help but I have no illusion that such legislation will ever happen. I also recognize that spammers will move to virus and other techniques to set up non-standard relays for spam on vulnerable systems that the spammers control. Once the idea sinks in of doing something to counter the abuse rather than sit on one's hands while whining about how sneaky and crafty the spammers are the spammers will lose.
The honeypot that took down Alan Ralsky ran on a 486 DX4. You don't need major power to fight spam. That honeypot was shut down in July, 2002, partly because of the bandwidth cost. You don't have to run a full honeypot with the associated bandwidth usage to detect and report the spammer abuse. You can allow the spammer one access - so that you have proof of his spamming, and then fake a burdened or crashed system and stop accepting packets. That makes the bandwidth cost trivial - and still allows you to find the spammer's IP and report it.
This is a technique with power. Both for this technique and others it is time to do full, rational analysis and to stop finding a false trivial objection to be used to reject the technique. I don't care if people run honeypots or not - they can still contribute to the death of open relay and open proxy spam by simply looking in the appropriate log files for evidence and then reporting that evidence to ISPs. It will take a period of education for the ISPs - they'll have to learn that reports of proxy port connection attempts are significant enough that the ISP should conduct an examination of the traffic from the indicated IP - but once ISPs learn that then it is trivial to keep the spammers shut down. Trivial - no new software required. If ZoneAlarm users would simply send to the proper IPs their log file entries for SMTP and proxy port connection attempts - along with a short suggestion that the ISP check the traffic of the indicated ISP itself - then the spammers would get shut down quickly, day after day.
There are details - spammers could start abusing through open proxies, requiring additional (but simple) action on the part of the ISP with the open proxy in its space, but its all doable with the existing network structure, existing laws, existing protocols, existing software.
It won't be done by excuse-finding whiners. Chances are 4 or 5 times a day almost every system on the internet gets probed by a spammer for vulnerability. That's 4 or 5 lost opportunities to detect the spammers' locations for each system on the internet. Maybe my estimate is off, but one every 2 weeks is enough for alert user action to end spam based merely on paying attention to the spammer abuse. One every year is enough, if the users watch for the abuse and report it.
Honeypots ice the cake and add to the reports incontrovertible evidence that it is spam activity being reported.
"In other words, all you are doing is training spammers to be more sophisticated, and then everyone suffers more than before. Well done guys."
I agree teergrubes aren't doing a lot - but they are doing something.
Besides, you're missing an important point. If one teergrube ties up one spammer thread then 10,000 of them could tie up 10,000 spammer threads. It's certainly true that one teergrube is like bailing out a sinking boat with a teaspoon. At the single-system level a teergrube isn't a solution, it's a prototype.
I'd rather run a honeypot myself - but there again you're only tying up one spammer at a time (or a few - it all depends.) But one proxypot operator told me last week that he'd just deleted proxypot logs with 200 gigabytes of spam. He says he traps from 100 to 500 Mb of spam per day. Does that sound trivial? It doesn't to me...
Poo.
A 1% level of user vigilance should be far more than enough to snuff out spammer abuse.
It is muddy thinking of the rankest kind to not consider what ordinary users can do to make life for spammers pure hell. The successes of the spammers to date have been 99.99% because all the experts concentrated solely on securing ports. A good rule of thumb is that if all the experts say to do something you should check it out very carefully.
If everyone would just once find just one instance of a probable spammer attempt to connect to a proxy port and report that attempt to the proper ISP the spammers would be suffering mightily. Those who wish to see more spammer suffering (and worse spammer suffering) can do more - like, for instance, run a proxypot. Yep, that's likely to drive the spammers 100% into using zombie networks. That will last only as long as it takes for activists to figure out how to defeat the zombies. Alan Curry already has figured out one spammer zombie. See if you can find his report in news.admin.net-abuse.email.
Beyond ordinary user activism there's a world of possibility for ISPs. Criminy, how more obvious can it be? The spammers send voluminous traffic to particular ports. The sources of that traffic are the IPs controlled by spammers. Is it hard to sample traffic? Notice I said "sample," not "monitor." You just need to identify enough spammer traffic that you are a threat to them - either as the spammer's ISP or as the ISP whose space they look in for systems to abuse.
Don't you network people start spouting off about how hard it will be to watch all the traffic. If it's hard then don't do it - look for something less that still has an effect. You'll find it. If you can't find it then OK, leave it to ordinary users. They can kick ass anyway.
Yes. And check out the FBI's garbage excuse in yesterday's Washington Post.
But do note that the DDOS hurt Ron's business and his DNSBL. If Ron did only the proxypot network and posted somewhat anonymously the spammers wouldn't know where to DDOS. They'd get booted from ISP after ISP and not know which "open proxy" was the fake.
Note, too, that just logging proxy port attempts is enough to out the spammers - a full proxypot isn't needed. To find open proxies the spammers have to keep looking for them. Looking exposes them.
Yes, the spammers could use open proxies to search for other open proxies. But while they don't (now) is a good time to strike. Gain the upper hand and the spammers probably will never get it back.
Law enforcement? Sure - if and when it happens. But the linkage also brings spammers more and more into the sights of the anti-abuse people, and they are active now. The spammers just made themselves a target for a much larger group of network-savvy opponents.
The spammers using virus techniques probably already are subject to at least the provisions of some laws in some jurisdictions. Perhaps the DDOS on Spamhaus and the others will motivate some people to trace back from the zombie systems to find out where the commands to them originate. I can imagine spammer techniques to dodge detection but the spammers can't know who is watching what. One clue is all it takes to trace a spammer's IP. Once the spammer's IP is known every packet he sends can be captured. If he breaks any law then a search warrant can be issued that makes the packet capture possible - and he'll never know until it's way too late.
"They're quite capable, and have hired on many technically proficient guns to do their dirty work, cracking systems, running hordes of zombies, and trying to find exploits in every commercial and non-commercial system so they can send out ever more spam."
Perhaps. Their sophistication is finally getting beyond something that can be stopped by almost the dumbest counter-means. It hasn't been their proficiency that has fueled their success: the spammers have had the incredible luck of their abuse being almost totally ignored (in terms of anyone doing something about it.) A lot of spam still uses open relays and open proxies. If you'd think about it you'd see how vulnerable the spammers who use these actually are. (VERY VULNERABLE.)
I could catch spammer test messages (seeking open relays) just by stopping the delivery queue on my email software - and that software is so old it doesn't recognize EHLO. Do anything just a bit more clever (like force delivery of a trapped test message) and you'll advance into a whole new realm of spam fighting.
Now, with their zombie server trojans, the spammers are doing something approaching clever. But get some experience with undoing their open proxy and open relay abuse and you'll be fired up to go after the trojan servers - and I'll bet more than one person figures out how to combat those. But you need to begin to act.
Go over to news.admin.net-abuse.email and check out proxypots: they're kicking spammer ass. Just about anyone can run a successful proxypot. The biggest fly in the ointment is that after a few hundred to about a thousand people run a proxypot (and do the follow through of notifying ISPs of the spammer activity from within their network) there will be no more spam sent by open proxies for you to detect. Surely the absence of that spam will comfort you enough so you won't care too greatly about your lost opportunity. But act now to get in some licks - beat the rush.
Wait for law enforcement and you'll wait forever - or so it seems.
But talented people are working on cracking the spammer-sent trojans.
See:
http://groups.google.com/groups?selm=bnjtqd013o
I'd be truly surprised if there weren't a worm in the works which would not only act as a mail relay, but which would take care to forward mail to every address listed in a person's address book.
That may come. There are Trojans that turn vulnerable systems into unwitting non-standard email relays (non-standard in that they receive the email on other than port 25.) Have been such for about a year now.
I strongly recommend proxypots. Spammers look all over the internet for open proxies to abuse. Why not help them find one - except one that's not quite what they want? Instead of relaying spam it absorbs it. Instead of keeping no record of what comes to it everything is recorded, including the source IP. With that you can contact the ISP and report the attempted abuse. Reputable ISPs will eject the spammers. Disreputable ones will not, and may not even reply. Make their names and actions known. That will eventually make a very big difference.
In all cases all the spam you trapped goes nowhere. You'll have done a very good thing.
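What a proxypot actually sees on the wire, as an added example (not the poster's code, and not the Bubblegum proxypot): it decodes the SOCKS4 CONNECT request a client sends to a supposed open proxy, records the client IP and the relay target it asked for, then answers the SMTP session as a relay would while queuing nothing. The sample bytes are constructed.

```python
"""Proxypot front end: decode a SOCKS4 CONNECT request, record the evidence
(client IP, requested relay target) and play the relay the spammer expects,
delivering nothing. Added example, not code from the Bubblegum proxypot or any
project named in the thread. Sample bytes below are constructed."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_VERSION = 0          # SOCKS4 replies carry version byte 0
REPLY_GRANTED = 0x5A       # "request granted"
REPLY_REJECTED = 0x5B      # "request rejected or failed"


@dataclass
class Socks4Request:
    dst_ip: str
    dst_port: int
    userid: str


def parse_socks4_connect(data: bytes) -> Optional[Socks4Request]:
    """Decode VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL; None if malformed."""
    if len(data) < 9:
        return None
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS4_VERSION or cd != CMD_CONNECT:
        return None
    nul = data.find(b"\x00", 8)
    if nul < 0:
        return None
    userid = data[8:nul].decode("ascii", errors="replace")
    return Socks4Request(socket.inet_ntoa(data[4:8]), port, userid)


def socks4_reply(granted: bool) -> bytes:
    """Reply frame VN=0, CD=90/91, DSTPORT and DSTIP zeroed."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBHI", REPLY_VERSION, code, 0, 0)


def evidence_record(client_ip: str, data: bytes) -> dict:
    """What the pot logs per connection: who connected and where they asked to
    be relayed. A CONNECT to port 25 on a third-party host is the open-proxy-
    to-relay path the thread describes, so it is flagged."""
    req = parse_socks4_connect(data)
    if req is None:
        return {"client_ip": client_ip, "socks4": False, "suspicious": False}
    return {"client_ip": client_ip, "socks4": True,
            "relay_target": f"{req.dst_ip}:{req.dst_port}",
            "userid": req.userid, "suspicious": req.dst_port == 25}


def absorb_smtp(client_bytes: bytes) -> dict:
    """Answer the SMTP session as a relay would, but queue nothing. The captured
    envelope is the concrete evidence the report to the ISP is built on."""
    env = {"mail_from": None, "rcpt_to": [], "data_lines": 0}
    replies = [b"220 mail ESMTP\r\n"]          # the server side speaks first
    in_data = False
    for line in client_bytes.split(b"\r\n"):
        if in_data:                            # message body until lone "."
            if line == b".":
                in_data = False
                replies.append(b"250 OK queued\r\n")
            else:
                env["data_lines"] += 1
            continue
        upper = line.upper()
        if upper.startswith((b"HELO", b"EHLO")):
            replies.append(b"250 mail\r\n")
        elif upper.startswith(b"MAIL FROM:"):
            env["mail_from"] = line[10:].strip().decode(errors="replace")
            replies.append(b"250 OK\r\n")
        elif upper.startswith(b"RCPT TO:"):
            env["rcpt_to"].append(line[8:].strip().decode(errors="replace"))
            replies.append(b"250 OK\r\n")
        elif upper.startswith(b"DATA"):
            in_data = True
            replies.append(b"354 End data with <CR><LF>.<CR><LF>\r\n")
        elif upper.startswith(b"QUIT"):
            replies.append(b"221 Bye\r\n")
        elif line:                             # anything else: accept blandly
            replies.append(b"250 OK\r\n")
    env["replies"] = replies
    return env


# Constructed sample: CONNECT to 198.51.100.25:25 with userid "x", then the
# SMTP session a client would send once told the connection was granted.
SAMPLE_SOCKS4 = (struct.pack("!BBH", 4, 1, 25)
                 + socket.inet_aton("198.51.100.25") + b"x\x00")
SAMPLE_SMTP = (b"HELO spamhost\r\nMAIL FROM:<bulk@example.net>\r\n"
               b"RCPT TO:<victim@example.org>\r\nDATA\r\n"
               b"Subject: buy now\r\n\r\nhello\r\n.\r\nQUIT\r\n")
```

A real pot wraps these in a listening socket on port 1080; the "one access, then fake a crashed system" variant described earlier in the thread simply stops answering after the first `evidence_record` is written.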
These are weeded out fairly quickly. Better to seed it with "probes", aka honeypots or spamtraps, which helps identify spam senders proactively. What you call a "honeypot" and what I call a "honeypot" aren't the same - but the ideas are very similar. You say run a fake email address that's a honeypot for spam. I say run a fake open relay or fake open proxy that's a honeypot for relay spam or open proxy spam. When you do this you have many options open to you. Particularly for open proxy honeypots you may have available to you the IP from which the spammer operates (he thinks going through your open proxy, the fake, will hide him.) If I misinterpret and you mean the same thing I do: glory be! Tell more people!
Do you have any idea how easy it can be to subvert all the cleverness of the spammer in hiding his IP and find it? You can't do this on demand for a particular spammer - but so what? They're all enemies, so action taken against any of them is for the good. Get a few proxypots going and you may be so busy getting accounts closed that you don't care which spammer you hit.
Just run a proxypot. You almost surely will trap spam, much or all of it will have been sent from the spammer's own IP. Ron Guilmette (Google for him, look for posts by him with the words "Who's spamming" in the subject in news.admin.net-abuse.email) got over 100 spammers thrown off their ISPs in under 3 months using a network of proxypots to gather the data.
In addition I cannot describe the feeling of power you experience when you trap spam the spammer thought would be sent through your proxypot. You rule him at that point. When you get back the email from his ISP saying he's been thrown off you have the satisfaction of knowing you've caused a great deal of trouble for one of the scourges of the internet. Even if he gets a new account he may come back to your proxypot and try again to relay spam. Then you get another opportunity to hit.
This could go so quickly that you'll pout because all the spammers were killed off before you had enough fun. Remember to nonetheless enjoy that moment when it comes.
If you left your house door open and somebody entered to make a mess and you took a video of the whole thing so he could be identified and charged for the intended mischief who would be the winner?
If you faked a computer system vulnerable to spammer abuse and a spammer sent a bunch of spam right from his own system using his own IP and you didn't deliver the spam but did inform his ISP who would be the winner?
This isn't rocket science. You can hurt spammers bigtime on your own home system - if your system is in a net segment the spammers check for open relays and open proxies.
Wouldn't you rather do that than sit and complain all the time about spam? There's not even enough spammers to go around - only the early adopters will have the big fun. Will you be an early adopter?
If the ISP doesn't act you can post about the ISP someplace - maybe even here. How many times will such a post be made before the ISP figures out the cost associated with being the last ISP to act against spammers in its own domain?
You are in the driver's seat if you want to be. Do you?
Your ISP may be able to put together a more intelligent complaint, which will increase the chances of having it looked at. It probably won't affect the chances of action being taken, unless your ISP is huge (RoadRunner, for example).
Perhaps, and some deeply spam-friendly ISPs probably won't do anything no matter who you are.
But back when I was a complete nonentity I sent abuse reports to uu.net (about whom it was said they never acted) and got a spammer terminated - with an abuse report from an open relay honeypot (I think I didn't even know to call it a honeypot at the time.)
Get enough people submitting such reports and even the most sincere spam-friendly ISP will tumble to the notion that pretty soon it is going to stick out really badly as the last spam-friendly ISP on the planet. If a stream of honest and accurate reports of abuse is flowing in they'll have to someday realize that there's evidence in large numbers of places that shows
(A) spam is originating in their space,
(B) they are doing nothing about it, and
(C) they are doing nothing even when notified and shown clear evidence of the abuse. NOT a good internet neighbor.
The evidence makes any charge of spam support a fact, and if it's a fact it isn't libel to publish that the ISP is allowing spammers to commit abuse from within their space. I have no illusions that news organizations will jump on that but anti-spammers can surely have web pages that lay out the facts. Maybe the spam-friendly ISP will continue to ignore such things but if ever it hits the fan they get covered - and will richly deserve it.
All this can flow from simply watching for the abuse and acting on it when it appears. It's well worth doing and it's past time for it to happen.
I'd also suggest letting your ISP know: if spammers are looking in your ISP's space for abusable proxies the ISP can take protective actions.
Such as? Firewalling incoming ports? Most large residential broadband ISPs are already doing this.
No, not such as firewalling. That's old, weak thinking. Such as looking to see where the abuse originates, grabbing some abuse evidence, and firing off a strongly-worded nastygram to the ISP of the source. In that nastygram suggest that the source ISP watch its own outgoing proxy traffic (or disable same.) There's no need to let spammers have the freedom of the internet and there's obvious damned good reasons to not let them have it. Don't simply firewall or otherwise ignore: watch the spammer abuse and act against it. It is easy to do and it is something that even mere home users with cable or DSL connections can also do.
These complaints will be ignored.
to abuse@isp.somewhere
Subject: attempted proxy abuse from 127.0.0.1 (replace with real IP number)
My software firewall logs show the following attempt to connect to port 1080 (or whatever.) This probably is a spammer looking for an open proxy to abuse. In any case it's a customer of yours and he can't be up to any good. Please investigate (for instance, monitor his outgoing port 1080 traffic) and take whatever action is appropriate.
The log entry:
FWIN,2003/09/19,12:03:02 -5:00 GMT,68.162.2.103:5627,192.168.17.17:1080,TCP (flags:S)
(Note that I also run a hardware firewall, so the IP number shown for my system is a non-routed one.)
Thank you.
Maybe it will be ignored but it should have an educational effect so that the 10th or 20th such alert gets some notice and action. It's far better, of course, to have captured spam from an open proxy honeypot to report but even the log entries have value. There's no legitimate reason to try to connect to my port 1080: it has to be abuse and the ISP needs to learn to take an active stance against abuse.
If you've got a better way to phrase the report then I'd be glad to see it. Note that my subject tells what the problem is and identifies the IP in the ISP's space that is the source of the abuse and that I show the actual log entry so the abuse person can see I'm not misinterpreting something. I suggest that the ISP monitor the proxy traffic from the indicated IP. Better yet the ISP would simply monitor the proxy port traffic going out (and coming in.) That shows up the spammers like a spotlight.
The example is a real log entry. The SOB was looking for something to abuse.
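Turning firewall log entries into that report, as an added example (not the poster's own tooling): it parses ZoneAlarm-style FWIN lines in the format of the entry quoted above, keeps only inbound SYNs to proxy and SMTP ports, groups them by source IP and renders the report in the shape the post suggests. The log entry from the post is reused; the other sample lines and the abuse address are constructed placeholders.

```python
"""Software-firewall log -> abuse report, in the shape the post sketches.
Added example, not the poster's tooling. Parses ZoneAlarm-style FWIN lines
(the format of the entry quoted in the thread). Sample lines other than the
quoted one are constructed; the abuse address is a placeholder."""
from collections import defaultdict
from dataclasses import dataclass

# Ports no stranger has a legitimate reason to connect to on a home system:
# SOCKS (1080), common HTTP proxy ports (3128, 8080, 8000) and SMTP (25).
WATCHED_PORTS = {1080: "SOCKS", 3128: "HTTP proxy", 8080: "HTTP proxy",
                 8000: "HTTP proxy", 25: "SMTP"}


@dataclass
class Probe:
    when: str
    src_ip: str
    src_port: int
    dst_port: int
    raw: str


def parse_fwin(line: str):
    """FWIN,date,time zone,src:port,dst:port,TCP (flags:S) -> Probe, or None
    for anything that is not an inbound TCP SYN record."""
    line = line.strip()
    parts = line.split(",")
    if len(parts) < 6 or parts[0] != "FWIN" or not parts[5].startswith("TCP"):
        return None
    if "(flags:S)" not in parts[5]:         # SYN only: a connection attempt
        return None
    try:
        src_ip, src_port = parts[3].rsplit(":", 1)
        _, dst_port = parts[4].rsplit(":", 1)
        return Probe(f"{parts[1]} {parts[2]}", src_ip, int(src_port),
                     int(dst_port), line)
    except ValueError:                       # malformed address or port
        return None


def suspicious_probes(lines):
    """Keep the records aimed at proxy or SMTP ports."""
    return [p for p in map(parse_fwin, lines)
            if p is not None and p.dst_port in WATCHED_PORTS]


def group_by_source(probes):
    """One report per source IP, since each goes to that IP's ISP."""
    by_src = defaultdict(list)
    for p in probes:
        by_src[p.src_ip].append(p)
    return dict(by_src)


def abuse_report(src_ip, probes, abuse_addr="abuse@isp.example"):
    """Subject names the problem and the offending IP; body explains briefly
    and quotes the raw log lines so the abuse desk can judge for itself."""
    ports = sorted({p.dst_port for p in probes})
    services = ", ".join(f"{port} ({WATCHED_PORTS[port]})" for port in ports)
    body = [
        f"To: {abuse_addr}",
        f"Subject: attempted proxy abuse from {src_ip}",
        "",
        f"My software firewall logged {len(probes)} inbound connection attempt(s)",
        f"from {src_ip}, a customer of yours, to port(s) {services} on my system.",
        "I run no proxy and no mail relay, so this is most likely a spammer",
        "scanning for an open proxy. Please investigate and act as appropriate.",
        "",
        "Log entries:",
    ]
    body += [p.raw for p in sorted(probes, key=lambda p: p.when)]
    return "\n".join(body) + "\n"


# Constructed sample log: first line is the entry quoted in the post, the rest
# use documentation addresses. Port 80 and the UDP record must be ignored.
SAMPLE_LOG = [
    "FWIN,2003/09/19,12:03:02 -5:00 GMT,68.162.2.103:5627,192.168.17.17:1080,TCP (flags:S)",
    "FWIN,2003/09/19,12:03:05 -5:00 GMT,68.162.2.103:5631,192.168.17.17:3128,TCP (flags:S)",
    "FWIN,2003/09/19,12:04:40 -5:00 GMT,203.0.113.9:40022,192.168.17.17:25,TCP (flags:S)",
    "FWIN,2003/09/19,12:05:10 -5:00 GMT,198.51.100.4:1234,192.168.17.17:80,TCP (flags:S)",
    "FWIN,2003/09/19,12:05:12 -5:00 GMT,198.51.100.4:1234,192.168.17.17:1080,UDP",
]

if __name__ == "__main__":
    for ip, hits in group_by_source(suspicious_probes(SAMPLE_LOG)).items():
        print(abuse_report(ip, hits))
```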
Apparently Ron is abandoning both but there were two related anti-spam things he did. One was to maintain a blocklist for open proxies. The other was to run a network of proxypots and to use these to discover the IP addresses from which proxy abuse originated. He trapped a lot of spam with those, as well.
Ron made periodic posts to news.admin.net-abuse.email in which he listed the top 40 proxy abuse-source IPs. He also contacted the ISPs from which the abuse originated and was successful in getting many of these to boot the spammers (which is a big reason spammers wanted to put him out of business, it would seem.)
Ron was making real and substantial progress toward ridding the net of spam - even if you never heard of him he was helping you, and the help I speak of had none of the flaws of blocklists.
Spammers look about everywhere on the net, seeking abusable open proxies. That means proxypots will succeed almost anywhere on the net. Just about anyone can help identify spammer IPs and get the spammers thrown off their ISPs. Ron's Top 40 list was a nice bonus and it helped show which ISPs were responsive and which protected spammers. Similar information from a single site (yours, if you'd do it) would also have great value.
I'd direct you to the Bubblegum proxypot web page but that, too, seems to be down. There's still something you can do even if you don't run a proxypot. If you have a software firewall on your system you can find the log entries for rejected proxy connection attempts. Chances are great that those were made by a spammer. Report the attempt to the appropriate ISP. I'd also suggest letting your ISP know: if spammers are looking in your ISP's space for abusable proxies the ISP can take protective actions. Your ISP also may have greater clout with the spammer's ISP - at least it's worth a shot.
You're still using "abuse" in a restricted venue. Relaying spam through someone else's server is TWO cases of abuse ... 1: the abuse of the open relay (IMHO, they got what they deserved for having it open) ... and 2: abuse of the recipient. Lots of spammers do use the direct method, and lots of them are still in the USA (but lots of others have moved to places like Hong Kong).
Yes, I am. I could get technical and call it "3rd party abuse" (of which there could be and often is more than one) but that just makes the definition exact - it doesn't convey much information. (Many spammers hit the open relays through open proxies. That's why I see proxypots as having a high value - they may be the first 3rd party the spammers abuse. That reveals the spammer's IP. Are you familiar with Ron Guilmette's top 40 spammer lists in news.admin.net-abuse.email? All the IPs and IP blocks in the lists were learned using proxypots.)
And then there's the Hananet spammer who spams from Taiwan to Taiwan addresses, through US computers. Sometimes he sends spam to apparent relays strictly on the basis of his test message being accepted, not on the test message reaching its destination. He's been a real pest lots of places.
I don't know of any use for a proxy port to go across the public internet.
Your whole discussion here is very sensible. If some ISPs would do what you advocate and report the success (if any) of doing it then I'd hope many more ISPs would have the simple good sense to do so themselves - if you are anti-spam there's nothing to lose. I'd like to see the spammers whacked (on the basis of honeypot operation) but if they just fade to nothing because the pathways get narrow and then vanish I'm not going to be upset. I'll rejoice. It does seem to me that having honeypots might speed the process (as opposed to blocking ports.) It's similar to the campaign to secure open relays - until the available abusable bandwidth drops below what the spammers need they aren't very inconvenienced. Honeypots, even single ones, can have an effect right away.
Reporting 3rd party abuse has more bang for the buck in terms of a complaint sent to an ISP. If the ISPs learn to give such complaints precedence they can nuke spammers quicker (pressure will have to be applied to the ones who don't want to nuke the spammers) and that should lead to the complaint level going down (no spammers, no complaints, of course.) Everyone wins except the spammers.
"That's what my 2nd item is, when everyone has that goal."
I don't think everyone is needed. Significant effects have been seen from single systems. If I were going for everyone I'd say "Just Hit Delete." If you get EVERYONE involved then it's trivial.
"What the hell are you talking about? ALL spam is abuse."
Excellent point. Since you understand I'll rephrase it as targeting spam that can be targeted using a honeypot. If you're seeing the spammer connection attempts but stopping them how do you know they aren't looking for an open relay? In any case you get bonus points for seeing it - if more people watched then more reports could go to ISPs about the abuse. Even those ISPs who smugly harbor the spammers might change attitude if they saw even a small stream of ABUSE reports - not SPAM reports. I know I've gotten a spammer knocked off UUNET when all others were saying UUNET harbored them. I didn't have to "raise my voice" or issue threats: I just sent them the SMTP logs that showed the abuse, along with a sample spam. For that matter Michael Tokarev got Ralsky knocked off UUNET again and again, all in the same weekend. The spam stopped when Ralsky ran out of his then-current stock of throwaway accounts in his Dallas operation. More recently Ron Guilmette has gotten what appears to be Ralsky's own servers in his $3/4 million house near Detroit knocked off. This is easy stuff.
"Even the small time spammers, who seem to be the ones you focus on..."
With a honeypot you catch who you catch. See above: Ralsky is NOT a small-time spammer. I believe most spammers now use abuse (open relay abuse, open proxy abuse, Jeem-type abuse) to send spam. Direct spam is fairly easy to stop using blocklists. It's also fairly easy to trace. I don't think most spammers use it. Scelson has claimed he does but then Scelson has filed for bankruptcy.
"What about having ISPs also watch for abuse traffic going out from their own customer base?"
(Slaps head.) DOH! Why didn't I say that? You are absolutely correct. Both the ISP on the sending end and the ISP at the abuse end can look for the same traffic, using traffic analysis tools. I'm familiar with ntop - I'm sure there are others. Cable modem users could watch for spammers probing for open proxy ports on their cable segment using ntop (there's even a low-cost Windows version.) Until spam is gone I think all ISPs who could look for abuse should look for abuse (and not simply secure the ports subject to abuse - that is too easy on the spammers.)
"Running honeypots isn't even necessary for this. They can block incoming ports for open proxies either at the border routers, or in the customer RADIUS profiles, and blocking incoming port 25 in the RADIUS profiles (except for those authorized to run a mail server). Same for any ports eventually discovered to have been deployed by viruses."
Frankly, I can't understand why 99+% of ISPs don't do this automatically. Your point is an excellent one.
But I'd really love to see (as a good example) telesp.br start watching for and honeypotting spam traffic. Of course they could block it - I'd just like reading about the shock when the spammers discovered their abuse of that domain was failing 100% (even though it looked just the same from their end.) But that's my mean streak. [I don't, however, apologize for my mean streak.] The next step would be for telesp.br to tell other ISPs how they defeated the spammers abusing their space. Might that word spread fast?
"There are actually two different anti-spam goals."
I go for the BIG GOAL: end spam. Why settle for less?
If you limit the goal you limit the range of solutions that can be tried.
What I actually aim at is spam sent by abuse, not all spam (so spam sent directly by the spammer to the recipients isn't included. That's a small portion of the spam.) There are two closely-related tools to do this: open relay honeypots and open proxy honeypots. Both accept spam directed elsewhere, both keep that spam from being delivered. If the initial source of the spam can be identified (as it frequently can be for open proxy spam) then the ISP can be notified of the abuse by the customer. Many ISPs will boot the spammer on the basis of that evidence. If the spammer gets a new account but spams in the same way he'll get caught again, get booted again.
These are real good, but what I've described is single-IP honeypots. If ISPs would watch for abuse traffic coming in (particularly proxy port traffic) they could run ISP-wide honeypots. The ISPs could strike a significant blow against the spammers and fairly quickly cause the spammers to leave their IP space alone. If spammers feared they'd get caught and punished when they sent spam they'd lose a lot of their motivation. Being booted is a weak punishment but even that could, if repeated, get the spammer thinking about no longer sending UCE.
"The coolest way ..." Well, there's cool and then there's cool. I find it to be cool to use software so that a spammer thinks I run an open proxy or open relay and sends spam to be delivered (which it isn't.) If it's an open proxy I'm faking the spammer probably sends direct from his own server so I see his IP and can report him and his attempted abuse.
As a result I both stop spam AND may get a spammer thrown off his ISP (some ISPs are still altogether too spam-friendly.) It is noteworthy that no change in protocol is needed to do this: it can be done today, worldwide.
I've only touched on the possibilities. Think of the ways you could cause a spammer grief if that spammer started trying to use your system (which could be your home system) to send spam.
"why should i allow abusive traffic into my network? "
Run with that thought. You apply it to your situation, rejecting traffic from South America and Asia. What can they do in South America, in Asia?
Should they allow abusive traffic into their network?
If they (and others) would take simple, reasonable actions against the spam coming in there very soon would be no spam coming in. They don't have to get all their IPs cleaned and secured, they just have to in some way end the abusive traffic. Proxypots are a tool very useful for that.
Once a spammer learns an ISP or a country is no longer a pushover he'll stop using that ISP or that country to relay spam. In the mean time he'll send a lot of spam that does not reach its destination. He loses now, he loses later. That's good.
Don't say "only" unless you've examined all possible solutions.
Proxypots are doing a great deal toward stopping spam, and that's just a small number of them.
Proxypots aren't the end of that line of attack, either. ISPs that don't want spammers operating from their space can watch for traffic characteristic of spammers and nuke the accounts responsible when they find any. ISPs that climb out of their stupor enough to realize they can protect their customers against proxy abuse can monitor incoming traffic for spammer-characteristic patterns and divert the spammer traffic away from the destination IPs.
It's all very simple - it just has to be done.
At the individual IP level almost anyone can run a proxypot or relaypot.
Whitelists are fine but they're mostly a sophisticated JHD. Probably JHD has defeated more spam than all other techniques combined but all of those plus JHD obviously haven't ended spam - more is needed.
I suggest you try a proxypot. Or do the almost minimal version of one: watch for and report attempts to contact the proxy ports on your system.
In response the spammers could try a SOBIG.F based type of distribution method. That's already pretty well blown. They are almost dead. Don't let up until they are gone.
P.S. Seriously: try running a proxypot. You'll be glad you did.
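As an added illustration of the "almost minimal version" of a proxypot suggested above (watch for and report attempts to contact the proxy ports on your system), and not code from any poster here: a Python sketch that picks TCP connection attempts on proxy ports out of constructed firewall-style log lines, groups them by source IP, and drafts the evidence text an abuse desk would want. The port list, the log line format and the two-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports commonly probed by anyone hunting for open proxies (assumption: a
# representative list chosen for this example, not a standard).
PROXY_PORTS = {1080, 3128, 8080, 8000}

# Constructed sample lines loosely modelled on iptables LOG output; the
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 12 03:14:07 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=3128
Mar 12 03:14:08 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=1080
Mar 12 03:14:09 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=8080
Mar 12 03:15:40 gw kernel: IN=eth0 SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=443
Mar 12 03:16:02 gw kernel: IN=eth0 SRC=192.0.2.33 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=3128
Mar 12 03:20:15 gw kernel: IN=eth0 SRC=192.0.2.99 DST=203.0.113.5 PROTO=TCP SPT=1025 DPT=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def proxy_probes(log_text, min_ports=2):
    """Group TCP attempts on proxy ports by source IP.

    Returns {src: {"ports": sorted list, "first": ts, "last": ts, "count": n}}
    for sources that touched at least `min_ports` distinct proxy ports; the
    threshold is a constructed choice to separate a scan from a stray hit.
    """
    hits = defaultdict(lambda: {"ports": set(), "first": None, "last": None, "count": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only TCP SYNs to a proxy port count; UDP noise and other ports are ignored.
        if not m or m["proto"] != "TCP" or int(m["dpt"]) not in PROXY_PORTS:
            continue
        h = hits[m["src"]]
        h["ports"].add(int(m["dpt"]))
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        h["count"] += 1
    return {src: {**h, "ports": sorted(h["ports"])}
            for src, h in hits.items() if len(h["ports"]) >= min_ports}

def abuse_report(src, hit):
    """Plain-text evidence line of the kind the posts above send to an ISP."""
    return (f"Source {src} made {hit['count']} TCP connection attempts to proxy ports "
            f"{hit['ports']} between {hit['first']} and {hit['last']} (timestamps from our logs).")
```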