Why take such a feeble path? You can, on your own computer, go after spammers in a big way - one that works and can produce massive results.
If you run Windows you can use Jackpot, which turns your system into an open relay honeypot.
http://jackpot.uk.net
If you run Linux you can run the Bubblegum Proxypot, which turns your system into an open proxy honeypot.
http://world.std.com/~pacman/proxypot.html
What these will tell you is the IP from which spammer abuse comes - that's very often the spammer's own IP (the spam itself would come from a hijacked system such as the one you are pretending to run). You have far greater power if you detect and report the spammer activity than if you report just spam.
Go to news.admin.net-abuse.email (use Google Groups if you must) and find any of the posts with the subject "Who's Spamming You? [date]..."
These are lists of the top spammer IPs detected using a collection of open proxy honeypots.
If you do this the odds are very high that you will detect spammer activity and will trap spam. If you report the activity to the ISP, pointing out that it is abuse (theft of service) there's a very good chance that action will be taken against the spammer. If you don't see good results for your reports make a posting in that newsgroup about them - you may get some assistance in making your evidence work to stop the spammer.
Note that many spammers do send spam to open relays through open proxies. In that case your report might only serve to get an open proxy secured. It can't hurt to suggest to the ISP, when you make your report, that a devastating way to secure an open proxy is to turn it into an open proxy honeypot. If you think about it you'll also realize how this kind of conversion can start to put fear in the hearts of the spammers.
If you still just want to learn to read spam headers then the main point is to read them backwards and to realize that the first header you reach starting from the top which shows receipt of the email by your ISP may be the last one that is true. Spammers do forge headers - anything earlier than that one could be a fake.
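As an added example (not part of the post above), here is a small Python script that does the header walk just described over a constructed message. It treats the first Received line, reading from the top, whose "by" clause names one of your own ISP's mail hosts as the last line that can be believed, takes the connecting IP from that line as the hop to report, and marks everything below it as unverifiable. The host names, addresses and the TRUSTED_BY set are made up for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not real mail): the top header was added by
# our own ISP; the two below it arrived with the message and may be forged.
SAMPLE = """Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.myisp.example (Postfix) with ESMTP id ABC123
\tfor <victim@myisp.example>; Mon, 12 May 2003 10:02:11 -0400
Received: from mail.bigcorp.example (unknown [203.0.113.45])
\tby relay.example.net (8.12.3/8.12.3) with SMTP id h4CE1xyz
\tfor <victim@myisp.example>; Mon, 12 May 2003 10:01:50 -0400
Received: from aol.com (aol.com [10.0.0.1])
\tby mail.bigcorp.example with SMTP; Mon, 12 May 2003 09:59:00 -0400
From: "Frank" <frank@example.org>
To: victim@myisp.example
Subject: hello

body
"""

# Hosts whose Received lines we trust because they are our ISP's own (assumption).
TRUSTED_BY = {"mx1.myisp.example"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Ranges that can never be a real public sender; their presence means the hop is a fake.
BOGUS_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hop(value):
    """Pull HELO name, connecting IP and receiving host out of one Received header."""
    text = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return None
    ipm = IP_RE.search(m.group("paren") or "")
    ip = ipm.group(1) if ipm else None
    flag = None
    if ip and any(ipaddress.ip_address(ip) in net for net in BOGUS_NETS):
        flag = "private/loopback address: forged"
    return {"helo": m.group("helo"), "ip": ip, "by": m.group("by"), "flag": flag}


def trace_received(raw, trusted_by=TRUSTED_BY):
    """Walk Received headers from the top. The first one received *by* our ISP
    is the last one that can be believed; its connecting IP is the hop that
    actually handed the mail to us. Everything below it is suspect."""
    msg = message_from_string(raw)
    hops = [parse_hop(h) for h in msg.get_all("Received", [])]
    boundary = next((i for i, h in enumerate(hops) if h and h["by"] in trusted_by), None)
    if boundary is None:
        return {"reliable_ip": None, "trusted": [], "suspect": hops}
    return {
        "reliable_ip": hops[boundary]["ip"],
        "trusted": hops[: boundary + 1],
        "suspect": hops[boundary + 1:],
    }


if __name__ == "__main__":
    result = trace_received(SAMPLE)
    print("report this IP to its ISP:", result["reliable_ip"])
    for hop in result["suspect"]:
        print("unverifiable:", hop)
```

The forged bottom line claims a hand-off from aol.com at 10.0.0.1, a private address, which is a giveaway; the script flags it but does not try to guess what the real path was, because nothing below the trust boundary can be verified.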
"But this measure will lead to increased non-spam traffic, as legitimate mailers have to queue legitimate messages and resend them."
You make sense.
"And it's ineffective because there is no reason why spammers wouldn't just re-send the same message; this method increases the cost for spam and non-spam messages equally."
Spammers already do resend. If the method burdens non-spam then I agree that's a minus. The re-sending of spam seems to be what currently happens. I can't say what the reason is that spammers send the same spam again and again (I know what a message from "Frank" is going to say) but resending definitely is done already.
(Serious question.) Has the spam volume slacked the last few days? Despite what some might claim the specter of Microsoft suing and winning ought to make some spammers stop, at least until they can remove all traces of US origin for their spam. May their lawyers (if any) advise them that's too late: if MS can trace them they could be next if they've spammed MSN or Hotmail addresses.
"I think these people haven't thought through the issue as fully as they could."
Amen. It's a programmers' feast: pick an idea and start coding - before any real analysis.
Make that a bad programmers' feast. Come to a hard point to analyze? No problem: make up something plausible (to yourself, at least) and go right on working on what you want to do.
Heck, RFC 2505 said in plain language that securing open relays was not an effective anti-spam method. Did that matter? Humph. "They" proceeded to demonize open relay operators and to demand obedience to "their" orders. There was a point to securing open relays - no doubt about that - but securing was not a method to end spam. Still, years were frittered away on "secure your open relay." "550 we do not relay" tells a spammer all the useful information that he needs to know about an IP when he's looking for open relays. That's still mostly the standard action for a secure MTA.
When all the secure relays say they're secure it's no great challenge to pick out the insecure, true open relays. No matter: give that gift to the spammers. It's more important to get every operator to obey than it is to end spam.
I think we agree: if every mailbox were protected by a good DNSBL then spam would have to die. That's not the goal, apparently - there's no effort expended to extend DNSBL coverage.
What do you think of DCC? It apparently creates a need for some whitelisting but it's automated - no constant need for human action to get spam identified. That's another problem: relying on humans to do the detail work. What are computers for if not to do the detail work? Why would anyone ever want to run a DNSBL that necessitated near-constant human effort? We need more lazy people - let the computer do the work.
Go ahead: do it, run one. I did for years. How open do you want the relay to be? I must admit mine was truly open only to local users for whom I added a filter rule to let them through (and one remote user, for a while) but I didn't really want a truly open relay, just one open locally. I could have used send-after-receive if I'd had the right MTA software but I didn't have that so I had to improvise.
There's two ways that could work: if you could reliably identify spam or if you could reliably identify non-spam. Either discrimination could be based on multiple criteria.
In general the philosophy you seem to be expressing is admirable, and better than the philosophy that has prevailed for years. "They" say eliminate all the open relays. You seem to be suggesting you want to make the open relays selectively unavailable to spammers. They give up, you don't. They give control to the spammers, you keep control. I'm for your approach: it doesn't cower. I'm tired of people who cower before the spammers. We're right, they're wrong. We have the strength of numbers, the moral strength, the intellectual strength. The spammers win only because we (stupidly) choose to not wield our power in an effective manner.
I may be reading too much into what you say - I won't get my feelings hurt if you correct me. (Not that I think you should care a bunch about whether you did.)
"Spam guards and spam co-evolve. Since greylisting is easy to get around by spammers, if it becomes widespread, spammers will take measures to avoid it, and the net result will be a lot of extra traffic."
"A lot of extra traffic"? Have you seen what's happening lately? Every anti-spam measure will lead to increased spam traffic, and the spam traffic has increased. The "extra traffic" argument is meaningless. If there's a flaw it would be that greylisting puts more of a burden on anti-spammers than is justified on the basis of the burden that it puts on spammers. I see nothing that approaches an analysis on that basis. If there's a claim that spam will be stopped without effort or cost that seems to say everyone can just stop all efforts and spam will disappear. In time that will probably even work. Do we want to wait that long or do we want to kill spam today?
"It wouldn't be that hard for them to act like a legit MTA to get around this problem..."
How hard is that hard?
If they spam through an open proxy to open relay path, as many do, just how does the failure information get back to them? Valid return address? That gives away something about the spammer.
"That said, it will make spammers lives much more difficult, and requires them to identify themselves. So this could be helpful, in concert with other tools."
I take it as a given that any proposed technique is proposed as an addition to the arsenal unless it specifically knocks out some existing tool.
I think that any analysis that says "the spammers can learn this is being done and compensate" needs to show what the spammers need to do to compensate and how much more, if any, that compensation costs the spammer. Isn't that a reasonable expectation?
"To assume that a human will always be 100% accurate at classifying their own email isn't just arrogant, it's plain wrong."
Yeah, OK. It's not like arrogance doesn't show up all over the place anyway.
I use human classification (I guess) of email to identify spam and it is 100% accurate. That's because I let those who are best at identifying spam do it: the spammers. I trap relay spam, only spammers attempt to send through open relays such as the one I fake. Presto: 100% accuracy, and no actual filter at all.
Sure, if you restrict yourself to fighting spam with your own email you have possible classification problems. I do it for other people's spam, and I get 100% accuracy, always. That's what spammers try to relay through my system: other people's spam.
There's easy and there's hard. What I do is easy. I prefer easy.
What's hard is getting other people to do what's easy. There's a nifty paradox for you.
When the open relay DNSBLs are shut down because they no longer do anything useful then you'll know open relays are no longer a problem. I've got a (Taiwan) spammer trying to send spam through my fake open relay right now. I've wanted to catch the spammer who tests from 4.46.13.179 but so far he's slipped the hook. I just keep getting this #$@#!@# Taiwan spammer.
There's two ways to know when open relay abuse is over. The first is as above: when the open relay DNSBLs shut down because they're idle you'll know. The other way is to watch the spammers look for open relays yourself, on your own system. (Same for open proxies, incidentally.)
If you'd set up your own open relay honeypot maybe you'd catch the 4.46.13.179 tester. That would be fine with me: I want him caught and I don't care who does it. If you'd set up your own honeypot you'd almost surely catch somebody, even if not that particular spammer. Why not give it a try? It's a bit of a rush to know you've outsmarted somebody who thinks he's smarter than you are.
"As long as knowledgable internet security experts are getting paid good cash to enable spammers, and SMTP doesn't change, spam will only continue to get worse."
Oh, foo. What these experts know that's most valuable to them is that essentially nobody pays attention to the huge level of spammer abuse that the spammers commit to send their spam. Beyond the impotent "secure your open relay" campaign that they were told from the start wouldn't work 99.99% of the operators pay no attention whatsoever to the spammer abuse. It isn't that the spammers are so clever (that's a self-serving tale told by careless administrators.) The problem is that the abuse is easy because almost nobody pays attention. Spammers get away with the simplest possible abuse - there's not yet even a challenge in it for them to exercise those claimed intellectual powers.
Those reading this who have any kind of permanent internet connection probably do not know about or attend to the open relay and open proxy tests spammers make on their systems to see if the systems can be abused. It's obviously not enough for most people to be secure (look at how things are - is spam succeeding?) but few will take the obvious and easy step of acting in some manner, no matter how slight, to counter that abuse. How much trouble is it to find the sources and destinations of open relay test email messages and report them? How much trouble is it to find proxy port scans and report them? Apparently so much trouble that those who don't do it would rather have the spam than take the trouble.
jackpot.uk.net
http://world.std.com/~pacman/proxypot.html
By this evening you could be set up to see and counter the most common spammer abuse. Most likely you won't do it. It's an opportunity to act as a single, isolated system and have possibly a big effect against some spam or, if enough others do the same, spam itself. If you run Windows and are competent enough to install a JVM and Jackpot please do it and start up Jackpot. Start it in the default mode: that delivers nothing, you are not risking very much at all. Just trap some spammer relay tests so you see what they're like, how often they occur, where they originate and where they go. You'll know as much as any so-called spammer "expert" in under a week.
This honeypot: http://www.corpit.ru/cgi-bin/h0n5yp0t knocked Ralsky off three separate ISPs in one weekend. The story is a bit more complex than just that but what I say is true.
If any of you would bother to look you would find, unless you're on a dialup (and sometimes even dialups get hit) that if you have a real IP some spammer, sooner or later, usually within a day, will check to see if you have an open relay or open proxy. It's not hard: ZoneAlarm is enough. I see, for instance, that 12.145.146.25 was sniffing around my proxy ports earlier today (3128 and 1080). I'll report this to ATT.
I'm patiently waiting for someone to check to see if I'm an open relay. Depending on what I learn I'll take appropriate action.
But I'm just a guy. Why don't ISPs do some simple traffic analysis and find the abuse traffic and its source? This holds particularly for ISPs outside the US but if any ISP anywhere would just watch the spammer-specific abuse traffic that ISP could whack the spammers very hard.
I realize some would rather sit on a self-made throne and say the problem is those who are dumb (er than the guy on the thrown) and have open relays and/or open proxies but that approach hasn't done anything to stop spam, whatever it does to build up the throne occupant's ego.
For an open relay honeypot see http://jackpot.uk.net
For an open proxy honeypot see http://world.std.com/~pacman/proxypot.html
Don't listen to the people who say stopping spam is hard - their next statement is usually that if you'd do something that makes them a lot of money then spam will end. Do something easy, something that makes nobody anything: stop the abuse. It is easy and just about everybody can join in. Take a first step: load Jackpot (you also need a JVM), run it, and trap some relay test messages. Find out what spammers are doing to test your own IP - that's an opportunity only you can seize (well, you or your ISP.)
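The post talks about spotting proxy port scans and relay probes in your own firewall log and reporting them. As an added example (not from the post, and not ZoneAlarm or Jackpot output), here is a Python scan of iptables-style LOG lines that groups connection attempts to the usual proxy and SMTP ports by source address so you have something concrete to send to the source's ISP. The log lines are constructed for the example, and the PROXY_PORTS set is an assumption about which ports spammers commonly probe.

```python
import re
from collections import defaultdict

# Ports abusers probe when hunting proxies and relays (assumed list for this example).
PROXY_PORTS = {1080, 3128, 8080, 8081, 3127, 6588}
RELAY_PORTS = {25}

# Only TCP SYNs to a destination port matter; UDP noise on the same ports is ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)

# Constructed iptables LOG-target lines, not captured traffic.
SAMPLE_LOG = """\
May 12 03:11:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.44 DST=203.0.113.9 PROTO=TCP SPT=41022 DPT=3128 SYN
May 12 03:11:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.44 DST=203.0.113.9 PROTO=TCP SPT=41023 DPT=1080 SYN
May 12 03:11:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.44 DST=203.0.113.9 PROTO=TCP SPT=41024 DPT=8080 SYN
May 12 03:14:55 gw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.9 PROTO=TCP SPT=2233 DPT=25 SYN
May 12 03:20:10 gw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.9 PROTO=TCP SPT=5000 DPT=443 SYN
May 12 03:21:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.9 PROTO=UDP SPT=5000 DPT=1080
"""


def find_probes(log_text):
    """Return {source_ip: {"ports": [...], "kinds": [...]}} for every source that
    touched a proxy or relay port. Sources that only hit other ports are dropped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        port = int(m.group("dpt"))
        if port in PROXY_PORTS or port in RELAY_PORTS:
            hits[m.group("src")].add(port)
    report = {}
    for src, ports in hits.items():
        kinds = []
        if ports & PROXY_PORTS:
            kinds.append("open-proxy probe")
        if ports & RELAY_PORTS:
            kinds.append("open-relay probe")
        report[src] = {"ports": sorted(ports), "kinds": kinds}
    return report


def format_report(report):
    """One line per source, ready to paste into an abuse report."""
    return [
        f"{src}: {', '.join(info['kinds'])} on ports {info['ports']}"
        for src, info in sorted(report.items())
    ]


if __name__ == "__main__":
    for line in format_report(find_probes(SAMPLE_LOG)):
        print(line)
```

A source that walks several proxy ports within a second or two is the pattern the post describes; one SYN to port 25 from an unknown host is only a hint on its own, which is why the report keeps the two kinds separate.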
"My organization has roughly 120 Internet email users and a quick grep -c of the logs reveals that in the last week my server has denied 700 messages from open relays or known sources of UCE."
Yes, and my ISP, which uses Brightmail, lets through tons of crap. I know a message from "Frank" is going to tell me I should enlarge my penis. Brightmail doesn't.
For what you do (use a blocklist) the solution would seem to be faster addition of IPs to the blocklists. All those IPs that are sources of the spam to you - those should be listed instantly. It appears that much of the current anti-spam technology is grossly labor-intensive: somebody has to look at the spam and then enter the source IP in the blocklist. Why is there no way you could at least send the IPs you've seen as sources directly to a listing service that would automatically list them? Why is there (apparently) no listing service that uses a DCC front end - one that recognizes spam by its checksum and then adds the source IP to a blocklist if it isn't already there? If DCC fails because of spammer cleverness why isn't there a listing service that uses Bayesian filters to identify the spam?
Getting back to your system and logs, how many relay attempts did you reject last week? Most of these surely are spammers who are looking for new open relays. If your company had a second box with a different IP that just accepted all incoming email and delivered nothing you'd very quickly build a database of which spammers (identified by source IP and by test email destination or bounce address) are testing your IP space. You almost have that in your logs anyway - the second system means you'll trap the messages and be sure they are tests. You'll also learn what spammer tests look like. That's a big part of the spam problem - shouldn't people know what the spammers do?
I advocate honeypots but I have no monetary attachment to them - I'll make $0 from them whether they are used or not. I have no problem with them being unused and instead for a really effective blocklist plan to be implemented. If every spam source were listed and if every mailbox were protected by a blocklist then no spam would get delivered. ASRG could be working on such a solution, even as a temporary stopgap, but they aren't.
Blocklists get encumbered with extra stuff. The first encumbrance is the nasty attitude toward the listee: he's dirty and he should remain on the list forever - that sort of thing. That interferes with the function, which is: block spam. The blocklist is not a means of punishment - forget that. I'd say the effective blocklist would use automated techniques to list IPs and would age off IPs very quickly - in a day or less. Ageing off is OK: if spam comes again from the IP it will again be listed - listing is automatic in my scheme. What's really needed most is a list of trusted sources for the bad-IP information. You know you can be trusted (I think) - the problem is that of how the listing organization knows you are to be trusted (to send accurate information on which IPs should be blocked.) There may be a good start: if AOL, MSN, and Hotmail are going to trust each other that should lead to a large proportion of the mailboxes being protected. How do others get into the system?
Some spammers probably consult lists of open relays to find ones to exploit. Who monitors the pattern of inquiries to blocklists? Which open relay blocklists salt the lists with honeypot addresses?
There's tons that could be done that isn't, lots of it very easy to do. Where's the discussion on those things? NANAE? No. ASRG? No. Where?
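As an added example (not from the post), this Python sketch turns the blocklist design argued for above into code: listing is automatic but only from trusted reporters, every entry ages off after a day unless it is reported again, and every lookup is logged so that someone enumerating the list can be noticed. It also builds the standard DNSBL query name (reversed octets under the zone). The zone name and reporter names are assumptions for the example; this is a single-process model, not a DNS server.

```python
import time

ZONE = "bl.example"        # assumed DNSBL zone for this example
DEFAULT_TTL = 24 * 3600    # age entries off after a day, as the post proposes


class AutoBlocklist:
    """Automatic, short-lived IP blocklist fed only by trusted reporters."""

    def __init__(self, trusted_reporters, ttl=DEFAULT_TTL):
        self.trusted = set(trusted_reporters)
        self.ttl = ttl
        self.entries = {}    # ip -> expiry timestamp
        self.rejected = []   # reports from untrusted sources, kept for audit
        self.queries = []    # (querier, ip, found) for spotting list-mining

    def report(self, reporter, ip, now=None):
        """List ip if the reporter is trusted. Re-reporting pushes expiry forward;
        nothing is permanent and nothing is punitive."""
        now = time.time() if now is None else now
        if reporter not in self.trusted:
            self.rejected.append((reporter, ip))
            return False
        self.entries[ip] = now + self.ttl
        return True

    def expire(self, now=None):
        """Drop entries whose TTL has passed; return the IPs removed."""
        now = time.time() if now is None else now
        dead = [ip for ip, exp in self.entries.items() if exp <= now]
        for ip in dead:
            del self.entries[ip]
        return dead

    def is_listed(self, ip, now=None, querier="local"):
        now = time.time() if now is None else now
        found = self.entries.get(ip, 0) > now
        self.queries.append((querier, ip, found))
        return found

    def heavy_queriers(self, threshold):
        """Queriers that looked up at least `threshold` distinct IPs: the
        pattern of someone mining the list rather than checking their inbound mail."""
        seen = {}
        for q, ip, _ in self.queries:
            seen.setdefault(q, set()).add(ip)
        return {q: len(ips) for q, ips in seen.items() if len(ips) >= threshold}


def dnsbl_query_name(ip, zone=ZONE):
    """Standard DNSBL lookup name: octets reversed, under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    bl = AutoBlocklist({"mx1.example"}, ttl=3600)
    bl.report("mx1.example", "192.0.2.10")
    print(dnsbl_query_name("192.0.2.10"), bl.is_listed("192.0.2.10"))
```

Because listing is automatic and short-lived, a mistaken report costs at most a day; because the reporter set is explicit, the hard problem the post names (deciding whom to trust) is isolated in one place instead of being spread over every entry.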
Sure. Distrust in the nodes, trust in the people. Ship sendmail so the default is to relay. Transmit unencrypted. Have RFCs - follow them voluntarily.
Trust.
So the early model was that the people could be trusted, the technology couldn't. Now the model being pursued is one in which the technology is trusted, the people aren't.
Meanwhile anyone with a spare Linux/Unix box can trap spam by configuring the MTA (possibly sendmail) to accept everything and deliver nothing. It's boringly simple.
(As described you mostly just trap relay tests. Deliver one of those and you'll very likely see spam follow.)
My model is to not trust the people, too, and to devise ways to interfere with what the ones who don't deserve trust do to stop them. My model is also to destroy the trust of the wrongdoers in the rest of us: we won't willingly let them get by with their abuse.
Too much effort could be put into describing the grand scheme in some clever way - there should be a balance in which a fair amount of effort goes into stopping the spammers.
The internet started on a model of trust. We know we can't trust the spammers and we knock ourselves out trying to implement that distrust. All the while we operate in a manner the spammers can fully trust: if a system says it's an open relay it really is, if a system is secured against being an open relay it proudly proclaims as much. We're just as honest about open proxies. We assist the spammers thousands of times a day by being trustworthy. Isn't that exactly why they find it so easy to commit abuse? We keep being honest and trustworthy with the spammers - we help them. Stop doing things that lead to our being hurt, start doing things that hurt the spammers. It's an easy and logical progression to make.
It's time to destroy the spammers' trust in us. This should have no impact on anything legitimate: it's targeted on the spammers. Those who never go looking for open relays will never be deceived by fakes - it's only the spammers who fall victim to the deceit. Same for open proxies - who goes looking for them other than abusers? Doesn't that seem to be exactly right - harm those who would do harm, don't touch the rest? There are behaviors that only spammers exhibit. Target those, make life miserable for the spammers.
The ASRG methods, all of them, are designed to be the same for everyone - they are targeted on what spammers and non-spammers do in common and then are supposed to make use by the non-spammers impossible. To do that everything will have to be changed. That will take years and it will take nearly full compliance to be effective. It will be like the "secure open relays" campaign of a few years ago. To actually stop spam that had to be universal, or very nearly so. Instead there are still hundreds of thousands of open relays, more pop up every day. How many years for full compliance? Alternately there may have to be a D-day for a total switchover - a source of huge complexity and disruption. Before committing to that isn't it necessary to make sure there is not something less drastic which will work to end spam?
If instead people opposed to spam change their behavior toward the things spammers and only spammers do then ordinary email can be left as it is - if those behavior changes end spam. Foremost of the behavior changes would be stop ignoring spammer abuse. Spammer abuse is an easy target, an easy path to hitting spammers and completely missing non-spammers. Spammers have two choices: spam direct or spam via abuse. If you knock down spam via abuse then they're left with direct spam. That you can hit adequately using blocklists. ASRG wants to make spam impossible by making every single spam message impossible. That's overkill - it's only necessary to make spam cost more than it returns. That can be done - without a total reengineering of the system.
The big question is: are anti-spammers smart enough to stop spammers by going after the abuse? I say they are, when you include in "anti-spammers" all the people that do not like spam. The alternative position would seem to be that anti-spammers are smart enough to stop spam by changing the entire internet but not by doing anything lesser. I can't agree to that - not unless those limited-intelligence people explain why that is. Isn't there the roots of a paradox in that?
"Sending mail through an open relay isn't wrong or a crime or whatever."
It's been enough, time after time, to get an ISP to boot a spammer. Including Rizler and Ralsky. It's abuse, too. As abuse it's perfectly within the rights of the owner of the system being abused to not deliver the spam and to give no notice of non-delivery. If you do this on a system with no real email function you will almost certainly never touch any valid email. Only by very strange circumstances should valid email ever come to a system you just set up to listen on port 25. I had a system with all email directed away from it by MX records. Spammers, who connect by IP number, still reached it.
"Only the actual spamming can be grounds for account termination."
Wearing plaid can be grounds, if the ISP says so in the TOS. In any event you're wrong. I'll give you the plaid - I doubt many ISPS care.
"Besides, what makes you think that they probe from the same account which is shortly thereafter used for the actual spamming?"
Where do you get the notion I do think that? What do I care - they probe from IP A, find an "open relay," start sending spam through open proxies B, C, D, E, F,... Ah - getting them terminated - that's where you believe I think that. No, in the case I just described (open proxies as sources) I pretty much sigh and give up (I'm lazy.) Now if I ran an open proxy honeypot lots of times I'd see the real spammer IP (I might have to be outside the US for this to consistently work. This is a hint to those outside the US.) In the past there have been many times when the spammers sent the relay spam direct to the open relay (no open proxy involved.) That's when they got terminated.
If the trapped spam contains anything I can use against the spammer then I'll do that.
At this time many still test from their own IPs (sometimes registration information shows that, sometimes the constancy of IP for the same test strongly implies that.) Get tests from the same IP month after month to mets17@erols.com and you think pretty surely that IP belongs to the spammer. Could be wrong but it's enough reason to ask the ISP to take a look.
"Even if almost every ISP made SMTP scanning a violation of their TOS, that wouldn't stop the spammers: They would simply scan from spammer-friendly ISPs and spam from other ISPs as usual."
You have to think of every possible way to screw the spammers when they test - your goal isn't merely to get the account used to do the scanning closed (you want to do something that really hurts them - or should.) If the tests go to freemail providers then you want the freemail provider to divert the messages. If the spammer sends tests to himself, at his own domain, you probably want to deliver the tests. Then you don't deliver the spam that follows. Why do you care if he tests from a spam-friendly domain - you've screwed him even if he does. You also want the universe of actions taken to be mixed - you don't want the spammer to ever easily figure out what is happening. Remember - he's doing things no honest person does. If you screw with people who do these things you only hurt them - not your honest peers.
You can just intercept the tests and do nothing at all. The spammer can't tell whether that's what you are doing, whether you are reporting them to his ISP and to the dropbox provider, or whether you are an open relay and the ISP that controls the dropbox is screwing with the messages. You may not then be doing much but you'll be doing something, which in this areas of spam fighting puts you well above just about everyone else.
I stopped spam to about 330,000 people this weekend. Wasn't that worth doing? I realize it's a tiny fraction of the total spam but it's more than my share. If 0.1% of the systems on the internet were as successful at stopping spam then there'd be far less spam ever reaching the filters, let alone recipients. I'm not done with my use
"If you have an idea for a completely new system that doesn't suck in the ways above, I'd like to hear it. But I haven't heard of one yet..."
Stick with SMTP, stop being such utter idiots about spammer abuse. To succeed the spammers have to send a lot of probing packets to IPs everywhere. Quit ignoring those probes.
No new protocol required, nothing centralized, no disruption from a switchover, nothing that makes email a pain in the ass (instead it makes spamming a pain in the ass - to spammers).
It's doable by end-users, it's doable by ISPs. Start today - spam will be devastated in a month.
It's exactly what you want. Stop ignoring spammer abuse. LOOK at the log entries for bounced relay messages, report them to the source ISP and to the destination ISP. Suggest to the destination ISP that the best thing to do, if compatible with their TOS, is to wipe the mailbox and divert future messages from it. As a bonus the destination ISP can find the IPs of the messages to that email address and submit them to an open relay blocklist.
Plus other things that will occur to you once you are rolling - it's not rocket science. In general you want (a) to lie to the spammer whenever possible, (b) to interfere with spam delivery whenever possible, and (c) to notify as many ISPs as possible about the spammer tests and spam.
Open relay honeypots, open proxy honeypots - these are powerful weapons. There's not yet a download for everyone but there are these:
If you're going to think (which is good) why not think more? There are two aspects to the open relay problem, for instance. These are:
(1) Open relays exist. (2) Spammers can find them.
The campaign to secure open relays aims strictly at (1). The campaign also ignores RFC 2505, which says this is not the way to stop spam, because of (2).
So if attacking (1) doesn't work isn't it logical to try to attack (2)?
Spammers have an unbelievably easy task when it comes to finding open relays. They just try to relay through a whole bunch of IPs. The ones that deliver the test message are the open relays.
So one way to fight (2) would be to make it untrue that the systems that deliver the test messages are open relays. How? Easy - set up systems that accept and deliver spammer test messages and accept and don't deliver everything else.
Argue with me if you want but I'm up over 284,000 recipients in the spam I've been trapping since Saturday morning. If you think it's hard to identify spammer relay test messages maybe you should trap some for a while and see if it is hard. I am trapping the spam using Jackpot: http://jackpot.uk.net Jackpot does OK at identifying spammer test messages. It's failed to identify a few (so it didn't deliver them) but the volume of spam is such that it hardly matters.
It's all spam from Taiwan to Taiwan recipients that I'm trapping (based on sampling: I've not checked all the recipient addresses.) I'd rather it were otherwise but in this game you stop what comes to you and hope the next guy will get what isn't being sent to your trap.
That reminds me: there are currently several openings for being "the next guy." Why not give it a try? At least just trap some test messages - Jackpot in its default delivered state delivers nothing - you're safe from any risk of getting on a blocklist.
See if you get any tests to the insulting/threatening fake address sent by the guy in California (I think his tests work by their being bounced back to the sender.) Or to jela, or mets17, or donzta, or mikebarncat, or cougarsrun, or... you get the idea. There's a bunch of them. You'll almost surely catch a test from someone who has never tested my IP. Sometimes, like with mets17, you can identify the spammer sending the tests using Google.
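The "accept everything, deliver nothing" trap described in this post and earlier (a second box that takes all incoming mail and delivers none of it, then separates relay tests from the spam that follows) can be shown in a few dozen lines. As an added example that is not Jackpot, not the Proxypot, and not the author's own setup, here is a minimal Python SMTP honeypot: it answers 250 to every MAIL and RCPT (never the "550 we do not relay" that tells a spammer there is nothing here), records each transaction with the peer address, and classifies it as a relay attempt and, by a simple heuristic that is my assumption rather than Jackpot's rules, as a likely relay test. Nothing is ever delivered. The domain, the honeypot's IP and the port are assumptions for the example.

```python
import socketserver
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"honeypot.example"}   # mail for these is "ours"; anything else is a relay attempt
MY_IP = "203.0.113.9"                  # the honeypot's own public address (assumption)


@dataclass
class Transaction:
    peer: str
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    data: str = ""

    @property
    def is_relay_attempt(self):
        # Any recipient outside our own domains means the client wanted us to relay.
        return any(r.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS for r in self.rcpt_to)

    @property
    def looks_like_relay_test(self):
        # Heuristic (assumption): a single recipient that is the sender's own dropbox,
        # or a message that names our IP so the spammer can tell which relay worked.
        single_self = len(self.rcpt_to) == 1 and self.rcpt_to[0].lower() == self.mail_from.lower()
        return self.is_relay_attempt and (single_self or MY_IP in self.data)


def _addr(arg):
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b'."""
    return arg.split(":", 1)[-1].strip().strip("<>")


class HoneypotSession:
    """Minimal SMTP state machine: accepts everything, delivers nothing."""

    def __init__(self, peer):
        self.peer = peer
        self.txn = Transaction(peer)
        self.in_data = False
        self.completed = []

    def greeting(self):
        return "220 mail.honeypot.example ESMTP"

    def feed(self, line):
        """Return the reply for one client line (None while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.completed.append(self.txn)
                self.txn = Transaction(self.peer)
                return "250 OK queued"          # the lie: nothing is queued
            self.txn.data += (line[1:] if line.startswith("..") else line) + "\n"
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.honeypot.example"
        if verb == "MAIL":
            self.txn.mail_from = _addr(arg)
            return "250 OK"
        if verb == "RCPT":
            self.txn.rcpt_to.append(_addr(arg))
            return "250 OK"                     # never "550 we do not relay"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.txn = Transaction(self.peer)
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"                         # agreeable about anything else


def capture(peer, client_lines):
    """Drive a session from a list of client lines; return the completed transactions."""
    s = HoneypotSession(peer)
    for line in client_lines:
        s.feed(line)
    return s.completed


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        s = HoneypotSession(self.client_address[0])
        self.wfile.write((s.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = s.feed(raw.decode(errors="replace").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break
        for t in s.completed:   # this log line is what you report from
            print(f"{t.peer} from=<{t.mail_from}> to={t.rcpt_to} "
                  f"relay={t.is_relay_attempt} test={t.looks_like_relay_test}")


if __name__ == "__main__":
    # Unprivileged port; redirect 25 to it with your firewall.
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), Handler) as srv:
        srv.serve_forever()
```

Run it on a box with no real mail function, as the post advises, so that the only traffic it ever sees is from people who connect to an IP looking for a relay. The captured transactions (peer, envelope sender, recipients, body) are the evidence for the report to the source and dropbox ISPs; whether to go further and actually deliver the flagged test messages so the spam follows is a separate decision the post discusses, and this example deliberately does not do it.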
"Those filters need badly to be refined; they are not doing the job they were designed to do, which is simply to separate the spam from the valid mail."
My comment is hardly necessary but I fully agree. My ISP uses Brightmail and plenty of spam gets through. I approve of filters but the ideal for filters is to (1) block spam and (2) block nothing else. They need to constantly work on them - it is wrong to be smugly satisfied with a filter that blocks non-spam.
Let's be frank: the real value of the law is to make it too expensive and cumbersome for spammers to operate. They want to scream that they can't tell where the recipient is located, therefore the law shouldn't apply to them. California replies (I think) that that is their problem. The law is explicit, they have to follow it - the details are the problem of the spammers. They have the choices of making all spam comform to the California statute, to aggressively seek to determine which email addresses are in California and to stop spamming those, or give up spamming altogether. (Note: I didn't write the law: my opinions are not those of the legislature of California and can't be construed as such. Spammer attorneys who cite my opinion here as evidence of the intent of the law do so at the peril of their clients: that opens the door for a lot more of my opinions.) It is possible to adhere to the requirements of the law: the courts will not (I hope) give any great credence to the protestations of the spammers that it is too hard. It is not up to the government nor the ISPs nor the customers of the ISPs to make it easy for spammers to spam. A spammer who wants to get out a message is always free to buy newspaper or TV advertising - his right of commercial speech is not impaired. The spammer has no right of access to individual email mailboxes, no right to an unfettered ability to send spam wherever, whenever, in in whatever volume the spammer chooses. That right is fictional and exists only in the weak and twisted mind of the spammer. He can whine all he wants, neither that whine nor the expression of that whine in lawsuits or in legal defenses against laws such as the California law are going to grant the spammer rights he doesn't have, never did have. He's been pulling a scam. If that ends it is a good thing, not a bad thing - spammer whines of protestation notwithstanding.
"Digging through fake headers that really came off a home DSL routed through an open relay in China won't be worth it no matter what, no matter what they set it to because you'll never collect it. And the "company" will claim they never sent it, that someone illegally spammed on their behalf. On a good-bad dimension of course stronger fines are good. But it's a cardboard fence against an avalanch."
You should be happy to know that my home DSL system is receiving relay spam email from Taiwan (not exactly China but close enough) and that relay spam email is going noplace. In this case it's Chinese-language spam with the victims (those that I've seen when I browsed the spam) in Taiwan but the effect is what matters: the spam ain't goin' noplace.
There seem to be two broad options: continue to rail about clueless users who relay spam or do something against the spam by running a fake abusable system. I contend the latter does more to stop spam, but then I'm about to break my arm patting myself on the back. Still, maybe I have a point. What do you think?
"Junk snail mail causes more damage to our natural resources than electronic mail. Yet, we see spam as more of a problem. This shouldn't be right, should it? We can simply delete email, but paper & cellophane piles up in our backyard."
That's your "analysis," not mine. There are other issues than damage to natural resources (which I think you know full well.) Your "argument" is feeble and bogus. Nonetheless you're free to repeat it, free to lobby your state legislators to accept your point of view. Others are free to say your position is a crock.
I'd prefer a higher level of awareness among those at the relay level. That's just about everybody, by the way. There's not two separate internets, one with the spam victims and the other with the operators of the systems abused by spammers. Most people who bitch and whine about spam coming to their email mailboxes ignore their own real local opportunity to trap and discard spam (plus do various other things harmful to the spammers.)
Spam is a problem, it will take some small amount of work to fight it. While I type this my home system, on a 256 Kb/sec DSL line, is trapping spam from Taiwan and has been most of the day. I look at the honeypot web page once in a while, I look at the log in the Java window once in a while, otherwise the computer does the job without any attention from me. It's not at all difficult, it's not complex.
(I'd hoped to catch the FL spammer who's tested me twice recently. Maybe next time he tests I'll get him.)
jackpot.uk.net
If you want to run an open proxy honeypot (even more wicked) there's the "Bubblegum proxypot:"
I run a honeypot. If the spammer didn't use abuse to send his email I'd never touch it.
I touch a fair amount of spam. There is no, zero, zilch constitutional issue for that touching. Same for all the others who do the touching using honeypots - if the spammer wants to assert his constitutional right then he can send directly to the recipient. He has no constitutional right to use my equipment or anyone else's equipment in his spam scheme. The spammers who scream "constitutional right" conveniently forget to mention how they send their spam.
Scelscon's testimony in Washington was that ISPs should be forced to deliver the spam. That's not asserting a constitutional right, that's trying to escape ISPs having the right to control their own networks.
Just because I have an email mailbox there is not created a right for anyone who wishes to send email to that mailbox nor any right to require its delivery. The email mailbox exists for my convenience and is not the spammers nor TrustE's nor Microsoft's nor anyone else's to authorize as a spam destination. I've not granted any such right to TrustE, etc. and I will not grant such a right. "trusted sender" is hogwash, and that's a polite term in place of what it really is.
Of course there's also a court decision that says the ISP is not obligated to accept the spam.
"But this measure will lead to increased non-spam traffic, as legitimate mailers have to queue legitimate messages and resend them."
You make sense.
"And it's ineffective because there is no reason why spammers wouldn't just re-send the same message; this method increases the cost for spam and non-spam messages equally."
Spammers already do resend. If the method burdens non-spam then I agree that's a minus. The re-sending of spam seems to be what currently happens. I can't say what the reason is that spammers send the same spam again and again (I know what a message from "Frank" is going to say) but resending definitely is done already.
(Serious question.) Has the spam volume slacked the last few days? Despite what some might claim the specter of Microsoft suing and winning ought to make some spammers stop, at least until they can remove all traces of US origin for their spam. May their lawyers (if any) advise them that's too late: if MS can trace them they could be next if they've spammed MSN or Hotmail addresses.
"I think these people haven't thought through the issue as fully as they could."
Amen. It's a programmers' feast: pick an idea and start coding - before any real analysis.
Make that a bad programmers' feast. Come to a hard point to analyze? No problem: make up something plausible (to yourself, at least) and go right on working on what you want to do.
Heck, RFC 2505 said in plain language that securing open relays was not an effective anti-spam method. Did that matter? Humph. "They" proceeded to demonize open relay operators and to demand obedience to "their" orders. There was a point to securing open relays - no doubt about that - but securing was not a method to end spam. Still, years were frittered away on "secure your open relay." "550 we do not relay" tells a spammer all the useful information that he needs to know about an IP when he's looking for open relays. That's still mostly the standard action for a secure MTA.
When all the secure relays say they're secure it's no great challenge to pick out the insecure, true open relays. No matter: give that gift to the spammers. It's more important to get every operator to obey than it is to end spam.
I think we agree: if every mailbox were protected by a good DNSBL then spam would have to die. That's not the goal, apparently - there's no effort expended to extend DNSBL coverage.
What do you think of DCC? It apparently creates a need for some whitelisting but it's automated - no constant need for human action to get spam identified. That's another problem: relying on humans to do the detail work. What are computers for if not to do the detail work? Why would anyone ever want to run a DNSBL that necessitated near-constant human effort? We need more lazy people - let the computer do the work.
You're right, I missed that.
Go ahead: do it, run one. I did for years. How open do you want the relay to be? I must admit mine was truly open only to local users for whom I added a filter rule to let them through (and one remote user, for a while) but I didn't really want a truly open relay, just one open locally. I could have used send-after-receive if I'd had the right MTA software but I didn't have that so I had to improvise.
There's two ways that could work: if you could reliably identify spam or if you could reliably identify non-spam. Either discrimination could be based on multiple criteria.
In general the philosophy you seem to be expressing is admirable, and better than the philosophy that has prevailed for years. "They" say eliminate all the open relays. You seem to be suggesting you want to make the open relays selectively unavailable to spammers. They give up, you don't. They give control to the spammers, you keep control. I'm for your approach: it doesn't cower. I'm tired of people who cower before the spammers. We're right, they're wrong. We have the strength of numbers, the moral strength, the intellectual strength. The spammers win only because we (stupidly) choose to not wield our power in an effective manner.
I may be reading too much into what you say - I won't get my feelings hurt if you correct me. (Not that I think you should care a bunch about whether you did.)
"With all of the naysayers that come out and scrutinize every idea to the 't', it's a wonder we ever get anything done at all."
Tell me about it. Uh, what do you see that has gotten done?
As a test once I posted 2 + 2 = 4. Naysayers volunteered. I knew they would.
What we need is a posting for which a naysayer's response will destroy that naysayer.
(Yeah, I know. "That will never work.")
"Spam guards and spam co-evolve. Since greylisting is easy to get around by spammers, if it becomes widespread, spammers will take measures to avoid it, and the net result will be a lot of extra traffic."
"A lot of extra traffic"? Have you seen what's happening lately? Every anti-spam measure will lead to increased spam traffic, and the spam traffic has increased. The "extra traffic" argument is meaningless. If there's a flaw it would be that greylisting puts more of a burden on anti-spammers than is justified on the basis of the burden that it puts on spammers. I see nothing that approaches an analysis on that basis. If there's a claim that spam will be stopped without effort or cost that seems to say everyone can just stop all efforts and spam will disappear. In time that will probably even work. Do we want to wait that long or do we want to kill spam today?
"It wouldn't be that hard for them to act like a legit MTA to get around this problem..."
How hard is that hard?
If they spam through an open proxy to open relay path, as many do, just how does the failure information get back to them? Valid return address? That gives away something about the spammer.
"That said, it will make spammers lives much more difficult, and requires them to identify themselves. So this could be helpful, in concert with other tools."
I take it as a given that any proposed technique is proposed as an addition to the arsenal unless it specifically knocks out some existing tool.
I think that any analysis that says "the spammers can learn this is being done and compensate" needs to show what the spammers need to do to compensate and how much more, if any, that compensation costs the spammer. Isn't that a reasonable expectation?
"To assume that a human will always be 100% accurate at classifying their own email isn't just arrogant, it's plain wrong."
Yeah, OK. It's not like arrogance doesn't show up all over the place anyway.
I use human classification (I guess) of email to identify spam and it is 100% accurate. That's because I let those who are best at identifying spam do it: the spammers. I trap relay spam, only spammers attempt to send through open relays such as the one I fake. Presto: 100% accuracy, and no actual filter at all.
Sure, if you restrict yourself to fighting spam with your own email you have possible classification problems. I do it for other people's spam, and I get 100% accuracy, always. That's what spammers try to relay through my system: other people's spam.
There's easy and there's hard. What I do is easy. I prefer easy.
What's hard is getting other people to do what's easy. There's a nifty paradox for you.
"Eh, open relays are soooo 20th century. :)"
Like dial phones, eh?
When the open relay DNSBLs are shut down because they no longer do anything useful then you'll know open relays are no longer a problem. I've got a (Taiwan) spammer trying to send spam through my fake open relay right now. I've wanted to catch the spammer who tests from 4.46.13.179 but so far he's slipped the hook. I just keep getting this #$@#!@# Taiwan spammer.
There's two ways to know when open relay abuse is over. The first is as above: when the open relay DNSBLs shut down because they're idle you'll know. The other way is to watch the spammers look for open relays yourself, on your own system. (Same for open proxies, incidentally.)
If you'd set up your own open relay honeypot maybe you'd catch the 4.46.13.179 tester. That would be fine with me: I want him caught and I don't care who does it. If you'd set up your own honeypot you'd almost surely catch somebody, even if not that particular spammer. Why not give it a try? It's a bit of a rush to know you've outsmarted somebody who thinks he's smarter than you are.
"As long as knowledgeable internet security experts are getting paid good cash to enable spammers, and SMTP doesn't change, spam will only continue to get worse."
Oh, foo. What these experts know that's most valuable to them is that essentially nobody pays attention to the huge level of spammer abuse that the spammers commit to send their spam. Beyond the impotent "secure your open relay" campaign that they were told from the start wouldn't work 99.99% of the operators pay no attention whatsoever to the spammer abuse. It isn't that the spammers are so clever (that's a self-serving tale told by careless administrators.) The problem is that the abuse is easy because almost nobody pays attention. Spammers get away with the simplest possible abuse - there's not yet even a challenge in it for them to exercise those claimed intellectual powers.
Those reading this who have any kind of permanent internet connection probably do not know about or attend to the open relay and open proxy tests spammers make on their systems to see if the systems can be abused. It's obviously not enough for most people to be secure (look at how things are - is spam succeeding?) but few will take the obvious and easy step of acting in some manner, no matter how slight, to counter that abuse. How much trouble is it to find the sources and destinations of open relay test email messages and report them? How much trouble is it to find proxy port scans and report them? Apparently so much trouble that those who don't do it would rather have the spam than take the trouble.
jackpot.uk.net
http://world.std.com/~pacman/proxypot.html
By this evening you could be set up to see and counter the most common spammer abuse. Most likely you won't do it. It's an opportunity to act as a single, isolated system and have possibly a big effect against some spam or, if enough others do the same, spam itself. If you run Windows and are competent enough to install a JVM and Jackpot please do it and start up Jackpot. Start it in the default mode: that delivers nothing, you are not risking very much at all. Just trap some spammer relay tests so you see what they're like, how often they occur, where they originate and where they go. You'll know as much as any so-called spammer "expert" in under a week.
How do you find out where the spam originated?
Be where the spammers connect first.
This honeypot:
http://www.corpit.ru/cgi-bin/h0n5yp0t
knocked Ralsky off three separate ISPs in one weekend. The story is a bit more complex than just that but what I say is true.
Next question.
If any of you would bother to look you would find, unless you're on a dialup (and sometimes even dialups get hit) that if you have a real IP some spammer, sooner or later, usually within a day, will check to see if you have an open relay or open proxy. It's not hard: ZoneAlarm is enough. I see, for instance, that 12.145.146.25 was sniffing around my proxy ports earlier today (3128 and 1080). I'll report this to ATT.
I'm patiently waiting for someone to check to see if I'm an open relay. Depending on what I learn I'll take appropriate action.
But I'm just a guy. Why don't ISPs do some simple traffic analysis and find the abuse traffic and its source? This holds particularly for ISPs outside the US but if any ISP anywhere would just watch the spammer-specific abuse traffic that ISP could whack the spammers very hard.
I realize some would rather sit on a self-made throne and say the problem is those who are dumb (er than the guy on the throne) and have open relays and/or open proxies but that approach hasn't done anything to stop spam, whatever it does to build up the throne occupant's ego.
For an open relay honeypot see
http://jackpot.uk.net
For an open proxy honeypot see
http://world.std.com/~pacman/proxypot.html
Don't listen to the people who say stopping spam is hard - their next statement is usually that if you'd do something that makes them a lot of money then spam will end. Do something easy, something that makes nobody anything: stop the abuse. It is easy and just about everybody can join in. Take a first step: load Jackpot (you also need a JVM), run it, and trap some relay test messages. Find out what spammers are doing to test your own IP - that's an opportunity only you can seize (well, you or your ISP).
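The proxy-port and relay probes described above (ZoneAlarm showing someone "sniffing around" 3128 and 1080, the relay tests on port 25) can be pulled out of an ordinary firewall log. The Python below is an added example, not code from any post here; it assumes iptables-style `SRC=`/`DPT=` log lines, constructed sample entries in documentation address ranges, and a `min_ports` threshold of my own choosing.

```python
# Spot open-relay / open-proxy probing in iptables-style firewall logs.
# Added example (not from any post here); log lines below are constructed.
import re
from collections import defaultdict

# Ports the thread describes spammers probing: SMTP relay, SOCKS and HTTP proxy.
ABUSE_PORTS = {25: "SMTP relay", 1080: "SOCKS proxy", 3128: "HTTP proxy"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> dict:
    """Return the KEY=VALUE fields of one iptables LOG line (empty dict if none)."""
    return dict(FIELD_RE.findall(line))


def probing_sources(lines, min_ports: int = 1) -> dict:
    """src_ip -> sorted list of abuse-relevant TCP ports that source probed.

    min_ports is an assumed tunable: require hits on that many distinct
    ports before a source is reported (1 = report any single probe).
    """
    hits = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue
        port = int(f["DPT"])
        if port in ABUSE_PORTS and f.get("SRC"):
            hits[f["SRC"]].add(port)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_ports}


def abuse_report(lines, min_ports: int = 1) -> list:
    """One plain line per probing source, ready to paste into an ISP report."""
    return [ip + " probed " + ", ".join(f"{p} ({ABUSE_PORTS[p]})" for p in ports)
            for ip, ports in sorted(probing_sources(lines, min_ports).items())]


# Constructed kernel log excerpts in the field layout iptables LOG uses.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4431 DPT=3128 SYN",
    "kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4432 DPT=1080 SYN",
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=5100 DPT=25 SYN",
    "kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=5101 DPT=443 SYN",
    "kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=3128",
]

if __name__ == "__main__":
    for line in abuse_report(SAMPLE_LOG):
        print(line)
```

The HTTPS hit and the UDP packet are deliberately ignored so that only TCP connects to the relay and proxy ports end up in the report.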
"My organization has roughly 120 Internet email users and a quick grep -c of the logs reveals that in the last week my server has denied 700 messages from open relays or known sources of UCE."
Yes, and my ISP, which uses Brightmail, lets through tons of crap. I know a message from "Frank" is going to tell me I should enlarge my penis. Brightmail doesn't.
For what you do (use a blocklist) the solution would seem to be faster addition of IPs to the blocklists. All those IPs that are sources of the spam to you - those should be listed instantly. It appears that much of the current anti-spam technology is grossly labor-intensive: somebody has to look at the spam and then enter the source IP in the blocklist. Why is there no way you could at least send the IPs you've seen as sources directly to a listing service that would automatically list them? Why is there (apparently) no listing service that uses a DCC front end - one that recognizes spam by its checksum and then adds the source IP to a blocklist if it isn't already there? If DCC fails because of spammer cleverness why isn't there a listing service that uses Bayesian filters to identify the spam?
Getting back to your system and logs, how many relay attempts did you reject last week? Most of these surely are spammers who are looking for new open relays. If your company had a second box with a different IP that just accepted all incoming email and delivered nothing you'd very quickly build a database of which spammers (identified by source IP and by test email destination or bounce address) are testing your IP space. You almost have that in your logs anyway - the second system means you'll trap the messages and be sure they are tests. You'll also learn what spammer tests look like. That's a big part of the spam problem - shouldn't people know what the spammers do?
I advocate honeypots but I have no monetary attachment to them - I'll make $0 from them whether they are used or not. I have no problem with them being unused and instead for a really effective blocklist plan to be implemented. If every spam source were listed and if every mailbox were protected by a blocklist then no spam would get delivered. ASRG could be working on such a solution, even as a temporary stopgap, but they aren't.
Blocklists get encumbered with extra stuff. The first encumbrance is the nasty attitude toward the listee: he's dirty and he should remain on the list forever - that sort of thing. That interferes with the function, which is: block spam. The blocklist is not a means of punishment - forget that. I'd say the effective blocklist would use automated techniques to list IPs and would age off IPs very quickly - in a day or less. Ageing off is OK: if spam comes again from the IP it will again be listed - listing is automatic in my scheme. What's really needed most is a list of trusted sources for the bad-IP information. You know you can be trusted (I think) - the problem is that of how the listing organization knows you are to be trusted (to send accurate information on which IPs should be blocked.) There may be a good start: if AOL, MSN, and Hotmail are going to trust each other that should lead to a large proportion of the mailboxes being protected. How do others get into the system?
Some spammers probably consult lists of open relays to find ones to exploit. Who monitors the pattern of inquiries to blocklists? Which open relay blocklists salt the lists with honeypot addresses?
There's tons that could be done that isn't, lots of it very easy to do. Where's the discussion on those things? NANAE? No. ASRG? No. Where?
Sure. Distrust in the nodes, trust in the people. Ship sendmail so the default is to relay. Transmit unencrypted. Have RFCs - follow them voluntarily.
Trust.
So the early model was that the people could be trusted, the technology couldn't. Now the model being pursued is one in which the technology is trusted, the people aren't.
Meanwhile anyone with a spare Linux/Unix box can trap spam by configuring the MTA (possibly sendmail) to accept everything and deliver nothing. It's boringly simple.
(As described you mostly just trap relay tests. Deliver one of those and you'll very likely see spam follow.)
My model is to not trust the people, too, and to devise ways to interfere with what the ones who don't deserve trust do to stop them. My model is also to destroy the trust of the wrongdoers in the rest of us: we won't willingly let them get by with their abuse.
Too much effort could be put into describing the grand scheme in some clever way - there should be a balance in which a fair amount of effort goes into stopping the spammers.
The internet started on a model of trust. We know we can't trust the spammers and we knock ourselves out trying to implement that distrust. All the while we operate in a manner the spammers can fully trust: if a system says it's an open relay it really is, if a system is secured against being an open relay it proudly proclaims as much. We're just as honest about open proxies. We assist the spammers thousands of times a day by being trustworthy. Isn't that exactly why they find it so easy to commit abuse? We keep being honest and trustworthy with the spammers - we help them. Stop doing things that lead to our being hurt, start doing things that hurt the spammers. It's an easy and logical progression to make.
It's time to destroy the spammers' trust in us. This should have no impact on anything legitimate: it's targeted on the spammers. Those who never go looking for open relays will never be deceived by fakes - it's only the spammers who fall victim to the deceit. Same for open proxies - who goes looking for them other than abusers? Doesn't that seem to be exactly right - harm those who would do harm, don't touch the rest? There are behaviors that only spammers exhibit. Target those, make life miserable for the spammers.
The ASRG methods, all of them, are designed to be the same for everyone - they are targeted on what spammers and non-spammers do in common and then are supposed to make use by the non-spammers impossible. To do that everything will have to be changed. That will take years and it will take nearly full compliance to be effective. It will be like the "secure open relays" campaign of a few years ago. To actually stop spam that had to be universal, or very nearly so. Instead there are still hundreds of thousands of open relays, more pop up every day. How many years for full compliance? Alternately there may have to be a D-day for a total switchover - a source of huge complexity and disruption. Before committing to that isn't it necessary to make sure there is not something less drastic which will work to end spam?
If instead people opposed to spam change their behavior toward the things spammers and only spammers do then ordinary email can be left as it is - if those behavior changes end spam. Foremost of the behavior changes would be stop ignoring spammer abuse. Spammer abuse is an easy target, an easy path to hitting spammers and completely missing non-spammers. Spammers have two choices: spam direct or spam via abuse. If you knock down spam via abuse then they're left with direct spam. That you can hit adequately using blocklists. ASRG wants to make spam impossible by making every single spam message impossible. That's overkill - it's only necessary to make spam cost more than it returns. That can be done - without a total reengineering of the system.
The big question is: are anti-spammers smart enough to stop spammers by going after the abuse? I say they are, when you include in "anti-spammers" all the people that do not like spam. The alternative position would seem to be that anti-spammers are smart enough to stop spam by changing the entire internet but not by doing anything lesser. I can't agree to that - not unless those limited-intelligence people explain why that is. Isn't there the roots of a paradox in that?
"Sending mail through an open relay isn't wrong or a crime or whatever."
... Ah - getting them terminated - that's where you believe I think that. No, in the case I just described (open proxies as sources) I pretty much sigh and give up (I'm lazy.) Now if I ran an open proxy honeypot lots of times I'd see the real spammer IP (I might have to be outside the US for this to consistently work. This is a hint to those outside the US.) In the past there have been many times when the spammers sent the relay spam direct to the open relay (no open proxy involved.) That's when they got terminated.
It's been enough, time after time, to get an ISP to boot a spammer. Including Rizler and Ralsky. It's abuse, too. As abuse it's perfectly within the rights of the owner of the system being abused to not deliver the spam and to give no notice of non-delivery. If you do this on a system with no real email function you will almost certainly never touch any valid email. Only by very strange circumstances should valid email ever come to a system you just set up to listen on port 25. I had a system with all email directed away from it by MX records. Spammers, who connect by IP number, still reached it.
"Only the actual spamming can be grounds for account termination."
Wearing plaid can be grounds, if the ISP says so in the TOS. In any event you're wrong. I'll give you the plaid - I doubt many ISPs care.
"Besides, what makes you think that they probe from the same account which is shortly thereafter used for the actual spamming?"
Where do you get the notion I do think that? What do I care - they probe from IP A, find an "open relay," start sending spam through open proxies B, C, D, E, F, ... you get the idea. There's a bunch of them. You'll almost surely catch a test from someone who has never tested my IP. Sometimes, like with mets17, you can identify the spammer sending the tests using Google.
If the trapped spam contains anything I can use against the spammer then I'll do that.
At this time many still test from their own IPs (sometimes registration information shows that, sometimes the constancy of IP for the same test strongly implies that.) Get tests from the same IP month after month to mets17@erols.com and you think pretty surely that IP belongs to the spammer. Could be wrong but it's enough reason to ask the ISP to take a look.
"Even if almost every ISP made SMTP scanning a violation of their TOS, that wouldn't stop the spammers: They would simply scan from spammer-friendly ISPs and spam from other ISPs as usual."
You have to think of every possible way to screw the spammers when they test - your goal isn't merely to get the account used to do the scanning closed (you want to do something that really hurts them - or should.) If the tests go to freemail providers then you want the freemail provider to divert the messages. If the spammer sends tests to himself, at his own domain, you probably want to deliver the tests. Then you don't deliver the spam that follows. Why do you care if he tests from a spam-friendly domain - you've screwed him even if he does. You also want the universe of actions taken to be mixed - you don't want the spammer to ever easily figure out what is happening. Remember - he's doing things no honest person does. If you screw with people who do these things you only hurt them - not your honest peers.
You can just intercept the tests and do nothing at all. The spammer can't tell whether that's what you are doing, whether you are reporting them to his ISP and to the dropbox provider, or whether you are an open relay and the ISP that controls the dropbox is screwing with the messages. You may not then be doing much but you'll be doing something, which in this area of spam fighting puts you well above just about everyone else.
I stopped spam to about 330,000 people this weekend. Wasn't that worth doing? I realize it's a tiny fraction of the total spam but it's more than my share. If 0.1% of the systems on the internet were as successful at stopping spam then there'd be far less spam ever reaching the filters, let alone recipients. I'm not done with my use
"If you have an idea for a completely new system that doesn't suck in the ways above, I'd like to hear it. But I haven't heard of one yet..."
Stick with SMTP, stop being such utter idiots about spammer abuse. To succeed the spammers have to send a lot of probing packets to IPs everywhere. Quit ignoring those probes.
No new protocol required, nothing centralized, no disruption from a switchover, nothing that makes email a pain in the ass (instead it makes spamming a pain in the ass - to spammers).
It's doable by end-users, it's doable by ISPs. Start today - spam will be devastated in a month.
It's exactly what you want. Stop ignoring spammer abuse. LOOK at the log entries for bounced relay messages, report them to the source ISP and to the destination ISP. Suggest to the destination ISP that the best thing to do, if compatible with their TOS, is to wipe the mailbox and divert future messages from it. As a bonus the destination ISP can find the IPs of the messages to that email address and submit them to an open relay blocklist.
Plus other things that will occur to you once you are rolling - it's not rocket science. In general you want (a) to lie to the spammer whenever possible, (b) to interfere with spam delivery whenever possible, and (c) to notify as many ISPs as possible about the spammer tests and spam.
Open relay honeypots, open proxy honeypots - these are powerful weapons. There's not yet a download for everyone but there are these:
http://jackpot.uk.net
world.std.com/~pacman/proxypot.html
Go get 'em!
If you're going to think (which is good) why not think more? There are two aspects to the open relay problem, for instance. These are:
(1) Open relays exist.
(2) Spammers can find them.
The campaign to secure open relays aims strictly at (1). The campaign also ignores RFC 2505, which says this is not the way to stop spam, because of (2).
So if attacking (1) doesn't work isn't it logical to try to attack (2)?
Spammers have an unbelievably easy task when it comes to finding open relays. They just try to relay through a whole bunch of IPs. The ones that deliver the test message are the open relays.
So one way to fight (2) would be to make it untrue that the systems that deliver the test messages are open relays. How? Easy - set up systems that accept and deliver spammer test messages and accept and don't deliver everything else.
Argue with me if you want but I'm up over 284,000 recipients in the spam I've been trapping since Saturday morning. If you think it's hard to identify spammer relay test messages maybe you should trap some for a while and see if it is hard. I am trapping the spam using Jackpot:
http://jackpot.uk.net
Jackpot does OK at identifying spammer test messages. It's failed to identify a few (so it didn't deliver them) but the volume of spam is such that it hardly matters.
It's all spam from Taiwan to Taiwan recipients that I'm trapping (based on sampling: I've not checked all the recipient addresses.) I'd rather it were otherwise but in this game you stop what comes to you and hope the next guy will get what isn't being sent to your trap.
That reminds me: there are currently several openings for being "the next guy." Why not give it a try? At least just trap some test messages - Jackpot in its default delivered state delivers nothing - you're safe from any risk of getting on a blocklist.
See if you get any tests to the insulting/threatening fake address sent by the guy in California (I think his tests work by their being bounced back to the sender.) Or to jela, or mets17, or donzta, or mikebarncat, or cougarsrun, or ... you get the idea. There's a bunch of them. You'll almost surely catch a test from someone who has never tested my IP. Sometimes, like with mets17, you can identify the spammer sending the tests using Google.
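The triage the posts above describe (deliver the spammer's relay test so the box still looks open, trap the bulk run, and collect what the source ISP and the dropbox's ISP need to hear about) as an added illustration, not Jackpot's code; the session records are constructed and the test-detection heuristics are an assumption, not Jackpot's actual rules.

```python
"""Toy triage of an open-relay honeypot's session log (added example)."""
from collections import defaultdict
from dataclasses import dataclass

HONEYPOT_IP = "192.0.2.10"  # documentation address standing in for our own IP


@dataclass
class Session:
    src_ip: str        # IP that connected to the honeypot (source ISP to notify)
    mail_from: str     # SMTP MAIL FROM
    rcpt_to: list      # SMTP RCPT TO addresses
    body: str


def is_relay_test(s: Session) -> bool:
    """Assumed heuristic: a probe has a single recipient and either loops back
    to its own sender or carries the honeypot's IP so the prober can tell
    which relay delivered it. Anything else is treated as a bulk relay run."""
    if len(s.rcpt_to) != 1:
        return False
    rcpt = s.rcpt_to[0].lower()
    return rcpt == s.mail_from.lower() or HONEYPOT_IP in s.body


def triage(sessions):
    """Per source IP: count probes (delivered, per the honeypot policy in the
    posts) and bulk runs (trapped), tally recipients spared, and collect the
    dropbox addresses whose ISP should be asked to wipe the mailbox."""
    report = defaultdict(lambda: {"tests": 0, "bulk": 0,
                                  "trapped_rcpts": 0, "dropboxes": set()})
    for s in sessions:
        entry = report[s.src_ip]
        if is_relay_test(s):
            entry["tests"] += 1
            entry["dropboxes"].add(s.rcpt_to[0].lower())
        else:
            entry["bulk"] += 1
            entry["trapped_rcpts"] += len(s.rcpt_to)
    return dict(report)


# Constructed log: a tagged probe, a self-addressed probe, and one bulk run.
SAMPLE = [
    Session("198.51.100.7", "test@example.net", ["drop@example.net"],
            f"relay check {HONEYPOT_IP}"),
    Session("198.51.100.7", "x@example.org", ["x@example.org"], "ping"),
    Session("203.0.113.9", "promo@example.com",
            [f"u{i}@example.com" for i in range(500)], "buy now"),
]

if __name__ == "__main__":
    for ip, e in triage(SAMPLE).items():
        print(ip, e["tests"], "tests,", e["bulk"], "bulk run(s),",
              e["trapped_rcpts"], "recipients trapped, dropboxes:",
              sorted(e["dropboxes"]))
```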
"Those filters need badly to be refined; they are not doing the job they were designed to do, which is simply to separate the spam from the valid mail."
My comment is hardly necessary but I fully agree. My ISP uses Brightmail and plenty of spam gets through. I approve of filters but the ideal for filters is to (1) block spam and (2) block nothing else. They need to constantly work on them - it is wrong to be smugly satisfied with a filter that blocks non-spam.
Let's be frank: the real value of the law is to make it too expensive and cumbersome for spammers to operate. They want to scream that they can't tell where the recipient is located, therefore the law shouldn't apply to them. California replies (I think) that that is their problem. The law is explicit, they have to follow it - the details are the problem of the spammers. They have the choices of making all spam conform to the California statute, to aggressively seek to determine which email addresses are in California and to stop spamming those, or give up spamming altogether. (Note: I didn't write the law: my opinions are not those of the legislature of California and can't be construed as such. Spammer attorneys who cite my opinion here as evidence of the intent of the law do so at the peril of their clients: that opens the door for a lot more of my opinions.) It is possible to adhere to the requirements of the law: the courts will not (I hope) give any great credence to the protestations of the spammers that it is too hard. It is not up to the government nor the ISPs nor the customers of the ISPs to make it easy for spammers to spam. A spammer who wants to get out a message is always free to buy newspaper or TV advertising - his right of commercial speech is not impaired. The spammer has no right of access to individual email mailboxes, no right to an unfettered ability to send spam wherever, whenever, in whatever volume the spammer chooses. That right is fictional and exists only in the weak and twisted mind of the spammer. He can whine all he wants, neither that whine nor the expression of that whine in lawsuits or in legal defenses against laws such as the California law are going to grant the spammer rights he doesn't have, never did have. He's been pulling a scam. If that ends it is a good thing, not a bad thing - spammer whines of protestation notwithstanding.
"Digging through fake headers that really came off a home DSL routed through an open relay in China won't be worth it no matter what, no matter what they set it to because you'll never collect it. And the "company" will claim they never sent it, that someone illegally spammed on their behalf. On a good-bad dimension of course stronger fines are good. But it's a cardboard fence against an avalanche."
You should be happy to know that my home DSL system is receiving relay spam email from Taiwan (not exactly China but close enough) and that relay spam email is going noplace. In this case it's Chinese-language spam with the victims (those that I've seen when I browsed the spam) in Taiwan but the effect is what matters: the spam ain't goin' noplace.
There seem to be two broad options: continue to rail about clueless users who relay spam or do something against the spam by running a fake abusable system. I contend the latter do more to stop spam, but then I'm about to break my arm patting myself on the back. Still, maybe I have a point. What do you think?
"Junk snail mail causes more damage to our natural resources than electronic mail. Yet, we see spam as more of a problem. This shouldn't be right, should it? We can simply delete email, but paper & cellophane piles up in our backyard."
That's your "analysis," not mine. There are other issues than damage to natural resources (which I think you know full well.) Your "argument" is feeble and bogus. Nonetheless you're free to repeat it, free to lobby your state legislators to accept your point of view. Others are free to say your position is a crock.
Your position is a crock, by the way.
Maybe this applies:
Ferguson v. Friendfinder, Inc., Case No. A092653
http://www.timothywalton.com/ferguson.html
(Thank you, Mark Ferguson, for going to the trouble of following this case through. For that matter, thanks for starting it.)
I'd prefer a higher level of awareness among those at the relay level. That's just about everybody, by the way. There's not two separate internets, one with the spam victims and the other with the operators of the systems abused by spammers. Most people who bitch and whine about spam coming to their email mailboxes ignore their own real local opportunity to trap and discard spam (plus do various other things harmful to the spammers.)
Spam is a problem, it will take some small amount of work to fight it. While I type this my home system, on a 256 Kb/sec DSL line, is trapping spam from Taiwan and has been most of the day. I look at the honeypot web page once in a while, I look at the log in the Java window once in a while, otherwise the computer does the job without any attention from me. It's not at all difficult, it's not complex.
(I'd hoped to catch the FL spammer who's tested me twice recently. Maybe next time he tests I'll get him.)
jackpot.uk.net
If you want to run an open proxy honeypot (even more wicked) there's the "Bubblegum proxypot:"
world.std.com/~pacman/proxypot.html
I run a honeypot. If the spammer didn't use abuse to send his email I'd never touch it.
I touch a fair amount of spam. There is no, zero, zilch constitutional issue for that touching. Same for all the others who do the touching using honeypots - if the spammer wants to assert his constitutional right then he can send directly to the recipient. He has no constitutional right to use my equipment or anyone else's equipment in his spam scheme. The spammers who scream "constitutional right" conveniently forget to mention how they send their spam.
Scelscon's testimony in Washington was that ISPs should be forced to deliver the spam. That's not asserting a constitutional right, that's trying to escape ISPs having the right to control their own networks.
Just because I have an email mailbox there is not created a right for anyone who wishes to send email to that mailbox nor any right to require its delivery. The email mailbox exists for my convenience and is not the spammers nor TrustE's nor Microsoft's nor anyone else's to authorize as a spam destination. I've not granted any such right to TrustE, etc. and I will not grant such a right. "trusted sender" is hogwash, and that's a polite term in place of what it really is.
Of course there's also a court decision that says the ISP is not obligated to accept the spam.