You're wrong. States routinely assert "long arm" jurisdiction. Defendants try to use your defense, don't often get state supreme courts (e.g., CA's) to agree that CA laws have no force.
Re:client filtering is just wrong approach
on I, Spammer · Score: 1
"That spam email should never be sent, period. It should not ever proceed across the internet whose bandwidth is being paid for by millions of users, providing benefit to the sender. It should never touch the hard disk of a server."
And politicians should never lie.
"In addition, it simply takes too much sophistication for the VAST majority of email users to properly set up filters."
OK. I can't give you all you want in paragraph one but I can bring you closer to it. For paragraph two it should be possible for the upper 50% at least of the user population to do what I advocate, which is to stop the spam at the relay (or proxy) level. Do this by setting up fake open relays and fake open proxies. That means the spam does travel at least to the fake system. It never reaches an email server, so you've partly got your wish.
Right now for fake open relays there's Jackpot. Most reasonably capable people can download that, install that, download a Java Virtual Machine (if needed), install that, and then configure and run Jackpot. The configuring of Jackpot isn't hard but it would be much easier for Jackpot to be configured as needed before it is downloaded. Then it's just download, install, run to make it go. Get the ball rolling and that will happen quickly: there will be a pre-configured version.
That's http://jackpot.uk.net
Linux heads can run the Bubblegum proxypot: http://world.std.com/~pacman/proxypot.html
As Senator Schumer says, it's time to take back the internet. This is how. Wait for the government to do it and you'll get what the government does. That probably won't be fully satisfactory.
You could be successfully sued by the spamees (?).
OK, but why sue fellow victims and not sue the spammers and their ISPs? WHY? The problem is the spammers, not the open relay (and don't forget open proxy) operators whose systems were abused by the spammers sending the spam. Suing the operator of an open relay just perpetuates the mis-focus of the anti-spam movement. It isn't the fault of the open relay operator that there's a spammer sending spam.
Furthermore most open relay operators surely have "shallow" pockets. Even with the waves of bankruptcies the ISPs have deeper pockets. They allow the abuse of their systems (many spammer relay tests come directly from the spammers' IPs on major ISPs); the ISPs are negligent.
Talk to a lawyer. Which is the better target for a suit - open relay operator or spam-tolerant ISP?
(The spammers would probably be delighted to see the victims going at each other while they continued to spam. Not a pretty picture.)
"just out of curiosity, why would any mail admin want to have an open relay?"
Probably most simply don't know any better. A few may think it's necessary so that their users can still send email from roving laptops (it isn't necessary.) Some may be so offended by the high-handed and offensive email messages lambasting them for the open relay they get that they continue to do it out of spite.
I did it to attract spam. Of course it wasn't quite as "open" as the spammers thought - their mistake. It was only "open" for spammer test messages.
This year it's been even less open - I only deliver selected ones of the spammer test messages (they come at a rate of about 100/month.) That way I can associate a particular test with the spam that follows.
It's not rocket science - any halfway (or better) capable computer user can do the same thing. Windows user? Even better - you've probably got nothing currently listening on port 25: it's free for fun and games against the spammers.
Let me summarize it this way. If you are a systems administrator of ANY kind then you WILL NOT be running an open relay. If you are then you truly are incompetent and have absolutely no business running any system. I can think of more than a few people from over the years that meet these criteria. Incompetence doesn't appear to be a dying disease.
RFC 2505 says:
"The Non-Relay rules are not in themselves enough to stop spam. Even if 99% of the SMTP MTAs implemented them from Day 1, spammers would still find the remaining 1% and use them. Or spammers would just switch gear and connect directly to each and every recipient host; that will be to a higher cost for the spammer, but is still quite likely."
If you wish to help in the pursuit of the goal of stopping spam you'll have to do more than crow about how superior you are to those operators who haven't secured their open relays.
First of all this scapegoating of open relay operators hasn't worked to stop spam (the real goal) in all the years it's been practiced by the private sector (MAPS and successors/imitators.) Shouldn't the FTC read and understand RFC 2505, just like anyone else should? It says the relay rules won't work to stop spam, remember? Most open relays have been because the operator ran the software as shipped. I at one time managed Unix systems from 4 vendors, all with sendmail configured open. I can't recall a message from any of those vendors, ever, telling me they'd shipped a badly-configured sendmail. I got no feedback or warning from anyone until after I'd already taken my own action - and that feedback was wrong.
Second, all the attention on open relays has caused a partial shift of the spammers to use of open proxies. If the FTC were serious about this shouldn't they also draft a letter to send to open proxy operators?
Third, you can't ever expect the FTC to recognize this but an open relay operator is ideally placed to cause a spammer serious harm. Here's where it really pays to think. Many of the open relays are just Unix/Linux boxes with trivial or non-existent email tasks but that are running an MTA because it's the default. It's easy and worthwhile to secure these the "standard" way but it's even better to convert them to honeypots. The longer the spammer has abused them the better that would be. Secure it the "550 we do not relay" way and the spammer spends microseconds longer on that system - it costs the spammer nearly nothing to stop sending spam to it. Configure it to accept but then discard (or simply archive) the spam and the spammer can waste a lot of effort and resources sending it spam. Finally the spammer will recognize it doesn't relay. How will the spammer know when the change occurred? And the operator then has all that spam to examine. If the operator can trace the spam back to its origin (which may be hard - many spammers go to the open relay through an open proxy) he can send a very powerful complaint to the ISP.
To me it makes far more sense to point out to the open relay (and open proxy) operator the things he can do to cause spammers harm. Instead the common knowledge seems to require that the open whatever operator do as little as possible that harms the spammer - it's almost as though the spammers are giving false advice to make their jobs easier.
Of course you don't have to just do this with existing open relays. Most people with even rudimentary alertness understand that the spammers constantly test systems for vulnerability. That is opportunity knocking - pay attention. If you have a spare IP and a spare (even if really old) computer you can set up a honeypot. The spammers will very soon discover it; you can be in operation quite soon.
The FTC is part of the government. Which of the three most popular lies is the one about "I'm from the government - I'm doing this for your own good"?
Well for WinBlows there's already Jackpot: http://jackpot.uk.net. It works pretty well.
For Linux, sendmail can be used as a honeypot, if the Linux system isn't already running sendmail (I think the best honeypots are systems with no real email function, where that means email using incoming port 25).
What you propose would be a great beginning project for a programming class that's up to the point of doing network programming. Give them the SMTP spec and tell them to create something that looks like an MTA but isn't.
There's also been a Perl version of a honeypot posted to NANAE maybe over a year ago. The author said there was a second, better version but I don't know anything after that. Really it isn't that hard, particularly if you just create an abuse email grabber. The author of Jackpot added in code to deliver detected spammer test messages and when the author did that he simply incorporated another person's MX lookup - he didn't try to reinvent that.
There are 43145 recipients so far for the current spam run. The only network traffic is the spam coming in - there's a total of just 70 messages for all this spam. If the messages went out there'd be a whale of a lot more network traffic - the spam would go to quite a few different ISPs. So I burn some incoming network bandwidth in order to cause the spammer difficulty.
Another good project would be open proxy honeypots. One important thing about those is that if a spammer is hiding his own IP by going through a chain of open proxies then some open proxy is first in that chain. If that's a honeypot the spammer has given himself away to that honeypot. It should be obvious, too, that more effort in seeking out proxy logs would also give ammunition against the spammers.
My honeypot (the one that so far has 43,145 recipients) is a standard (but old and obsolete) MTA with the output mail queue stopped (it's a VMS system.) I manually forced delivery of a relay test yesterday - that's why the spam started. Almost anyone with a good working knowledge of some MTA can do something similar.
I'm familiar with NANAE and NANAS. Thanks anyway for the tip.
I also knew, from NANAS, that the spam has been sighted - I looked for the phone number and saw a disgusting number of hits going fairly far back in time (disgusting because that means he's gotten away with it for so long.)
Looking in ROKSO I see a Howard Minsky has sometimes claimed a Tulsa location - maybe it's him. I figure that it's more important to someone who does some form of enforcement to know the name - I can just know him by his relay test profile (where the tests originate, where they go) and be satisfied. It is, of course, nice to have a name to attach to the spammer.
"Another thing that would really help is for slashdot people to advocate proper mail server configuration, including disallowing open relays, and education of all of the part-time mail sysadmins out there who perpetuate the problem with their own ineptness."
There's some merit in what you say - it's better to try to educate inept sysadmins than to just sit back and complain about them. But there's an entirely different path available to attack the open relay problem and that path doesn't depend on educating the inept. Instead it's educating the ept, which is about as hard.
For both open relays and open proxies the problem is that they exist AND are easily discovered. If a spammer makes a test for open relay or for open proxy the results are over 99.999% accurate. The spammer has no difficulty at all while that is true.
Salt the stock of open relays and open proxies (as determined by the types of tests the spammers now do) with fakes and the situation is very different. Then the spammer could just as easily be sending his abuse-path spam to a system controlled by someone who knows the score as he is to be sending it to a system run by a bumbling sysop (so the more bumbling management you can fake for the false abusable system the better you do.) In addition running the fake is very easy - take any standard MTA and make it accept relay email but deliver nothing and you have a trap. When you want you can force delivery of one of the test messages that comes in - then you deceive the spammer and you also know which spam is associated with that test message source (if it's fixed) and destination. Windows users can run Jackpot, which pretty well automates the whole thing: http://jackpot.uk.net. Run Jackpot in its default configuration a while and just trap tests. When you're ready configure it to relay and turn off relay as soon as one test message has been delivered.
The same approach works for open proxies: fake an open proxy and the spammer will try to send spam through it. With open proxies you've got a better chance that the spammer made his contact from his own IP (some spammers even test for open relay through open proxies. Some still test from their own IPs.)
When you do this you become the person in charge. The limits of what you can accomplish haven't even been established yet. Additionally, this isn't the only approach that can be taken against spammer abuse. ISPs with abused open proxies should find it very easy to trace the abuse back to the source. If the ISP would intercept proxy packets from identified spammer IPs then the spammer suddenly loses all power over all the open proxies in that ISP's entire space.
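The post above describes the trap in one sentence: take a standard MTA, make it accept relay mail, deliver nothing. The following is an added example, not the poster's code and not Jackpot: a minimal SMTP sink written as a pure state machine (no sockets, so it can be driven by a scripted session) that answers every RCPT TO with 250 and archives the message in memory only. The hostname, the session and all addresses are constructed for the example; a real deployment would wrap run_smtp_sink() around a socket and write captured messages to disk.

```python
"""Added example: an SMTP 'sink' that looks like an open relay to the peer but
never queues or delivers anything. Pure state machine, exercised with a scripted
session; hostname and every address below are constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CapturedMessage:
    sender: str
    recipients: List[str]
    body: str


def _addr(arg: str) -> str:
    """Pull the bare address out of 'FROM:<a@b>' or 'TO:<c@d>'."""
    start, end = arg.find("<"), arg.find(">")
    if start != -1 and end > start:
        return arg[start + 1:end]
    return arg.split(":", 1)[-1].strip()


def run_smtp_sink(client_lines: List[str],
                  hostname: str = "honeypot.example.invalid") -> Tuple[List[str], List[CapturedMessage]]:
    """Drive one SMTP session from scripted client command lines.
    Returns (server replies, captured messages). Every RCPT TO is answered 250,
    so a relay tester sees an 'open relay'; the message is archived, never relayed."""
    replies = [f"220 {hostname} ESMTP"]
    captured: List[CapturedMessage] = []
    sender, rcpts, data_lines = None, [], []
    in_data = False
    for line in client_lines:
        if in_data:
            if line == ".":                       # end of DATA
                in_data = False
                captured.append(CapturedMessage(sender, rcpts, "\n".join(data_lines)))
                replies.append(f"250 OK queued as {len(captured):08d}")  # nothing is actually queued
                sender, rcpts, data_lines = None, [], []
            else:
                data_lines.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append(f"250 {hostname}")
        elif verb == "MAIL":
            sender, rcpts = _addr(arg), []
            replies.append("250 OK")
        elif verb == "RCPT":
            if sender is None:
                replies.append("503 Need MAIL command first")
            else:
                rcpts.append(_addr(arg))
                replies.append("250 OK")          # foreign domains accepted too: that is the bait
        elif verb == "DATA":
            if not rcpts:
                replies.append("554 No valid recipients")
            else:
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "RSET":
            sender, rcpts = None, []
            replies.append("250 OK")
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
        else:
            replies.append("500 Command not recognized")
    return replies, captured


def summarize(captured: List[CapturedMessage]) -> Dict[str, object]:
    """Totals a trap operator wants: messages and recipients trapped, targets by domain."""
    domains = Counter(r.rsplit("@", 1)[-1].lower() for m in captured for r in m.recipients)
    return {"messages": len(captured),
            "recipients": sum(domains.values()),
            "by_domain": dict(domains.most_common())}


# Constructed session: a relay test aimed at two addresses outside our own domain.
SAMPLE_SESSION = [
    "EHLO probe.example.invalid",
    "MAIL FROM:<tester@example.invalid>",
    "RCPT TO:<dropbox@example.net>",
    "RCPT TO:<dropbox2@example.org>",
    "DATA",
    "Subject: hello",
    "",
    "relay test body",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, captured = run_smtp_sink(SAMPLE_SESSION)
    print("\n".join(replies))
    print(summarize(captured))
```

The only thing that distinguishes this from a real open relay, from the peer's side, is that the "250 OK queued" reply is a lie; summarize() gives the per-domain recipient counts the poster quotes elsewhere in the thread, which is what goes into a complaint to the targeted ISPs.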
"You might be able to get the SWBell security folks after him, but more likely they'd just cancel the account and it'd be protected by their privacy policies."
SW Bell has been singularly unresponsive with respect to another relay tester - this after a SW Bell abuse person said she was determined to do something about the guy. That was months ago. The real question in my mind is whether the spammed (and otherwise abused) large ISPs this guy is targeting will wish to/be able to use the information I supply and do their own suits. The larger ISPs tend to sue for more than small claims court amounts.
He's still sending spam - he's targeted over 33000 recipients so far, in just 34 spam messages. The top one had 4269 recipients. Whew. 278 of the recipients are at swbell.net, so the spammer is fouling his own nest. Maybe that will get SW Bell to act. Plus 86 Pacbell. 1811 to mcimail - looks like phone numbers on all of them.
There's 1700 of what look like random generated addresses at msm.com (NOT msn.com). Looks like maybe he's harvested some webpoison addresses.
(Cute - the Slashdot email telling me of your reply has a rackspace ad in it.)
He really thinks he's grabbed the brass ring - found an unlisted open relay. I'm ROFL.
Who are the spammers in the Tulsa, OK area? I've got some pretty good evidence against someone there. Wasn't much work at all. I received a relay test message from him, I delivered it, now spam is arriving that (so sorry, Mr. Spammer) isn't getting delivered. Over 5000 recipients so far. The spam comes to my fake open relay through open proxy systems.
He's sending the relay tests from:
adsl-65-70-89-125.dsl.tulsok.swbell.net
He spams:
Subject: FWD: ASSET - BACKGROUND - MISSING PERSON SEARCHES..
Subject: FWD: BACKGROUND & ASSET SEARCHES - SAME DAY!
Subject: Fwd: background & asset reports - same day..
Subject: WE FIND MISSING PERSONS FOR YOU...OR NO CHARGE..
Subject: Re: WE FIND MISSING PERSONS FOR YOU...OR NO CHARGE!
Subject: Re: BACKGROUND & ASSET REPORTS - SAME DAY"
Subject: Re: background checks - same day service!
Subject: ASSET SEARCHES - SAME DAY SERVICE.
Subject: Re: BACKGROUND & ASSET SEARCHES - NATIONWIDE SEARCHES'
with this phone number for the marks to call: 1-877-269-3892
His relay test message went to timsmith777@connectfree.co.UK
He's been sending tests from that same IP for quite some time so I think it's the spammer's IP, not an open proxy.
If $0.01/email is too expensive for you (I won't argue) then instead of paying the tax you can work on the "road gang" cleaning up email. What you are assigned to do is to detect any attempt made to see if your own system can be used to send spam and to report that. If you have a "software firewall" this means you report attempts to use your ports 25, 1080, 3128, 8070, 8080, etc.
If you want to go further you can run software that does more than detect such attempts - it traps them. For port 25 (SMTP) there's (as an example) Jackpot: jackpot.uk.net. If you run Unix or Linux then you can configure sendmail to not deliver and trap everything sent to you. If you want to run an MTA then you can secure it and check your logs every day or so for illicit activity. The point is to stop ignoring this form of spammer abuse and start acting on it, to the point that they are forced to give it up.
Get a decent number of "road gang" workers and the need for the tax melts away. Huh - how about that...
Re:RFC-821 Re-Write is Not Needed
on Spam Meeting Wrap-up · Score: 2, Interesting
"I'm wondering how long it will be before they start installing smarter software on the proxies."
I think it's pretty damned smart already. I can't recall where but I read a description of Jeem on one of the anti-virus web sites - that is pretty sophisticated already. The downside I hope exists for the spammers is that this brings all the security people into the fight against spam - when the spammers crack into systems (by whatever pathway) they've really crossed a line.
I advocate open relay and open proxy honeypots. The Jeem approach, if the Trojan Horse is sent by an email virus, is rich with honeypot possibilities. Once you know how the cracked proxies work (all the details) you can "phone home" to the master spammer system and tell him your honeypot now has the spam relay installed. Then he trusts it and sends it spam to deliver. The operator of the phony cracked system goes into full ROFL mode.
(It would be interesting to see if the US DOJ would claim anyone doing this was intercepting communications. Very interesting, indeed. How will the DOJ find out someone is even doing this?)
"Welcome to 2003.... Most spam today isn't from open relays, it's from hacked boxes that have had proxies installed."
Where's your data? I have no doubt some spam comes that way - I've read Michael Tokarev's November, 2002, report in mailing.postfix.users. Absent actual evidence I can't see any reason to assert that hacked boxes are now the principal conduit for spam.
I know spammers still seek open proxies and open relays - these are still valid areas of concern and action.
OK, it's time to start thinking in a different mode - what's been done so far isn't working well enough. Look at the facts: almost all relay email sent through open relays because they are open relays is spam. I mean something like 99.9999% of it - almost all. Most of the rest is spammer relay tests. Quality people don't go looking for open relays through which to send their email. Spammers do that. Take advantage of that knowledge. If only spammers use that pathway MINE that pathway. It's figurative mines, not real ones: prohibitions against deathtraps don't apply.
Instead of continuing the three-years-long moan about all those clods who run open relays (I was once one of them myself) why not quit moaning and DO SOMETHING? Spammers send relay tests. DO SOMETHING that screws the spammer because of that. Report relay attempts to his ISP, accept and deliver the tests and send the spam to /dev/null - ACT. Make up your own way of dealing with them, but make it hurt them in some way, however small. Get any number at all doing something with the tests and those that merely accept the tests and ignore them will help strike fear in the spammers' hearts (the operator who does nothing knows he does nothing. The spammer has to worry that the operator does more.)
Like, for instance, here's a relay test from today:
Received: from adsl-65-70-89-125.dsl.tulsok.swbell.net by X.X.X;
    Sat, 3 May 03 12:04 CDT
Message-Id:
Date: Sat, 03 May 2003 12:01:44 -1700
From: 0eik00ha7i95o4@starband.net
Subject: hello
To: timsmith777@connectfree.co.UK
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
(I had to break up the strings because of the Slashdot "lameness" filters.)
It takes as close to no smarts at all to trap a test like this as is possible. DO IT.
(By the way, I altered the string in the message-ID: that's where spammers who use this form of test encode the IP tested.) Similarly, they encode where the test originated in the body. It's decimal ASCII: "048" encodes "0," etc.
Don't want to do SMTP trapping? No problem - trap some spammer open proxy abuse. Maybe you'll learn his IP, even (the clown who sent the test above has been using the same IP since at least 11-Mar-2003.)
I've been telling connectfree.co.uk about these test messages going to the spammer dropboxes in their space. I suggest that they simply divert email to the dropbox address so it goes someplace else. This is SOMETHING they can do that really screws the spammers. Until the spammers figure out the email is being diverted they discover no open relays if the email through those open relays to the dropbox doesn't get delivered.
Isn't it about time people thought about what to do to stop these spammers? Is it so terribly hard to divert email to a known spammer dropbox address someplace else? Does that not conform to the TOS? CHANGE the TOS - quit waiting for someone else to solve spam and act. Worried about the US DOJ saying this is a crime? Hey, we're talking about a .co.uk location - US law doesn't reach that far. DO IT.
Read my post again. See anything that says action must wait for a change in the SMTP protocol? NO. See anything that says the little guy with a DSL or cable connection can't take part? NO. ISPs could do even better - think about what the ISP with hundreds of abused open proxies could do if it intercepted the proxy connections made by the spammers.
This does nothing to stop direct spam. There blocklists work like a charm. This does an awful lot to stop abuse-path spam (non-direct spam.) DO IT.
Or continue to moan. One path has better results - see if you can tell which.
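The relay test quoted above carries two pieces of information an operator who traps it wants: the host that connected (in the Received header) and the IP values the tester encoded as three-digit decimal ASCII ("048" for "0", and so on) in the Message-Id and body. The code below is an added example, not the poster's, that parses a trapped test and decodes those tokens. The sample message is constructed with example.invalid and documentation addresses; the only thing taken from the page is the encoding scheme itself, and the heuristic that any long digit run decoding wholly to printable ASCII is such a token is an assumption of this example.

```python
"""Added example: parse a trapped relay-test message and decode the decimal-ASCII
tokens (three digits per character, "048" -> "0") that the post says testers use
to mark the IP they tested and the IP they tested from. Sample is constructed."""
import re
from email import message_from_string
from typing import Dict, List, Optional, Tuple


def decode_decimal_ascii(token: str) -> str:
    """Decode a run of 3-digit decimal ASCII codes: "048049" -> "01"."""
    digits = re.sub(r"\D", "", token)
    if len(digits) % 3:
        raise ValueError("token length is not a multiple of 3")
    return "".join(chr(int(digits[i:i + 3])) for i in range(0, len(digits), 3))


def find_encoded_tokens(text: str) -> List[Tuple[str, str]]:
    """Return (raw, decoded) for every digit run that decodes entirely to printable ASCII.
    Heuristic assumed for this example: real dates/times never form such a run."""
    found = []
    for m in re.finditer(r"\d{6,}", text):
        raw = m.group(0)
        if len(raw) % 3:
            continue
        codes = [int(raw[i:i + 3]) for i in range(0, len(raw), 3)]
        if all(32 <= c < 127 for c in codes):
            found.append((raw, "".join(chr(c) for c in codes)))
    return found


def analyze_relay_test(raw_message: str) -> Dict[str, object]:
    """Pull out what an abuse report needs: connecting host, claimed sender,
    the dropbox the tester wants the message delivered to, and decoded tokens."""
    msg = message_from_string(raw_message)
    received = msg.get("Received", "")
    m = re.search(r"from\s+(\S+)", received)
    relayed_from: Optional[str] = m.group(1) if m else None
    return {
        "relayed_from": relayed_from,
        "from": msg.get("From"),
        "dropbox": msg.get("To"),
        "message_id_tokens": find_encoded_tokens(msg.get("Message-Id", "")),
        "body_tokens": find_encoded_tokens(msg.get_payload()),
    }


# Constructed sample: header layout follows the trapped test quoted in the thread,
# but every host, address and encoded IP here is a documentation/example value.
# Message-Id encodes 192.0.2.10; the body encodes 203.0.113.1.
SAMPLE_TEST = """Received: from probe-host.example.invalid by honeypot.example.invalid;
\tSat, 3 May 03 12:04 CDT
Message-Id: <049057050046048046050046049048@example.invalid>
Date: Sat, 03 May 2003 12:01:44 -0500
From: 0eik00ha7i95o4@example.invalid
Subject: hello
To: dropbox@example.invalid
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"

050048051046048046049049051046049
"""

if __name__ == "__main__":
    for key, value in analyze_relay_test(SAMPLE_TEST).items():
        print(f"{key}: {value}")
```

Run against a real trapped test, the "relayed_from" host goes to that network's abuse desk and the "dropbox" address to the mailbox provider, which is exactly the two reports the poster describes making; the decoded tokens tell you which of your IPs was probed and, when the tester was sloppy, where the probe came from.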
"Simply put, we should require some form of an operators' license to own or operate a computer. Despite there being radical differences between the types of machinery, an adequate comparison would be to either automobiles or firearms licensing legislation."
That's going in exactly the wrong direction. All the anti-spam solutions that aren't succeeding against spam (but you really should make sure you define "succeed" if you don't want to err in this sort of statement) came from people you would (I presume) license to be on the internet. All those smarts haven't done the job, have they? You also (like many before you) gloss over the fact that the huge majority of the people you would deny a license to be on the internet are running exactly what the software vendors sold them, configured exactly as the vendor had it configured as the default. The smarts you would require them to have would be to not trust the software vendors. OK, I'll give you that one. But why isn't that repeated incessantly until people learn it? You want to make them be smart - what do you do to educate them?
The "smart" people on the internet, the ones you would grant licenses, still almost 100% ignore their big daily opportunity to hit spammers where it hurts: the tests the spammers are doing on systems in these "smart" peoples' own domains to see if there are vulnerable IPs. Spammy as much as says "hurt me," the "smart" people say "no." That makes no sense, that's worse than trusting the vendors.
So: watch out: the licensing might get into what you'd consider the wrong hands: mine, say. I'd require every operator to demonstrate the ability to think logically - there go 90% of your "smart" people down the tubes. They still don't get it that telling a spammer "550 we do not relay" is telling him exactly what he needs to know - it helps the spammer. There's a difference between what you do to protect your own system (and what you do to secure your own system) and what works best for the benefit of the internet as a whole. Spammers every day provide opportunities for operators to cause the same spammers significant harm - opportunities on the operators' own computers. 99.99% of them simply secure the system and throw away the opportunity. Then they complain about spammers and maybe about the dummies that shouldn't be licensed to be on the internet. Uh-huh. Sure. There's Dummies and then there's Dummies.
There's a reasonable, non-Draconian solution: hit spammers where it hurts and where they are not now being hit. Most spam is abuse spam. Screw up the abuse pathway and that spam dies. That can be done, now, with no change in the internet or in any protocol. While spammers test IPs on DSL and cable blocks for open relay the battle can be engaged on those same DSL and cable blocks - individuals can fight spam. Even individuals running (gasp) Windows.
"But how do you then track down who happens to be sending it and punish them for it?"
Perhaps you don't. Perhaps you wait for someone to run an open proxy honeypot and hope he catches the same spam and identifies the source IP.
Alternately, you could be the someone running the open proxy honeypot that someone else is waiting for. Maybe you are in Brazil running an open proxy honeypot and find out that a particular spammer is using Brazilian (and possibly other) open proxies to send out his spam. Looks like the trickiest part would be informing you of the actual source. If the open proxy operator would tell Spamhaus what he learned they could report it - you'd look there to find the actual spammer information and start your action.
"We just can't afford these open relays and if it takes major ISP's like AOL to start blocking large swaths of them to end this, more power to them!"
Close enough. Years ago I had an open relay that was discovered. I would have considered it a favor to have blocked it. Instead I cured the problem. I cured it by making my open relay effectively filter spam. Then I ASKED to be listed (by ORBS) - might as well let the spammers send relay spam to a black hole, eh?
Still works. jackpot.uk.net
It's really very easy. The spammers actually do need systems to abuse in order to send spam. They find the systems they can abuse very simply: they look for them. If a system looks like it can be abused the spammers send spam through it. If the operator of the system faked the appearance of vulnerability the spammer just wasted his time. If the spammer gives away anything about his operation (in the URLs, if nowhere else) the operator has ammunition for a complaint - a complaint the spammer's ISP really shouldn't ignore (it's an abuse complaint, a complaint of attempted theft of service.) If the operator is more current he could be running a fake open proxy instead of a fake open relay. Then he may have the spammer's IP (if the spammer didn't go through an open proxy to reach the fake open proxy.) Once again: powerful complaint material.
What is the goal - to stop spam coming to you or to just plain stop spam? That latter would be everybody's spam. Seems like stopping everybody's spam would have the bigger payoff.
You stop your own spam when it comes to you. You stop the spam for everybody when you let the spammer send relay spam to a box you control. To see if you are qualified to do this take this simple test:
If your system receives relay spam do you:
(A) Deliver it
or
(B) Not deliver it?
If you answered (B), Not deliver it, you have passed the test.
The spammers are looking for open relays and open proxies all over, every day. Right now they don't know the difference between a real open relay and a fake. This is an opportunity. Create a fake open relay, let them find it (which means you allow their test message to be delivered) and then watch to see if spam rolls in [remember the correct answer above was (B).]
If you want to mess with them it might be useful for you to know that the spammers send themselves a lot of email that is critical to their success.
That's right: to find open relays they attempt to send test messages to a bunch of IPs. The messages that come through identify the open relays. If you'd look at your own port 25 you very likely would see such attempts.
Most people reject the attempts - do you think that's always wise? Sure, you don't want to deliver their message if it tells them you are running an open relay but the fact you're even thinking about that indicates you aren't running an open relay and won't be. On your real server the smartest and best thing to do usually is to reject the test message attempts. Got a spare box and a spare IP? Let the spammers test that, trap the tests, find out the addresses to which they direct the tests. Here's one such address that died earlier today:
pzbigz10@runbox.com
It died 'cause I told Runbox about it and they killed the account. I got the address from a relay test sent to me from:
pool-141-150-141-116.mad.east.verizon.net
It's pretty certain, given the number of tests seen from that same general block, that the spammer is there - he's not abusing open proxies to send the tests (as far as I can tell.) If Verizon is acting they're going very slow. (That may be OK - there's very effective slow things they might be doing.)
You may have far more power available to you than you realize: many spammers may be working hard to tell you where they send their tests, if you would just let them.
It's theoretically possible, reporting relay tests, to get a spammer booted before he sends his first spam message.
If you do nothing else why not look in the MTA logs for rejected relay attempts? You may see something useful even that way. If there's a bunch that is pretty solid evidence that if you'd set up a system with a close-by IP address that the spammers would very quickly begin testing that system as well.
(Deliver one of the tests and something quite interesting can happen. Be very, very sure you do not have an open relay before you try that.)
"The worst spammers are akin to a DoS attack, which can be tracked down and stopped. This is basically the same thing. So why not just unplug the spammers one by one?"
A few spammers send directly to recipients. Most use open relays, open proxies, or an open-proxy to open relay combination (with more than one open proxy possible.) If they send from ISP A and have the web pages offshore, in China (for example), how do you identify ISP A to get them terminated?
The question has an answer: run open proxy and open relay honeypots. Get enough honeypots going and some of them will be the first hop for the spammers. Their secret source is no longer secret.
Or the ISP where a lot of proxy abuse is happening can just watch for, say, lots of traffic to port 1080 all over its own space all coming from one IP somewhere else. Very likely that IP is controlled by the spammer. Even lowly managers of /24s can run ntop - can't ISPs run the equivalent? If the total traffic for the ISP backbone is too great then the ISP can run ntop on subnets (it's easier if the ISP already knows abuse is going to a particular subnet in its space, perhaps because of an open proxy report.)
So yes, network operators could do more. The evil part of this is that the network operators where the abuse is most intense have the best chance to cause hurt to the spammers - that sort of takes away the advantage to the spammer of finding a really abusable address space. "Evil" to the spammers, that is: I find it rather nice.
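Two posts in this thread describe the same detection at two scales: the individual with a "software firewall" reporting connection attempts to ports 25, 1080, 3128, 8070 and 8080 on his own box, and the ISP watching for one outside IP hitting port 1080 all over its address space. The code below is an added example, not the poster's and not ntop, that runs both checks over connection-log lines. The log format (one line per inbound TCP connection with src, dst and dport fields) and every address in the sample are constructed for the example; the watched port list is the one given in the thread.

```python
"""Added example: detect relay/proxy probing in connection logs, at host scale
(who probed my box) and at network scale (one source sweeping many hosts).
The log format and all addresses below are constructed for this example."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# SMTP plus the proxy ports the thread says a firewall user should report on.
WATCHED_PORTS = {25, 1080, 3128, 8070, 8080}

# Constructed one-line-per-connection format: timestamp, source, destination, dest port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp$")

# Constructed sample: 198.51.100.7 sweeps four of our hosts on proxy ports,
# 203.0.113.5 pokes one host's port 25, the rest is ordinary traffic.
SAMPLE_LOG = """
2003-05-03T12:04:01 src=198.51.100.7 dst=192.0.2.10 dport=1080 proto=tcp
2003-05-03T12:04:01 src=198.51.100.7 dst=192.0.2.11 dport=1080 proto=tcp
2003-05-03T12:04:02 src=198.51.100.7 dst=192.0.2.12 dport=1080 proto=tcp
2003-05-03T12:04:02 src=198.51.100.7 dst=192.0.2.13 dport=3128 proto=tcp
2003-05-03T12:05:10 src=203.0.113.5 dst=192.0.2.10 dport=25 proto=tcp
2003-05-03T12:05:11 src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp
2003-05-03T12:05:12 src=198.51.100.9 dst=192.0.2.11 dport=80 proto=tcp
"""


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (timestamp, src, dst, dport) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["dport"])


def probes_against_host(lines: Iterable[str], my_ip: str,
                        ports=WATCHED_PORTS) -> Dict[str, List[int]]:
    """Host scale: which sources touched a watched port on my_ip, and which ports."""
    hits = defaultdict(set)
    for _ts, src, dst, dport in parse(lines):
        if dst == my_ip and dport in ports:
            hits[src].add(dport)
    return {src: sorted(p) for src, p in hits.items()}


def sweep_sources(lines: Iterable[str], ports=WATCHED_PORTS,
                  min_targets: int = 3) -> Dict[str, int]:
    """Network scale: sources that hit a watched port on at least min_targets
    distinct destinations, i.e. one IP testing 'all over' the address space."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in parse(lines):
        if dport in ports:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def abuse_report(lines: Iterable[str], src: str) -> str:
    """Plain-text evidence block for the source's abuse desk: every watched-port hit."""
    events = [(ts, dst, dport) for ts, s, dst, dport in parse(lines)
              if s == src and dport in WATCHED_PORTS]
    header = f"Relay/proxy probing from {src}: {len(events)} connection attempt(s)"
    return "\n".join([header] + [f"  {ts} -> {dst}:{dport}" for ts, dst, dport in events])


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print("probes against 192.0.2.10:", probes_against_host(log, "192.0.2.10"))
    print("sweeping sources:", sweep_sources(log))
    print(abuse_report(log, "198.51.100.7"))
```

The two functions are the same aggregation keyed differently: by port for one host, by distinct destination for one source. The min_targets threshold is what separates a stray connection from the sweep the post describes, and the report builder carries only timestamps, destinations and ports, which is the evidence an abuse desk can act on.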
"With all due respect to your solution, expecting admins to set up a honeypot and monitor it aggressively isn't exactly fair. Doing that is a fair amount of ongoing work, while simply securing an open relay one is responsible for is a low-effort one-time job. It's the difference between locking your front door and organizing a neighborhood watch; the latter may be more noble, but that doesn't make the former an unreasonable request."
The neighborhood watch is a good analogy. Some can do it, some can't - I was a bit extreme in my language to make a point.
Returning to the neighborhood watch analogy, I think in a real neighborhood watch you'd have some zealots and some sluggards - some that want to go out and watch the neighborhood, some that agree it's a good idea and even do it once in a while, reluctantly. That's how people are - no solution that requires a change in human nature is likely to become popular or successful.
But with the honeypots you can "watch the neighborhood" in a way that has no real-world analog: the lazy watchers can just smart-host their incoming port 25 traffic to a system run by a neighborhood zealot. Better yet, if honeypots get numerous (and if large numbers of operators only trap relay tests, deliver nothing) then lots of things can look threatening to the spammer who is honeypot-aware, including systems that accept tests for the (lazy) operator to examine someday, with the (lazy) operator never bothering to look. So, while I state that an aggressively monitored honeypot has power over that of a mostly ignored honeypot the latter still has value. It could send the relay tests to /dev/null (or the equivalent) - as long as the spammer doesn't really know what is happening he has to fear it the same as an aggressively monitored hp.
At this point in time I'd stress the value of capturing spammer relay tests. The zealots can report these to the ISPs of source and destination, the sluggards can ignore. The spammers don't know which is which (as long as the ISPs don't spill the beans) - both are a problem to the spammer. The best spammer defense is to leave the IP that is (or may be) a honeypot strictly alone. That is exactly what I want them to do, for the entire internet. ISPs can be honeypot operators - then instead of the internet becoming spammer-dangerous one IP at a time it can happen one ISP at a time. That could move pretty fast. When the spammers are off the existing internet they're done sending abuse-based spam - there's not going to be a second internet for them to abuse. You can think a long, long time but I don't think you'll hit on a way to test for open relay that doesn't reveal itself to be just that: a test for open relay. There is no stealth way for the spammers to test - the current "stealth" is really inattention of those who could be watching. Start watching - it is worth doing (even if you have the neighborhood zealot do the work for you.)
If you are concerned (angry, assigning blame, whatever) about spam through open relays and open proxies you might like to know how they find the systems to abuse.
If you are concerned and know how they do it you could do something to make it harder for them.
A question important to those who run open relay honeypots and open proxy honeypots (proxypots.)
These are 100% accurate against spam - filters and blacklists are not. Will they be outlawed?
Check out the bubblegum proxypot. It's a neat way to hurt spammers:
http://world.std.com/~pacman/proxypot.html
Don't forget the relay spam honeypot (Jackpot):
http://jackpot.uk.net
You could be successfully sued by the spamees (?).
OK, but why sue fellow victims and not sue the spammers and their ISPs? WHY? The problem is the spammers, not the open relay (and don't forget open proxy) operators whose systems were abused by the spammers sending the spam. Suing the operator of an open relay just perpetuates the mis-focus of the anti-spam movement. It isn't the fault of the open relay operator that there's a spammer sending spam.
Furthermore most open relay operators surely have "shallow" pockets. Even with the waves of bankruptcies the ISPs have deeper pockets. They allow the abuse of their systems (many spammer relay tests come directly from the spammers' IPs on major ISPs), the ISPs are negligent.
Talk to a lawyer. Which is the better target for a suit - open relay operator or spam-tolerant ISP?
(The spammers would probably be delighted to see the victims going at each other while they continued to spam. Not a pretty picture.)
"just out of curosity, why would any mail admin want to have an open relay?"
Probably most simply don't know any better. A few may think it's necessary so that their users can still send email from roving laptops (it isn't necessary.) Some may be so offended by the high-handed and offensive email messages lambasting them for the open relay they get that they continue to do it in spite.
I did it to attract spam. Of course it wasn't quite as "open" as the spammers thought - their mistake. It was only "open" for spammer test messages.
This year it's been even less open - I only deliver selected ones of the spammer test messages (they come at a rate of about 100/month.) That way I can associate a particular test with the spam that follows.
It's not rocket science - any halfway (or better) capable computer user can do the same thing. Windows user? Even better - you've probably got nothing currently listening on port 25: it's free for fun and games against the spammers.
See: jackpot.uk.net
You will also need a Java Virtual Machine.
Let me summarize it this way. If you are a systems administrator of ANY kind then you WILL NOT be running an open relay. If you are then you truly are incompetent and have absolutely no business running any system. I can think of more than a few people from over the years that meet these criteria. Incompetence doesn't appear to be a dying disease.
RFC 2505 says:
"The Non-Relay rules are not in themselves enough to stop spam. Even if 99% of the SMTP MTAs implemented them from Day 1, spammers would still find the remaining 1% and use them. Or spammers would just switch gear and connect directly to each and every recipient host; that will be to a higher cost for the spammer, but is still quite likely."
If you wish to help in the pursuit of the goal of stopping spam you'll have to do more than crow about how superior you are to those operators who haven't secured their open relays.
If you wish. It's nowhere evident you do.
But THINK, please.
First of all this scapegoating of open relay operators hasn't worked to stop spam (the real goal) in all the years it's been practiced by the private sector (MAPS and successors/imitators.) Shouldn't the FTC read and understand RFC 2505, just like anyone else should? It says the relay rules won't work to stop spam, remember? Most open relays have been because the operator ran the software as shipped. I at one time managed Unix systems from 4 vendors, all with sendmail configured open. I can't recall a message from any of those vendors, ever, telling me they'd shipped a badly-configured sendmail. I got no feedback or warning from anyone until after I'd already taken my own action - and that feedback was wrong.
Second, all the attention on open relays has caused a partial shift of the spammers to use of open proxies. If the FTC were serious about this shouldn't they also draft a letter to send to open proxy operators?
Third, you can't ever expect the FTC to recognize this but an open relay operator is ideally placed to cause a spammer serious harm. Here's where it really pays to think. Many of the open relays are just Unix/Linux boxes with trivial or non-existent email tasks but that are running an MTA because it's the default. It's easy and worthwhile to secure these the "standard" way but it's even better to convert them to honeypots. The longer the spammer has abused them the better that would be. Secure it the "550 we do not relay" way and the spammer spends microseconds longer on that system - it costs the spammer nearly nothing to stop sending spam to it. Configure it to accept but then discard (or simply archive) the spam and the spammer can waste a lot of effort and resources sending it spam. Finally the spammer will recognize it doesn't relay. How will the spammer know when the change occurred? And the operator then has all that spam to examine. If the operator can trace the spam back to its origin (which may be hard - many spammers go to the open relay through an open proxy) he can send a very powerful complaint to the ISP.
To me it makes far more sense to point out to the open relay (and open proxy) operator the things he can do to cause spammers harm. Instead the common knowledge seems to require that the open whatever operator do as little as possible that harms the spammer - it's almost as though the spammers are giving false advice to make their jobs easier.
Of course you don't have to just do this with existing open relays. Most people with even rudimentary alertness understand that the spammers constantly test systems for vulnerability. That is opportunity knocking - pay attention. If you have a spare IP and a spare (even if really old) computer you can set up a honeypot. The spammers will very soon discover it, you can be in operation quite soon.
The FTC is part of the government. Which of the three most popular lies is the one about "I'm from the government - I'm doing this for your own good"?
Windows users: see jackpot.uk.net
Well for WinBlows there's already Jackpot: http://jackpot.uk.net. It works pretty well.
For Linux, sendmail can be used as a honeypot, if the Linux system isn't already running sendmail (I think the best honeypots are systems with no real email function, where that means email using incoming port 25).
What you propose would be a great beginning project for a programming class that's up to the point of doing network programming. Give them the SMTP spec and tell them to create something that looks like an MTA but isn't.
There's also been a Perl version of a honeypot posted to NANAE maybe over a year ago. The author said there was a second, better version but I don't know anything after that. Really it isn't that hard, particularly if you just create an abuse email grabber. The author of Jackpot added in code to deliver detected spammer test messages and when the author did that he simply incorporated another person's MX lookup - he didn't try to reinvent that.
There are 43145 recipients so far for the current spam run. The only network traffic is the spam coming in - there's a total of just 70 messages for all this spam. If the messages went out there'd be a whale of a lot more network traffic - the spam would go to quite a few different ISPs. So I burn some incoming network bandwidth in order to cause the spammer difficulty.
Another good project would be open proxy honeypots. One important thing about those is that if a spammer is hiding his own IP by going through a chain of open proxies then some open proxy is first in that chain. If that's a honeypot the spammer has given himself away to that honeypot. It should be obvious, too, that more effort in seeking out proxy logs would also give ammunition against the spammers.
My honeypot (the one that so far has 43,145 recipients) is a standard (but old and obsolete) MTA with the output mail queue stopped (it's a VMS system.) I manually forced delivery of a relay test yesterday - that's why the spam started. Almost anyone with a good working knowledge of some MTA can do something similar.
(How "old and obsolete"? It doesn't know EHLO.)
I'm familiar with NANAE and NANAS. Thanks anyway for the tip.
I also knew, from NANAS, that the spam his been sighted - I looked for the phone number and saw a disgusting number of hits going fairly far back in time (disgusting because that means he's gotten away with it for so long.)
Looking in ROKSO I see a Howard Minsky has sometimes claimed a Tulsa location - maybe it's him. I figure that it's more important to someone who does some form of enforcement to know the name - I can just know him by his relay test profile (where the tests originate, where they go) and be satisfied. It is, of course, nice to have a name to attach to the spammer.
"Another thing that would really help is for slashdot people to advocate proper mail server configuration, including disallowing open relays, and education of all of the part-time mail sysadmins out there who perpetuate the problem with their own ineptness."
There's some merit in what you say - it's better to try to educate inept sysadmins than to just sit back and complain about them. But there's an entirely different path available to attack the open relay problem and that path doesn't depend on educating the inept. Instead it's educating the ept, which is about as hard.
For both open relays and open proxies the problem is that they exist AND are easily discovered. If a spammer makes a test for open relay or for open proxy the results are over 99.999% accurate. The spammer has no difficulty at all while that is true.
Salt the stock of open relays and open proxies (as determined by the types of tests the spammers now do) with fakes and the situation is very different. Then the spammer could just as easily be sending his abuse-path spam to a system controlled by someone who knows the score as he is to be sending it to a system run by a bumbling sysop (so the more bumbling management you can fake for the false abusable system the better you do.) In addition running the fake is very easy - take any standard MTA and make it accept relay email but deliver nothing and you have a trap. When you want you can force delivery of one of the test messages that comes in - then you deceive the spammer and you also know which spam is associated with that test message source (if it's fixed) and destination. Windows users can run Jackpot, which pretty well automates the whole thing: http://jackpot.uk.net. Run Jackpot in its default configuration a while and just trap tests. When you're ready configure it to relay and turn off relay as soon as one test message has been delivered.
The same approach works for open proxies: fake an open proxy and the spammer will try to send spam through it. With open proxies you've got a better chance that the spammer made his contact from his own IP (some spammers even test for open relay through open proxies. Some still test from their own IPs.)
When you do this you become the person in charge. The limits of what you can accomplish haven't even been established yet. Additionally, this isn't the only approach that can be taken against spammer abuse. ISPs with abused open proxies should find it very easy to trace the abuse back to the source. If the ISP would intercept proxy packets from identified spammer IPs then the spammer suddenly loses all power over all the open proxies in that ISP's entire space.
There's still more - that's enough for now.
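The "accept relay email but deliver nothing, then release one test by hand" trap described in this post, as an added example that is not the poster's code and not Jackpot: a minimal SMTP server-side state machine that answers every RCPT TO with 250 (never "550 we do not relay"), queues everything it is given, classifies each envelope as a single-recipient relay test or bulk spam, and only marks a message for delivery when the operator calls release() on it. The hostname mail.example.invalid, the reply texts and the classification thresholds are the example's own assumptions; actual outbound delivery (MX lookup, a real SMTP client) is deliberately left out, since the whole point is that nothing leaves unless the operator decides so.

```python
import itertools
import re

HONEYPOT_HOST = "mail.example.invalid"   # assumed name, used in the banner only
LOCAL_DOMAINS = {"example.invalid"}      # mail for these is not "relaying"


class FakeOpenRelay:
    """One SMTP session.  feed(line) returns the reply the server sends, or
    None while inside DATA.  Trapped messages go to the shared queue list."""
    _ids = itertools.count(1)

    def __init__(self, queue, peer):
        self.queue = queue          # shared list of trapped envelopes
        self.peer = peer            # client IP, as a string
        self.in_data = False
        self.banner = f"220 {HONEYPOT_HOST} ESMTP"   # looks like any other MTA
        self.reset()

    def reset(self):
        self.mail_from, self.rcpts, self.lines = None, [], []

    def feed(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                qid = next(self._ids)
                self.queue.append({"id": qid, "peer": self.peer,
                                   "from": self.mail_from, "rcpts": list(self.rcpts),
                                   "data": "\n".join(self.lines), "released": False})
                self.reset()
                return f"250 2.0.0 Ok: queued as {qid:08X}"
            # SMTP dot-stuffing: a leading ".." stands for a literal "."
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {HONEYPOT_HOST}"
        if verb == "MAIL":
            self.mail_from = _addr(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            # The trap: accept any recipient at all, never refuse to relay.
            self.rcpts.append(_addr(arg))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.reset()
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"


def _addr(arg):
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>' (or a bare form)."""
    m = re.search(r"<([^>]*)>", arg)
    return (m.group(1) if m else arg.split(":", 1)[-1]).strip().lower()


def classify(msg):
    """Relay test: one outside recipient and a tiny body.  Bulk: many outside
    recipients.  Thresholds are the example's own, not anything from the post."""
    outside = [r for r in msg["rcpts"] if r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS]
    if not outside:
        return "local"
    if len(outside) == 1 and len(msg["data"]) < 2000:
        return "relay-test"
    return "bulk" if len(outside) >= 10 else "other"


def release(queue, qid):
    """Operator decision: hand exactly one trapped test to a real sender.
    Returns (rcpts, data); delivery itself is not implemented here."""
    for msg in queue:
        if msg["id"] == qid and not msg["released"]:
            msg["released"] = True
            return msg["rcpts"], msg["data"]
    raise KeyError(qid)


def run_session(queue, peer, client_lines):
    """Drive one session from a list of client lines; returns the server replies."""
    session = FakeOpenRelay(queue, peer)
    replies = [session.banner]
    for line in client_lines:
        reply = session.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies
```

To turn this into a listener, wrap feed() around a socket accepting on port 25 (send the banner, then one reply per client line); the shared queue is the trap, and release() is the only path by which anything in it is ever handed to a sender.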
"You might be able to get the SWBell security folks after him, but more likely they'd just cancel the account and it'd be protected by their privacy policies."
SW Bell has been singularly unresponsive with respect to another relay tester - this after a SW Bell abuse person said she was determined to do something about the guy. That was months ago. The real question in my mind is whether the spammed (and otherwise abused) large ISPs this guy is targeting will wish to/be able to use the information I supply and do their own suits. The larger ISPs tend to sue for more than small claims court amounts.
He's still sending spam - he's targeted over 33000 recipients so far, in just 34 spam messages. The top one had 4269 recipients. Whew. 278 of the recipients are at swbell.net, so the spammer is fouling his own nest. Maybe that will get SW Bell to act. Plus 86 Pacbell. 1811 to mcimail - looks like phone numbers on all of them.
There's 1700 of what look like random generated addresses at msm.com (NOT msn.com). Looks like maybe he's harvested some webpoison addresses.
(Cute - the Slashdot email telling me of your reply has a rackspace ad in it.)
He really thinks he's grabbed the brass ring - found an unlisted open relay. I'm ROFL.
Who are the spammers in the Tulsa, OK area? I've got some pretty good evidence against someone there. Wasn't much work at all. I received a relay test message from him, I delivered it, now spam is arriving that (so sorry, Mr. Spammer) isn't getting delivered. Over 5000 recipients so far. The spam comes to my fake open relay through open proxy systems.
He's sending the relay tests from:
adsl-65-70-89-125.dsl.tulsok.swbell.net
He spams:
Subject: FWD: ASSET - BACKGROUND - MISSING PERSON SEARCHES..
Subject: FWD: BACKGROUND & ASSET SEARCHES - SAME DAY!
Subject: Fwd: background & asset reports - same day..
Subject: WE FIND MISSING PERSONS FOR YOU...OR NO CHARGE..
Subject: Re: WE FIND MISSING PERSONS FOR YOU...OR NO CHARGE!
Subject: Re: BACKGROUND & ASSET REPORTS - SAME DAY"
Subject: Re: background checks - same day service!
Subject: ASSET SEARCHES - SAME DAY SERVICE.
Subject: Re: BACKGROUND & ASSET SEARCHES - NATIONWIDE SEARCHES'
with this phone number for the marks to call: 1-877-269-3892
His relay test message went to timsmith777@connectfree.co.UK
He's been sending tests from that same IP for quite some time so I think it's the spammer's IP, not an open proxy.
If $0.01/email is too expensive for you (I won't argue) then instead of paying the tax you can work on the "road gang" cleaning up email. What you are assigned to do is to detect any attempt made to see if your own system can be used to send spam and to report that. If you have a "software firewall" this means you report attempts to use your ports 25, 1080, 3128, 8070, 8080, etc.
If you want to go further you can run software that does more than detect such attempts - it traps them. For port 25 (SMTP) there's (as an example) Jackpot: jackpot.uk.net. If you run Unix or Linux then you can configure sendmail to not deliver and trap everything sent to you. If you want to run an MTA then you can secure it and check your logs every day or so for illicit activity. The point is to stop ignoring this form of spammer abuse and start acting on it, to the point that they are forced to give it up.
Get a decent number of "road gang" workers and the need for the tax melts away. Huh - how about that...
"I'm wonding how long it will be before they start installing smarter software on the proxies."
I think it's pretty damned smart already. I can't recall where but I read a description of Jeem on one of the anti-virus web sites - that is pretty sophisticated already. The downside I hope exists for the spammers is that this brings all the security people into the fight against spam - when the spammers crack into systems (by whatever pathway) they've really crossed a line.
I advocate open relay and open proxy honeypots. The Jeem approach, if the Trojan Horse is sent by an email virus, is rich with honeypot possibilities. Once you know how the cracked proxies work (all the details) you can "phone home" to the master spammer system and tell him your honeypot now has the spam relay installed. Then he trusts it and sends it spam to deliver. The operator of the phony cracked system goes into full ROFL mode.
(It would be interesting to see if the US DOJ would claim anyone doing this was intercepting communications. Very interesting, indeed. How will the DOJ find out someone is even doing this?)
"Welcome to 2003.... Most spam today isn't from open relays, it's from hacked boxes that have had proxies installed."
Where's your data? I have no doubt some spam comes that way - I've read Michael Tokarev's November, 2002, report in mailing.postfix.users. Absent actual evidence I can't see any reason to assert that hacked boxes are now the principal conduit for spam.
(http://groups.google.com/groups?selm=aqhj96%2429tp%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain)
I know spammers still seek open proxies and open relays - these are still valid areas of concern and action.
OK, it's time to start thinking in a different mode - what's been done so far isn't working well enough. Look at the facts: almost all relay email sent through open relays because they are open relays is spam. I mean something like 99.9999% of it - almost all. Most of the rest is spammer relay tests. Quality people don't go looking for open relays through which to send their email. Spammers do that. Take advantage of that knowledge. If only spammers use that pathway MINE that pathway. It's figurative mines, not real ones: prohibitions against deathtraps don't apply.
Instead of continuing the three-years-long moan about all those clods who run open relays (I was once one of them myself) why not quit moaning and DO SOMETHING? Spammers send relay tests. DO SOMETHING that screws the spammer because of that. Report relay attempts to his ISP, accept and deliver the tests and send the spam to /dev/null - ACT. Make up your own way of dealing with them, but make it hurt them in some way, however small. Get any number at all doing something with the tests and those that merely accept the tests and ignore them will help strike fear in the spammers' hearts (the operator who does nothing knows he does nothing. The spammer has to worry that the operator does more.)
Like, for instance, here's a relay test from today:
Received: from adsl-65-70-89-125.dsl.tulsok.swbell.net by X.X.X;
Sat, 3 May 03 12:04 CDT
Message-Id:
Date: Sat, 03 May 2003 12:01:44 -1700
From: 0eik00ha7i95o4@starband.net
Subject: hello
To: timsmith777@connectfree.co.UK
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
054053046055048046056 057046049050053058097 1001151080450540530450550480450560570450490500530
4 610011 510804611611710811 511110704611511909810110810804611 0101116058049049048051058057058089101115
(I had to break up the strings because of the Slashdot "lameness" filters.)
It takes as close to no smarts at all to trap a test like this as is possible. DO IT.
(By the way, I altered the string in the message-ID: that's where spammers who use this form of test encode the IP tested.) Similarly, they encode where the test originated in the body. It's decimal ascii: "048" encodes "0," etc.
Don't want to do SMTP trapping? No problem - trap some spammer open proxy abuse. Maybe you'll learn his IP, even (the clown who sent the test above has been using the same IP since at least 11-Mar-2003.)
I've been telling connectfree.co.uk about these test messages going to the spammer dropboxes in their space. I suggest that they simply divert email to the dropbox address so it goes someplace else. This is SOMETHING they can do that really screws the spammers. Until the spammers figure out the email is being diverted they discover no open relays if the email through those open relays to the dropbox doesn't get delivered.
Isn't it about time people thought about what to do to stop these spammers? Is it so terribly hard to divert email to a known spammer dropbox address someplace else? Does that not conform to the TOS? CHANGE the TOS - quit waiting for someone else to solve spam and act. Worried about the US DOJ saying this is a crime? Hey, we're talking about a .co.uk location - US law doesn't reach that far. DO IT.
Read my post again. See anything that says action must wait for a change in the SMTP protocol? NO. See anything that says the little guy with a DSL or cable connection can't take part? NO. ISPs could do even better - think about what the ISP with hundreds of abused open proxies could do if it intercepted the proxy connections made by the spammers.
This does nothing to stop direct spam. There, blocklists work like a charm. This does an awful lot to stop abuse-path spam (non-direct spam.) DO IT.
Or continue to moan. One path has better results - see if you can tell which.
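The decimal-ASCII body of the relay test quoted above (three digits per character, "048" for "0") decodes mechanically, and the result can be checked against the Received: line the trap itself wrote. The block below is an added example, not the poster's code: the header and body text are the ones in the post (with the Message-Id the poster blanked and the spaces the poster inserted to get past the Slashdot filter left in place; the Received: continuation line is indented here as a mail header would be), and the parsing helpers are the example's own. The meaning of the fields after the host name is not given in the post, so they are returned undecoded.

```python
import re

# Taken from the post above: the relay test as trapped, Message-Id blanked by
# the poster, body strings broken with spaces by the poster.
RELAY_TEST = """\
Received: from adsl-65-70-89-125.dsl.tulsok.swbell.net by X.X.X;
    Sat, 3 May 03 12:04 CDT
Message-Id:
Date: Sat, 03 May 2003 12:01:44 -1700
From: 0eik00ha7i95o4@starband.net
Subject: hello
To: timsmith777@connectfree.co.UK
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300

054053046055048046056 057046049050053058097 1001151080450540530450550480450560570450490500530
4 610011 510804611611710811 511110704611511909810110810804611 0101116058049049048051058057058089101115
"""


def split_message(raw):
    """Headers (continuation lines unfolded, names lower-cased) and body."""
    head, _, body = raw.partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decode_decimal_ascii(text):
    """'054053046' -> '65.'; anything that is not a digit (the filter-dodging
    spaces, newlines) is ignored, so the broken-up strings decode as one."""
    digits = re.sub(r"\D", "", text)
    if len(digits) % 3:
        raise ValueError("payload is not a whole number of 3-digit codes")
    return "".join(chr(int(digits[i:i + 3])) for i in range(0, len(digits), 3))


def analyse_relay_test(raw):
    """Where the test came from (per the trap's own Received: line), where the
    spammer wants the answer sent (To:), and what the body says about itself."""
    headers, body = split_message(raw)
    m = re.match(r"from (\S+)", headers.get("received", ""))
    received_from = m.group(1) if m else None
    decoded = decode_decimal_ascii(body)
    fields = decoded.split(":")
    return {
        "received_from": received_from,
        "dropbox": headers.get("to", "").lower(),
        "body_is_all_digits": bool(re.fullmatch(r"[\d\s]+", body.strip())),
        "decoded": decoded,
        "origin_ip": fields[0],
        "origin_host": fields[1] if len(fields) > 1 else None,
        "trailing_fields": fields[2:],      # left uninterpreted
        # If the body's claim about where the test came from agrees with the
        # Received: line, the test arrived straight from the spammer's own IP
        # rather than through an open proxy.
        "origin_matches_received": (len(fields) > 1 and fields[1] == received_from),
    }


if __name__ == "__main__":
    for k, v in analyse_relay_test(RELAY_TEST).items():
        print(f"{k}: {v}")
```

Run against the posted test, the body decodes to the same swbell.net address the Received: line shows, which is what makes the poster confident the tests come from the spammer's own connection rather than a proxy; the drop box address is the item worth reporting to the mailbox provider.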
"Simply put, we should require some form of an operators' license to own or operate a computer. Despite there being radical differences between the types of machinery, an adequate comparison would be to either automobiles or firearms licensing legislation."
That's going in exactly the wrong direction. All the anti-spam solutions that aren't succeeding against spam (but you really should make sure you define "succeed" if you don't want to err in this sort of statement) came from people you would (I presume) license to be on the internet. All those smarts haven't done the job, have they? You also (like many before you) gloss over the fact that the huge majority of the people you would deny a license to be on the internet are running exactly what the software vendors sold them, configured exactly as the vendor had it configured as the default. The smarts you would require them to have would be to not trust the software vendors. OK, I'll give you that one. But why isn't that repeated incessantly until people learn it? You want to make them be smart - what do you do to educate them?
The "smart" people on the internet, the ones you would grant licenses, still almost 100% ignore their big daily opportunity to hit spammers where it hurts: the tests the spammers are doing on systems in these "smart" people's own domains to see if there are vulnerable IPs. Spammy as much as says "hurt me," the "smart" people say "no." That makes no sense, that's worse than trusting the vendors.
So: watch out: the licensing might get into what you'd consider the wrong hands: mine, say. I'd require every operator to demonstrate the ability to think logically - there go 90% of your "smart" people down the tubes. They still don't get it that telling a spammer "550 we do not relay" is telling him exactly what he needs to know - it helps the spammer. There's a difference between what you do to protect your own system (and what you do to secure your own system) and what works best for the benefit of the internet as a whole. Spammers every day provide opportunities for operators to cause the same spammers significant harm - opportunities on the operators' own computers. 99.99% of them simply secure the system and throw away the opportunity. Then they complain about spammers and maybe about the dummies that shouldn't be licensed to be on the internet. Uh-huh. Sure. There's Dummies and then there's Dummies.
There's a reasonable, non-Draconian solution: hit spammers where it hurts and where they are not now being hit. Most spam is abuse spam. Screw up the abuse pathway and that spam dies. That can be done, now, with no change in the internet or in any protocol. While spammers test IP's on DSL and cable blocks for open relay the battle can be engaged on those same DSL and cable blocks - individuals can fight spam. Even individuals running (gasp) Windows.
See: http://jackpot.uk.net
"But how do you then track down who happens to be sending it and punish them for it?"
Perhaps you don't. Perhaps you wait for someone to run an open proxy honeypot and hope he catches the same spam and identifies the source IP.
Alternately, you could be the someone running the open proxy honeypot that someone else is waiting for. Maybe you are in Brazil running an open proxy honeypot and find out that a particular spammer is using Brazilian (and possibly other) open proxies to send out his spam. Looks like the trickiest part would be informing you of the actual source. If the open proxy operator would tell Spamhaus what he learned they could report it - you'd look there to find the actual spammer information and start your action.
"We just can't afford these open relays and if it takes major ISP's like AOL to start blocking large swaths of them to end this, more power to them!"
Close enough. Years ago I had an open relay that was discovered. I would have considered it a favor to have blocked it. Instead I cured the problem.
I cured it by making my open relay effectively filter spam. Then I ASKED to be listed (by ORBS) - might as well let the spammers send relay spam to a black hole, eh?
Still works. jackpot.uk.net
It's really very easy. The spammers actually do need systems to abuse in order to send spam. They find the systems they can abuse very simply: they look for them. If a system looks like it can be abused the spammers send spam through it. If the operator of the system faked the appearance of vulnerability the spammer just wasted his time. If the spammer gives away anything about his operation (in the URLs, if nowhere else) the operator has ammunition for a complaint - a complaint the spammer's ISP really shouldn't ignore (it's an abuse complaint, a complaint of attempted theft of service.) If the operator is more current he could be running a fake open proxy instead of a fake open relay. Then he may have the spammer's IP (if the spammer didn't go through an open proxy to reach the fake open proxy.) Once again: powerful complaint material.
What is the goal - to stop spam coming to you or to just plain stop spam? That latter would be everybody's spam. Seems like stopping everybody's spam would have the bigger payoff.
You stop your own spam when it comes to you. You stop the spam for everybody when you let the spammer send relay spam to a box you control. To see if you are qualified to do this take this simple test:
If your system receives relay spam do you:
(A) Deliver it
or
(B) Not deliver it?
If you answered (B), Not deliver it, you have passed the test.
The spammers are looking for open relays and open proxies all over, every day. Right now they don't know the difference between a real open relay and a fake. This is an opportunity. Create a fake open relay, let them find it (which means you allow their test message to be delivered) and then watch to see if spam rolls in [remember the correct answer above was (B).]
[wildstar] # sh /etc/init.d/sendmail stop
sendmail -bd used to work, too. For stopping relay spam. It came in, it stayed.
It's more complex now:
http://fightrelayspam.homestead.com/files/antispam06132002.htm
If you want to mess with them it might be useful for you to know that the spammers send themselves a lot of email that is critical to their success.
That's right: to find open relays they attempt to send test messages to a bunch of IPs. The messages that come through identify the open relays. If you'd look at your own port 25 you very likely would see such attempts.
Most people reject the attempts - do you think that's always wise? Sure, you don't want to deliver their message if it tells them you are running an open relay but the fact you're even thinking about that indicates you aren't running an open relay and won't be. On your real server the smartest and best thing to do usually is to reject the test message attempts. Got a spare box and a spare IP? Let the spammers test that, trap the tests, find out the addresses to which they direct the tests. Here's one such address that died earlier today:
pzbigz10@runbox.com
It died 'cause I told Runbox about it and they killed the account. I got the address from a relay test sent to me from:
pool-141-150-141-116.mad.east.verizon.net
It's pretty certain, given the number of tests seen from that same general block, that the spammer is there - he's not abusing open proxies to send the tests (as far as I can tell.) If Verizon is acting they're going very slow. (That may be OK - there's very effective slow things they might be doing.)
You may have far more power available to you than you realize: many spammers may be working hard to tell you where they send their tests, if you would just let them.
It's theoretically possible, reporting relay tests, to get a spammer booted before he sends his first spam message.
If you do nothing else, why not look in the MTA logs for rejected relay attempts? You may see something useful even that way. If there's a bunch, that is pretty solid evidence that if you set up a system with a close-by IP address the spammers would very quickly begin testing that system as well.
(Deliver one of the tests and something quite interesting can happen. Be very, very sure you do not have an open relay before you try that.)
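One way to take that first look at the MTA logs, as an added example that is not part of the original post: a short Python script that scans sendmail-style "Relaying denied" lines, counts rejected relay attempts per source IP and per /24, and flags blocks that keep coming back. The log lines, hostnames and addresses below are constructed samples, not real log data.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in sendmail's "Relaying denied" log format.
# Hostnames and IPs are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jun 13 10:22:31 mx sendmail[4711]: h5DEMVAb004711: ruleset=check_rcpt, arg1=<a@example.net>, relay=host-17.pool.example.org [192.0.2.17], reject=550 5.7.1 <a@example.net>... Relaying denied
Jun 13 10:22:40 mx sendmail[4712]: h5DEMeAb004712: ruleset=check_rcpt, arg1=<b@example.net>, relay=host-17.pool.example.org [192.0.2.17], reject=550 5.7.1 <b@example.net>... Relaying denied
Jun 13 10:23:05 mx sendmail[4713]: h5DEN5Ab004713: ruleset=check_rcpt, arg1=<c@example.net>, relay=host-44.pool.example.org [192.0.2.44], reject=550 5.7.1 <c@example.net>... Relaying denied
Jun 13 10:25:12 mx sendmail[4720]: h5DEPCAb004720: from=<user@example.com>, size=1024, class=0, nrcpts=1, relay=mail.example.com [198.51.100.9]
Jun 13 10:26:01 mx sendmail[4721]: h5DEQ1Ab004721: ruleset=check_rcpt, arg1=<d@example.net>, relay=[198.51.100.200], reject=550 5.7.1 <d@example.net>... Relaying denied
"""

# The relay= field is "hostname [ip]" when reverse DNS resolved, "[ip]" otherwise.
RELAY_DENIED = re.compile(
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[0-9.]+)\].*Relaying denied"
)


def relay_denied_events(log_text):
    """Yield (ip, host) for every rejected relay attempt found in the log text."""
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            yield m.group("ip"), m.group("host") or ""


def summarize(log_text, threshold=2):
    """Count rejected relay attempts per source IP and per /24.

    Returns (per_ip, per_net, noisy) where noisy lists the /24 blocks with
    at least `threshold` attempts: a block that keeps testing you is the
    "bunch" of rejected attempts the post talks about.
    """
    per_ip = Counter()
    per_net = Counter()
    for ip, _host in relay_denied_events(log_text):
        per_ip[ip] += 1
        net = str(ip_network(f"{ip}/24", strict=False))
        per_net[net] += 1
    noisy = sorted(n for n, c in per_net.items() if c >= threshold)
    return dict(per_ip), dict(per_net), noisy


if __name__ == "__main__":
    ips, nets, noisy = summarize(SAMPLE_LOG)
    for net in noisy:
        print(f"{net}: {nets[net]} rejected relay attempts")
```

Point it at a real maillog (`summarize(open("/var/log/maillog").read())`) and the noisy /24 list is the set of blocks worth reporting to their ISP's abuse desk.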
"The worst spammers are akin to a DoS attack, which can be tracked down and stopped. This is basically the same thing. So why not just unplug the spammers one by one?"
/24's can run ntop - can't ISPs run the equivalent? If the total traffic for the ISP backbone is too great then the ISP can run ntop on subnets (it's easier if the ISP already knows abuse is going to a particular subnet in its space, perhaps because of an open proxy report.)
A few spammers send directly to recipients. Most use open relays, open proxies, or an open-proxy to open relay combination (with more than one open proxy possible.) If they send from ISP A and have the web pages offshore, in China (for example), how do you identify ISP A to get them terminated?
The question has an answer: run open proxy and open relay honeypots. Get enough honeypots going and some of them will be the first hop for the spammers. Their secret source is no longer secret.
Or the ISP where a lot of proxy abuse is happening can just watch for, say, lots of traffic to port 1080 all over its own space all coming from one IP somewhere else. Very likely that IP is controlled by the spammer. Even lowly managers of
So yes, network operators could do more. The evil part of this is that the network operators where the abuse is most intense have the best chance to cause hurt to the spammers - that sort of takes away the advantage to the spammer of finding a really abusable address space. "Evil" to the spammers, that is: I find it rather nice.
"With all due respect to your solution, expecting admins to set up a honeypot and monitor it aggressively isn't exactly fair. Doing that is a fair amount of ongoing work, while simply securing an open relay one is responsible for is a low-effort one-time job. It's the difference between locking your front door and organizing a neighborhood watch; the latter may be more noble, but that doesn't make the former an unreasonable request."
/dev/null (or the equivalent) - as long as the spammer doesn't really know what is happening he has to fear it the same as an aggressively monitored hp.
The neighborhood watch is a good analogy. Some can do it, some can't - I was a bit extreme in my language to make a point.
Returning to the neighborhood watch analogy, I think in a real neighborhood watch you'd have some zealots and some sluggards - some that want to go out and watch the neighborhood, some that agree it's a good idea and even do it once in a while, reluctantly. That's how people are - no solution that requires a change in human nature is likely to become popular or successful.
But with the honeypots you can "watch the neighborhood" in a way that has no real-world analog: the lazy watchers can just smart-host their incoming port 25 traffic to a system run by a neighborhood zealot. Better yet, if honeypots get numerous (and if large numbers of operators only trap relay tests, deliver nothing) then lots of things can look threatening to the spammer who is honeypot-aware, including systems that accept tests for the (lazy) operator to examine someday, with the (lazy) operator never bothering to look.
So, while I state that an aggressively monitored honeypot has power over that of a mostly ignored honeypot the latter still has value. It could send the relay tests to
At this point in time I'd stress the value of capturing spammer relay tests. The zealots can report these to the ISPs of source and destination, the slackards can ignore. The spammers don't know which is which (as long as the ISPs don't spill the beans) - both are a problem to the spammer. The best spammer defense is to leave the IP that is (or may be) a honeypot strictly alone. That is exactly what I want them to do, for the entire internet. ISPs can be honeypot operators - then instead of the internet becoming spammer-dangerous one IP at a time it can happen one ISP at a time. That could move pretty fast. When the spammers are off the existing internet they're done sending abuse-based spam - there's not going to be a second internet for them to abuse. You can think a long, long time but I don't think you'll hit on a way to test for open relay that doesn't reveal itself to be just that: a test for open relay. There is no stealth way for the spammers to test - the current "stealth" is really inattention of those who could be watching. Start watching - it is worth doing (even if you have the neighborhood zealot do the work for you.)
If you are concerned (angry, assigning blame, whatever) about spam through open relays and open proxies you might like to know how they find the systems to abuse. If you are concerned and know how they do it you could do something to make it harder for them.