"The article repeatedly made the point that fighting spam is no fun at all."
Suresh fights spam at a huge freemail ISP and I sympathize. He has little fun.
I fight spam using a fake open relay - that's fun.
Many months ago I sent Suresh long lists of freemail dropbox addresses in a couple of domains he administers - snowboarding.com and swirve.com. These were gleaned from relay spam I trapped. Suresh could wipe out a huge number of spammer dropboxes based on the information in a single email. I suspect that had some element of fun.
Portscanning on proxy ports is now very often done by spammers, who either send the spam through the proxy to the destination or through the proxy to an open relay. I know - I run a fake open relay and see it done very often.
There are those who run fake open proxies that deceive the spammers. It's fine to call for defensive measures. Running an open proxy honeypot designed to snare spammers is a very good defensive measure.
Your premise isn't particularly true. Spammers abuse other systems to send their spam. I imagine there are at least 100,000 open relays, far more open proxies. Surely a good number of both are listed on block lists but not enough ISPs use block lists to block spam well enough to make it unprofitable.
I'm in a better position to know some of these things than many: I trap raw spam at a fake open relay. I see the wide range of open proxies used to send the spam to my "open relay," I see the recipients spread over a large number of destination ISPs.
Rather than keep pouring effort into blocking (which is pretty far along, pretty complete) I'd far rather see effort put into faking (of open relays and of open proxies.) If the spammers can't reliably find either of these then they can't reliably use either of these. Get enough fakes and the reliability is gone. Keep doing the blocking, of course, but also poison the pool of abusable systems. For instance, run Jackpot:
http://jackpot.uk.net/
Effort put into getting ISPs that don't use block lists to use them is also effort well spent. Every countermeasure against spam helps end spam.
It would make much more sense to reward people for running false open relays.
http://jackpot.uk.net/
Years have been wasted in attempts to get people (all people, everywhere) to stop running open relays. It hasn't worked. It's just as bad for the spammers if there are still open relays but the spammers can't distinguish them from fakes, and that can be achieved without universal conformance. Each fake open relay adds to the problems the spammer faces, starting with the first (mine, in fact.) I've trapped spam for something like 20,000 victims since 7:30 Sunday evening (that was the last time I wiped out excess spam - it's easy to count what's now on the system.) It's ridiculously easy to do. The spammer uses open proxies so I can't easily report him to his ISP. Here's an opportunity for forward-moving innovation: fake open proxies.
You also need to modernize your viewpoint: spam now also comes via open proxies and there has been a report of a trojan horse program somehow installed that listens on some random high port for incoming spam and then delivers it.
Of course. Not just filters but everything, even JHD (just hit delete.) Everything that reduces the incidence of a victim reading spam has the effect of inducing the spammer to send more. Even sending more spam has this effect: the enormously gullible eventually run out either of funds or of patience and quit reading spam, quit responding.
Do you have some suggestion as to how to avoid this? Practical, I mean.
Collateral damage may have had an effect about like what you say on a very few people. I see no evidence that such collateral damage is widespread. Indeed, the scarcity of such evidence suggests to me that causing collateral damage on purpose is a poor approach to stopping spam.
I agree that blocking non-spam-source IPs is wrong. I don't think that the incidence of such blocking is particularly high.
Do you have evidence your own email has been blocked as you describe or do you just assume or fear it might be blocked in that way?
"And you don't run an open relay, do you? Do you?"
I did, and it hurt spammers. I don't recommend it (because there's easier/better things to do) but you can run an open relay that's secure. That means it will accept relay email from anybody, including spammers, but only delivers the non-spam.
But forget that. If you want to play that kind of game (I rather hope you do) run a system that never receives any valid email. The only email you'd ever want that system to deliver would be the messages the spammer sends to see if it is an open relay. Delivering the test message makes him conclude it is an open relay, but he concludes wrong.
You can have great fun whacking the spammer, based on what you learn from the spam he sends and your logs, but the real goal is to have so many such systems that the spammer is in despair: he can't tell real open relays from fakes. Then what does he do?
Of course exactly the same idea works for open proxies - run a fake open proxy, fool a spammer.
If you run windows or a JVM under some other environment try out the Jackpot Mailswerver: http://jackpot.uk.net/ This enables you to deceive the spammer into thinking your Windows system is a mail relay. Heck, I trapped a relay test message just 8 minutes ago from axis.software.powerinternetcr.com [216.25.173.245]. If I had relay enabled in my Jackpot I'd probably see spam very soon.
Forgot to say: he connects to the fake relay using open proxies - he can't be traced back further than those without the cooperation of the operators of the systems with the open proxies.
If you'll read RFC 2505 (Anti-Spam Recommendations for SMTP MTAs) it will tell you that running an open relay is a bad thing but that trying to stop spam by securing all open relays isn't likely to work. This has been the experience.
So it hasn't worked, isn't likely to, you still want to do something. OK, do something: bury the true open relays in a mass of false open relays. You can't do a mass of them alone: persuade your friends. (Post on Slashdot with a plea, even.)
While doing that you can have a lot of additional anti-spam fun.
Run Jackpot: http://jackpot.uk.net/
You do like fun, don't you?
I've stopped spam to about 3000 (495+1584+990) recipients in the last hour. Think of what it would be like if thousands did the same (and note that many who run relay spam honeypots stop more than that per hour.)
I also have a good notion about where the spam originates - the relay test that I delivered to get the spam to come to me went to a particular email address in California. Where the spammer is I can't say, but he does have that California link and I suspect he is himself in California (and not in China nor in Russia, despite his false registrations giving addresses in those countries.)
Looks like more people should be using Bayesian filters - and DCC. Neither relies on some human or bunch of humans to recognize the spam, add it to a database, etc.
Which did you get: Russian wives or herbal Viagra?
Then the spammer is totally wasting his time (which is fine by me.)
One of the MIT people got press mention for his comments about this "diabolical" means of obscuring the content of the spam. Maybe he was using a traditional word-based filter. In any case the comments would fail to obscure if the filter first removed all comments.
Hey, if you want to be naughty why waste it on a putz like the open relay operator? Go after the big cheese: the spammer himself. YOU be the "open relay."
If you are the "open relay" then YOU control what happens to all the spam the spammer sends you. How much do you deliver? NONE! That's right. (If the putz gets the spam he delivers it. That's what makes him a putz.)
If the spammers were still mostly sending direct from their servers to the open relays then you could even try a too-long reply packet to see if spammy has buffer-overflow properly guarded against. Since it's more likely an open proxy that's feeding you the spam that ploy doesn't work as well. (If you don't see why this makes running a fake open proxy a very attractive option think about it again.)
The only trick to running a fake open relay is that you need to deliver the relay test messages the spammer sends to deceive him into thinking you are an open relay.
Here's one (munged in spots):
Received: from dhcp065-029-068-003.indy.rr.com by X.X.X;
    Fri, 28 Feb 03 04:45 CST
Message-Id: [IPindecimalasciimunged@164.100.80.127:8080]
Date : Fri, 28 Feb 2003 05:46:05 -1700
From: a_benson@earthlink.net
Subject: Where you been?
To: sue@pop7.goodhealthclick.net
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
I munged in the message-ID the encoded IP for the system that captured this test. I also replaced angle brackets with square brackets. The encoding is simple: "048" encodes "0," etc. You can decode the message body, but it tells you little:
192.168.1.102:NOT:495:1:
Interesting - spammy may have a firewall. Typically the sending IP is in the body, along with fields I've never figured out.
Here's another way they sometimes encode the body:
aejafhafdaegafaaejaffaegafaafbaejaegafcafiafiafa af aafcaffafiaejafiahibbb
It's the same as before, with a second step. "A" is used to replace "0," etc.
If you are scared of receiving spam then don't deliver any test messages, just trap them. Report the source IP and the recipient(s) in a short post in news.admin.net-abuse.email. If the source IP belongs to a big ISP send them a complaint and a copy of the test, explaining that relay tests are the heart of relay spam. They won't get it (apparently, judging by history) but maybe the hundredth report will be the one that opens their eyes. Or the thousandth - I'm pessimistic tonight.
"For a particularly abused open relay, that could lead to such problems that the admin of that open relay will finally get a clue and look in to configuring their server properly."
Before I ran an open relay honeypot I ran an open relay (Bad. Yes.) It didn't need anyone slowing down receipt of email to be a problem - Spammy sent enough one Saturday to make it a problem anyway. But I'd have noticed if there'd been just one foreign message (I found the spam when I did a regular check of the queue to see if the email was moving OK.)
But the real point of this post is to say I strongly agree. I so strongly agree that I suggest that blocklist users consider giving a "disk full" code when they reject from open relays rather than "550 we do not relay." This would mean, I think, that the open relay would keep trying to deliver the spam - the point is that the open relay queue might get clogged and draw attention to the problem.
I'm not sure what would happen if it was an open proxy being used. It would be interesting to find out. For an open proxy the more interesting thing to do might be to give a completely nonstandard reply, possibly confusing the spamware into paralysis. It's nice to contemplate.
Spammers have done exactly that. A year ago almost all relay spam I trapped came as two 21-recipient spam messages followed by about an hour of silence.
My current spammer is sending 99-recipient spam, and sometimes he sends as many as 10 in one session. All the spam stays on my system - he is totally wasting his time.
I've seen a lot of recent single-recipient spam, I've seen single spam messages with recipient counts in the thousands. Much relay spam reaches my relay spam honeypot from open proxies. I think there was some in January that came direct from the spammer.
This (running a relay spam honeypot) is easy for many Windows users - try it yourself: http://jackpot.uk.net/
Linux users can make Jackpot work (it's in Java) or they could jimmy sendmail (or some other MTA) to be a honeypot - do it on a second IP with no other email function. The MTA I use is so old it doesn't know EHLO. You don't need sophisticated tools to beat the spammers.
But a server of extreme virtue might relay the spammer's own test messages (and of course not relay any spam.) Do you see why that is so effective against the spammer?
There's a few spammers who send direct from their own IPs. If you want to tarpit them just tarpit the traffic from their IPs - you don't need to analyze anything.
For other spam, through open proxies or open relays, you are not hurting the spammer to tarpit. If the spammer is working through open proxies and if you got enough tarpits going then you could hurt them, but until there's enough tarpits there is still zero (0.000) percent pain to the spammer. Some open proxies are slow with one or two tarpits, the others are fast enough to keep the spammer's server fully busy. He only cares if he's running his server flat out. Delays at one or more open proxies mean little.
Right now I'm trapping spam on a relay spam honeypot. It comes to the honeypot from open proxies - there's nothing I can learn about the spammer by learning about the proxies. It comes (usually) as 99-recipient spam messages. This particular spammer uses embedded comments in his spam to evade Bayesian filters. Makes no difference to me - I see it is spam. I have no valid email to filter out - everything is spam. That's one of the beauties of a honeypot - the spammer does your filtering for you.
Somewhere over 20,000 recipients so far, since Wednesday. Here's a tiny sample, showing the URLs he advertises and the random comments he uses to defeat filters:
(I replaced angle brackets with square brackets - you'll have to imagine them restored.)
I have no filter, no smarts of any kind. The honeypot is a mail server with the output queue stopped. I got the spammer to start sending spam by delivering to him three of his relay test messages - he'd sent so many I decided to see who he was, what spam I'd get if I did deliver.
I'm trying various ways to hurt the spammer but I've not yet delivered enough hurt - he's still operating. Other spammers have succumbed more readily - this guy is better at hiding himself.
Note, by the way, that he puts no comments in the URL - if you filter on those (or remove comments before filtering - that would be easy) the spam instantly is revealed. One guy simply rejects any email message with three repeated comments in a line (this spam is laced with the comments throughout, not just in the http lines.) The spammer's clever way of obscuring the spam is useful in identifying the spam - no points for Spammy.
Windows users with a permanent connection can step into running a relay spam honeypot very easily: they can run Jackpot: http://jackpot.uk.net/
There is at least one open proxy honeypot out there: Google in news.admin.net-abuse.email for it. These can be very wicked - create your own for even more fun. Or create your own open relay honeypot - see if you can make it even more wicked.
(Oversize reply packets from an open proxy honeypot might have a very interesting effect.)
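The comment-lacing trick described in this post, and the two defensive answers to it (strip comments before the filter scores the words; reject any line carrying three or more comments), as an added example that is not the poster's own tooling. The spam text is a constructed sample in the style the post describes, not a captured message.

```python
import re

# One pattern for stripping (a comment may span lines), one for per-line counting.
COMMENT_ANYWHERE = re.compile(r"<!--.*?-->", re.DOTALL)
COMMENT_IN_LINE = re.compile(r"<!--.*?-->")

# Constructed sample: random HTML comments jammed into the middle of words so a
# word-based filter never sees "viagra", while the URL line is left untouched
# (the post notes the spammer puts no comments inside the URL).
SAMPLE_SPAM = (
    "Che<!-- k92q -->ap her<!-- zz1 -->bal Via<!-- 7ab -->gra on<!-- x -->line\n"
    "<a href=http://shop.example.invalid/>click here</a>\n"
)
SAMPLE_HAM = "Hi Sue, are we still on for Friday? Let me know.\n"


def strip_html_comments(text):
    """Remove every HTML comment so the filter scores the words the reader sees."""
    return COMMENT_ANYWHERE.sub("", text)


def word_tokens(text):
    """The crude word set a bag-of-words (Bayesian) filter would score."""
    return set(re.findall(r"[a-z]+", text.lower()))


def comments_per_line(text):
    """Number of HTML comments on each line of the message."""
    return [len(COMMENT_IN_LINE.findall(line)) for line in text.splitlines()]


def laced_with_comments(text, threshold=3):
    """The blunt rule mentioned in the post: reject a message if any single
    line carries three or more comments. Legitimate mail almost never does."""
    return any(n >= threshold for n in comments_per_line(text))


if __name__ == "__main__":
    print("raw tokens:     ", sorted(word_tokens(SAMPLE_SPAM)))
    print("stripped tokens:", sorted(word_tokens(strip_html_comments(SAMPLE_SPAM))))
    print("comments/line:  ", comments_per_line(SAMPLE_SPAM))
    print("laced:", laced_with_comments(SAMPLE_SPAM), laced_with_comments(SAMPLE_HAM))
```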
"Do you think they care? They'll just move their tasks to net providers that take no interest in security. And if that doesn't work, look for open proxies in third-world countries, etc."
Let's suppose the spammers, through diligent use of open relay and open proxy honeypots, are down to one last 3rd world country where they can find systems to abuse. Do we (a) cry at our misfortune or (b) try to persuade operators in that one last country to run honeypots?
As it stands they still look for open relays (and I'd guess open proxies) in the good old USA. Why not be an early example for the operators in that last 3rd world country and run a honeypot now, so they can see the advantage?
There's been some mighty fine honeypot success overseas. Moscow isn't 3rd world, of course, but that honeypot was a sensation. I don't even know where (what country) the 235-million-trapping honeypot is located. Some mighty old hardware has been used for honeypots - even stuff the 3rd world might easily have to spare. They can run Jackpot on Windows systems. If they're on the net in sufficient number to matter to the spammers then there's almost certainly sufficient resources that can be used to fight the spammers.
I invite you to try Jackpot. Just load it and start it, trap relay tests only. You may be surprised.
"Last time I checked, actions speak louder than words."
How do you feel about stopping spam at the relay and at the proxy? That can be done NOW, it is done NOW (on small numbers of systems), works NOW.
Individuals can do it. Even better, ISPs can do it. If telesp.br had any decent way of controlling traffic to proxy ports in their space then the spammers would have to give up trying to use all of the open proxies there. If the spammer does one-hop proxy abuse then all that proxy traffic comes from the spammer's own IP. That can be blocked, and as a bonus telesp.br could tell the spammer just exactly what he'd been doing.
If they'd look they'd find it. Then stopping it would become very easy (unless some accursed law stands in the way. But it is abuse traffic - why should it ever be required to carry that?)
Same for any other ISP plagued with abuse of its customers' open proxies.
OK, we've got DNSBLs, we've got filters, we've got DCC, we've got Razor. Why don't they stop spam?
Let's take DNSBLs. They stop much spam but they don't end the spam problem. Why not?
Possible answers:
(1) Not enough mailboxes are protected by DNSBL
(2) Too many spam-source IPs escape listing for too long
For (1) the answer would seem to be: get more mailboxes protected. Get enough protected so that the amount of spam that gets through is too little for the spammer to earn the cost of sending the spam.
For (2) the answer would seem to be: recognize spam faster, get IPs listed faster. Automated recognition might be ideal. Razor, perhaps, feeding back to a good DNSBL?
If it's filters then the problems include:
(1) Not enough mailboxes protected by filters
(2) Too much spam slips through the filters
For DCC and Razor:
(1) Not enough mailboxes are protected.
See a pattern here? I'd say there are solutions, they just aren't used widely enough. With the recent initiative at AOL to block spam there's been a big change: that's one whale of a lot of mailboxes at least partially protected by something that works. Those AOL lawsuits may do a lot as well.
I favor relay spam honeypots and open proxy honeypots - throw them into the mix, too. To some extent these would help compensate for the "not enough mailboxes" problems - the honeypots might end up trapping spam for those unprotected mailboxes anyway (trapping spam that would be DNSBL blocked only helps in that it reduces some bandwidth costs - the spam is doomed from the start if the mailbox has good DNSBL protection.) But if we had universal (which might really mean 85 - 90%) usage of a good DNSBL then spam might die just from that. No change in protocol, just a bigger effort to use what already exists.
Same for any really effective filter - get it used widely enough and the delivered spam falls below the self-sustaining level.
Why not?
You might as well sing the "secure your open relay" song. That hasn't worked and RFC 2505 tells why. The problem isn't just the clueless operators of open relays, it's also the clueful operators who have the strange notion that securing their own servers does something measurable to stop spam. You know: secure your server and then coast, bitching about all those remaining open relays and their stupid, irresponsible operators.
I'll bet 99.9% of the ones who do secure their relays are proud of that and make sure they respond to every relay attempt "550 we do not relay." That tells the spammer all he needs to know about that IP - he goes on to the next. Eventually he finds ones that don't say "we do not relay" and most of those do relay. DUH. How much easier can it be? The spammer wants to find open relays and does. He gets help from both sides.
Now if the guys with the secure relays would at least accept the spammer's test message and keep mum about not relaying (why tell the spammer anything at all useful?) then the test message would be in the queue (or someplace) and the operator could learn from it something about that particular spammer's testing strategy. Then maybe he could send a complaint someplace (or two someplaces: the ISP of the origin, if it's not through an open proxy, and the ISP of the destination, if it's not the spammer himself.)
That would be USEFUL.
If the clueful operator would actually DELIVER the spammer's test message then the spammer would very likely think the IP was an open relay and send gobs of spam. Well, gosh, what to do? If the answer isn't "don't deliver it" you get an F. If the spam comes from the spammer (not through an open proxy, which is increasingly common) you have all you need to contact the spammer's ISP and tell them that the spammer is trying to steal service from you. Very often that causes Mr. Spammer some grief.
All because you accepted that test message and delivered it instead of being all proud about how secure you were.
Don't do it on a server - do it on a system you set up just for this purpose. That grants you absolution for any number of "550 we do not" systems you care to run. You hardly have to think. If a message looks like a relay test, deliver it. If it doesn't, don't. That's the entire set of rules for delivery. If in doubt, don't deliver. Somebody else will be screwing the spammer real soon, if there's others doing this.
Recently I've trapped spam with thousands of recipients/message. Here's some log counts:
... Counts: Good = 202; Bad = 0; Ugly = 0; Dup = 0
... Counts: Good = 2295; Bad = 0; Ugly = 0; Dup = 0
... Counts: Good = 589; Bad = 0; Ugly = 0; Dup = 0
... Counts: Good = 2516; Bad = 0; Ugly = 0; Dup = 0
... Counts: Good = 281; Bad = 0; Ugly = 0; Dup = 0
... Counts: Good = 964; Bad = 0; Ugly = 0; Dup = 0
... Counts: Good = 4; Bad = 0; Ugly = 0; Dup = 0
... Counts: Good = 2596; Bad = 0; Ugly = 0; Dup = 0
It's chickenfeed trapping, but imagine the thrill of that compared to just watching nothing at all happen. Some guys hit it big. One guy, with a 120 MHz Pentium (64 Mb) trapped spam for 281 million recipients in his first year of running a fake open relay.
"spam can not be stopped. period."
I've stopped spam for years! Exclamation point! Not just spam for me, not just spam for my domain - spam for aol, msn, hotmail, and thousands of other domains. Real spam, sent by real spammers.
Run a fake open relay - you can do it, too.
That guy is a real PITA. For months all I trapped on my home honeypot was his tests and spam. He's so obnoxious that he sends spam if you merely accept his test - he doesn't rely on test delivery.
"You know this is trivial to defeat right? A simple heuristic to detect the honeypots would have no trouble dealing with this. Spammers are highly motivated at defeating stuff. Excessively slow server detection will be a standard feature of all next generation spam software. Bet on it."
I've run what may be the world's dumbest honeypot for nigh onto 3 years. I think some spammers figure it out, I think some Florida ones figured it out this week. It took them well over a month and there were clues constantly hitting them in the face that they ignored.
It is true they can figure some of these things out, it has to be true that some have. Many don't. Ralsky, with his hundreds of spam servers, sent spam to the Moscow honeypot run by Michael Tokarev all the time it was in operation. Ralsky suffered major damage as a result.
Not only is the programming trivial, it is unnecessary. Set up your honeypot on an IP that has no legitimate email function and everything that comes to it is spam. "The Mushroom Guy" somewhere in the world stopped spam to over 281 million recipients in his first year of operation with a 120 MHz Pentium, 64 Mb, running Linux and sendmail. No programming, or just a tiny bit, probably done with command files to force delivery only of spammer relay tests. These are mostly easily recognized, which you find out if you start trapping them. Duh. Exactly how many reasons are there for YOUR IP to be in the mail someone tries to send through your IP? Some do encode the IPs, either in decimal ascii in the message-id or in the body, in a MAILINFO string.
Here's a test I've altered to encode the tested IP 123.11.22.3
MAILINFO:[234/22/33/4xpqk
MAILINF2:[77/337/342
It came from 66.226.231.14, which is encoded in MAILINF2.
Windows users can use a download: http://jackpot.uk.net/
You do not care if the spammer figures you out. What you want is a combined internet presence of anti-spam-abuse systems that is so daunting for the spammers that they give up.
"Trivial to defeat" isn't that trivial, and it is an order of magnitude (at least) more trivial to set the system up. Get large numbers of honeypots in place implemented large numbers of ways, including implemented using real MTAs, and that triviality of defeat gets less and less trivial. Drag that old Unix/Linux box out of storage and set up a honeypot. Make spamming hard.
"The article repeatedly made the point that fighting spam is no fun at all."
Suresh fights spam at a huge freemail ISP and I sympathize. He has little fun.
I fight spam using a fake open relay - that's fun.
Many months ago I sent Suresh long lists of freemail dropbox addresses in a couple of domains he administers - snowboarding.com and swirve.com. These were gleaned from relay spam I trapped. Suresh could wipe out a huge number of spammer dropboxes based on the information in a single email. I suspect that had some element of fun.
Here's just a few from one of those messages:
Reply-To: sudiesteenken3594@swirve.com
Reply-To: tobiastinklenberg3264@swirve.com
Reply-To: venitaspecchio1421@swirve.com
Reply-To: alethiaturso4266@snowboarding.com
Reply-To: annemariekinloch4506@snowboarding.com
Reply-To: aureliaesqueda4489@snowboarding.com
It's been a while - that was 2/26/2002.
Should be illegal to abuse one and people should be fighting that abuse. It ain't rocket science.
http://jackpot.uk.net/
You don't know what anti-spammer fun is until you've run a fake open relay or fake open proxy.
Portscanning on proxy ports is now very often done by spammers, who either send the spam through the proxy to the destination or through the proxy to an open relay. I know - I run a fake open relay and see it done very often.
There are those who run fake open proxies that deceive the spammers. It's fine to call for defensive measures. Running an open proxy honeypot designed to snare spammers is a very good defensive measure.
Blocking is done - both kinds you describe.
Your premise isn't particularly true. Spammers abuse other systems to send their spam. I imagine there are at least 100,000 open relays, far more open proxies. Surely a good number of both are listed on block lists but not enough ISPs use block lists to block spam well enough to make it unprofitable.
I'm in a better position to know some of these things than many: I trap raw spam at a fake open relay. I see the wide range of open proxies used to send the spam to my "open relay," I see the recipients spread over a large number of destination ISPs.
Rather than keep pouring effort into blocking (which is pretty far along, pretty complete) I'd far rather see effort put into faking (of open relays and of open proxies.) If the spammers can't reliably find either of these then they can't reliably use either of these. Get enough fakes and the reliability is gone. Keep doing the blocking, of course, but also poison the pool of abusable systems. For instance, run Jackpot:
http://jackpot.uk.net/
Effort put into getting ISPs that don't use block lists to use them is also effort well spent. Every countermeasure against spam helps end spam.
It would make much more sense to reward people for running false open relays.
http://jackpot.uk.net/
Years have been wasted in attempts to get people (all people, everywhere) to stop running open relays. It hasn't worked. It's just as bad for the spammers if there are still open relays but the spammers can't distinguish them from fakes, and that can be achieved without universal conformance. Each fake open relay adds to the problems the spammer faces, starting with the first (mine, in fact.) I've trapped spam for something like 20,000 victims since 7:30 Sunday evening (that was the last time I wiped out excess spam - it's easy to count what's now on the system.) It's ridiculously easy to do. The spammer uses open proxies so I can't easily report him to his ISP. Here's an opportunity for forward-moving innovation: fake open proxies.
You also need to modernize your viewpoint: spam now also comes via open proxies and there has been a report of a trojan horse program somehow installed that listens on some random high port for incoming spam and then delivers it.
Of course. Not just filters but everything, even JHD (just hit delete.) Everything that reduces the incidence of a victim reading spam has the effect of inducing the spammer to send more. Even sending more spam has this effect: the enormously gullible eventually run out either of funds or of patience and quit reading spam, quit responding.
Do you have some suggestion as to how to avoid this? Practical, I mean.
Collateral damage may have had an effect about like what you say on a very few people. I see no evidence that such collateral damage is widespread. Indeed, the scarcity of such evidence suggests to me that causing collateral damage on purpose is a poor approach to stopping spam.
I agree that blocking non-spam-source IPs is wrong. I don't think that the incidence of such blocking is particularly high.
Do you have evidence your own email has been blocked as you describe or do you just assume or fear it might be blocked in that way?
"And you don't run an open relay, do you? Do you?"
I did, and it hurt spammers. I don't recommend it (because there's easier/better things to do) but you can run an open relay that's secure. That means it will accept relay email from anybody, including spammers, but only delivers the non-spam.
But forget that. If you want to play that kind of game (I rather hope you do) run a system that never receives any valid email. The only email you'd ever want that system to deliver would be the messages the spammer sends to see if it is an open relay. Delivering the test message makes him conclude it is an open relay, but he concludes wrong.
You can have great fun whacking the spammer, based on what you learn from the spam he sends and your logs, but the real goal is to have so many such systems that the spammer is in despair: he can't tell real open relays from fakes. Then what does he do?
Of course exactly the same idea works for open proxies - run a fake open proxy, fool a spammer.
If you run Windows or a JVM under some other environment try out the Jackpot Mailswerver: http://jackpot.uk.net/ This enables you to deceive the spammer into thinking your Windows system is a mail relay.
Heck, I trapped a relay test message just 8 minutes ago from axis.software.powerinternetcr.com [216.25.173.245]. If I had relay enabled in my Jackpot I'd probably see spam very soon.
Interesting Spamhaus record: http://spamhaus.org/SBL/sbl.lasso?query=SBL5858
Forgot to say: he connects to the fake relay using open proxies - he can't be traced back further than those without the cooperation of the operators of the systems with the open proxies.
If you'll read RFC 2505 (Anti-Spam Recommendations for SMTP MTAs) it will tell you that running an open relay is a bad thing but that trying to stop spam by securing all open relays isn't likely to work. This has been the experience.
So it hasn't worked, isn't likely to, you still want to do something. OK, do something: bury the true open relays in a mass of false open relays. You can't do a mass of them alone: persuade your friends. (Post on Slashdot with a plea, even.)
While doing that you can have a lot of additional anti-spam fun.
Run Jackpot: http://jackpot.uk.net/
You do like fun, don't you?
I've stopped spam to about 3000 (495+1584+990) recipients in the last hour. Think of what it would be like if thousands did the same (and note that many who run relay spam honeypots stop more than that per hour.)
I also have a good notion about where the spam originates - the relay test that I delivered to get the spam to come to me went to a particular email address in California. Where the spammer is I can't say, but he does have that California link and I suspect he is himself in California (and not in China nor in Russia, despite his false registrations giving addresses in those countries.)
"Spam ratings:0.999999999999999"
:-)
Offhand I'd say that seems pretty certain.
Looks like more people should be using Bayesian filters - and DCC. Neither relies on some human or bunch of humans to recognize the spam, add it to a database, etc.
Which did you get: Russian wives or herbal Viagra?
Then the spammer is totally wasting his time (which is fine by me.)
One of the MIT people got press mention for his comments about this "diabolical" means of obscuring the content of the spam. Maybe he was using a traditional word-based filter. In any case the comments would fail to obscure if the filter first removed all comments.
It's most fun to do the dirty work against the spammer. What he thinks is an open relay doesn't have to be one.
This one whacked Ralsky hard for several months - Ralsky never caught on: http://www.corpit.ru/cgi-bin/h0n5yp0t
You can do it, too:
http://jackpot.uk.net/
And please do.
Hey, if you want to be naughty why waste it on a putz like the open relay operator? Go after the big cheese: the spammer himself. YOU be the "open relay."
If you are the "open relay" then YOU control what happens to all the spam the spammer sends you. How much do you deliver? NONE! That's right. (If the putz gets the spam he delivers it. That's what makes him a putz.)
If the spammers were still mostly sending direct from their servers to the open relays then you could even try a too-long reply packet to see if spammy has buffer-overflow properly guarded against. Since it's more likely an open proxy that's feeding you the spam that ploy doesn't work as well. (If you don't see why this makes running a fake open proxy a very attractive option think about it again.)
The only trick to running a fake open relay is that you need to deliver the relay test messages the spammer sends to deceive him into thinking you are an open relay.
Here's one (munged in spots):
Received: from dhcp065-029-068-003.indy.rr.com by X.X.X;
Fri, 28 Feb 03 04:45 CST
Message-Id: [IPindecimalasciimunged@164.100.80.127:8080]
Date: Fri, 28 Feb 2003 05:46:05 -1700
From: a_benson@earthlink.net
Subject: Where you been?
To: sue@pop7.goodhealthclick.net
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
049057050046049054056046049046049048050058078079084058052057053058049058
I munged in the message-ID the encoded IP for the system that captured this test. I also replaced angle brackets with square brackets. The encoding is simple: "048" encodes "0," etc. You can decode the message body, but it tells you little:
192.168.1.102:NOT:495:1:
Interesting - spammy may have a firewall. Typically the sending IP is in the body, along with fields I've never figured out.
Here's another way they sometimes encode the body:
aejafhafdaegafaaejaffaegafaafbaejaegafcafiafiaf
It's the same as before, with a second step. "A" is used to replace "0," etc.
If you are scared of receiving spam then don't deliver any test messages, just trap them. Report the source IP and the recipient(s) in a short post in news.admin.net-abuse.email. If the source IP belongs to a big ISP send them a complaint and a copy of the test, explaining that relay tests are the heart of relay spam. They won't get it (apparently, judging by history) but maybe the hundredth report will be the one that opens their eyes. Or the thousandth - I'm pessimistic tonight.
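The two encodings described in this post, and the rule of thumb from the earlier one (how many reasons are there for YOUR IP to be in mail someone tries to send through your IP?), are small enough to automate. The following is an added example, not code from any of these posts or from Jackpot: it decodes the decimal-ASCII triplets and the a..j letter variant, then reports whether the honeypot's own address turns up anywhere in a trapped message, plainly or encoded. The honeypot address used below is a documentation-range placeholder and the sample message is constructed here; only its body is the one quoted in the post.

```python
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Second encoding variant from the post: "a" stands for "0", "b" for "1", ... "j" for "9".
LETTER_TO_DIGIT = {chr(ord("a") + i): str(i) for i in range(10)}


def encode_decimal_ascii(text):
    """Inverse of the first encoding ("0" -> "048"); used here only to build the
    constructed sample below."""
    return "".join(f"{ord(ch):03d}" for ch in text)


def decode_decimal_ascii(encoded):
    """Decode a run of three-digit decimal ASCII codes ("048" -> "0", "058" -> ":").
    Non-digits are dropped first and an incomplete trailing group is ignored, so a
    string cut off mid-code still decodes as far as it goes."""
    digits = "".join(ch for ch in encoded if ch.isdigit())
    chars = []
    for i in range(0, len(digits) - len(digits) % 3, 3):
        code = int(digits[i:i + 3])
        chars.append(chr(code) if 32 <= code < 127 else "?")  # keep output printable
    return "".join(chars)


def decode_letters(encoded):
    """Second variant: map a..j back to 0..9, then decode as decimal ASCII."""
    return decode_decimal_ascii("".join(LETTER_TO_DIGIT.get(ch, "") for ch in encoded))


def decoded_candidates(message):
    """Decode every run that could be an encoded string. Runs shorter than nine
    symbols (three characters) cannot carry an IP and are skipped."""
    for run in re.findall(r"\d{9,}", message):
        yield decode_decimal_ascii(run)
    for run in re.findall(r"[a-j]{9,}", message):
        yield decode_letters(run)


def relay_test_evidence(message, honeypot_ips):
    """Return the honeypot's own IPs that appear in the message, plainly or encoded.
    A non-empty result is the post's rule of thumb for 'this is a relay test'."""
    wanted = set(honeypot_ips)
    texts = [message, *decoded_candidates(message)]
    return {ip for text in texts for ip in IPV4_RE.findall(text) if ip in wanted}


# Constructed sample, not a message quoted in the post: the honeypot address is a
# documentation-range placeholder, encoded into the Message-Id the way the post
# describes; the body is the decimal-ASCII body quoted in the post.
HONEYPOT_IP = "203.0.113.7"
SAMPLE_TEST = (
    f"Message-Id: <{encode_decimal_ascii(HONEYPOT_IP)}@164.100.80.127:8080>\n"
    "From: a_benson@earthlink.net\n"
    "Subject: Where you been?\n"
    "\n"
    "049057050046049054056046049046049048050058078079084058052057053058049058\n"
)

if __name__ == "__main__":
    for decoded in decoded_candidates(SAMPLE_TEST):
        print("decoded:", decoded)
    print("relay test evidence:", relay_test_evidence(SAMPLE_TEST, [HONEYPOT_IP]))
```

Run against a real trap, the body decodes to the "192.168.1.102:NOT:495:1:" string the post shows, and the Message-Id yields the honeypot's address, which is the signal that this message is a test rather than a spam run. Anything that carries no such evidence stays in the queue.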
"For a particularly abused open relay, that could lead to such problems that the admin of that open relay will finally get a clue and look in to configuring their server properly."
Before I ran an open relay honeypot I ran an open relay (Bad. Yes.) It didn't need anyone slowing down receipt of email to be a problem - Spammy sent enough one Saturday to make it a problem anyway. But I'd have noticed if there'd been just one foreign message (I found the spam when I did a regular check of the queue to see if the email was moving OK.)
But the real point of this post is to say I strongly agree. I so strongly agree that I suggest that blocklist users consider giving a "disk full" code when they reject from open relays rather than "550 we do not relay." This would mean, I think, that the open relay would keep trying to deliver the spam - the point is that the open relay queue might get clogged and draw attention to the problem.
I'm not sure what would happen if it was an open proxy being used. It would be interesting to find out. For an open proxy the more interesting thing to do might be to give a completely nonstandard reply, possibly confusing the spamware into paralysis. It's nice to contemplate.
Spammers have done exactly that. A year ago almost all relay spam I trapped came as two 21-recipient spam messages followed by about an hour of silence.
My current spammer is sending 99-recipient spam, and sometimes he sends as many as 10 in one session. All the spam stays on my system - he is totally wasting his time.
I've seen a lot of recent single-recipient spam, I've seen single spam messages with recipient counts in the thousands. Much relay spam reaches my relay spam honeypot from open proxies. I think there was some in January that came direct from the spammer.
This (running a relay spam honeypot) is easy for many Windows users - try it yourself: http://jackpot.uk.net/
Linux users can make Jackpot work (it's in Java) or they could jimmy sendmail (or some other MTA) to be a honeypot - do it on a second IP with no other email function. The MTA I use is so old it doesn't know EHLO. You don't need sophisticated tools to beat the spammers.
But a server of extreme virtue might relay the spammer's own test messages (and of course not relay any spam.) Do you see why that is so effective against the spammer?
Windows users can do it:
http://jackpot.uk.net/
There's a few spammers who send direct from their own IPs. If you want to tarpit them just tarpit the traffic from their IPs - you don't need to analyze anything.
For other spam, through open proxies or open relays, you are not hurting the spammer to tarpit. If the spammer is working through open proxies and if you got enough tarpits going then you could hurt them, but until there's enough tarpits there is still zero (0.000) percent pain to the spammer. Some open proxies are slow with one or two tarpits, the others are fast enough to keep the spammer's server fully busy. He only cares if he's running his server flat out. Delays at one or more open proxies mean little.
Right now I'm trapping spam on a relay spam honeypot. It comes to the honeypot from open proxies - there's nothing I can learn about the spammer by learning about the proxies. It comes (usually) as 99-recipient spam messages. This particular spammer uses embedded comments in his spam to evade Bayesian filters. Makes no difference to me - I see it is spam. I have no valid email to filter out - everything is spam. That's one of the beauties of a honeypot - the spammer does your filtering for you.
Somewhere over 20,000 recipients so far, since Wednesday. Here's a tiny sample, showing the URLs he advertises and the random comments he uses to defeat filters:
[a href="http://www.directmailorderbrides.com/?oc=2390]"A ni[!--HVtu--]ce la[!--HVtu--]dy
[a href="http://www.flati.com/silagra/"]L[!--WPVizB--]im[!--WPVizB--]ited
(I replaced angle brackets with square brackets - you'll have to imagine them restored.)
I have no filter, no smarts of any kind. The honeypot is a mail server with the output queue stopped. I got the spammer to start sending spam by delivering to him three of his relay test messages - he'd sent so many I decided to see who he was, what spam I'd get if I did deliver.
I'm trying various ways to hurt the spammer but I've not yet delivered enough hurt - he's still operating. Other spammers have succumbed more readily - this guy is better at hiding himself.
Note, by the way, that he puts no comments in the URL - if you filter on those (or remove comments before filtering - that would be easy) the spam instantly is revealed. One guy simply rejects any email message with three repeated comments in a line (this spam is laced with the comments throughout, not just in the http lines.) The spammer's clever way of obscuring the spam is useful in identifying the spam - no points for Spammy.
Windows users with a permanent connection can step into running a relay spam honeypot very easily: they can run Jackpot: http://jackpot.uk.net/
There is at least one open proxy honeypot out there: Google in news.admin.net-abuse.email for it. These can be very wicked - create your own for even more fun. Or create your own open relay honeypot - see if you can make it even more wicked.
(Oversize reply packets from an open proxy honeypot might have a very interesting effect.)
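The two filtering observations in this post (strip the comments before scoring, and reject when one comment repeats three times on a line) are the same point made earlier about the MIT remark: the obfuscation vanishes if the filter removes comments first. Here is an added example, not code from the post or from any filter it mentions, that does both. The sample is constructed from the two fragments quoted above with angle brackets restored and the link text extended; the clean HTML it is compared against is ours too.

```python
import re
from collections import Counter

# HTML comments, including ones inserted mid-word; DOTALL in case one spans lines.
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def strip_comments(html):
    """Remove every HTML comment so 'A ni<!--HVtu-->ce la<!--HVtu-->dy' reads
    'A nice lady' again; run this before any word-based or Bayesian scoring."""
    return COMMENT_RE.sub("", html)


def max_repeated_comment_per_line(html):
    """Highest number of times one identical comment recurs on a single line."""
    best = 0
    for line in html.splitlines():
        counts = Counter(COMMENT_RE.findall(line))
        if counts:
            best = max(best, max(counts.values()))
    return best


def is_comment_laced(html, threshold=3):
    """The rule quoted in the post: reject when some comment repeats three or
    more times on one line. Legitimate HTML almost never does this."""
    return max_repeated_comment_per_line(html) >= threshold


def visible_text(html):
    """Comments stripped, tags removed, whitespace squeezed: what the reader sees,
    and what a word-based filter should be fed."""
    text = re.sub(r"<[^>]+>", " ", strip_comments(html))
    return " ".join(text.split())


# Constructed sample built from the fragments quoted in the post, with angle brackets
# restored and the link text extended by us; the clean sample is ours as well.
SAMPLE_SPAM = (
    '<a href="http://www.directmailorderbrides.com/?oc=2390">A ni<!--HVtu-->ce la<!--HVtu-->dy '
    'is wa<!--HVtu-->iting</a>\n'
    '<a href="http://www.flati.com/silagra/">L<!--WPVizB-->im<!--WPVizB-->ited of<!--WPVizB-->fer</a>\n'
)
CLEAN_HTML = "<p>Hello <!-- greeting --> world</p>\n<!-- footer -->\n"

if __name__ == "__main__":
    print(visible_text(SAMPLE_SPAM))
    print("laced:", is_comment_laced(SAMPLE_SPAM), is_comment_laced(CLEAN_HTML))
```

Feeding `visible_text()` rather than the raw HTML to a Bayesian filter means the tokens it scores are the words the recipient actually reads; the repeat count is a cheap first-pass reject that costs nothing for ordinary mail.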
"Do you think they care? They'll just move their tasks to net providers that take no interest in security. And if that doesn't work, look for open proxies in third-world countries, etc.."
Let's suppose the spammers, through diligent use of open relay and open proxy honeypots, are down to one last 3rd world country where they can find systems to abuse. Do we (a) cry at our misfortune or (b) try to persuade operators in that one last country to run honeypots?
As it stands they still look for open relays (and I'd guess open proxies) in the good old USA. Why not be an early example for the operators in that last 3rd world country and run a honeypot now, so they can see the advantage?
There's been some mighty fine honeypot success overseas. Moscow isn't 3rd world, of course, but that honeypot was a sensation. I don't even know where (what country) the 235-million-trapping honeypot is located. Some mighty old hardware has been used for honeypots - even stuff the 3rd world might easily have to spare. They can run Jackpot on Windows systems. If they're on the net in sufficient number to matter to the spammers then there's almost certainly sufficient resources that can be used to fight the spammers.
I invite you to try Jackpot. Just load it and start it, trap relay tests only. You may be surprised.
http://jackpot.uk.net/