As to who is responsible, an intelligent analysis would reveal that those who herd-like joined the "secure all open relays" crusade without even bothering to read the RFC (2505) that said that was a failed approach are more to blame - they pissed away years that could have been spent in an effective battle against spam (which would have been long gone if that had been done.) Now the herds follow SPEWS - more years of ineffectuality are being risked.
It is smaller ISPs and less technological countries that are to blame? Let me just mention a few entities that stand in stark contradiction to your claim: the United States, Worldcomm (uu.net), Broadwing, Sprint, Verio, Starnet, Rackspace. You gonna tell me that the 50 spam servers Ralsky uses in Dallas are on a smaller ISP? OK, name it - let's start telling them to act. I don't care if it's big or small - name it. I'd like to know.
Still, I agree that the case made against DNSBLs by the web page is weak - too weak to heed. I loudly oppose collateral damage but I see no evidence that it is rampant.
What? With most blocklists the blocks are aimed at verified spam sources, exclusively. SPEWS alone escalates, and it appears you assume you know how they escalate. Who, other than SPEWS, operates in a manner even remotely resembling what you claim?
If you would limit yourself to dealing with facts then you'd find factual episodes in which SPEWS escalated a listing long after the spammer was removed, escalating apparently because some non-useful, non threatening vestige of the spam operation (like a DNS entry) remained. In such a case there is no spam threat, no need to list, no need for collateral damage. Your glib explanation doesn't apply: it's a screw-up, an over-zealous action taken carelessly. SPEWS apparently started to believe the extravagant claims being made for it. It's often dangerous to start believing your own PR. Apparently it's dangerous even when you don't originate the PR.
There have been episodes of egregious collateral damage. The total of these do not begin to approach a reason to stop using DNSBLs. Even one episode is reason enough to re-examine and revise a listing policy - the enemy is spam, make sure you hit spam and spam only. Fight the enemy. Making excuses for shooting the innocent is not fighting the enemy, nor is making incorrect claims about what is done.
As one who has argued long against collateral damage in NANAE I heartily agree - don't use a DNSBL that causes collateral damage. As far as I know only SPEWS does, and most SPEWS defenders cite the blocking success of SPEWS as the reason to use it. Most of these can't seem to grasp the difference between blocking spam from spam sources and blocking legitimate email from non-spam sources but you have to figure the SPEWS people recognize the difference - that's what matters most. SPEWS could give up blocking of non-spam-source IPs and hardly make any change in their effectiveness. If it weren't for its policy of sometimes blocking non-spam-source IPs SPEWS would be an excellent DNSBL (it is, anyway) without any taint of unfair damage.
If you want to get a message to an ISP or to the customers of an ISP: send a message. Don't assume the right to screw with their legitimate email in order to get their attention. It pisses off large numbers of the ones affected and has little practical effect. It is arrogant to assume the need and the right to act in such a brutal manner. SPEWS is over a year old - see any improvement due to their actions?
Move on. It's a failed approach. Let block lists do what they do (block spam sources) and quit trying to make them into a persuasion tool. It isn't working, it isn't helping.
Just try to get the ISPs in Dallas to act with integrity, seek out the spam servers (they should leap out in any traffic analysis) and shut them down. The DNSBLs are close to useless here, it seems. Ralsky spams from Dallas using asymmetric IP routing: he spoofs the IPs of dialup systems from the servers. If anything gets nuked it's the dialup account, not the high-speed-linked system that actually sends the spam (the dialups only receive the return packets from the systems that receive the spam.)
(Maybe Ralsky spams from Dallas differently - earlier this year he surely was using the asymmetric IP approach. Ralsky did lose throwaway accounts on three different ISPs because of the actions of one honeypot operator: Michael Tokarev in Moscow. Unfortunately Michael shut the honeypot down in July:
http://www.corpit.ru/cgi-bin/h0n5yp0t )
Getting Ralsky in jail would be nice, and he deserves it. Before that it would be effective to so disrupt his spam operation that he experiences a negative cash flow. Honeypots are the way:
http://jackpot.uk.net/
Setting up the honeypots is the first step. Once enough are intercepting Ralsky spam notify the spam advertisers that huge amounts (don't tell them the actual amount) of their spam is being intercepted. Get them in billing disputes with Ralsky. If they also see sales going down (as they should) they may have a flash of intuition that tells them spam doesn't work any longer, and the interceptions are the reason.
But don't stop doing what works for you, of course - add in the honeypot for its effect on the spammers beyond your own system.
In your case it worked out. If you had simply been asked to persuade your ISP to boot the spammer would you have ignored the request? Are you actually so dense that it takes blocking your email to get you to act?
Note that I'm not trying to claim you are dense or prove it - my point is that you could have been reached in a way that led to the same result but that DID NOT block your valid email. Is there any reason why the brutal method should be the one chosen first? Uh, any good reason - surely there are thugs who enjoy using their power to abuse others.
Not to mention that there's been more than one case in NANAE where the collateral damage was suffered by someone related to an ISP that had long ago booted the spammer but had not removed all traces. No spam flowed because of the omission, the listing was long after the spammer was removed, no risk to anyone existed. Still, the IP of an innocent party was wrongly listed, wrongly blocked, much time and energy was spent discussing it in NANAE, a person and organization that could perhaps have become spam opponents were given reason to hate the guts of spam fighters. No win of any kind I can see in that.
And, of course, the brutal blocking actions haven't ended spam, other than the occasional anecdotal victory. I ran an open relay honeypot, I saw how modern bulk spammers operate. The DNSBLs are a weak tool to deal with that. Don't take my word for it: run your own open relay honeypot. You'll quickly learn a lot about how spammers operate. All the while you'll be stopping their spam, too. Open proxy honeypot? Bless you - you'll also do wonders.
(Any of you sendmail experts able to figure out my pseudonym?)
I have been a very loud protester about collateral damage in news.admin.net-abuse.email. I well understand the problem but I think you over-estimate it. SPEWS deliberately lists non-spam-source IPs - that's collateral damage, that's wrong and avoidable. Take that away and the remaining collateral damage is unfortunate but not severe.
Many have changed how they use RBLs - instead of simply rejecting they send a reply asking for confirmation the sender is a real human. If that confirmation is made the original message is delivered. That seems to be simple, straightforward, and capable of reducing collateral damage to a very low level. It even has intelligence behind it.
I advocate relay spam honeypots (and open proxy honeypots - move with the times, keep up with the spammers). The white paper doesn't even mention these. The WP has the section asking if open relays are necessary. Well, no, they probably aren't. Is there a point? For how many years has there been an effort to secure open relays? Has it succeeded? The fact is that they are there - asking if they are necessary may inform you but it doesn't change the situation in any useful way.
For all these years the spammers have been given free access to the relay level - there's a self-satisfying division into the secure systems run by the wise and the open relays run by inept administrators. That division allows the operator of a secure system to condemn the operator of an open relay with confidence - he can strut. Yippee. As a spam-fighting tool it's close to a complete bust. Well, yeah, lots of open relays have been secured. BFD - there's still enough for the spammers, and RFC 2505 said it would be this way. Yo: RTFM (in this case RTFRFC.)
You want to hurt the spammers? OK, hurt them. It's not like you have to go out of your way - accept and deliver one of their relay tests and the chances are excellent they'll send you spam that you can discard. That's still a secure system, but it has teeth instead of gums.
There's all these people falling over themselves devising elaborate filters. If you simply open up a relay enough to accept the spam but not deliver it there's no filter needed - a non-mail-server system that receives relay email receives close to pure spam - you will never get a filter as selective as that. Accept and deliver the relay tests and you have screwed the spammer. I won't even enumerate all the ways he is or can be screwed but there's a bunch.
If 5% of the Windows systems with network connections ran Jackpot then spam would be dealt a mortal blow:
http://jackpot.uk.net/
It isn't hard, and it does tremendous good. Check it out.
Didn't this start out as a spam filter conference? Glad to see the broadening of focus. Is there anyone planning to attend who advocates and understands open relay honeypots and open proxy honeypots? There should be. I'm trapping spam from Taiwan, to Taiwan, on my home system in Wisconsin right now by running Jackpot. What I trap depends on which spammer finds my "open relay" and on what he sends.
At work I got spam from all over, including from top spammers like Ralsky and Rizler. Spam for millions of recipients, stopped dead at the relay. By an obsolete Vaxstation 4000/90.
Looks like you are correct. The IP of the first-listed Google hit is in DFW, where the Free Press article says Ralsky has 50 servers.
No doubt the IP was a dialup - Ralsky uses asymmetric IP addresses from DFW. He has some high-speed link to send the packets and spoofs the IPs of dialups on those. The return packets come back to the dialups and are then routed to the sending system. You never see the IP (if there is one) from which the packets are sent.
As I recall there is trapped porn relay spam on file in Moscow, but I think Michael Tokarev thought the porn spammer wasn't Ralsky.
I'm perfectly willing to believe Ralsky sent porn spam: spammers lie.
Re:Why content filtering is not enough (on As the Spam Turns, Score: 1)
"What really needs to be done is EDUCATE isps that an open relay can get you in a whole heap of trouble."
There's a lot to discuss here. An "open relay" can be a superb anti-spam weapon, for one thing. It's dirt simple: accept relay mail, deliver test messages, don't deliver the rest. This can be an IP-nameless box. The only email it sees will be spammer email - whack the spammer when he sends it. It's 100% accurate.
Then there's the rather obvious truth: open relays exist and will continue to exist. Bitching and moaning about them doesn't help (attempts to contact and assist the operator might.) But why wait for all open relays to be secured? If you dilute the pool of apparent open relays with fake ones the spammers are screwed. That's enough. Putting the focus on the open relay operators takes the focus off those who are the real source of the problem: the spammers. Continue doing whatever you do about open relays if you want, if it does any good at all. ADD to that fake open relays (open relay honeypots.) Then you start to fight the spammers at the relay level. When enough fight the spammers at the relay level the spammers lose. Forever.
"No. Email has _never_ been completely reliable. There is nothing in the RFC [livinginternet.com]s that guarantee delivery of every email."
OK, spam blocking, as done by SPEWS (mostly) makes email less reliable. You'd be hard pressed to document your claims about unreliability of email - what guide to the internet supports you in this claim, for instance? It isn't 100% reliable. You can't mask the ill effects of intentional blocking of IPs known not to be spam sources by the lack of perfect reliability, just as you can't mask murder by saying everyone is bound to die sooner or later.
"The goal of most spam blockers is to eliminate commercial use of the Internet.
"No. Consensual commercial email usage is preferred. Unsolicited and unwanted email in volume is what we seek to eliminate."
Right on. The ARPAnet was beautiful - very few if any desire to return to that. Commercial use of the internet can be a marvelous thing but that doesn't mean that anyone should have to receive unwanted email. The "eliminate commercial use" claim is a plain and simple lie. Chances are about 99% that anyone making this claim will not admit that most spam (including the spam sent by the one making the claim) is sent using deliberately abusive techniques - exploitation of open proxies and open relays being chief among these.
Re:$5 to anyone who proves this statement wrong- (on The Economics of Spam, Score: 1)
"she doesn't pay for the open relays or open proxies that she abuses."
Yep, and you can intercept spam at the proxy level or at the relay level and thwart the spammer. (Which level depends on what the spammer does, of course - trapping spam is passive.)
I've got spam for several thousand recipients I've trapped since yesterday (and loads before that). Been doing it for about 3 years now - changed my open relay to a semi-open relay (lets it in, doesn't let it out.)
http://fightrelayspam.homestead.com/
Better yet, come to NANAE and look for information about Jackpot.
The last two trapped spams are for one of those "know anything about anybody" products and porn.
"Your honeypot success gives me an idea. What if yours and other honeypots were used to cooperate to capture the spam to seed spam filters?"
Could work, should work. But there's already a service that captures spam using spamtraps that otherwise works almost exactly as you describe: DCC. It sends out fuzzy checksums, and I'm not the one to tell you how the fuzzy checksums are computed. As I recall there's a place on the web site where you can paste in a spam message and see if it would have been identified as "bulky" (DCC detects bulkiness rather than spamishness - it needs a whitelist for mailing list sources.)
This one's web page is even better than the cached page you'll see if you Google for "corpit honeypot" and look at the cached copy of the hit. You can examine any spam it has trapped.
Start here:
http://fightrelayspam.homestead.com/
Also, Google for "corpit honeypot" and look at the cached page. Really wicked. A honeypot with a real-time log of the incoming spam on a web page. Send the URL to the abuse@ISP and watch the throwaway accounts drop like flies. Sadly, now most relay spam seems to come through open proxies so that doesn't work.
"Interesting idea, but easy to verify. Send one thousand emails, and include a verifiable email in it. Check the email a few hours later - if it's not there, then don't use the relay."
Easy and obvious. So far most spammers don't. Honeypots are in use now, and have been for some time. The evidence suggests they haven't gotten this smart.
When I first ran a honeypot I checked to see if there were duplicate addresses, thinking that they'd lazily use the same address to test. I never found a duplicate and I quit looking.
When the Windows honeypot comes out home users with Windows using DSL or Cable can run a honeypot. What would you guess the number of such users to be?
"I'm fairly sure a false relay won't work. Just like snail mail list sellers, the spammers salt their victim lists with their own valid addresses that they can check to see if the message is getting out."
MAYBE some do salt, but demonstrably some don't. As recently as 17 minutes ago one spammer sent relay spam to my (2 1/2 year old) honeypot. It isn't being delivered. If he salted the list with his own address (as you say he does) he'd have figured out the honeypot last week already.
The Moscow honeypot trapped Ralsky spam from February to July. Not only did Ralsky not salt the addresses he ended up sending spam run statistics reports back to himself THROUGH THE HONEYPOT. The entire episode was one long cause for ROFL.
I'll grant that there may be some smart spammers and smart spamware vendors. Please don't assume that this smartness prevails. It does not.
Um. Now it's trapped relay spam as recently as 9 minutes ago - I took some time to compose this, he's still busy. 88 recipients on this one. He's going alphabetically, he's in the bobxxxx's right now.
Oh, foo. Think, man - can't it only deliver the test messages? (The answer is: YES.)
And there are some spammers who actually do start sending spam if their test messages are merely accepted. I should know: my honeypot got a test message yesterday, I didn't deliver it, the spam came anyway. Still coming today. Fascinating: some single spam messages have over 1000 recipients. Tens of thousands of recipients will not see THIS spam. Sadly, hundreds of thousands will: open relays vastly outnumber open relay honeypots.
Set up your own honeypot and you may also be fascinated.
Tonight? For Linux it's easy: see
http://fightrelayspam.homestead.com/
For Windows it's in Beta, so you'll have to wait a while. (I'm not the author of the Windows version; it isn't mentioned on the web page.)
There was a Perl honeypot for Linux posted in news.admin.net-abuse.email 24 February this year, by John Collins.
Funny. While I was composing this ZoneAlarm notified me that an SMTP attempt had been made to my Windows system.
"Building a "honeypot" mail server for spammers is appealing, but could be more trouble than its worth, especially since it's more or less irreversible. I'd advice against it."
Too late: I already do it. Mine is a combined server/honeypot (the honeypot grew out of my way of voiding open relay for the server.) What is this "irreversible" bit? If you are on the network, can afford the traffic, and have a spare unix/linux box and spare IP you can run a honeypot. You may see a lot of spam, you can do some real damage. What I see now is almost exclusively spam that comes through open proxies so you now no longer have information on the spammer himself. That awaits development of the open proxy honeypot (this is a sideways invitation for you to do that.)
Spammers send relay tests all over - check your email logs, if you're a system manager. Accept and deliver just one of those and the spammer will probably conclude the IP is an open relay. If you can't guess what he'll do next you haven't been paying attention.
Do a Google search for "corpit honeypot" and look at the cached page. That was the Moscow honeypot run by Michael Tokarev. I can tell you that many spammer dialup accounts got nuked because of that web page. The count of 3.6 million spam recipients protected is low: the counter got reset a couple of months before the cached page. It's more like 10 million.
There have only been a few relay spam honeypots, and some of those (European ones, IT, NL) are very quiet about their existence and about what they see. It is quite likely that if you run a honeypot you will see something that no one else has yet reported. It is well worth doing if you wish to help end relay spam.
I've run such a honeypot for 2 1/2 years. It is a combined server/honeypot but I don't recommend doing that. As someone else said, use a dedicated server.
At one time all you needed to make sendmail be a honeypot was to run it as sendmail -bd. That's no longer true, and even if you did that there was a manual step needed now and again: what makes a honeypot powerful is to deliver the spammer relay tests.
More here: http://fightrelayspam.homestead.com/
and a new development is in the works (by someone else) that will be a giant leap forward.
You said: "If you want to feel frustrated, ignored, and almost powerless, try fighting spam."
I fight spam for many reasons, revenge being one. I don't like spam, I don't like (in particular) relay spam and relay spammers. I fell into a way to fight them and by golly YES! it does give me a feeling of power. Many others can, if they want, also feel the power. Run a relay spam honeypot. If you start trapping spam you will feel immense power. You will be stopping spam dead in its tracks, you will have evidence to show the ISP if the spam is coming from the spammer (it might come through an open proxy), you have all the things in the spam you know how to lart from the spam you get yourself. You will feel in control. You will be in control.
I have set a modest goal: end relay spam in July, 2002. 29 days left. It can be done. See:
http://fightrelayspam.homestead.com/
which I haven't even updated to reflect my goal. I say defeating relay spam is easy, if enough people partipate. Look in your mail server logs. If you see relay message rejection events set up a honeypot in the same IP block. If you get a test message force it's delivery. If you trap spam tell two sysop friends what you have done and continue to deliver test messages (only: not spam. If in doubt, don't deliver.) If spam stops change the IP. Hit back. Try to imagine any circumstance in which a random IP will get valid relay email. If you just did it's pretty far out, right? Is it worth worrying about, that you might fail to deliver a valid message if you trap realy messages on a non-mail-server? Please explain it to me if it is.
The author (John Collins) says contact him for a copy.
I did a Google Groups search for an article by Collins with "honeypot" in its subject, in case the above link fails. I guess that rather shows in the link if you look.
You are quite right. My method is highly successful but the amount of spam vastly exceeds the amount of trapped spam. There are two ways to make this proportionately more effective:
(1) Decrease the number of open relays (fertile females)
(2) Increase the number of honeypots (infertile females)
(1) has been going on for years. I'm sure it has had an effect and strongly suspect that the honeypot success I see is because of it. (2) has been going on for some time, if you include all the time in which the number of honeypots hasn't increased at all. There's a pitiful handful of honeypots, leading, as you point out, to a very negligible effect.
A honeypot is not some grand, complex thing. In essence it's an intentionally broken mail relay. Give a mail administrator a system with no real email function and he can probably come up with a broken mail relay in a few hours. For older sendmail it was very easy: run sendmail -bd (for added points figure out my pseudonym). That accepts remote email but doesn't deliver. Current sendmail is more complex and you have to make sure it doesn't deliver spam. Instructions are in my web page:
http://fightrelayspam.homestead.com/
Here's an example of a very good honeypot:
http://www.corpit.ru/cgi-bin/h0n5yp0t
Imagine what you could do with a honeypot that traps spam and logs it on a web page. Few ISPs can ignore that for long. So far none has.
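The posts above (the "accept relay mail, deliver test messages, don't deliver the rest" description, the "deliver tests only, if in doubt don't deliver" rule, and the "intentionally broken mail relay" summary just above) describe the same decision logic. The following is an added example of that logic and is not code from the page, from Jackpot or from the poster: a minimal SMTP state machine that answers 250 to every RCPT TO like an open relay would, never relays anything, and classifies each accepted message as a candidate relay test or as trapped spam. The classification rule (one recipient, small body) is an assumption, as are the host names and the constructed client transcript; actual delivery of a flagged test is left to the operator, as the posts describe.

```python
"""Open relay honeypot decision logic, constructed example.

Not code from the page, Jackpot or the poster. The "relay test" heuristic, the
local domain and the session transcript are all assumptions made for the example.
"""
import re
from dataclasses import dataclass

LOCAL_DOMAINS = {"honeypot.example"}   # assumed local domain
MAX_TEST_RECIPIENTS = 1                # assumption: a relay test has one recipient
MAX_TEST_BODY_BYTES = 2048             # assumption: relay tests are tiny

ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    verdict: str = "trap"   # default is to trap: "if in doubt, don't deliver"


def _addr(arg):
    m = ADDR_RE.search(arg)
    return m.group(1).lower() if m else None


def classify(msg):
    """'test' for a plausible relay test, 'local' for non-relay mail, else 'trap'."""
    relayed = [r for r in msg.recipients if r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS]
    if not relayed:
        return "local"
    if len(msg.recipients) <= MAX_TEST_RECIPIENTS and len(msg.body) <= MAX_TEST_BODY_BYTES:
        return "test"        # flagged for the operator; nothing is sent onward here
    return "trap"


class RelayHoneypot:
    def __init__(self):
        self.messages = []
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.in_data, self.data_lines = None, [], False, []

    def feed(self, line):
        """Process one client line; return the server reply (None inside DATA)."""
        if self.in_data:
            if line == ".":
                msg = Message(self.sender, self.rcpts, "\n".join(self.data_lines))
                msg.verdict = classify(msg)
                self.messages.append(msg)
                self._reset()
                return "250 OK queued"   # the lie that keeps the spammer sending
            # undo RFC 5321 dot-stuffing
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 honeypot.example"
        if verb == "MAIL":
            self.sender = _addr(arg) or ""
            return "250 OK"
        if verb == "RCPT":
            a = _addr(arg)
            if a is None:
                return "501 syntax error"
            self.rcpts.append(a)
            return "250 OK"   # a secured MTA would answer 550 Relaying denied here
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            self.in_data = True
            return "354 go ahead"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognized command"

    def run(self, session):
        return [r for r in (self.feed(line) for line in session) if r is not None]


def summarize(messages):
    trapped = [m for m in messages if m.verdict == "trap"]
    return {"test": sum(m.verdict == "test" for m in messages),
            "trap": len(trapped),
            "recipients_protected": sum(len(m.recipients) for m in trapped)}


# Constructed transcript: a one-recipient relay test, then an 88-recipient run.
SESSION = (
    ["EHLO bulkbox.invalid",
     "MAIL FROM:<probe@spammer.invalid>", "RCPT TO:<probe@spammer.invalid>",
     "DATA", "Subject: test", "", "relay test", ".",
     "MAIL FROM:<offer@spammer.invalid>"]
    + [f"RCPT TO:<bob{i:03d}@victim.invalid>" for i in range(88)]
    + ["DATA", "Subject: MAKE MONEY FAST", "", "x" * 100, ".", "QUIT"]
)

if __name__ == "__main__":
    hp = RelayHoneypot()
    hp.run(SESSION)
    print(summarize(hp.messages))
```

The point the posts make is visible in the two verdicts: the single-recipient probe is the only thing an operator would consider forwarding, and the bulk run behind it is accepted, counted and dropped without any content filter at all.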
I suggest you grow up.
DNSBLs function to block spam, not to punish.
Ralsky. He says, in a Detroit Free Press interview, that he has 50 spam servers in Dallas.
http://www.freep.com/money/tech/mwend22_20021122.htm
Yes, and didn't she lie (like Ralsky) and say she didn't send porn spam? You are talking about the gal in Florida who spammed from home, right?
In your case it worked out. If you had simply been asked to persuade your ISP to boot the spammer would you have ignored the request? Are you actually so dense that it takes blocking your email to get you to act?
Note that I'm not trying to claim you are dense or prove it - my point is that you could have been reached in a way that led to the same result but that DID NOT block your valid email. Is there any reason why the brutal method should be the one chosen first? Uh, any good reason - surely there are thugs who enjoy using their power to abuse others.
Not to mention that there's been more than one case in NANAE where the collateral damage was suffered by someone related to an ISP that had long ago booted the spammer but had not removed all traces. No spam flowed because of the omission, the listing was long after the spammer was removed, no risk to anyone existed. Still, the IP of an innocent party was wrongly listed, wrongly blocked, much time and energy was spent discussing it in NANAE, a person and organization that could perhaps have become spam opponents were given reason to hate the guts of spam fighters. No win of any kind I can see in that.
And, of course, the brutal blocking actions haven't ended spam, other than the occasional anecdotal victory. I ran an open relay honeypot, I saw how modern bulk spammers operate. The DNSBLs are a weak tool to deal with that. Don't take my word for it: run your own open relay honeypot. You'll quickly learn a lot about how spammers operate. All the while you'll be stopping their spam, too. Open proxy honeypot? Bless you - you'll also do wonders.
(Any of you sendmail experts able to figure out my pseudonym?)
I have been a very loud protestor about collateral damage in news.admin.net-abuse.email. I well understand the problem but I think you over-estimate it. SPEWS deliberately lists non-spam-source IPS - that's collateral damage, that's wrong and avoidable. Take that away and the remaining collateral damage is unfortunate but not severe.
Many have changed how they use RBLs - instead of simply rejecting they send a reply asking for confirmation the sender is a real human. If that confirmation is made the original message is delivered. That seems to be simple, straightforward, and capable of reducing collateral damage to a very low level. It even has intelligence behind it.
I advocate relay spam honeypots (and open proxy honeypots - move with the times, keep up with the spammers). The white paper doesn't even mention these. The WP has the section asking if open relays are necessary. Well, no, they probably aren't. Is there a point? For how many years has there been an effort to secure open relays? Has it succeeded? The fact is that they are there - asking if they are necessary may inform you but it doens't change the situation in any useful way.
For all these years the spammers have been given free access to the relay level - there's a self-satisfying division into the secure systems run by the wise and the open relays run by inept administrators. That division allows the operator of a secure system to condemn the operator of an open relay with confidence - he can strut. Yippee. As a spam-fighting tool it's close to a complete bust. Well, yeah, lots of open relays have been secured. BFD - there's still enough for the spammers, and RFC 2505 said it would be this way. Yo: RTFM (in this case RTFRFC.)
You want to hurt the spammers? OK, hurt them. It's not like you have to go out of your way - accept and deliver one of their relay tests and the chances are excellent they'll send you spam that you can discard. That's still a secure system, but it has teeth instead of gums.
There's all these people falling over themselves devising elaborate filters. If you simply open up a relay enough to accept the spam but not deliver it there's no filter needed - a non-mail-server system that receives relay email receives close to pure spam - you will never get a filter as selective as that. Accept and deliver the relay tests and you have screwed the spammer. I won't even enumerate all the ways he is or can be screwed but there's a bunch.
If 5% of the Windows systems with network connections ran Jackpot then spam would be dealt a mortal blow:
http://jackpot.uk.net/
It isn't hard, and it does tremendous good. Check it out.
Nevermind. I looked at the conference description - it's still filters. Too bad.
Didn't this start out as a spam filter conference? Glad to see the broadening of focus.
Is there anyone planning to attend who advocates and understands open relay honeypots and open proxy honeypots? There should be. I'm trapping spam from Taiwan, to Taiwan, on my home system in Wisconsin right now by running Jackpot. What I trap depends on which spammer finds my "open relay" and on what he sends.
At work I got spam from all over, including from top spammers like Ralsky and Rizler. Spam for millions of recipients, stopped dead at the relay. By an obsolete Vaxstation 4000/90.
See: http://jackpot.uk.net/
Looks like you are correct. The IP of the first-listed Google hit is in DFW, where the Free Press article says Ralsky has 50 servers.
No doubt the IP was a dialup - Ralsky uses asymmetric IP addresses from DFW. He has some high-speed link to send the packets and spoofs the IPs of dialups on those. The return packets come back to the dialups and are then routed to the sending system. You never see the IP (if there is one) from which the packets are sent.
As I recall there is trapped porn relay spam on file in Moscow, but I think Michael Tokarev thought the porn spammer wasn't Ralsky.
I'm perfectly willing to believe Ralsky sent porn spam: spammers lie.
"What really needs to be done is EDUCATE isps that an open relay can get you in a whole heap of trouble."
There's a lot to discuss here. An "open relay" can be a superb anti-spam weapon, for one thing. It's dirt simple: accept relay mail, deliver test messages, don't deliver the rest. This can be an IP-nameless box. The only email it sees will be spammer email - whack the spammer when he sends it. It's 100% accurate.
Then there's the rather obvious truth: open relays exist and will continue to exist. Bitching and moaning about them doesn't help (attempts to contact and assist the operator might.) But why wait for all open relays to be secured? If you dilute the pool of apparent open relays with fake ones the spammers are screwed. That's enough. Putting the focus on the open relay operators takes the focus off those who are the real source of the problem: the spammers. Continue doing whatever you do about open relays if you want, if it does any good at all. ADD to that fake open relays (open relay honeypots.) Then you start to fight the spammers at the relay level. When enough fight the spammers at the relay level the spammers lose. Forever.
Same for open proxies.
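The "accept relay mail, don't deliver the rest" behaviour described above, as an added example that is not part of the original post and not the Jackpot or sendmail setup it refers to. It is a minimal SMTP state machine that accepts recipients in domains it does not host, records each message and never relays it; the domain names are constructed, and the single-recipient "relay test" heuristic is my assumption, with the delivery decision left to the operator as the post advises.

```python
"""Relay-honeypot SMTP state machine, an added example (not the page's Jackpot or
sendmail setup). It accepts MAIL/RCPT/DATA for recipients in domains it does not
host, records the message and delivers nothing. Names below are constructed."""
LOCAL_DOMAINS = {"honeypot.example"}   # assumption: the only domain we really host

class Session:
    def __init__(self):
        self.mail_from, self.rcpts, self.body = "", [], []
        self.in_data, self.trapped = False, []   # trapped: accepted, never relayed

def _addr(arg):                        # 'FROM:<a@b>' / 'TO:<a@b>' -> 'a@b'
    return arg.split(":", 1)[-1].strip().strip("<>")

def is_relay(rcpt):
    """True when the recipient domain is not ours, i.e. this is relay traffic."""
    return rcpt.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS

def handle_line(s, line):
    """Process one client line; return the SMTP reply (None while inside DATA)."""
    if s.in_data:
        if line == ".":
            s.trapped.append({"from": s.mail_from, "rcpts": list(s.rcpts),
                              "relay": any(is_relay(r) for r in s.rcpts),
                              "body": "\n".join(s.body)})
            s.mail_from, s.rcpts, s.body, s.in_data = "", [], [], False
            return "250 OK: queued"        # deliberately untrue: nothing is queued
        s.body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
        return None
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return "250 honeypot.example"
    if verb == "MAIL":
        s.mail_from = _addr(arg)
        return "250 OK"
    if verb == "RCPT":
        s.rcpts.append(_addr(arg))         # any recipient accepted, like an open relay
        return "250 OK"
    if verb == "DATA":
        if not s.rcpts:
            return "503 Need RCPT first"
        s.in_data = True
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "QUIT":
        return "221 Bye"
    return "500 Command unrecognized"

def run_session(lines):
    """Feed a whole client transcript; return (replies, trapped messages)."""
    s = Session()
    replies = [r for r in (handle_line(s, l) for l in lines) if r]
    return replies, s.trapped

def review_candidates(trapped):
    """Single-recipient relay messages, the usual shape of a spammer's relay test (assumed heuristic)."""
    return [m for m in trapped if m["relay"] and len(m["rcpts"]) == 1]
```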
"Spam blocking makes email unreliable."
"No. Email has _never_ been completely reliable. There is nothing in the RFCs that guarantee delivery of every email."
OK, spam blocking, as done by SPEWS (mostly) makes email less reliable. You'd be hard pressed to document your claims about unreliability of email - what guide to the internet supports you in this claim, for instance? It isn't 100% reliable. You can't mask the ill effects of intentional blocking of IPs known not to be spam sources by the lack of perfect reliability, just as you can't mask murder by saying everyone is bound to die sooner or later.
"The goal of most spam blockers is to eliminate commercial use of the Internet."
"No. Consensual commercial email usage is preferred. Unsolicited and unwanted email in volume is what we seek to eliminate."
Right on. The ARPAnet was beautiful - very few if any desire to return to that. Commercial use of the internet can be a marvelous thing but that doesn't mean that anyone should have to receive unwanted email. The "eliminate commercial use" claim is a plain and simple lie. Chances are about 99% that anyone making this claim will not admit that most spam (including the spam sent by the one making the claim) is sent using deliberately abusive techniques - exploitation of open proxies and open relays being chief among these.
"she doesn't pay for the open relays or open proxies that she abuses."
Yep, and you can intercept spam at the proxy level or at the relay level and thwart the spammer. (Which level depends on what the spammer does, of course - trapping spam is passive.)
I've got spam for several thousand recipients I've trapped since yesterday (and loads before that). Been doing it for about 3 years now - changed my open relay to a semi-open relay (lets it in, doesn't let it out.)
http://fightrelayspam.homestead.com/
Better yet, come to NANAE and look for information about Jackpot.
The last two trapped spams are for one of those "know anything about anybody" products and porn.
Could work, should work. But there's already a service that captures spam using spamtraps that otherwise works almost exactly as you describe: DCC. It sends out fuzzy checksums, and I'm not the one to tell you how the fuzzy checksums are computed. As I recall there's a place on the web site where you can paste in a spam message and see if it would have been identified as "bulky" (DCC detects bulkiness rather than spamishness - it needs a whitelist for mailing list sources.)
See: http://www.rhyolite.com/anti-spam/dcc/
This truly is an excellent idea.
Visit http://jackpot.uk.net to download it.
You also need a JVM, obviously.
This one's web page is even better than the cached page you'll see if you Google for "corpit honeypot" and look at the cached copy of the hit. You can examine any spam it has trapped.
Start here: http://fightrelayspam.homestead.com/ Also, Google for "corpit honeypot" and look at the cached page. Really wicked. A honeypot with a real-time log of the incoming spam on a web page. Send the URL to the abuse@ISP and watch the throwaway accounts drop like flies. Sadly, now most relay spam seems to come through open proxies so that doesn't work.
"Interesting idea, but easy to verify. Send one thousand emails, and include a verifiable email in it. Check the email a few hours later - if it's not there, then don't use the relay." Easy and obvious. So far most spammers don't. Honeypots are in use now, and have been for some time. The evidence suggests they haven't gotten this smart. When I first ran a honeypot I checked to see if there were duplicate addresses, thinking that they'd lazily use the same address to test. I never found a duplicate and I quit looking. When the Windows honeypot comes out home users with Windows using DSL or Cable can run a honeypot. What would you guess the number of such users to be?
"I'm fairly sure a false relay won't work. Just like snail mail list sellers, the spammers salt their victim lists with their own valid addresses that they can check to see if the message is getting out." MAYBE some do salt, but demonstrably some don't. As recently as 17 minutes ago one spammer sent relay spam to my (2 1/2 year old) honeypot. It isn't being delivered. If he salted the list with his own address (as you say he does) he'd have figured out the honeypot last week already. The Moscow honeypot trapped Ralsky spam from February to July. Not only did Ralsky not salt the addresses, he ended up sending spam run statistics reports back to himself THROUGH THE HONEYPOT. The entire episode was one long cause for ROFL. I'll grant that there may be some smart spammers and smart spamware vendors. Please don't assume that this smartness prevails. It does not. Um. Now it's trapped relay spam as recently as 9 minutes ago - I took some time to compose this, he's still busy. 88 recipients on this one. He's going alphabetically, he's in the bobxxxx's right now.
Oh, foo. Think, man - can't it only deliver the test messages? (The answer is: YES.) And there are some spammers who actually do start sending spam if their test messages are merely accepted. I should know: my honeypot got a test message yesterday, I didn't deliver it, the spam came anyway. Still coming today. Fascinating: some single spam messages have over 1000 recipients. Tens of thousands of recipients will not see THIS spam. Sadly, hundreds of thousands will: open relays vastly outnumber open relay honeypots. Set up your own honeypot and you may also be fascinated.
Tonight? For Linux it's easy: see http://fightrelayspam.homestead.com/ For Windows it's in Beta, so you'll have to wait a while. (I'm not the author of the Windows version; it isn't mentioned on the web page.) There was a Perl honeypot for Linux posted in news.admin.net-abuse.email 24 February this year, by John Collins. Funny. While I was composing this ZoneAlarm notified me that an SMTP attempt had been made to my Windows system.
"Building a "honeypot" mail server for spammers is appealing, but could be more trouble than its worth, especially since it's more or less irreversible. I'd advise against it." Too late: I already do it. Mine is a combined server/honeypot (the honeypot grew out of my way of voiding open relay for the server.) What is this "irreversible" bit? If you are on the network, can afford the traffic, and have a spare unix/linux box and spare IP you can run a honeypot. You may see a lot of spam, you can do some real damage. What I see now is almost exclusively spam that comes through open proxies so you now no longer have information on the spammer himself. That awaits development of the open proxy honeypot (this is a sideways invitation for you to do that.) Spammers send relay tests all over - check your email logs, if you're a system manager. Accept and deliver just one of those and the spammer will probably conclude the IP is an open relay. If you can't guess what he'll do next you haven't been paying attention. Do a Google search for "corpit honeypot" and look at the cached page. That was the Moscow honeypot run by Michael Tokarev. I can tell you that many spammer dialup accounts got nuked because of that web page. The count of 3.6 million spam recipients protected is low: the counter got reset a couple of months before the cached page. It's more like 10 million. There have only been a few relay spam honeypots, and some of those (European ones, IT, NL) are very quiet about their existence and about what they see. It is quite likely that if you run a honeypot you will see something that no one else has yet reported. It is well worth doing if you wish to help end relay spam.
I've run such a honeypot for 2 1/2 years. It is a combined server/honeypot but I don't recommend doing that. As someone else said, use a dedicated server.
At one time all you needed to make sendmail be a honeypot was to run sendmail -bd. That's no longer true, and even if you did that there is a manual step needed now and again: what makes a honeypot powerful is to deliver the spammer relay tests.
More here: http://fightrelayspam.homestead.com/
and a new development is in the works (by someone else) that will be a giant leap forward.
I fight spam for many reasons, revenge being one. I don't like spam, I don't like (in particular) relay spam and relay spammers. I fell into a way to fight them and by golly YES! it does give me a feeling of power. Many others can, if they want, also feel the power. Run a relay spam honeypot. If you start trapping spam you will feel immense power. You will be stopping spam dead in its tracks, you will have evidence to show the ISP if the spam is coming from the spammer (it might come through an open proxy), you have all the things in the spam you know how to lart from the spam you get yourself. You will feel in control. You will be in control.
I have set a modest goal: end relay spam in July, 2002. 29 days left. It can be done. See:
http://fightrelayspam.homestead.com/
which I haven't even updated to reflect my goal. I say defeating relay spam is easy, if enough people participate. Look in your mail server logs. If you see relay message rejection events set up a honeypot in the same IP block. If you get a test message force its delivery. If you trap spam tell two sysop friends what you have done and continue to deliver test messages (only: not spam. If in doubt, don't deliver.) If spam stops change the IP. Hit back. Try to imagine any circumstance in which a random IP will get valid relay email. If you just did it's pretty far out, right? Is it worth worrying about, that you might fail to deliver a valid message if you trap relay messages on a non-mail-server? Please explain it to me if it is.
Good luck. Thanks.
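The first step of the procedure above, "look in your mail server logs" for relay rejection events, as an added example that is not part of the original post. The log lines are constructed; their layout follows sendmail's check_rcpt "Relaying denied" rejection format as I know it, and the threshold for what counts as a probing client is my assumption.

```python
"""Scan sendmail-style logs for relay rejections (added example, not from the
page). Repeated 'Relaying denied' rejects from one client are the signal the
post says to look for before standing up a honeypot in the same IP block.
Sample log lines are constructed; the field layout follows sendmail's
check_rcpt rejection format as the author of this example knows it."""
import re
from collections import Counter

RELAY_DENIED = re.compile(
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, relay=(?P<host>[^\s\[]*)\s*"
    r"\[(?P<ip>[^\]]+)\], reject=550 5\.7\.1 <[^>]*>\.\.\. Relaying denied")

SAMPLE_LOG = """\
Jul  2 10:11:12 mx sendmail[1234]: g62FBCn01234: ruleset=check_rcpt, arg1=<u1@victim.example>, relay=[192.0.2.5], reject=550 5.7.1 <u1@victim.example>... Relaying denied
Jul  2 10:11:13 mx sendmail[1234]: g62FBDn01235: ruleset=check_rcpt, arg1=<u2@victim.example>, relay=[192.0.2.5], reject=550 5.7.1 <u2@victim.example>... Relaying denied
Jul  2 10:11:20 mx sendmail[1240]: g62FBKn01240: from=<ok@partner.example>, size=812, class=0, nrcpts=1, relay=mail.partner.example [198.51.100.9]
Jul  2 10:12:01 mx sendmail[1250]: g62FC1n01250: ruleset=check_rcpt, arg1=<u3@victim.example>, relay=dialup-7.isp.example [203.0.113.77], reject=550 5.7.1 <u3@victim.example>... Relaying denied
"""

def relay_rejections(log_text):
    """Count 'Relaying denied' rejections per client IP; ordinary traffic is ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def probing_clients(log_text, threshold=2):
    """Client IPs with at least `threshold` rejections (assumed cut-off): relay probes worth a look."""
    return sorted(ip for ip, n in relay_rejections(log_text).items() if n >= threshold)
```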
http://groups.google.com/groups?q=insubject:honeypot+author:collins&hl=en&lr=&ie=UTF-8&as_drrb=b&as_mind=12&as_minm=5&as_miny=2002&as_maxd=2&as_maxm=7&as_maxy=2002&selm=3D1C8FD6.1080600%40xisl.com&rnum=1
The author (John Collins) says contact him for a copy.
I did a Google Groups search for an article by Collins with "honeypot" in its subject, in case the above link fails. I guess that rather shows in the link if you look.
(1) Decrease the number of open relays (fertile females)
(2) Increase the number of honeypots (infertile females)
(1) has been going on for years. I'm sure it has had an effect and strongly suspect that the honeypot success I see is because of it. (2) has been going on for some time, if you include all the time in which the number of honeypots hasn't increased at all. There's a pitiful handful of honeypots, leading, as you point out, to a very negligible effect.
A honeypot is not some grand, complex thing. In essence it's an intentionally broken mail relay. Give a mail administrator a system with no real email function and he can probably come up with a broken mail relay in a few hours. For older sendmail it was very easy: run sendmail -bd (for added points figure out my pseudonym). That accepts remote email but doesn't deliver. Current sendmail is more complex and you have to make sure it doesn't deliver spam. Instructions are in my web page:
http://fightrelayspam.homestead.com/
Here's an example of a very good honeypot:
http://www.corpit.ru/cgi-bin/h0n5yp0t
Imagine what you could do with a honeypot that traps spam and logs it on a web page. Few ISPs can ignore that for long. So far none has.