Spammers Using Students as Relays 518

Zendar writes "idg has an article about how students at the 151-year-old Tufts University were paid as little as $20/month to relay spam from computers in their dorms. Interestingly enough, the students approached the spammers about this scheme and not vice-versa."
This discussion has been archived. No new comments can be posted.

  • Re:Shocking, I say. (Score:5, Informative)

    by sirinek ( 41507 ) on Tuesday February 25, 2003 @12:24PM (#5379291) Homepage Journal
    Settle down, bud.

    Colleges do a lot of experimental things because of the large variety of departments with their unique needs. I do not think they should contract out anything, contractors are expensive. Talk about a money pit!

    I personally think a university's money would be better spent with a dedicated staff that knows what a university needs and use student labor when they can. It works well. If your university IT department was run poorly, well, that could (and does) happen in any kind of environment, not just academia and won't get fixed by hiring contractors.

    siri
  • by Frater 219 ( 1455 ) on Tuesday February 25, 2003 @12:25PM (#5379311) Journal
    Interesting that they tracked the individuals down using MAC addresses for computers in their dorms...

    I've never heard of any other Uni having the foresight to record this and it seems like a valid piece of info to have to include in any registration document (as per cable modem setup)

    You don't even need to copy it down at sign-up time ... just take it out of the DHCP server logs, or the ARP tables on the building router, then look for the MAC address on a switch port in the hall switch. Provided you know your wiring -- and know what switch port goes to what dorm room -- you just narrowed your problem down to the spammer and his roommate.

    (Why yes, I did used to be a sysadmin at a college with a bandwidth hogs problem.)
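Added example, not part of the comment above: the lookup chain it describes (DHCP log, then switch port, then room), sketched in Python. The log format, addresses, switch name and wiring map are constructed for illustration; the point it adds is that the lease must be the one valid at the time of the abuse report, since an IP can move between machines.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical format, not from the thread).
DHCP_LOG = """\
2003-02-24T22:10:05 DHCPACK 10.20.3.41 00:0C:29:AA:BB:01 lease=3600
2003-02-24T23:15:40 DHCPACK 10.20.3.41 00:0c:29:aa:bb:02 lease=3600
2003-02-24T23:20:00 DHCPACK 10.20.3.57 00:0c:29:aa:bb:01 lease=3600
garbage line that should be skipped
"""
# MAC -> (switch, port), as read from the hall switch's forwarding table.
MAC_TABLE = {"00:0c:29:aa:bb:01": ("hall-sw1", 12),
             "00:0c:29:aa:bb:02": ("hall-sw1", 17)}
# (switch, port) -> room, from the building wiring records.
WIRING = {("hall-sw1", 12): "Room 204", ("hall-sw1", 17): "Room 310"}


def parse_leases(log):
    """Return (start, end, ip, mac) for every DHCPACK line; skip anything else."""
    leases = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "DHCPACK":
            continue
        start = datetime.fromisoformat(parts[0])
        seconds = int(parts[4].split("=", 1)[1])
        leases.append((start, start + timedelta(seconds=seconds),
                       parts[2], parts[3].lower()))
    return leases


def mac_for_ip_at(leases, ip, when):
    """MAC that held `ip` at `when`, or None if no lease covered that moment."""
    hits = [l for l in leases if l[2] == ip and l[0] <= when < l[1]]
    return max(hits, key=lambda l: l[0])[3] if hits else None


def locate(ip, when):
    """Resolve an IP seen at a given time to MAC, switch port and room."""
    mac = mac_for_ip_at(parse_leases(DHCP_LOG), ip, when)
    if mac is None:
        return None
    port = MAC_TABLE.get(mac)
    return {"mac": mac, "port": port, "room": WIRING.get(port)}


if __name__ == "__main__":
    print(locate("10.20.3.41", datetime(2003, 2, 24, 22, 30)))
    print(locate("10.20.3.41", datetime(2003, 2, 24, 23, 30)))
```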

  • by JackAsh ( 80274 ) on Tuesday February 25, 2003 @12:33PM (#5379387)
    Actually, I was a student at Tufts at the time they implemented the student network. At the time, ACS (Academic Computing Services) did require students to register MAC addresses, and I think I recall them assigning static IPs via DHCP or BOOTP (This was back in 95, DHCP was not very popular yet). You could let the network take care of everything for you, or you could enter it manually if you knew what you were doing...

    I really don't remember if they used managed hubs/switches, but I recall it was a fairly trivial exercise to figure out where people were in a dorm by counting the IPs assigned (they had some pattern).

    -Jack Ash
    (Miguel if anyone else from Tufts is reading)
  • by garcia ( 6573 ) on Tuesday February 25, 2003 @12:33PM (#5379391)
    At BGSU they started doing registration for the DHCP server via MAC in 1999 or 2000. When you started up after connecting your computer to the ethernet jack you would get a registration page. You would enter your student ID and your email login/passwd. Your MAC was recorded and a hostname that included your email id was given along w/a static IP. If you logged on from another port on campus it would show as a "roam" address but it still knew you were authenticated so it still knew your MAC.

    If you wanted to register another computer you would either have to use someone else's student ID + login/passwd or call up the people for help.

    A side note, they were less than familiar about doing it w/alternative OSs that did not automatically bring up the registration page. You either had to use Windows to do it or have them do it manually. I used Windows ;)
  • by Migelikor1 ( 308578 ) on Tuesday February 25, 2003 @12:37PM (#5379414) Homepage
    I'm a current student at Tufts, and I'm not that surprised that there is some abuse of the system. The University is overall pretty laid back about student computing. The only things the sysadmins monitor for is virii that may cause systemwide problems (they send a person to your room with virus software if one's detected) and excessive bandwidth usage (over a gig per day for more than 3 days in a month.)
    While it is troubling to know that some of my fellow students abused the policy, it really isn't that hard. Though it pisses me off a little that they used University bandwidth for their little endeavor, the school has plenty, due to massive infrastructure installation in the late nineties. It hadn't caused any issues for the school (nobody I know has complained about a slowdown) so it's my opinion that the fact it's a university isn't a big deal. The kids are entrepreneurs, even if it's in a business I despise, taking advantage of the resources they've paid for. The real question is whether the school will add a clause to the acceptable use policy and start to monitor for spammers. Wouldn't be surprising.

  • Re:Follow the money? (Score:1, Informative)

    by Anonymous Coward on Tuesday February 25, 2003 @12:49PM (#5379516)
    Money orders, gift certificates, free passes to a local bar, etc. There are lots of ways to complete that transaction clandestinely.
  • Re:Shocking, I say. (Score:3, Informative)

    by kiolbasa ( 122675 ) on Tuesday February 25, 2003 @12:50PM (#5379529) Homepage

    You do realize that a lot of university networks have been around longer than most ISPs? Universities are where a lot of the early internet research happened. Also, I'd say it is more cost effective to manage the network in-house for a few reasons:

    Those networks are so big they require full time support anyway. Might as well do your own hiring. It's no different than a huge corporation having its own huge IT division. Also, students studying IT are great for cheap labor to handle networking grunt work (first tier tech support, go patch this port to that, etc.). The school's IT degree program (if it has one) and a real-world network are mutually beneficial to each other.

  • by ericesposito ( 623833 ) on Tuesday February 25, 2003 @12:57PM (#5379575)
    The plural of virus is viruses, not virii. Even if it were the Latin plural, it would be viri, not virii.
  • 20 boxes? (Score:4, Informative)

    by feed_me_cereal ( 452042 ) on Tuesday February 25, 2003 @12:58PM (#5379579)
    only 20 boxes of mac & cheese? I'm a college student and I sure as hell don't buy that kind of extravagant mac & cheese. Kroger regularly puts its "kroger brand" mac & cheese on sale for 25 cents a box!
  • Re:Flashbacks (Score:3, Informative)

    by dubiousmike ( 558126 ) on Tuesday February 25, 2003 @01:50PM (#5380013) Homepage Journal
    you and EVERY SINGLE OTHER PERSON I have ever spoken to that either sold them or made it through the first day of "orientation".

    Though one could make a little money on it, it still smacked of a scam. What salesperson in their right mind would pay $500 to get started to sell anything door to door AND have to generate your OWN LEADS!!!

    utterly ridiculous.

  • by travisd ( 35242 ) <travisd@tub a s . net> on Tuesday February 25, 2003 @01:56PM (#5380060) Homepage
    Because blocking incoming connections will not stop the problem. The spammers are using custom written relays to do this - there's nothing stopping them from writing the app so that it actually "phones home" to get its workload for the day and then sends the spam.

    Blocking incoming connections is good for preventing unintentional use - like when most major MTA's came pre-configured to relay anything. That's not the case now so the use from a standpoint of preventing intentional unauthorized use by internal users it's really not an effective measure.

    A more effective method would be to prevent the workstations from actually sending any mail directly - instead forcing them thru a corporate/university managed relay that can do appropriate anti-spam measures, including throttling excessive senders. This is the tactic that many commercial ISP's are taking for the exact same reasons.
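Added example, not part of the comment above: the egress policy it describes, as a small Python model that blocks workstation SMTP going anywhere except the managed relay and throttles each host on accepted recipients per sliding window. The relay address, limits and event records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

RELAY_IP = "10.20.0.25"    # hypothetical managed relay
LIMIT, WINDOW = 100, 3600  # assumed policy: 100 recipients per host per hour

# Constructed outbound SMTP (port 25) events:
# (epoch seconds, source host, destination IP, recipient count)
EVENTS = [
    (0,    "10.20.3.41", "10.20.0.25", 3),
    (60,   "10.20.3.57", "192.0.2.10", 50),  # tries to reach an outside MX directly
    (120,  "10.20.3.41", "10.20.0.25", 90),
    (180,  "10.20.3.41", "10.20.0.25", 20),  # 3 + 90 + 20 exceeds the limit
    (3800, "10.20.3.41", "10.20.0.25", 20),  # earlier mail has aged out of the window
]


def evaluate(events, relay=RELAY_IP, limit=LIMIT, window=WINDOW):
    """Return (ts, src, verdict) per event: blocked-direct, accepted or deferred."""
    accepted = defaultdict(deque)  # src -> (ts, rcpts) accepted inside the window
    verdicts = []
    for ts, src, dst, rcpts in sorted(events):
        if dst != relay:
            # The border firewall drops port 25 from anything but the relay.
            verdicts.append((ts, src, "blocked-direct"))
            continue
        q = accepted[src]
        while q and q[0][0] <= ts - window:
            q.popleft()  # forget mail older than the window
        # Count recipients, not messages: one message can carry many RCPTs.
        if sum(n for _, n in q) + rcpts > limit:
            verdicts.append((ts, src, "deferred"))  # relay would answer 4xx
        else:
            q.append((ts, rcpts))
            verdicts.append((ts, src, "accepted"))
    return verdicts


def hosts_to_review(verdicts):
    """Hosts that tried to bypass the relay or hit the throttle."""
    return sorted({src for _, src, v in verdicts if v != "accepted"})


if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(row)
```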
  • by Anonymous Coward on Tuesday February 25, 2003 @02:18PM (#5380281)
    Wait, I could be selling my blood?

    (Actually, I think this is part of the reason the Red Cross now encourages people to "donate" blood - my father told me they used to actually pay the donors.)
  • by Erasmus Darwin ( 183180 ) on Tuesday February 25, 2003 @04:20PM (#5381333)
    "I have been getting spam addressed to [my_unix_username]@[my_machinename].cs.man.ac.uk"

    Do you have ident running? Could a website you connected to have used ident to get your username and then prepended it to the reverse lookup of your IP?

  • by kindbud ( 90044 ) on Tuesday February 25, 2003 @07:57PM (#5383213) Homepage
    did a little WHOIS digging......
    the most important part (CIDR:130.64.0.0/16) just made my firewall blacklist : )


    Did you read the article? The University's network admins have the problem under control. Students are being disciplined, PCs are taken off the network when they are found. Tufts runs a responsible and responsive abuse desk. By punishing an organization that has acted properly, you are undermining real anti-spam efforts.
  • Incomplete (Score:2, Informative)

    by Paul E. Loeb ( 547337 ) on Wednesday February 26, 2003 @01:48AM (#5384792) Homepage Journal
    Apparently John Fontana only interviewed one witness who was kept quiet until his article was published yesterday. A more complete article can be found on the Tuft's Daily Newspaper [tuftsdaily.com], here [tuftsdaily.com].
