Spammers Using Students as Relays

Zendar writes "idg has an article about how students at the 151-year-old Tufts University were paid as little as $20/month to relay spam from computers in their dorms. Interestingly enough, the students approached the spammers about this scheme and not vice-versa."

Hey, they have bandwidth...

[Anonymous Coward]

And time to waste... and fewer inhibitions (amazing how college does that!)... so it's pretty easy to understand and believe. Oh well, most schools would yank your access for the rest of your time there. Not really worth $20/mo to me.

Restricting SMTP

[wowbagger]

Unfortunately, this is the sort of thing that makes sysadmins block all outbound SMTP from anything that isn't registered as a mail server, or at a minimum redirect all such access to their mail server.

Gripe about it all you want, but had the uni been forcing all outbound SMTP traffic through their mail server, they would have seen this a great deal sooner.

As for a fitting punishment - if these students live in the dorm, they probably eat at the dorm cafeteria. Tell the cafeteria to only server them SPAM.

Shocking, I say.

[Skyshadow]

Look, in college I sold my fucking *blood* for a few dollars. Why should it be surprising that students would sell bandwidth?

IMO, colleges should get out of the general IT business all together and contract these services out. They already contract out other things, like food service, landscaping, maintainance, etc. Some departments (CS, etc) obviously may need their own networks, but otherwise it's just a hugely wasteful money pit. Hell, at my university, they spent so much money on useless IT projects that it just boggled the mind -- a lot of the trouble was that they employed fresh grads who would pick up a couple years' experience then skate, so there wasn't enough adult supervision...

Anyhow, back on track: Colleges should concentrate on education and offload these other problems to professionals.

When I was in college...

[billmaly]

$20 a month was serious money. That's one week of clean laundry and GOOD pizza on Sunday night (and not the cheap stuff). Back then, $20 a month would have bought a lot of personal ethics. Can't say as I blame them.

Re:Crappy Student Jobs

[Pxtl]

Or got jobs as telemarketers (hell, most universities even run extensive official telemarketing systems to harass alumni for donations). If you're willing to telemarket, I don't see why you wouldn't be willing to spam. Sure its less money, but its also less work.

Can we say expulsion?

[www.sorehands.com]

Let see, a kid sets up a computer to steal on the college network. If the student hacked in the the dean's computer to get porn, it would be all over the news, the kid would be arrested.

The kid should be charged the same as the person who put the distributed decryption software, that was all over the news, and expelled.

Re:Tracked using MAC address

[sirwired]

No, they probably don't keep track of the MAC's students are using, but it is relatively trivial to ask a managed hub or switch which MAC's are one which port, ergo, which room the offender occupies.

AUP?

[redneck_kiwi]

Doesn't the IT Department at any college, university etc enforce their AUP? Doh! They don't have an AUP.....

Seriously, I would imagine that surely the IT Department has an AUP that would prevent this behavior along with appropriate actions for dealing with violators?

Re:Shocking, I say.

[PlanetJIM]

Look, in college I sold my fucking *blood* for a few dollars. Why should it be surprising that students would sell bandwidth?

The difference, of course, is that you actually owned your blood in college. These students are selling something that they're permitted to use in the hopes that it will make them better and more successful students. It's a vulgar abuse of access, and don't gimme that "I pay X*10^y dollars a year to go to school here" crap. If those kids had to pay for the actual bandwidth they consume they'd be paying a fair chunk of that without all those education value-adds.

What I don't understand is why colleges don't make use policies part of housing contracts (most consider and bill bandwidth as a utility like electricity). Do something stupid or commit some vulgar abuse like this and you're out fending for yourself off-campus. Pay your own damn cable bill...

Spam is worth something

[OECD]

The interesting thing is that the spammers are now paying people to put out their spam. Now each outgoing spam costs something above the overhead costs. Sure, it's something really tiny ($20/??) but it's not zero. I wonder what the price point is that spammers are willing to pay? Would schemes that would charge spammers for their spam really be a deterent? How much would you have to charge?

Christ I hope not

[siskbc]

IMO, colleges should get out of the general IT business all together and contract these services out. They already contract out other things, like food service, landscaping, maintainance, etc

That would be wonderful. Then they could have the network equivalent of the crappy food they serve at the cafeteria. Aaargh.

Also, you mention that the problem is that they only employ recent grads. That's true - but often these kids work at a "hometown discount" while they wait for their gf to graduate or whatever. The college could never afford people as good as their own grads, generally, if they had to pay them what they were worth. If they have to outsource, the cost will skyrocket - or the service will tank. Admittedly, a few adults wouldn't hurt, but the kids usually do a pretty good job. Hell, at our school the permanant hires were paid so little only the braindead took the job. You prayed you got an ex-student to solve your problem if you had one.

Re:Students selling information

[igaborf]

That's one possibility. Another is that someone just built a spam list by Googling the domain man.ac.uk:

http://www.google.com/search?q=cb%40cs.man.ac.uk

Moral: Put your email address ANYWHERE on the 'Net and you'll get spam.

Re:Restricting SMTP

[RT Alec]

This is exactly what all ISPs ought to do, particularly for low cost, "residential" or "consumer" access accounts. I know this will be responded to with a number of "but I want to run my own SMTP server" or of course "who are you to deny me business level access at a residential price"-- sorry folks.

Running your own server requires some responsibility! If it's a MS/SQL server, you should keep it patched so we don't have Slammer (etc) bogging down the internet. If it's an Apache server, make sure you don't have an unrestricted proxy turned on. Too difficult for you? Well, perhaps you should not be running a server. Is it your job to run such a server? Do your job and secure your servers!!

There is nothing wrong with an ISP refusing to accept the responsibility of running a server for you, particularly if all you are paying for is the lower cost, residential service. If you want to run your own mail server, you ought to have only two choices:

1. Pay for a static IP (your ISP can now hold you responsible)
2. Use (or co-locate) a remote SMTP server that accepts initial mail submission over SSL (which uses a different port)

Why [insert deity here] Why?

[korny69]

What I do not understand is why don't they just block all incoming traffic to the dorms and labs? Why is it that they allow for this traffic to even make it to the PC in the first place?

Frank Grewe, manager of Internet services for the University of Minnesota in Minneapolis-St. Paul, also wasn't surprised. He says the university does not let client machines be used as servers, employs static IP addresses and tracks the amount of traffic going to and from those addresses.

Why track ... just do not allow it in the first place and it will be a whole lot easier. I just do not see a reason in allowing inbound traffic to a static IP address on a campus unless it is a server owned (no pun intended) and operated by the staff. When you allow anyone and everyone to do as they please, all hell will break lose.

I can see the point of some PCs and not others, but it should always be a special case when a PC needs access to it from the outside. This is how most corporate companies run their network. I just do not understand why in most cases all I have to do is 'host -l -t any uni-net.edu' and get a list of hosts to look at and forward my spam on from.

As for the out-sourcing of CS to someone else, I would have to disagree, because it is incidents like this that usually teach people. And when they go on to the corporate world, hopefully, they will remember that they need to lock their network down . It teaches fundamentals, and in this industry, unlike a lot of others and what a lot of corporate big-heads think, it is experience more than education that counts in the long run.

Re:The School is very liberal..this isn't surprisi

[rhizome]

The kids are entrepreneurs, even if it's in a business I despise, taking advantage of the resources they've paid for.

Are we supposed to believe that university network resources are completely supported by tuition? I would venture (though in typical Slashdot fashion I have no numbers) that there's a certain amount of taxpayer money involved. Furthermore, it's very common for end-user bandwidth agreements to include a clause prohibiting the resale of any portion of a connection.

Re:Restricting SMTP

[oyenstikker]

Result: not a single open relay problem anymore and it doesn't inconvenience any (legit) users either.

My evil college [rit.edu] blocks incoming port 25 on the entire residential network. No exceptions. I cannot run my own mail server. They do provide me with an email address, but do not offer SSL on IMAP or POP. Yeah. Lets send my password that can be used to change my registration and financial info in cleartext over the network of a college with lots of students who know enough to take advantage of it.

Re:Restricting SMTP

[kiolbasa]

They don't want to make the Internet a better place. They just want to get as much money as possible.

This is why we have a spam problem.

Re:They got bought cheap!

[FunWithHeadlines]

"Let me guess, you were the arsehole who had the porche parked in the school lot."

Bzzzt! Wrong, try again.

"Did you see the old beat up Ford Escort with a different color fender, no muffler, and a broken windshield?"

Ding! Ding! Ding! We've got a winner! That would have been me.

"The guy that owned the Escort (and I know him well) would have sold his self-respect for a tuna-freakin-fish sandwich. That guy had LESS than $20/mo for food, toiletries, and beer. You wouldn't survive a week in that guys shoes. $20/mo means another case of mac-n-cheese."

No excuse. You find other ways of making money rather than blatantly leeching off society and contributing to a problem that is despised. If you sell out for a price, regardless of circumstances, it means you sold out. Some people hold their integrity in high esteem and will find some other way to make the necessary money.
-------

Re:They got bought cheap!

[Valdrax]

Let me guess, you were the arsehole who had the porche parked in the school lot. Did you see the old beat up Ford Escort with a different color fender, no muffler, and a broken windshield? The guy that owned the Escort (and I know him well) would have sold his self-respect for a tuna-freakin-fish sandwich. That guy had LESS than $20/mo for food, toiletries, and beer. You wouldn't survive a week in that guys shoes. $20/mo means another case of mac-n-cheese.

Well, gee, that excuses everything! I see the light now! After that guy broke into my friend's apartment last year and stole all his electronics, I should've excused him too because he was jobless and living in government housing! After all, I "wouldn't have survived a week in that guy's shoes," now would I?

You know what I did in college when I needed money? I got a freaking job; that's what I did. I spent my days sitting at a desk in a computer lab checking student IDs for $5/hour. I didn't throw in with parasites to get by.

Those students did sell themselves cheap. They could've gotten a real job, but instead they decided to let the bottom-feeders of the Internet take advantage of university resources so that they could get a small token sum of money without having to do a damn thing. They whored themselves out probably because they were too damn lazy to actually try to hold down a part time job while in school. As someone who worked for my food, I have absolutely no sympathy for them. They should be kicked out of housing and maybe even expelled for abusing the university network at the expense of others.

Re:Hmm

[Patrick13]

The one guy I know making $30k a year doing spam

Yeah, but don't forget that according to the article this guy sold his Uni access for $20/month - that doesn't add up very many pizzas or beers.

My guess is that guy should have sold his connection for more like $200 - $500 per month, or based on the # of mails or something. $20/month is laughable, considering that he now most likely has been forbidden to connect to the University's network with his personal machine and may have some sort of procedural punishment on his University records.

Re:Why [insert deity here] Why?

[ftobin]

Jeez, what an awful road to go down. The very idea that you cannot be a participant in the internet, and provide your own services, is abhorrent. There should be no problem with a student having his own webserver, mail server (as long as it's not an open relay), finger server, or whatever. Solve problems with specific solutions, not these broad, sweeping, castrating ones.

The way of thinking that you suggest, that only "powers that be" may provide services, promotes consumerism, and prohibits the freedom of individuals.

Your suggestions are antithetical to the very principles that the net was built on, end-to-end.