Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Spamholes Fighting Spammers 396

mike9010 writes "A person named I)ruid has come up with an ingenious way to combat those spammers. His program, spamhole, creates a false 'open relay' that the spammer thinks he/she can send messages through. The messages then get sent nowhere, and the spammer has no idea. "spamhole is an open project. Hopefully, through user's and developer's contributions, we will amass a collection of spamhole implementations spanning all commonly used platforms, programming languages, etc. Ease of configuration and use are the primary objectives, for the easier to use by the non-techical layperson the implementations are, the more widely adopted and used spamhole will become.""
This discussion has been archived. No new comments can be posted.

Spamholes Fighting Spammers

Comments Filter:
  • How can this work? (Score:4, Insightful)

    by corebreech ( 469871 ) on Tuesday December 09, 2003 @08:12AM (#7667385) Journal
    Spammer will just send email to himself to make sure relay works. The author claims that the defense against this is to allow the spammer limited access in the beginning, but there's no way to uniquely identify the spammer, and in any case, the spammer can just continue to include himself in the mailings, so he'll know when the relay has been configured to deny him access.

    This system will only increase the number of open relays out there.

    The story of the hare and the briar patch comes to mind. Is this the idea of a spammer who is pleading with us to please not create all these open rel..., er, um, spamholes?
    • by Amiga Lover ( 708890 ) on Tuesday December 09, 2003 @08:17AM (#7667417)
      As the article says


      When an SMTP client connects to our spamhole, we note the number of times it has connected before. If this number is below a configurable threshold, we simply redirect it's connection through the spamhole to a real SMTP server and allow it an unmodified session. This provides for any potential 'test' email the spammer may attempt to send through the 'open relay' to verify successful delivery to successfuly pass through the system and be delivered. Many spammers do this to validate their open relays prior to attempting bulk mailings. The downside to this is that a few SPAM emails may actually be delivered by your spamhole. Such is the price to pay for tricking the spammer into continued use of your 'open relay'.


      So it's not quite just a dumb smtp receiver, but acts as a real one until the spam starts being sent.
      • by kinnell ( 607819 ) on Tuesday December 09, 2003 @08:33AM (#7667532)
        but acts as a real one until the spam starts being sent

        Yes, but if the spammer sends test emails alongside the spam, they won't get through, and he will know it's a spamhole. This system will likely work well until the spammers realise that it is being used, after which it will be easy for them to hack their way around it.

        • by glassesmonkey ( 684291 ) * on Tuesday December 09, 2003 @10:02AM (#7668253) Homepage Journal
          Talk about arms race.. Now spammers will maintain blacklists for spamholes!
        • by Marcus Brody ( 320463 ) on Tuesday December 09, 2003 @11:44AM (#7669305) Homepage
          This is a total Arms Race.

          The initial test email would highlight the spammers test email address. All email to this address would then be allowed through the spamhole, giving the impression to the spammer that everything is hunky dory.

          However, the spammer may use multiple test addresses, and the spamhole would not then be aware of these.

          Therefore the spamhole could check for any addresses that were used frequently/periodically, and mark these as test addresses.

          But the spammer could use a more complex set of test addresses.

          The spamhole could use a combination of Bayesian filtering with Hidden Markov Models to renumerate potential test addresses with exponentially decreasing returns, such that the k-tuple value Z1 was never equal or above the Nth degree of reductionist SPAM (SPre). This would thus allow network strategist to implement a theory-based approach to network spam usage, thus continuing ad-infintum the ARMS RACE.

          The result of this is that both spammers and anti-spammers remain in bussiness, spending exponentially increasing efforts attempting to thwart the efforts of the oposition.

          Definition of a game: "A constructed conflict with quantifiable outcomes"

          Ever get the feeling that the anti-spammers enjoy this whole malarky just as much as the spammers?

          Maybe the answer to spam is this:

          STOP wasting money and resources on using incresingly sophisticated anti-spam techniques. Re-direct this money into basic education for users, including short courses on:

          1. How to identify a spam (People are proven to be far better at pattern recognition than Bayesian models).

          2. How not to click on a spam.

          3. How to delete a spam.

          If AOL, MSN, and all other involved parties put a concerted effort towards this, then spam would soon get diminishing returns, and hence become increasingly unprofitable.
          • by FiloEleven ( 602040 ) on Tuesday December 09, 2003 @12:15PM (#7669642)
            How about redirecting money into the hiring of Hit Men to get at the root of the problem? After two or three spam queens get knocked off, I think it may dawn upon the rest that spamming isn't such a good idea anymore...
          • Taking these thoughts further, 99% of spam bussiness is based around "Trolling for Newbies".

            We have to think outside the box with the spam problem, and this fact may be a novel way to counter spam. Almost all people i know who have been "conned" by spam had been new and naive email users who had got excited becuase they had recieved email.

            We may look down on such users, but we were all naive once, its just that spam wasnt around when most of us lot started using email.

            Therefore, I suggest, all email ser
          • by Anonymous Coward on Tuesday December 09, 2003 @01:07PM (#7670273)
            It would be nice if webmail services has an option "Bounce this message", so the spammer will receive more and more bounces of actually good accounts.

            Think about...

            on yahoo mail "This message wasn't for you? Is it SPAM? _Bounce it_."
            • by Imperator ( 17614 )
              No, that's a terrible idea. I'd wager 99% of the {From,Reply-To,Return-Path} email addresses in spam are fake. I know this because my address has been used as the From: address in several spam mailings. I typically find out about it when I get a deluge of NDNs from yahoo.co.kr or something. Encouraging bounces like this would only increase the proportion of SMTP bandwidth used up in relation to spam. It's far better to just /dev/null the spam than to bounce it.
          • Maybe the answer to spam is this:

            STOP wasting money and resources on using incresingly sophisticated anti-spam techniques. Re-direct this money into basic education for users, including short courses on:

            1. How to identify a spam (People are proven to be far better at pattern recognition than Bayesian models).

            2. How not to click on a spam.

            3. How to delete a spam.

            I think you're underestimating the difference in the average computer user between the strength of will to intelligence and the strengt

      • by Anonymous Coward on Tuesday December 09, 2003 @08:34AM (#7667537)
        Sophisticated spamware sends periodically control messages to a dropbox in hotmail/yahoo/whatever and alerts user if the open proxy appears not really working.

        Open relay isn't the problem of net anymore, sophisticated spamware uses open proxies.

        Open relays are these days hard to find as most smpt software ave sane defaults these days. OTOH With idiots like analogX proxy authors [mail-archive.com] creating proxies with "default open world wide, not even dangerous ports closed" configuration, there is no sortage of open proxies.

        If you really want to blackhole/track open proxy/relay abusers, look at BuggleGum proxypot [std.com] instead. And prepare to hack it as as spamware tries to adapt the traps setup by people.
      • So, if it will allow a few "tests" to go through, i am afraid that if it were to become popular then a spammer could use many many different servers to send his spam. A few mails each.

        Distriuted spamming of some kind :)

    • by B1ackDragon ( 543470 ) on Tuesday December 09, 2003 @08:19AM (#7667436)
      They're been relying more and more on trojan'd XP machines as well, they'll probably just stick to this method because they can have more machines than they ever wanted, and they can be sure it works (for some time at least.)

      It makes me sort of sad. I'm in a unix sysadmin class, and we had a guest speaker in from a major ISP the other day, and to quote him "we've seen our email traffic quadruple over the last year, all spam" "spam is killing the internet."

      Doubt if its as bad as all that, but again, the internet would be a heck of a lot better without it.
      • by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Tuesday December 09, 2003 @09:08AM (#7667770) Homepage Journal

        Doubt if its as bad as all that...

        I don't. Spam eats up bandwidth just being delivered, even if it gets filtered at the end anyway. Then, you have the idiots that sit and open it and wait for images to load in their HTML-enabled mail clients. Despite this, from a technological standpoint, although it chews up and wastes valuable resources, it won't bring the Internet to a complete screeching halt.

        However, look at all the time and money AOL puts out trying to block incoming spam. People always talk about making spam unprofitable for the spammers and someone invariably bitches about the ideas put forth, but how long will it be until there's so much and so varied spam that it's unprofitable to allow users to use e-mail? Eventually, we may well need so many people and tools that it will chew away profits just fighting spam.

        That's why I think spammers need to be treated exactly for what they are - a parasitic infection. They just chew up resources but provide nothing in return. They must be inoculated. Make sending unsolicited e-mail a crime (our illustrous guvmint morons took a step in the totally OPPOSITE direction with their "yea, let's legitamize spamming" bill yesterday). If you're convicted of sending mass, unsolicited messages (that is, you can't prove that you were given EXPLICIT permission to send them), make it a felony and make one of the required sentences that you're not allowed to ever tough a computer again. The trick after that, of course, is to get all the spammy Asian and S. American countries to go along and punish spammers as well.

        • by Urkki ( 668283 ) on Tuesday December 09, 2003 @09:19AM (#7667865)
          • I don't. Spam eats up bandwidth just being delivered, even if it gets filtered at the end anyway. Then, you have the idiots that sit and open it and wait for images to load in their HTML-enabled mail clients. Despite this, from a technological standpoint, although it chews up and wastes valuable resources, it won't bring the Internet to a complete screeching halt.

          Don't count on it. There are worms that spread to create spam relays, and then those relays send spam. Potentially this leads to exponential growth in traffic...
        • by pipingguy ( 566974 ) on Tuesday December 09, 2003 @11:00AM (#7668826)

          Spam eats up bandwidth just being delivered, even if it gets filtered at the end anyway

          Yeah, but just think of all the extra bandwidth we'll have once UCE, viruses and scammail are finally banished by the Spamish Inquisition (nobody expects the Spamish Inquisition)!

    • by Anonymous Coward
      Spammer will just send email to himself to make sure relay works.

      Most spammers use automated tools to fire off a huge amount of messages. They wouldn't likely bother with sending a message to themselves.

      But if the spammer did decide to validate the server, it means he has to find another open relay. If there are a ton of spamholes out there, and few real open relays, then the spammer will have to waste an enormous amount of time searching for a relay he can use.

      This system will only increase the num
    • If the spammers just bounced of a number of open proxies and keep rotating around them I can see how it will just become worse.

      Rus
    • by zerocool^ ( 112121 ) on Tuesday December 09, 2003 @09:28AM (#7667927) Homepage Journal
      This system will only increase the number of open relays out there.


      Plus, for some of the more nazi-esque spam block lists, it can cause MAJOR havoc for your network. I can tell you that this will not be implemented on our network. We've delt with this already... One computer on our network had an open relay for a couple of days, and it caused *.rr.com (road runner cable, HUGE ISP on the right coast) to block ALL MAIL from our /24. It was horrible, we have hundreds of customers who could not get email from us or their clients.

      And it was pulling teeth to get us off of that block list. Send email, get response "contact your ISP", sent email explaining we were the ISP, got email "contact your ISP", sent email madly declaring that we can fix it if they'd tell us what was wrong, but with more than 100 computers in that IP range, it was kind of hard to tell who was in trouble, got email "contact your ISP"... etc.

      I'm NOT going to put anything on the network that deliberately sends spam, or even looks like an open relay. My business is too important to me.

      Thanks, but, no thanks.

      ~Will
    • Spammer will just send email to himself to make sure relay works.

      Yes, and then when all the spamhole users compare the addresses attempted to send through them, they'll have a valid email address for the spammer.
  • by bonez_net11 ( 472640 ) * <nhart00.gmail@com> on Tuesday December 09, 2003 @08:12AM (#7667387) Homepage
    This sounds like a pretty interesting project. One question though, what happens when the spammers themselves get word of this? They will just relay a message through each open relay they find to an account they can check, to see if the message went through. If the message doesn't go through then its a 'blackhole' relay and they will find another one. I just don't see something like this working. Maybe it should save all of the spam and use the messages to update spamassassin filters or something like that. Otherwise it'll be useless. Just my thoughts.
    • But what if there are millions of these spamholes? That would give em spammers a lot of trouble finding the real holes out there.

      No place to hide a diamond like in a pile of glass sherds. Finding the diamond is slow and painful work...
      • Yes, that is true. BUT, it would be quite easy to write a script that sent itself messages through a relay, then when/if the message is recieved it would start spamming and sending itself a message every 10 or 50 times or so. If messages start getting lost it would mark that relay as dead and move to the next one. After a few people write this script (there are always many) it would work like clockwork and nobody would really even notice it happening. Remember, there is always a work-around.
        • then when/if the message is recieved it would start spamming and sending itself a message every 10 or 50 times or so


          And then, as an added bonus, spamhole could be written to watch for these email addresses. Now we've got a real email address for these bastards...

          • Yeah. The address will be ajksajkshs@yahoo.com, now what?

            Even if the spamware doesn't detect this now, it will by tomorrow. As a mail admin, I current use 2 RBL blocklists, + hardcoded addresses for serious offenders telesp.net.br and shawcable.net + Bayesian filter. I still get spam in my inboxes.

            Spammers aren't stupid, just evil.

          • You don't really need the email addresses, because as another poster pointed out, many of them are forged. What you need are the IP addresses, and traceroutes to find one or two routers upstream to them, because that tells you what ISP the spammer is actually using, so the ISP can either whack their account (if they're a spammer) or get them to clean up their machine (if it's a hijacked zombie.) Sometimes that means the complaints go to the spammer themselves (so your spamhole gets outed), but if you're a
    • by cgranade ( 702534 ) <cgranade&gmail,com> on Tuesday December 09, 2003 @08:21AM (#7667454) Homepage Journal
      Stopping spam is never the point of any prudent anti-spam action. Instead, anti-spam actions work by reducing the value of spam to spammers. This can be done by reducing click-through, reducing traffic and filtering that traffic which is out there. Always, spam will get through. The only way to combat spam is to reduce the profit margin and increase the time expense so much that it is worthless, and simply bad business to spam.
      • by RobertB-DC ( 622190 ) * on Tuesday December 09, 2003 @09:09AM (#7667775) Homepage Journal
        reducing the value of spam to spammers. This can be done by reducing click-through, reducing traffic and filtering that traffic which is out there.

        That points to an interesting idea. What if you left your relay open, but modified the messages slightly? Munge the URLs, kill the scripts and web-bug images, change all the phone numbers to 800-876-7060 [fraud.org]. You could even try to de-l33t the subject lines (turn V*1*A*3*R*A back into "viagra"), if possible.

        Of course, you'd be violating any number of standards, plus you'd still get blackholed. So take it a step further... create a trojan that looks for open relays and turns them into spam-breaking open relays. Maybe you could then get someone to turn you in to Microsoft and split the reward.
      • Spam isn't the problem. Fraud is the problem. Legitimate companies don't send spam (or if they do, they usually learn their lesson). What's left is the criminals peddling worthless herbal cures, penis enlarging regimens and committing outright con games like the Nigerian spam. So lets spend a bit more money in the short term on law enforcement. Let's follow the money and put these scumbags in jail. Once the two bit operators understand the seriousness of their offenses, I think the volume will fall off dram
    • by Frisky070802 ( 591229 ) * on Tuesday December 09, 2003 @08:29AM (#7667506) Journal
      One question though, what happens when the spammers themselves get word of this?

      Oh, you mean like when they read about it on Slashdot?

    • They will just relay a message through each open relay they find to an account they can check, to see if the message went through

      RTFA

      From spamhole.net:
      When an SMTP client connects to our spamhole, we note the number of times it has connected before. If this number is below a configurable threshold, we simply redirect it's connection through the spamhole to a real SMTP server and allow it an unmodified session. This provides for any potential 'test' email the spammer may attempt to send through the 'open
  • by Glock27 ( 446276 ) on Tuesday December 09, 2003 @08:13AM (#7667391)
    Now I've got some new invective:

    Stick it in your spamhole, pal!

    Perfect...

  • Sounds good (Score:3, Insightful)

    by johnburton ( 21870 ) <johnb@jbmail.com> on Tuesday December 09, 2003 @08:14AM (#7667397) Homepage
    It's not a cure but it's another small tool which might help a little.
  • Spamming method (Score:5, Insightful)

    by rf0 ( 159958 ) * <rghf@fsck.me.uk> on Tuesday December 09, 2003 @08:14AM (#7667399) Homepage
    This is not a bad idea though it could be abused. However what the author doesn't seem to realise that open relays may only account for 25% of spam. The rest comes via open proxys which mask the connection and mean that the mail server is receiving an SMTP session from a valid IP address. It might help a bit but at the end of the day the only good solution to fix spammers is hit them where it hurts in the pockets.

    Of course that is easier said than done

    Rus
  • by SuperDuck ( 16035 ) on Tuesday December 09, 2003 @08:15AM (#7667404)
    Just watch the RBL's and ISP's shut down your IP block for having an open relay...

    How are they supposed to know the difference between a spamhole and a real open relay?
    • Just watch the RBL's and ISP's shut down your IP block for having an open relay...


      How are they supposed to know the difference between a spamhole and a real open relay?


      Don't they test that the relayed mail is actually delivered? ORDB does:

      http://www.ordb.org/faq/#mail_accepted [ordb.org]

      Any tester that doesn't isn't very intelligent...

      • by dorward ( 129628 ) on Tuesday December 09, 2003 @08:31AM (#7667513) Homepage Journal

        Don't they test that the relayed mail is actually delivered? ORDB does:

        http://www.ordb.org/faq/#mail_accepted

        Any tester that doesn't isn't very intelligent...

        ... but as this system lets the first few mails though from a source before blocking them, the tester will be able to send the test message through it - and welcome to RBH.
      • The RBL's might, but having worked for some ISP's (*koff*@home*koff*), I know that they only scan for the open port on 25, they don't actually bother to check the SMTP functionality of the relay.

      • His program delivers the first relay attempt to fool the spammer. That means that an open relay test might identify your machine as a spam source.

        That may not be a big deal since you wouldn't run this on your actual email server anyway. Most blackholes only list specific IP's and not entire blocks (at least the reliable blackholes don't list entire blocks) just because one IP in the range runs an open relay.
  • by Rogerborg ( 306625 ) on Tuesday December 09, 2003 @08:16AM (#7667408) Homepage
    + Five minutes to implement.
    + It will fool spammers for five minutes.
    + Your ISP will disconnect you after five minutes.

    Let's chalk this one up as yet another "nice try, shame about the lack of planning".
  • by Anonymous Coward on Tuesday December 09, 2003 @08:17AM (#7667415)
    I ran a very similar program to see what I would catch.. I caught my ISP, or rather they caught me - they thought I was running a deliberate open relay and sent an email warning me to shut it down. I was pretty surprised they were on to it so quickly (less than 24 hours).
    • by dcavanaugh ( 248349 ) on Tuesday December 09, 2003 @08:39AM (#7667571) Homepage
      Run an open relay, the ISP detects it, launches nastygrams and prepares to blast your ass to Mars. Complain to the average ISP about the average spammer, and the spammer is still spamming through the same ISP 6 months later. Hmmmm.
      • by Sycraft-fu ( 314770 ) on Tuesday December 09, 2003 @08:57AM (#7667678)
        Some ISPs are very vigilant. They have a take-no-shit attitude towards SPAM and/or hacking. They'll actively watch for it, shut people down, respond to abuse complaints, etc. Some just don't give a fuck, and won't stop it unless it interferes with their network or someone comes after them with a big enough stick.

        So just because you've dealt with an ISP that is in the "don't give a shit" category, doesn't mean there aren't other ones that will be very responsive.
  • by dummkopf ( 538393 ) on Tuesday December 09, 2003 @08:17AM (#7667418) Homepage
    i think it will not work for two reasons:

    a) as mentioned before, it is easy to probe the hole to make sure it really works.

    b) i seriuosly doubt that the security team of any university and / or company would enable such a hole because then they might get blacklisted and no more email for them...
  • Nahh, spamd. (Score:5, Informative)

    by grub ( 11606 ) <slashdot@grub.net> on Tuesday December 09, 2003 @08:17AM (#7667420) Homepage Journal

    OpenBSD's spamd [openbsd.org] actually tarpits the spammer down, then after a looooong held connection sends a 450 (by default) to the spammer to have the spammer-machine retry. I have it running with various autoupdated blackhole lists and very little spam sees my server anymore.
    • Re:Nahh, spamd. (Score:5, Insightful)

      by arkanes ( 521690 ) <arkanes.gmail@com> on Tuesday December 09, 2003 @08:53AM (#7667651) Homepage
      I have to say, if I were a professional spammer I'd be using custom SMTP clients that didn't bother with stuff like "standards" and waiting on long timeouts and resending after a 450. All that matters is getting as much mail out as fast as possible, so just skipping hosts that aren't keeping up at a reasonable level would probably be the best option.
      • Maybe you spend some time detecting timeouts and avoiding hosts that don't respond quickly, but you can't overdo that or everybody will add that to their SMTP servers to discourage spammers. But even adding a second of delay at the end of a message is enough to crank your bandwidth drain down a lot and slow down the spammer's average load. And if the spammer is getting a 10:1 multiplier by feeding your relay 10 recipients per message, they won't be surprised if you're only accepting incoming spam at 10-12
  • HoneyPots (Score:4, Interesting)

    by tomstdenis ( 446163 ) <tomstdenis.gmail@com> on Tuesday December 09, 2003 @08:18AM (#7667422) Homepage
    This is basically a honeypot. Various other forms of this exist [like TCP keepalives for as long as possible]. The basic idea is you want to make sure the user thinks its working while wasting their time.

    The trick is much like the polution on P2P. People often complain that the stuff they download off P2P is either renamed [e.g. no the thing they were looking for] or of very low quality. This dissuades people from using P2P.

    Likewise if lots of people setup fake SMTP servers that don't do anything it will polute the "scene". Possibly make it less attractive for spammers.

    Of course what would be nicer is just to snipe the spammers and auction off their property for Quiznos money ;-) [this last comment is aimed at the jerk who is sending the same spam twice to me about all sorts of increased sex crap. It's bad enough you send it once but twice in under 5 mins? In the ban list you go!]
  • Not going to work (Score:5, Interesting)

    by heironymouscoward ( 683461 ) <heironymouscowar ... m ['oo.' in gap]> on Tuesday December 09, 2003 @08:18AM (#7667424) Journal
    Spam is moving off open relays and onto pirated home computers. Spammers and virus writers together have already designed a distributed architecture in which they can send emails from hundreds of thousands, possibly millions of 'owned' personal computers.

    The solution is to accept that email will become 99.9(n) junk, and that the challenge then becomes to extract the signal, not filter the noise.

    One solution I foresee is "data clearing houses" which store-and-forward email, using a reputation management system to rank and score email (and other data, for the problem is general).

    • Isn't this the sort of thing outblaze.com does and has some very good filtering

      Rus
    • Spammers and virus writers together have already designed a distributed architecture in which they can send emails from hundreds of thousands, possibly millions of 'owned' personal computers.

      I won't beleive it until I see the RFC.
    • Re:Not going to work (Score:3, Interesting)

      by Urkki ( 668283 )
      Just go on blacklisting every ISP who can't stop spam originating from their customers. Soon you'll see that ISPs will find ways, such as allowing at most X mails from single user per day, blocking SMTP traffic going elsewhere than their own mail server etc.

      Then have a system where an ISP can automatically get themselves removed from the blacklist after 1 day, when they think they've solved the problem. Next time make it 2 days, if they get to the list again, then 3 days etc, perhaps maxing out at about
  • by Erik Hensema ( 12898 ) on Tuesday December 09, 2003 @08:19AM (#7667434) Homepage

    It won't work.

    On a small scale it has no impact.

    On a large scale the spammer will just send a few 'test' messages through your system and move on to the next. With a million spamholes, a spammer can send a million mails at the least. Great.

    Also, you'll get yourself blocklisted by every major DNSBL very soon. They scan for open relays too...

  • by Chip Salzenberg ( 1124 ) on Tuesday December 09, 2003 @08:19AM (#7667435) Homepage
    This is nothing new. For example, see Bubblegum Proxypot [std.com].

    Slashdot, on the cutting edge of last year.

  • by CaptainTux ( 658655 ) <papillion@gmail.com> on Tuesday December 09, 2003 @08:19AM (#7667437) Homepage Journal
    I can see this being a great "live" email harvesting tool for some spammers. Setup a spamhole and just sit back and collect the addresses that other spammers try to send to. A good majority of the addresses will be good and you don't even have to waste time harvesting. This could be a windfall for technically savvy spammers with a little time to waste. Good God. Here we go again...
  • Hmm.... (Score:4, Interesting)

    by Alphix ( 33559 ) on Tuesday December 09, 2003 @08:20AM (#7667439) Homepage
    ...has anyone been the target of a spammers affection?

    I guess that as soon as they decide that your mail server is open to relaying they will pump their mails as quickly as possible trough to the server...

    Wouldn't the bandwidth consumed while pumping all those pr0n mails trough to your server slow your xDSL (or whichever connection you have) to a grinding halt and thus make the project more suited towards those with a fat connection and something to prove?
    • Re:Hmm.... (Score:5, Informative)

      by Goldenhawk ( 242867 ) on Tuesday December 09, 2003 @10:01AM (#7668238) Homepage
      Just last weekend... this mea culpa might save someone in /. land some pain.

      Had a form.pl script handling all form submissions on our web site. The form submitted its info via sendmail, as well as logging to text files. While the address checking was pretty robust, someone figured out how to overload the contents in a manner that fooled the sendmail into thinking that the contents contained BCC: data.

      Fortunately I caught it within about five minutes, thanks to the fact that all submissions are CC:'d to a real address, thus starting a flood of mail. I saw the classic pattern: a test message, a couple revisions, a final draft test message, then the flood of "real" messages. Since I saw it start, I was able to shut down the script (I just killed the Execute permissions).

      After the initial test messages, I saw submissions from dozens of different IPs - I assume zombied PCs. It seems that the zombies were programmed to relay form POST submissions, instead of trying to relay mail directly. Smart, since that puts the mail load on a fast server, not a slow dialup PC.

      But the really interesting thing was, even after shutting down the script, the flood of submissions continued. I tweaked the form.pl to bounce the requests to another page but the bounce was never followed - indicating to me that the program didn't bother to check the server response to the submission, even for a 404 or 302 response! This continued for around 14 hours, at a rate of about 20-40 hits per minute. Based on the first messages that got through, several hundred addresses were included in each BCC: field.

      Suddenly at about T+14 hours, it simply stopped - cold. For the next several hours a few sporadic hits popped up. Haven't seen any since about T+18 hours.

      Apparently the spammer assumed his script would succeed once it was successfully started (it WOULD have unless I'd been at the PC). He obviously ran through his entire mailing list "blind". I'm happy to say 13.8 of those 14 hours were wasted, preventing about 7 million spams (14 hrs, 40/minute, 200 addresses each).

      As lessons learned, although I'm sure this is old news to most of the /. folks, I'd like to pass along some tips based on my experience.
      1) The spammer used our web site's form to build his attack, but then took it to another machine. All subsequent submissions were using a POST method but not from our site's page. No surprise there, but simply checking $ENV{'HTTP_REFERER'} could have prevented 99% of this attack - if not making it pointless to begin with.
      2) Sendmail can be fooled into reading BCC: addresses from information after the start of the message body. I don't understand the details, but an obvious preventative is to =~ s/bcc://gi on the message before sendmail gets it. Probably wouldn't hurt to do the same to To: and CC:.
      3) Sendmail can be fooled into sending encoded text from an otherwise text-only form. Filter out "Content-Type:" or "Content-Transfer-Encoding:" or "multipart/mixed" or "text/html" before sendmail gets it.
      4) If you're watching for abuse, don't rely on looking for multiple hits from one IP - it seems that once you become a target you will likely get a distributed attack.
      5) Consider replacing all @ signs... do a s/@/-at-/g on all message fields before sending to sendmail (except of course whatever hard-coded To: is at the start of the message). If all other measures fail, at least you won't get blacklisted, although you might get 7 million "undeliverable" replies.
      • Re:Hmm.... (Score:5, Informative)

        by Saint Aardvark ( 159009 ) * on Tuesday December 09, 2003 @11:24AM (#7669071) Homepage Journal
        Ah, Formmail.pl, the spammer's friend. Used to work at a small ISP where, sadly, we had copies of Matt's formmail around that would get exploited periodically. Trying to figure out which website was being hit, on a server w/maybe 100 websites and very few of them being logged (that was an extra the customer had to pay for), was nigh-impossible until I was given the root password and tried ngrep [sourceforge.net]. Then I'd replace it with the NMS formmail [sourceforge.net], which I can recommend w/o hesitation. --Well, almost no hesitation...it's been a while. But it was great: drop it in and everything would work except the spamming.

        I've written before [slashdot.org] about writing a fake formmail. Right now I've got my web server set up so that all requests for formmail (m/formmail/i) get directed to the script; as you can see, I still get hit [saintaardv...rpeted.com] about once or twice a week. I'd really like to figure out how to tarpit them, but I'm not sure I can do that on a running webserver.

        • PHP and SMTP (Score:3, Informative)

          by KalvinB ( 205500 )
          I have a web-form and use a simple PHP script that is hard coded to go through my mail server and my mail server requires a valid POP3 login from the username you plan to send e-mails with prior to being able to send e-mails with it. You get a short window of time once validated and even then you must send the e-mails from the same IP that validated the user name. So you can't figure out what e-mail address is being used, send a message from the form and then spam away with that e-mail address remotely.

          A
  • by SlightOverdose ( 689181 ) on Tuesday December 09, 2003 @08:20AM (#7667446)
    We had a spammer exploiting an incorrectly configured formmail.pl on one of our servers. We didnt actually use it, so I replaced it with a fake version that accepted pretended to accept the mail and return 100mb of data as a reply.

    Our provider gives us unlimited upstream bandwidth, so it had no real effect on us- however here would have been at least 50gb worth of data used by the time the spammer caught on, so hopefully that cost them some cash. (Although in all likelyhood it was only a minor inconvenience).
  • Isn't the spammer going to know that the supposed relay is a spam hole if he includes an account that he accesses on his list and checks to see if he's received a message from himself afterwards?
  • by Space cowboy ( 13680 ) on Tuesday December 09, 2003 @08:21AM (#7667456) Journal
    If you put this on your site, and people complain about those 'let through' spams at the start, your entire netblock will be marked as a spammers paradise (and rightly so - how can the RBL's tell the difference?). Goodbye email.

    Some RBL's do not allow changes to be made unless you pay a big fee, and you lose the fee if they consider the complaint genuine.

    This sounds real risky to me ...

    Simon.
  • Tarpitting (Score:4, Interesting)

    by isa-kuruption ( 317695 ) <kuruption AT kuruption DOT net> on Tuesday December 09, 2003 @08:22AM (#7667458) Homepage
    This is still the best method to "slow down" spammers. Having a listener on port 25 on un unadvertised box waiting for a connection from some random person, knowing this to be a relay checker and/or spammer, then holding onto the connection forever. This is what LaBrea [sourceforge.net] does, but LaBrea does it on a larger scale, for entire subnets w/ open IP addresses, and any port.
  • by StringBlade ( 557322 ) on Tuesday December 09, 2003 @08:23AM (#7667466) Journal
    if a bunch of spammers collect IP addresses of these spamholes and create a blacklist, does Spamhaus have a right to complain then?
  • by fruey ( 563914 ) on Tuesday December 09, 2003 @08:26AM (#7667485) Homepage Journal

    While the concept is somewhat interesting at first glance, the people who run spamholes might end up with it costing them a lot of bandwidth and system resources.

    • While they are not relaying mail outbound, they are targeting their IP for blacklisting by allowing tests through
    • The spammers that do think their relay is valid will then proceed to send thousands of emails via this spamhole, leading to incoming connections peaking very high and a lot of incoming bandwidth being saturated. Outgoing bandwidth will be used in all the ACK packets.
    • Most spammers will have some kind of bounce statistics processing, and the really good ones might even seed bad addresses deliberately. So they'll know quite quickly when they get no bounces back at all
    • The machines are going to be targetted not just on port 25, as they likely get port scanned, and so be very very vulnerable to other attacks. Running a half-baked spamhole on port 25 is one thing (see above reasons why I disagree with the idea) but then all your other ports had better be locked down... unless of course you're running a honeypot.
    • But then, once a honeypot has been attacked once or twice, you better have some time to do serious forensics on it before leaving it open to more and more exploits, you'll find that it's been hacked to run a REAL open relay on some other port!!!

    In short, this idea might only work if somehow you could get more spamholes on the net than open relays, and even then it would have to be coordinated by real sysadmins who know their stuff. Clueless admins are (probably) in the majority and whether or not you agree with that little flippant comment, they will surely outnumber the people who have enough time, a spare machine, and bandwidth to run a spamhole.

    This guy says that he has 'holed' over 50,000 spam messages. Well, not really. They will be retransmitted. Spending the energy on blocking spam from your users completely is a better bet, I think. Educating people and advocacy is a better bet. Spamholes will be just another 5 minute net curio.

  • by Asprin ( 545477 ) <gsarnoldNO@SPAMyahoo.com> on Tuesday December 09, 2003 @08:28AM (#7667492) Homepage Journal

    That's not what a 'spamhole' is around *my* office. Pfft!
  • by tacocat ( 527354 ) <`tallison1' `at' `twmi.rr.com'> on Tuesday December 09, 2003 @08:28AM (#7667497)

    I see two potential problems with this approach, one more insipid than the other.

    1. Albeit minor, I've now lost my IP port 25 mail server. This is a big problem if I only have one IP address. I would still like to have a mail server, thank you.
    2. Spamhole only works as long as it's population is much less than the population of potential open relays. Spam hole will send ~2 emails free to allow some meathead spammer to verify the relay works. After two, or when rate exceeds some value, you /dev/null the traffic. Now you have a really popular tricksy and you have 50,000 spamholes on the internet. This will delivery 50,000 X 2 free test emails. Why not just use that free 100,000 emails to deliver spam instead.

    Haven't you only succeeded in sponsoring a low volume spam relay that not only delivers spam, but at such a low per-boxen rate that no one will ever be the wiser for it.

    I see that even on your homepage you mention that a few spam emails might get delivered, but you are acting as a relay for a few spam emails times 50,000. You will eventually get blacklisted via OpenRelay RBL's.

    I think if you sit down for a day and just watch your email logs, you will find that a lot of spammers don't bother to test a connection for open relay status. They just test by pushing as much email through it that they can as quickly as possible. Daily I have hundreds of attempting mail relay deliveries.

    • Now you have a really popular tricksy and you have 50,000 spamholes on the internet. This will delivery 50,000 X 2 free test emails. Why not just use that free 100,000 emails to deliver spam instead.

      Because to send each of those two 'free' emails from each of the 50,000 spam holes, you have to bring up 50,000 separate SMTP connections and send the email text 50,000 times, thus completely maxing out your connection. This is not the way spammers want to work.

      Instead, they find high bandwidth open relays

  • by gorbachev ( 512743 ) on Tuesday December 09, 2003 @08:29AM (#7667503) Homepage
    monkeys.com used to have one, until the spammers DDOSed him.

    Several other people are still running proxy honeypots with great success. They are a great resource for finding out which ISPs harbor proxy hijacking criminals.

    For all of you, who think spammers will check whether the proxy works first, spammers do no such thing. They actively scan for open proxies and immediately start blasting away. That's just like with spamming. You really think spammers check every Email address on their lists is real?

    Proletariat of the world, unite to kill spammers. The more painful and slower, the better.
  • by dcocos ( 128532 ) on Tuesday December 09, 2003 @08:36AM (#7667552)
    Since it seems that a lot spam I get comes from my e-mail address being on my homepage, I've toyed with the idea of putting two address up on the page
    like dan@example.com and danc@example.com since danc only exists as a harvestable address any messages that show up at danc are compared to the messages in the spool for dan and a 95% or more match pushes them both to the trash. Has anyone else tried this or something similar?
    • It's been done. The Vipul's Razor portion of Spamasassin generates signatures from known spam. People feed spam sources into it.

      The only problem is that dan@example.com would receive kretiv1y R/\N|)0/\/\][Zed di||erent tipes of spam. Twinkies limes in spain. \/|AGRA \/|AGRA \/|AGRA.

      I thought that maybe applying pattern equivalencies, dictionary and grammar checkers to create signatures based upon "real sentences" would improve things, but before I could do it, randomized jibberish like this came out:

    • try Enkoder [hiveware.com] (also available as an OS X app), which converts your mailto: link to a javascript thingy which works correctly but cannot be read by bots. It's free.
  • Perhaps this can be used to trace them down, I am a tad doubtful that this would really work, however, it could be used to catch folks who test for these and try to use them, thereby identifying potential spammers. Perhaps, a follow up email to ISPs getting them disconnected for life (hehe)?
  • Just a thought (Score:3, Insightful)

    by fr0dicus ( 641320 ) on Tuesday December 09, 2003 @08:39AM (#7667575) Journal
    Everyone being blacklisted for using this might have the nice side effect of making more effective blacklists :)
  • by c.herwig ( 720742 ) on Tuesday December 09, 2003 @08:43AM (#7667591)
    Everybody is complaining about spam. And at the same time almost everybody comes up with yet another brand-new-weired-looking workaround. Why the hell?

    May I suggest just doing a few basic things:
    1) Make a law (if your country doesn't have one already) which makes it illegal to send emails with forged FROM fields (= email addresses you don't own)
    2) Slightly improve RFC2821 (smtp): Convert the optional ssl layer to a mandatory one. An smtp sender should only allowed to send mail to a server if
    a) it uses an ssl encrypted connection and the Hostname in Reverse-DNS matches the name provided with the ssl certificate OR
    b) it uses username and password to login into some kind of mailaccount
    3) Sue spammers violating law 1) to hell. If you want to find them, you only have to look at the ssl certificate used for the connection.

    Yes, I know this prevents everybody from having his own pretty little smtp server. No, I'm perfectly well with that. Use a provider.
    Yes, ssl certificates are expensive for now. But any serious provider should be able to afford one.
    • 1) Make a law (if your country doesn't have one already) which makes it illegal to send emails with forged FROM fields (= email addresses you don't own)

      And when people violate it, you track them down how, exactly? Please explain.

      Slightly improve RFC2821 (smtp)

      What you term "slightly improve", I would call "change EVERY mail server and client in the world". Oh, wonderful solution. Even if this was pushed through today, it would take years (at best) to happen. As a much smaller-scale example, all new X.
  • there are two major issues unsolved by this.
    This does nothing to address the traffic/bandwidth usage. I've seen spammers continue to hit mail servers for several years (yes YEARS) after they were locked out, they just don't care. The bandwidth costs become seriously problematic.

    and the second thing, sort of the first, or related, is what the issue never getting addresses about EGRESS filtering.

    Now if everyone, or at least every major ISP would actually use egress filtering, the spam problem would be reduc
    • his does nothing to address the traffic/bandwidth usage. I've seen spammers continue to hit mail servers for several years (yes YEARS) after they were locked out, they just don't care. The bandwidth costs become seriously problematic.

      Well, wouldnt merely locking them out cause mail to bounce?
      But this Spamhole thing will at least make the Spam disappear at the first relay. Not bounce back. Not propagate on. It'll reduce some of the overall bandwidth usage.

      Plus, from a purely users' PoV, whether it sav

  • spamhole.com [spamhole.com]!

    It lets you set up a temporary forwarding address, which can be very useful for those "free registration" things that just scream "SPAM!".

  • by waldoj ( 8229 ) * <waldo@NOSpAM.jaquith.org> on Tuesday December 09, 2003 @09:06AM (#7667744) Homepage Journal
    As I'm sure many of us that run our own mail servers have found, I've got a good dozen addresses that have never existed to which spammers attempt to send mail. I get hundreds of attempts to send spam to these addresses each day. For a while, I was forwarding these messages to an RBL, but my mail queue just got too huge.

    What I would like is a tool that hooks into Postfix (or whatever MTA; I use Postfix) that not only blacklists the sending IPs on my machine, but even reports the sending IP to an RBL. At a bare minimum, this would be a useful tool for me, since it would keep these spammers from proceeding to send spam to any other addresses on my server. At best, this simple method of confirming that a spammer is a spammer could help to reduce spam on the whole.

    -Waldo Jaquith
  • by lamename ( 655712 ) on Tuesday December 09, 2003 @09:07AM (#7667753)
    It seems to me the reason people spam is because it is cheap to do. Sending out hundreds of thousands of emails for next to nothing.

    What if everyone who got spam took 5 minutes a day and replied to a few? I am not saying they need to actually be interested in the pitch, but just send a nice polite letter saying you are. Could you send me some info by postal mail? Do you have an 800 number I can call? Could you contact me with greater detail to this question? Now, the spammer has to invest some time and possibly some money.

    Millions of people get spam. If a small percentage would do this, would it deter spammers?
  • by dentar ( 6540 ) on Tuesday December 09, 2003 @09:14AM (#7667813) Homepage Journal
    1: They'll get blacklisted.

    2: The spammers will eventually be able to find a way to test it first (like they have with everything else.)

    3: It'll just suck up bandwidth and dump it to /dev/null.

    4: Even if the idea did work in theory, there won't be enough people believing in the idea to make it actually work.

  • Surely this idea (Score:4, Interesting)

    by goldcd ( 587052 ) * on Tuesday December 09, 2003 @11:23AM (#7669060) Homepage
    coule be developed a bit more. We all install a spamhole on our PC and then they all P2P themselves together to form, what I have decided to call, a 'Spamnet'
    When one of our servers detects a spammer it communicates this to all it's little peer friends and they launch a DDOS for a few minutes. If the same spammer hits the same (or another) node in the Spamnet he gets hit for longer etc.
    It's not a perfect idea (and probably illegal) but it would certainly get the attention of whoever is responsible.
  • by KC7GR ( 473279 ) on Tuesday December 09, 2003 @11:39AM (#7669239) Homepage Journal
    Google for 'honeypot' or 'proxypot.' In fact, Security Focus ran a series of comprehensive articles on honeypots, one of which is here. [securityfocus.com] There's also a huge web site devoted to nothing but honeypots at this link. [honeypots.net]

    Proxypots are a variation of the honeypot idea. A proxypot pretends to be an open proxy server which, instead of actually passing traffic sent to it, simply logs what's going on and sends the actual traffic to a specific destination specified by the proxypot operator. This can be Dave Null's in-box or anywhere else said operator wants.

    Details of proxypots may be found here, [stupidspam.co.uk] and here, [std.com] just to name a couple.

    Keep the peace(es).

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...