
Re: [Asrg] Spam detection system proposal

2003-03-07 14:36:08
Alan DeKok wrote:
> Kee Hinckley <nazgul(_at_)somewhere(_dot_)com> wrote:
>
>> I know of at least one ISP (and I'm sure there are others) that do this. He blocks based on bounces. As soon as he blocks an IP, another one starts sending him the spam. This goes on for thousands of IPs.
>
>   I spent a few days last year blocking IPs based on bounces.  It
> went as follows:
>
>   <block 100s of IPs>
>   <wait 10 minutes>
>   <repeat>
>
>   No end in sight,
>
>> I seriously wonder if there isn't some rather sophisticated distributed server spam software running out there on rooted servers, and we just haven't figured it out yet.
>
>   That would fit the data I'm seeing.

Both the analysis I've done on your spamtrap, and the analysis I've done on ours, would indicate that you don't need to go to these lengths to "fit the data".

The simpler answer is "Millions CDs and LOTS of open proxies/relays".

I've generally not seen IPs _notice_ that we're rejecting email. It's simply that certain spam variants are sent from literally thousands of different IPs. I.e.: debt consolidation, viagra, HGH.

Some of this is certainly orchestrated from central points (e.g.: Ralsky's operations), but I don't see anything to indicate that even Ralsky makes use of the rejection information to "drive" his forwarders differentially.

>   Of course, 10,000 clueless small-scale spammers would also fit the
> data, but I think that's less likely.

A few Millions CD/open proxy/socks ratware owners would explain it too.

Spot checks of both your and our data showed a high correlation between source IPs and IPs already blacklisted by BOPM, Monkeys, OSIRUS proxy/socks et al.

Note also that if they're using open relays, with the usual forged MAIL FROM (which is a pretty high percentage of spam), the spammer _CANNOT_ see the rejects or bounces.

However, I have seen reports of stealth spamware trojans from ISP abuse desks. This is where somehow a piece of software got installed onto a user's machine, that instead of listening for inbound connects (like an open proxy), periodically calls _out_ to the spammer, and retrieves instructions on what to do. No details or forensics seen yet.

These are truly nasty, because you can't scan for them.
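The two spot checks described in this message (how many distinct source IPs a spam variant arrives from, and how much of that IP set already sits on a proxy/relay blocklist) as an added example, not code from any poster. The log format, the variant tags and the blocklist are constructed stand-ins for a real MTA reject log and a real DNSBL such as the ones named above.

```python
import re
from collections import defaultdict

# Constructed sample of SMTP reject log lines (not real data): timestamp, client IP,
# and the spam "variant" a content filter tagged the rejected message with.
SAMPLE_LOG = """\
2003-03-07T10:01:02 reject ip=198.51.100.7 variant=debt-consolidation
2003-03-07T10:01:09 reject ip=203.0.113.14 variant=debt-consolidation
2003-03-07T10:02:11 reject ip=198.51.100.7 variant=debt-consolidation
2003-03-07T10:03:45 reject ip=192.0.2.33 variant=hgh
2003-03-07T10:04:01 reject ip=203.0.113.99 variant=debt-consolidation
2003-03-07T10:05:30 reject ip=192.0.2.34 variant=hgh
2003-03-07T10:06:12 reject ip=203.0.113.14 variant=viagra
2003-03-07T10:07:58 reject ip=198.51.100.200 variant=viagra
"""

# Constructed stand-in for an open-proxy/relay blocklist (hypothetical, not any real DNSBL).
PROXY_BLOCKLIST = {"198.51.100.7", "203.0.113.14", "192.0.2.33",
                   "192.0.2.34", "203.0.113.99"}

LINE_RE = re.compile(r"reject ip=(?P<ip>[\d.]+) variant=(?P<variant>\S+)")


def parse_rejects(log_text):
    """Return {variant: set(source IPs)} from reject log lines; malformed lines are skipped."""
    ips_by_variant = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ips_by_variant[m.group("variant")].add(m.group("ip"))
    return dict(ips_by_variant)


def ip_diversity(ips_by_variant):
    """Distinct source IPs per variant, most diverse first (ties broken by name)."""
    return sorted(((v, len(ips)) for v, ips in ips_by_variant.items()),
                  key=lambda t: (-t[1], t[0]))


def blocklist_overlap(ips_by_variant, blocklist):
    """Fraction of all distinct rejected source IPs that are already on the blocklist."""
    all_ips = set().union(*ips_by_variant.values()) if ips_by_variant else set()
    if not all_ips:
        return 0.0
    return len(all_ips & blocklist) / len(all_ips)


if __name__ == "__main__":
    by_variant = parse_rejects(SAMPLE_LOG)
    print(ip_diversity(by_variant))
    print(f"{blocklist_overlap(by_variant, PROXY_BLOCKLIST):.0%} of source IPs already listed")
```

A high overlap with an existing proxy list, combined with many distinct IPs per variant, is the pattern this message reports; per-IP blocking driven by your own bounces then adds little over the published list.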
