Re: [Asrg] Spam is a security problem
2003-03-15 10:18:05
At 11:08 AM 3/15/2003 -0500, you wrote:
At 6:14 AM -0600 3/15/03, Brad Spencer wrote:
Others do this same thing. An operator elsewhere in the world, using his
massive 120 MHz Pentium with 64 Mb, stopped spam to 281 million
recipients in his first year of operation. All he does is deliver relay
You make some good points about the root problems with relay spams,
however I think there are a couple problems with your solutions.
Most people do not have the time to run around setting up fake relay
traps. In addition, speaking as someone who currently bounces a message
every two seconds, not all of us can take the risk of increasing our
bounce volume. Finally, I don't think you can get enough people running
fake relays to make even a dent in spam. 281 million recipients in one
year is really very few in the big picture. AOL bounces one billion pieces
of spam every day.
It's an action for those who have the time and inclination and are willing
to do it. More importantly the message is that most spam is a security
problem - I'm attempting to get the people who can act effectively against
it as a security problem to do so. If I trap a relay test from within the
Verizon space then it is almost certainly true that the IP traffic from
that IP has a pattern that could only be sending relay tests. If they'd
sample their traffic they could themselves find the spammers sending
tests. This guy: washdc3-ar10-4-60-219-149.washdc3.dsl-verizon.net, to be
specific. He tested again a little over 3 hours ago.
The Moscow relay spam honeypot was shut down partly for reasons such as you
describe, although more basic: the bandwidth used cost real money.
I've argued this for two years. It's a neglected area in the fight against
spam, you don't have to know anything to use the technique, it attacks the
spammers (although it is a passive technique) where they are vulnerable.
People talk about elaborate changes to SMTP or the replacement of SMTP -
those would take much more effort than what I describe.
Do also note that what I do myself, regularly, is accept relay
messages. That's much lower in volume (or should be) since in principle
all you trap is a dozen or so relay tests per day, maximum. I did deliver
one relay test in February - that brought spam until yesterday. At home I
trap spam from an obnoxious Chinese-language spammer who doesn't wait for
tests to be delivered - he sends relay spam on the basis of the test being
accepted.
I delivered another test recently - that one was one sent by an ex-spammer
who sells open relay lists to spammers. The spammers apparently send their
own tests to check out the relays on the list - I've gotten tests from
sources I'd not seen before.
I'm aware of the billion pieces AOL bounces/day. That's after the relay
level - many spammers still send multiple-recipient spam. What I trapped
recently (the MMF spam with the "meet Russian women" subjects) comes as
99-recipient spam. I suppose the spammer thinks that protects him against
some law that criminalizes sending to 100 or more recipients. The
Chinese-language spam has 10 recipients. At the relay level you trap fewer
messages to get the same effect AOL does by partially trapping at the
destination level. Twenty thousand recipients/day is about 200 spam
messages/day. I recognize I'm trapping only a tiny percentage of his total
output. This is a dirt-simple technique but to be effective it requires
many participants.
There have to be enough people willing to do this - most of the spam comes
through systems that are abused. Those people are "willing" - they don't
suffer enough discomfort to do anything about the abuse with any sense of
urgency. The load on the fake relay is much lower, since the spam comes in
only, never is delivered.
It's as easy for millions of people as downloading Jackpot, downloading a
JVM (if there's not already one installed), and starting the program. They
don't have to enable relay, they don't have to understand what the program
does. If they're on a network segment the spammers test (and that's
probably everything but dialup segments, and I'll bet even those get hit)
they will trap a relay test. Just that is enough to make a difference, if
done by enough people. That will deliver the message to the spammers that
their abuse will no longer be ignored and allowed to
continue. Continue? It has grown considerably under the policy of neglect.
He he he: Cox IS doing something about relay testers, and the Cox relay
tester just tested me again (@10:19 & 10:26.) That will be my next email
message.
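A minimal fake-relay sink of the kind described above, added here as an illustration (not Jackpot and not any list member's code): it answers a relay test the way an open relay would, records every foreign-domain recipient as a trapped relay attempt, and delivers nothing. The LOCAL_DOMAIN value and the sample session are constructed.

```python
import re
from dataclasses import dataclass, field

LOCAL_DOMAIN = "trap.example"  # constructed: the only domain this host 'serves'
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")

@dataclass
class RelaySink:  # fake open relay: answers like a relay, never delivers
    relay_attempts: list = field(default_factory=list)  # (sender, recipient)
    _sender: str = ""
    _rcpts: list = field(default_factory=list)
    _in_data: bool = False

    def handle(self, line: str) -> str:  # one client line -> one SMTP reply
        if self._in_data:
            if line != ".":
                return ""  # body lines are read and discarded
            self._in_data = False
            # Every recipient outside our domain is a relay attempt: record it
            # and drop the message, so a relay test never reaches its target.
            for rcpt in self._rcpts:
                if not rcpt.lower().endswith("@" + LOCAL_DOMAIN):
                    self.relay_attempts.append((self._sender, rcpt))
            self._rcpts = []
            return "250 OK queued"  # claims we relayed it; we did not
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {LOCAL_DOMAIN}"
        if verb == "MAIL":
            m = ADDR_RE.search(arg)
            self._sender = m.group(1) if m else ""  # "<>" is the null sender
            return "250 OK"
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            if m:
                self._rcpts.append(m.group(1))  # accept foreign recipients too
            return "250 OK" if m else "501 syntax error"
        if verb == "DATA":
            self._in_data = True
            return "354 end data with ."
        return "221 bye" if verb == "QUIT" else "500 unrecognised command"

def run_session(lines):  # feed a client transcript to a fresh sink
    sink = RelaySink()
    replies = [sink.handle(line) for line in lines]
    return sink.relay_attempts, replies

RELAY_TEST = [  # constructed relay test: the prober asks us to mail it back
    "EHLO prober", "MAIL FROM:<probe@prober.example>",
    "RCPT TO:<probe@prober.example>", "DATA", "relay-test 1234", ".", "QUIT"]
```

A real deployment would listen on port 25 and log the peer address alongside each trapped attempt, since the source IP is what identifies the tester.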
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg