
Re: [Asrg] Spam is a security problem

2003-03-15 10:18:05
At 11:08 AM 3/15/2003 -0500, you wrote:
> At 6:14 AM -0600 3/15/03, Brad Spencer wrote:
>> Others do this same thing. An operator elsewhere in the world, using his massive 120 MHz Pentium with 64 Mb, stopped spam to 281 million recipients in his first year of operation. All he does is deliver relay
>
> You make some good points about the root problems with relay spams, however I think there are a couple problems with your solutions.
>
> Most people do not have the time to run around setting up fake relay traps. In addition, speaking as someone who currently bounces a message every two seconds, not all of us can take the risk of increasing our bounce volume. Finally, I don't think you can get enough people running fake relays to make even a dent in spam. 281 million recipients in one year is really very few in the big picture. AOL bounces one billion pieces of spam every day.


It's an action for those who have the time and inclination and are willing to do it. More importantly the message is that most spam is a security problem - I'm attempting to get the people who can act effectively against it as a security problem to do so. If I trap a relay test from within the Verizon space then it is almost certainly true that the IP traffic from that IP has a pattern that could only be sending relay tests. If they'd sample their traffic they could themselves find the spammers sending tests. This guy: washdc3-ar10-4-60-219-149.washdc3.dsl-verizon.net, to be specific. He tested again a little over 3 hours ago.

The Moscow relay spam honeypot was shut down partly for reasons such as you describe, although more basic: the bandwidth used cost real money.

I've argued this for two years. It's a neglected area in the fight against spam, you don't have to know anything to use the technique, it attacks the spammers (although it is a passive technique) where they are vulnerable. People talk about elaborate changes to SMTP or the replacement of SMTP - those would take much more effort than what I describe.

Do also note that what I do myself, regularly, is accept relay messages. That's much lower in volume (or should be) since in principle all you trap is a dozen or so relay tests per day, maximum. I did deliver one relay test in February - that brought spam until yesterday. At home I trap spam from an obnoxious Chinese-language spammer who doesn't wait for tests to be delivered - he sends relay spam on the basis of the test being accepted.

I delivered another test recently - that one was one sent by an ex-spammer who sells open relay lists to spammers. The spammers apparently send their own tests to check out the relays on the list - I've gotten tests from sources I'd not seen before.

I'm aware of the billion pieces AOL bounces/day. That's after the relay level - many spammers still send multiple-recipient spam. What I trapped recently (the MMF spam with the "meet Russian women" subjects) comes as 99-recipient spam. I suppose the spammer thinks that protects him against some law that criminalizes sending to 100 or more recipients. The Chinese-language spam has 10 recipients. At the relay level you trap fewer messages to get the same effect AOL does by partially trapping at the destination level. Twenty thousand recipients/day is about 200 spam messages/day. I recognize I'm trapping only a tiny percentage of his total output. This is a dirt-simple technique but to be effective it requires many participants.

There have to be enough people willing to do this - most of the spam comes through systems that are abused. Those people are "willing" - they don't suffer enough discomfort to do anything about the abuse with any sense of urgency. The load on the fake relay is much lower, since the spam comes in only, never is delivered.

It's as easy for millions of people as downloading Jackpot, downloading a JVM (if there's not already one installed), and starting the program. They don't have to enable relay, they don't have to understand what the program does. If they're on a network segment the spammers test (and that's probably everything but dialup segments, and I'll bet even those get hit) they will trap a relay test. Just that is enough to make a difference, if done by enough people. That will deliver the message to the spammers that their abuse will no longer be ignored and allowed to continue. Continue? It has grown considerably under the policy of neglect.

He he he: Cox IS doing something about relay testers, and the Cox relay tester just tested me again (@10:19 & 10:26.) That will be my next email message.
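To make the mechanism of the fake relay concrete, here is an added toy example; it is not code from this thread, from Brad Spencer, or from Jackpot. It speaks just enough SMTP to look like an open relay: it answers "250 OK" to every RCPT TO instead of "550 relaying denied", accepts the DATA, and then swallows the message rather than delivering it, tallying how many relay recipients each source IP has had trapped. The hostname `honeypot.example`, the addresses, the IP `192.0.2.10` and the two transcripts (a one-recipient relay test and a 10-recipient relay spam, mirroring the counts in the post) are all constructed for the example.

```python
# Added example: a toy fake open relay in the spirit of the honeypots the post
# describes. Constructed hostnames, addresses and transcripts; nothing here is
# the real Jackpot program or any code from the thread.
from collections import Counter
from dataclasses import dataclass, field
import re

LOCAL_DOMAINS = {"honeypot.example"}   # constructed: the only domain this host really serves
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_addr(arg):
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>' (angle brackets optional)."""
    m = ADDR_RE.search(arg)
    return (m.group(1) if m else arg.split(":", 1)[-1]).strip().lower()


def is_relay(rcpt):
    """A recipient outside our own domains means the client is asking us to relay."""
    return rcpt.rpartition("@")[2] not in LOCAL_DOMAINS


@dataclass
class Trapped:
    peer_ip: str
    mail_from: str
    rcpts: list
    body: str


@dataclass
class FakeRelay:
    trapped: list = field(default_factory=list)        # messages swallowed, never delivered
    by_source: Counter = field(default_factory=Counter)  # relay recipients trapped per source IP

    def run_session(self, peer_ip, transcript):
        """Feed one client's command lines through the state machine and return
        the replies an open relay would have sent. Nothing is ever delivered."""
        replies = ["220 honeypot.example ESMTP"]
        mail_from, rcpts, body, in_data = None, [], [], False
        for line in transcript:
            if in_data:
                if line == ".":
                    in_data = False
                    self._swallow(peer_ip, mail_from, rcpts, "\n".join(body))
                    replies.append("250 OK: queued")   # the lie that makes the trap work
                    mail_from, rcpts, body = None, [], []
                else:
                    body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                replies.append("250 honeypot.example")
            elif verb == "MAIL":
                mail_from = parse_addr(arg)
                replies.append("250 OK")
            elif verb == "RCPT":
                rcpts.append(parse_addr(arg))
                replies.append("250 OK")   # never "550 relaying denied": accept everything
            elif verb == "DATA":
                if not rcpts:
                    replies.append("503 need RCPT first")
                else:
                    in_data = True
                    replies.append("354 end data with <CR><LF>.<CR><LF>")
            elif verb == "QUIT":
                replies.append("221 bye")
            else:
                replies.append("500 unrecognised command")
        return replies

    def _swallow(self, peer_ip, mail_from, rcpts, body):
        relay_rcpts = [r for r in rcpts if is_relay(r)]
        if relay_rcpts:
            self.trapped.append(Trapped(peer_ip, mail_from, relay_rcpts, body))
            self.by_source[peer_ip] += len(relay_rcpts)

    def recipients_trapped(self):
        """Total relay recipients that never received anything (the post's '281 million')."""
        return sum(self.by_source.values())

    def likely_relay_tests(self):
        """Heuristic from the post: a relay test is one message relayed back to
        the tester, so a single external recipient; relay spam carries many."""
        return [t for t in self.trapped if len(t.rcpts) == 1]


# Constructed transcripts standing in for a relay test and a 10-recipient relay spam.
RELAY_TEST = ["EHLO tester", "MAIL FROM:<probe@tester.example>",
              "RCPT TO:<probe@tester.example>", "DATA",
              "Subject: relay test", "", "does this relay?", ".", "QUIT"]
RELAY_SPAM = (["HELO x", "MAIL FROM:<bulk@spammer.example>"]
              + [f"RCPT TO:<victim{i}@isp.example>" for i in range(10)]
              + ["DATA", "Subject: meet Russian women", "", "buy now", ".", "QUIT"])


def demo():
    """Run both constructed sessions from one source IP and return the relay."""
    relay = FakeRelay()
    relay.run_session("192.0.2.10", RELAY_TEST)
    relay.run_session("192.0.2.10", RELAY_SPAM)
    return relay


if __name__ == "__main__":
    r = demo()
    print(r.recipients_trapped(), "relay recipients trapped;",
          len(r.likely_relay_tests()), "looked like relay tests")
```

The point the post makes about load shows up in the design: the fake relay only ever reads, so the bandwidth and bounce volume a real relay would incur on the delivery side never arise, and the per-source tally (`by_source`) is exactly the kind of record that lets a network operator see which of its addresses are sending relay tests.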


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg