At 03:39 PM 3/16/2003 -0500, Kee Hinckley wrote:
> Okay. A practical question.
> Let's say I extract from my logs a list of IP addresses that are
> attempting to relay through my server.
> 1. There is no way I'm going to set up a relay tarpit. I'm already
> bouncing one message every two seconds--I can't handle any additional hits
> on my bandwidth. It's been doubling every year since '96.
OK. Do what makes sense for you. I used to emphasize trapping spam, now I
concentrate on passively capturing relay tests (although I did deliver some
to one particular tester just to see what he spams. It's an MMF scheme and
some "MEet Russian Women" crap.) I also delivered one for someone I'm told
now sells lists of open relays to spammers.
> 2. But I'd be happy to auto-report those relay attempts. Do you have
> tools to do that?
No, I don't.
> Are they safe (e.g. no more than N reports about the same IP address in a
> certain amount of time, consolidate multiple IP reports to the same report
> address)? How do I keep from auto-reporting my own users when they forget
> to authenticate, or when they are using pop-before-smtp and the
> authentication has timed out?
> Keep in mind that there are always border cases. For instance
> 194.100.84.20 tries to relay through me (always to
> anssi(_dot_)karhu(_at_)skynetworks(_dot_)fi) a thousand times or more a day. How do you
> auto-determine who owns that IP? The reverse DNS lookup doesn't match.
I favor a conservative approach: if in doubt, do whatever is least likely to
cause any harm. If you have doubts about a relay attempt then you could
either not report it, or you could tell the ISP you rejected the attempt but
you don't know the nature of the email you rejected - it could be spam
related.
It would seem worth your time to try to track down what is going on with
194.100.84.20 - that's a lot of attempts.
Another option would be a central location that accepts reports of
attempted relay and correlates them. Many relay tests now come through
open proxies, I think some destinations are false and that the tester
actually relies on the bounces rather than on delivery (the destination is
a particularly vulgar:
<http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=Xns93068404FFFF8someuser999nwsupcom%40192.168.1.6>
Cripes - that was 2 months ago.
Keep in mind that this is the ASRG mailing list of the IETF. It is my
impression that the goal is to seek effective ways to combat spam, the E in
the parent group's name makes me think it is to be engineered. There's
plenty of opportunity in taking the approach I suggest, I do not suggest
simply doing what I do.
There could be alternative IETF recommendations: a really good blocklist,
suitable for even large ISPs (like AOL, although I doubt AOL would ever
trust any list from outside unless its use is completely voluntary on the
part of the user.)
It's my impression that the desire is to move, as opposed to remain
static. I'm for that, I put forth my suggestion, I can see it might be
chosen as the basis for further and wider action. This is not (I hope) a
place to have religious wars about which approach is best, it's a place for
the planning of effective action.
Spam is a strange crime (insofar as it is a crime, and I don't mean to
trigger discussion on that question.) In principle every step taken by a
relay spammer can be fully logged, once it is known where he connects to
the internet. All the spam that originates on a major ISP's network could be
monitored, if it is determined to be a crime somewhere and if the proper
search warrant is issued. That's an important consideration, but the point
I wish to make is that spammers are able to operate secretly largely
because people who could watch them don't. I believe that watching them is
worth doing, in particular watching their abuse attempts.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
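The quoted message asks what a "safe" auto-reporter of relay attempts would look like: no more than N reports about one IP in a time window, several IPs consolidated into one report per abuse address, and the server's own users never reported, even when their pop-before-smtp window has expired. The sketch below is an added example written for this page, not code from either correspondent or from any ASRG tool. Everything in it is an assumption: the log line format, the own-network list, the pop-before-smtp table, the 24-hour reporting grace, and the netblock-to-abuse-contact table that stands in for a WHOIS lookup. The sample log lines are constructed (documentation-range addresses plus the 194.100.84.20 example from the thread). Following the conservative approach argued above, an IP whose owner cannot be determined is logged as skipped rather than guessed at.

```python
"""Added example: rate-limited, consolidated abuse reporting of relay
attempts that never reports the server's own users. Not from the original mail."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log; the line format is an assumption, not any real MTA's.
SAMPLE_LOG = """\
2003-03-16T15:30:00 relay-denied client=194.100.84.20 to=user@example.net
2003-03-16T15:30:05 relay-denied client=194.100.84.20 to=user@example.net
2003-03-16T15:31:00 relay-denied client=10.0.0.5 to=someone@example.org
2003-03-16T15:32:00 relay-denied client=198.51.100.7 to=test@example.net
2003-03-16T15:33:00 relay-denied client=198.51.100.8 to=test@example.net
2003-03-16T15:40:00 relay-denied client=203.0.113.9 to=test@example.net
"""
LINE_RE = re.compile(r"^(\S+) relay-denied client=(\S+) to=(\S+)$")

# Netblocks of our own users (assumption): never reported, whatever they do.
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed pop-before-smtp table: client IP -> last successful POP login.
POP_AUTH = {"203.0.113.9": datetime(2003, 3, 16, 14, 0)}
POP_WINDOW = timedelta(minutes=30)  # relay permitted this long after a POP login
GRACE = timedelta(hours=24)         # exempt from reporting this long after a POP login

# Hypothetical abuse-contact table standing in for a WHOIS lookup (assumption).
ABUSE_CONTACTS = {
    ipaddress.ip_network("194.100.0.0/16"): "abuse@example-isp.fi",
    ipaddress.ip_network("198.51.100.0/24"): "abuse@example-isp.net",
    ipaddress.ip_network("203.0.113.0/24"): "abuse@example-isp.org",
}
REPORT_INTERVAL = timedelta(hours=24)  # at most one report per IP per day


def parse_log(text):
    """Return (timestamp, ip, recipient) tuples; malformed lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           ipaddress.ip_address(m.group(2)), m.group(3)))
    return events


def skip_reason(ip, when):
    """Why this attempt must not be reported, or None if it is reportable."""
    if any(ip in net for net in OUR_NETS):
        return "own network"
    last = POP_AUTH.get(str(ip))
    if last is not None and timedelta(0) <= when - last <= GRACE:
        # Refusing the relay was right once POP_WINDOW had passed, but the
        # client is still one of our users, so it is not an abuser to report.
        state = "expired" if when - last > POP_WINDOW else "still open"
        return f"pop-before-smtp user (window {state})"
    return None


def abuse_contact(ip):
    """Abuse address for an IP, or None when we do not know the owner."""
    for net, addr in ABUSE_CONTACTS.items():
        if ip in net:
            return addr
    return None


def build_reports(events, reported, now):
    """Aggregate reportable attempts per IP, then group them by abuse contact.

    `reported` maps ip -> time of its last report and is updated in place so
    an IP is reported at most once per REPORT_INTERVAL. Returns (reports,
    skipped): reports is {contact: [entry, ...]}, skipped is {ip: reason}.
    """
    per_ip, skipped = {}, {}
    for when, ip, rcpt in events:
        reason = skip_reason(ip, when)
        if reason:
            skipped[str(ip)] = reason
            continue
        e = per_ip.setdefault(ip, {"count": 0, "first": when, "last": when, "rcpts": set()})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], when), max(e["last"], when)
        e["rcpts"].add(rcpt)
    reports = defaultdict(list)
    for ip, e in per_ip.items():
        if ip in reported and now - reported[ip] < REPORT_INTERVAL:
            continue  # reported recently: rate limit
        contact = abuse_contact(ip)
        if contact is None:
            skipped[str(ip)] = "owner unknown"  # conservative: do not guess
            continue
        reported[ip] = now
        reports[contact].append({"ip": str(ip), **e})
    return dict(reports), skipped


def demo():
    """Run the sample twice an hour apart; the second run is fully rate-limited."""
    state, events = {}, parse_log(SAMPLE_LOG)
    now = datetime(2003, 3, 16, 16, 0)
    first, skipped = build_reports(events, state, now)
    second, _ = build_reports(events, state, now + timedelta(hours=1))
    return first, skipped, second


if __name__ == "__main__":
    first, skipped, second = demo()
    for contact, entries in first.items():
        print(contact, [(e["ip"], e["count"]) for e in entries])
    print("skipped:", skipped, "second run:", second)
```

On the sample, the two 194.100.84.20 attempts collapse into one entry for the .fi contact, the two 198.51.100.x hosts share one report to the .net contact, 10.0.0.5 is dropped as our own network, 203.0.113.9 is dropped as a pop-before-smtp user whose window expired, and a second run an hour later produces nothing because every IP was reported within the last 24 hours. The `reported` state would have to be persisted between runs for the rate limit to hold across invocations.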