
Re: Relay honeypots (RE: [Asrg] define spam)

2003-04-06 17:36:54
At 05:01 PM 4/6/2003 -0400, you wrote:

It's a pain to do, and it can get my mail server shut down if I make a mistake. That's not a very complex piece of psychology.

Show me a risk-free, automatic process to do it, and then you'll have some takers. Please do not assume that everyone fighting spam is sitting around with spare IP addresses and lots of free time.

OK. Run your MTA with delivery stopped and write software that recognizes relay tests of your IP and delivers those. To make it even safer write software that does that just once per day, maximum.

Even easier, do what I do: run an MTA with delivery stopped and report relay tests to the appropriate ISP. If you claim you are going to get blacklisted because spammer relay tests go into your system and disappear you'll need to explain how that happens.

Here's part of a reply (April 5) from an ISP. I reported the dropbox used by the spammer:

   Subject: Re: Spammer dropbox for relay tests

   Hi there,

   Thanks, I've been chasing this person, hadn't seen the last one yet though - closed now!

   Regards,

   (etc.)

There's a guy who kept testing me from a Cox IP address, with the dropbox address on Cox (this is another case, not the one above.) I don't know whether he was in the sending of spam but he lost his accounts. How many techniques do you know of that can detect a spammer and get him removed before he spams?

I'm describing actual factual occurrences, not things I imagine. If you have any reason at all to not do it that's OK with me. I think the focus and intent of ASRG go beyond what you find worthwhile or are able to do. I'm trying to convince people that a tool already exists that can have a major effect against spam. You asked how many honeypots it would take. I don't know, but even if the answer is millions it is possible. One hundred would be a big step beyond what exists now (I think.) Right now I'm trying to get one hundred going. After that yes, I will want to go to 200. And then 300. That works, that has power, that doesn't require any change in any MTA or any protocol. Before AOL started blocking spam to themselves I and others were already doing it for them (and hundreds or thousands of other ISPs, big and small.) The effect was so small that they didn't notice but at the blocking end the effect was big enough to matter. Perhaps you could better answer your own "how many" question if you could say how many IPs have been abused as open relays in the last 24 hours, how many have been abused as open proxies. Multiply the sum by 9, create that many honeypots, and statistically you have removed 90% of the spam. To a first approximation the same percentage being stopped by other techniques will still be stopped.

I understand that the numeric illustration I just gave can be easily criticized, I know that if spammers start feeling the hurt of honeypots they will start trying harder to detect them. Every technique so far used has been met with a spammer countermeasure while the antispammers have completely neglected the opportunities to stop spam at the relay level (the closest they've come is teergrubing.) Before devoting immense resources to complex solutions, before concluding that a complete rework of email is needed, I suggest that more attention need be paid to existing solutions that are underutilized. There's nothing I can do to combat encrypted relay spam - it's already covered. If it comes to my relay it is spam - I don't care how cute or how clever the spammer is I won't deliver it. You can't fool a honeypot. The best you might do is send spam disguised as relay tests - rate limit delivery of those and you kill the effectiveness of that ploy. Further, if the spammer knows your IP is a honeypot his better strategy is to stop trying to send spam through it - there's no percentage for him in trying to beat the honeypot.

I can't/won't go through all the analysis I've done of how spammers could try to defeat honeypots (I've thought of things they may not have - why risk telling them?) Get just 1000 honeypots, run by above-average operators, and watch what happens. If a spammer figures out how to detect (and hence defeat) one of those honeypots pretty quickly one of those 1000 will find a way to continue deceiving the spammer. I like honeypots based on real MTAs - the spammer has to send something through (or fail to send something through) to detect the honeypot.

For over 3 months I've been reporting the same relay tester to Verizon. So far I don't even know if they appreciate/understand what I'm telling them. I know the guy is either a spammer or is a supplier of open relay information to spammers. Honeypots work and are an effective tool at the user level - at the level of someone with a single IP and a single network connection. The abuse should be visible to the ISPs at both the sending (e.g., Verizon) and receiving end. A huge portion of spam is sent using abuse. Actively work to end that abuse and that abuse will be ended - it is that easy. That permanently eliminates a huge portion of spam, and the portion that remains (direct spam) is easily stopped (for chronic senders) by blocklists. If ever Verizon would get a clue then they could act to stop this guy. Beyond that they could act to stop every guy doing the same thing from their space or to their space.

That's the bottom line of what I say: Actively work to end that abuse and that abuse will be ended - it is that easy.

I understand there are considerations and details. I still maintain what I say is true. If spammers start feeling a sting from doing abuse pretty soon they will avoid the sting, if the sting hurts enough. That psychology should work on them - they're the ones taking the larger risk, not the honeypot operators.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
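The relay-honeypot policy sketched in the message above (MTA with delivery stopped, relay tests recognized and let through at most once per day, everything else dropped and logged for the abuse report), as an added example that is not code from the post's author. The probe-recognition heuristic (the honeypot's own IP appearing in the Subject or body so the spammer's dropbox can tell which relay worked), the address 192.0.2.10 and the sample messages are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.message import Message

HONEYPOT_IP = "192.0.2.10"             # assumed honeypot address (TEST-NET-1, constructed)
DELIVERY_INTERVAL = timedelta(days=1)  # "just once per day, maximum"

def _text_of(msg: Message) -> str:
    """Subject plus every text/plain part, decoded to str."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def looks_like_relay_test(msg: Message) -> bool:
    """Heuristic (an assumption, not from the post): a relay probe embeds the
    tested relay's IP so the dropbox can tell which relay let it through."""
    return re.search(r"\b" + re.escape(HONEYPOT_IP) + r"\b", _text_of(msg)) is not None

class RelayHoneypot:
    """Queue of an MTA with delivery stopped: probes are delivered at most once
    per DELIVERY_INTERVAL, anything else that asks to be relayed is spam."""
    def __init__(self):
        self.last_delivery = None
        self.log = []  # (action, envelope_from, rcpt_to) for the abuse report

    def decide(self, raw: str, envelope_from: str, rcpt_to: str, now: datetime) -> str:
        msg = message_from_string(raw)
        if not looks_like_relay_test(msg):
            action = "drop"         # it came to the relay, so it is spam: never delivered
        elif self.last_delivery is None or now - self.last_delivery >= DELIVERY_INTERVAL:
            self.last_delivery = now
            action = "deliver"      # let the probe reach the dropbox, keeps the bait credible
        else:
            action = "report-only"  # recognized probe, daily allowance already spent
        self.log.append((action, envelope_from, rcpt_to))
        return action

# Constructed sample traffic: one relay probe, one ordinary spam.
PROBE = "From: tester@example.net\nTo: dropbox@example.net\nSubject: test 192.0.2.10\n\nrelay check 192.0.2.10 port 25\n"
SPAM = "From: offer@example.com\nTo: victim@example.org\nSubject: Great offer\n\nBuy now.\n"

def demo() -> list:
    hp, t0 = RelayHoneypot(), datetime(2003, 4, 6, 12, 0, tzinfo=timezone.utc)
    return [hp.decide(PROBE, "tester@example.net", "dropbox@example.net", t0),
            hp.decide(PROBE, "tester@example.net", "dropbox@example.net", t0 + timedelta(hours=1)),
            hp.decide(SPAM, "offer@example.com", "victim@example.org", t0 + timedelta(hours=2)),
            hp.decide(PROBE, "tester@example.net", "dropbox@example.net", t0 + timedelta(hours=25))]
```

Running `demo()` yields `['deliver', 'report-only', 'drop', 'deliver']`: the second probe within the same day is logged but not delivered, and the spam never leaves the queue.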