Re: [Asrg] Whitelisting on Message-ID (Was Turing Test ...) honeypot plug
2003-04-07 06:01:33
At 08:42 PM 4/6/2003 -0700, you wrote:
> And the honey pot has to continue to work once spammers implement their
> "test every N'th email to make sure the relay is still working" code
> widely. Once honeypots become common, so will anti-honeypot technology.
> And I think honeypots are easier to work around than they are to protect
> from spammers hunting them; their greatest advantage now is they're rare
> enough that most spammers probably aren't worrying about them much yet.
First the spammers have to do that. I delivered something like three test
messages in February. I trapped spam into March from the spammer - all
that while I wasn't even delivering his subsequent test
messages. Nonetheless he continued to send spam. There are dumb spammers,
and last year Ralsky was one of them. He trusted the Moscow honeypot so
much he used to relay reports from spam servers to himself.
I basically only trap relay test messages - I don't routinely deliver
them. The ones in February were to see what spam would follow if I did
deliver the message. The only defense I can see against a system that
traps relay test messages is to stop testing it. If it IP hops then
eventually the only defense is to stop testing that entire IP
range. That's what I want - it is a success for me. The spammer has a
measure of protection if he relay tests through an open proxy - I don't
know his real IP if he does that - but his dropbox address still is a
vulnerability. An open proxy honeypot can be the spammer's downfall in this
case.
What you did by accident can be done on purpose. The spammer found you
quickly because he constantly sends relay tests (the sendmail logs should
reveal the source IP and the destination of the test - look for the first
relayed message through it.) The speed with which the spammer found your
new open relay and abused it is his vulnerability - anybody with a spare IP
in the range the spammer tests to find open relays can catch him as soon as
he sends his test.
I'll also note that although there are something like 18 known
vulnerabilities for an MTA what I trap is tests looking for the simplest
vulnerability: plain old open relay. The spammers would be far more
obvious if they did all 18 tests. I can't prove I'm not on a re-test list
(check to see if the IP is still open.)
As a side note I'm happy to see I've been tested again today by the spammer
whose test I delivered in February. Short memory, perhaps. Test from
162.39.58.75, to jela@borovo.net.
> So if you have a honey pot, how do you make it tempting to a spammer who's
> going to test that it's working, while still making it effective as a
> honeypot? Assume, for instance, that the spammer has, say, 50 AOL
> accounts, 100 hotmail accounts, and 100 MSN accounts, all of which forward
> to his real hideaway, and he tests a honeypot by sending every rand(5000)
> email to one of his own tester addresses and validates it gets delivered.
> If too many disappear, he shuts down use of the address and goes elsewhere....
Cross that bridge when I come to it. Fred Woods is working on a central
database of spammed IP addresses. If the spammer re-uses his captive
address frequently that address will show up as being hit more often. Once
you know his captive address you make sure to deliver the spam to
him. It's not likely to be an AOL address - AOL stops incoming spam so he
won't know if the relay stopped the spam or if AOL did. I also in many ways
don't care - the goal is to end spam, not to trap spam in honeypots. If
the spammer is chased away from an IP and ultimately from a range of IPs
then that is a win. That would mean you could have a true open relay and
not have it abused because all of the spammers know not to test the IP. (I
don't advocate having a true open relay - I'm just illustrating the
desirability of the effect.) If ISPs would learn about relay tests (it's
shocking and a shame that they don't inherently know about them) then
reporting a relay test would get the spammer account closed (at a
minimum.) If ISPs really learned about relay (and proxy) tests they'd act
against tests from and to their space - that would make honeypots trivial
and unnecessary.
If ISPs got truly clued then when a honeypot detected a spammer's captive
address the ISP could do creative things when that address was reported to
the ISP. Right now most ISPs, if they do anything, just close the
account. I'd far prefer they would leave the account open but divert email
addressed to that account elsewhere (like /dev/null, as far as the spammer
knows.) That way the spammer would waste some tests before he finally
figured out the diversion. The ISP could also go back through its logs and
know every open relay the spammer found using that dropbox address.
I'm anti-spammer. I look for ways to interfere with spammers. That I can
do it using an ordinary .edu system and my home system (which isn't tested
very often at the moment) is a big clue that the same approach can be used
almost anywhere.
This trapped message puzzles me. It's probably a test but my IP is well
hidden if it is. Maybe it's in the sender name or the
X-precedence-Ref. The message-ID was added by my MTA - nothing there:
Received: from colo-enc.mazmed.net by X.X.X; Sat, 5 Apr 03 05:51 CST
Message-Id: <33040505512327@X.X.X>
Date: Sat, 5 Apr 2003 03:59:02 -0800
From: mike0123891128632@yahoo.com
Subject: Reduce Your Holiday Debt
To: ghfjghfj@aol.com
MIME-Version: 1.0
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Precedence-Ref: 1234056789zxcvbnmlkj
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<a href="http://ecomms.org/debt/?N=30010"><img
src="http://ecomms.org/ad-110.jpg"></a><BR><BR><A
HREF="http://ecomms.org/remove/">remove
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
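The log triage the post describes (find the first relayed message from each source IP, notice re-tests, and spot the captive address that several test sources share, then deliver only to that address) as an added example. This is not code from the post or from any honeypot the author ran; it assumes sendmail-style from=/to= log records, a hypothetical local domain honeypot.example.edu, constructed log lines using RFC 5737 documentation addresses in place of real spammer IPs, and a made-up dropbox mailbox dropbox7@freemail.example.net.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical settings for the honeypot MTA: the domains it accepts mail for and
# the address ranges that count as "inside". Anything else is a third party.
LOCAL_DOMAINS = {"honeypot.example.edu"}
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8",
                                      "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sendmail-style log lines (not from the original post). The public
# IPs are RFC 5737 documentation addresses standing in for real spammer sources;
# dropbox7@freemail.example.net plays the spammer's captive mailbox.
SAMPLE_LOG = """\
Apr  5 05:51:02 trap sendmail[2101]: h35BpXY02101: from=<alice@honeypot.example.edu>, size=310, class=0, nrcpts=1, proto=ESMTP, relay=ws1.honeypot.example.edu [10.0.0.5]
Apr  5 05:51:02 trap sendmail[2102]: h35BpXY02101: to=<bob@honeypot.example.edu>, delay=00:00:00, mailer=local, stat=Sent
Apr  5 06:12:40 trap sendmail[2130]: h35CCeXY02130: from=<test@example.org>, size=280, class=0, nrcpts=1, proto=SMTP, relay=[203.0.113.9]
Apr  5 06:12:40 trap sendmail[2131]: h35CCeXY02130: to=<dropbox7@freemail.example.net>, delay=00:00:00, mailer=esmtp, stat=Sent
Apr  5 06:40:11 trap sendmail[2150]: h35CeBXY02150: from=<news@example.org>, size=900, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.org [203.0.113.9]
Apr  5 06:40:11 trap sendmail[2151]: h35CeBXY02150: to=<alice@honeypot.example.edu>, delay=00:00:00, mailer=local, stat=Sent
Apr  5 07:03:55 trap sendmail[2177]: h35D3tXY02177: from=<probe@example.org>, size=275, class=0, nrcpts=1, proto=SMTP, relay=[198.51.100.23]
Apr  5 07:03:55 trap sendmail[2178]: h35D3tXY02177: to=<dropbox7@freemail.example.net>, delay=00:00:00, mailer=esmtp, stat=Sent
Apr  5 09:20:08 trap sendmail[2201]: h35FK8XY02201: from=<test@example.org>, size=281, class=0, nrcpts=2, proto=SMTP, relay=[203.0.113.9]
Apr  5 09:20:08 trap sendmail[2202]: h35FK8XY02201: to=<tester2@example.net>, delay=00:00:00, mailer=esmtp, stat=Sent
Apr  5 09:20:08 trap sendmail[2203]: h35FK8XY02201: to=<bob@honeypot.example.edu>, delay=00:00:00, mailer=local, stat=Sent
Apr  6 02:15:30 trap sendmail[2260]: h36AFUXY02260: from=<hello@example.org>, size=290, class=0, nrcpts=1, proto=SMTP, relay=[192.0.2.77]
Apr  6 02:15:30 trap sendmail[2261]: h36AFUXY02260: to=<dropbox7@freemail.example.net>, delay=00:00:00, mailer=esmtp, stat=Sent
"""

FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>[^\s,]+)(?:\s\[(?P<ip>[\d.]+)\])?")
TO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"to=(?P<rcpts>(?:<[^>]*>,?)+)")


def parse_log(text):
    """Join sendmail's from= and to= records on queue ID into one message per envelope."""
    msgs, order = {}, []
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            # relay= is either "host [ip]" or just "[ip]" when there is no reverse DNS
            ip = m.group("ip") or m.group("relay").strip("[]")
            msgs[m.group("qid")] = {"ts": m.group("ts"), "sender": m.group("sender"),
                                    "ip": ip, "rcpts": []}
            order.append(m.group("qid"))
            continue
        m = TO_RE.match(line)
        if m and m.group("qid") in msgs:
            msgs[m.group("qid")]["rcpts"] += re.findall(r"<([^>]*)>", m.group("rcpts"))
    return [msgs[q] for q in order]


def is_local_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def is_external_ip(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # hostname-only relay such as "localhost": treat as inside
    return not any(addr in net for net in LOCAL_NETS)


def relay_attempts(msgs):
    """Outside source and outside recipient: the message used this host as a relay."""
    out = []
    for m in msgs:
        if not is_external_ip(m["ip"]):
            continue
        external = [r for r in m["rcpts"] if not is_local_domain(r)]
        if external:
            out.append({**m, "rcpts": external})
    return out


def first_test_per_source(attempts):
    """The post's advice: the first relayed message from each IP is the relay test."""
    first = {}
    for a in attempts:
        first.setdefault(a["ip"], (a["ts"], a["rcpts"][0]))
    return first


def retests(attempts):
    """Sources that came back to check whether the relay is still open."""
    counts = Counter(a["ip"] for a in attempts)
    return {ip: n for ip, n in counts.items() if n > 1}


def dropbox_candidates(attempts, min_sources=2):
    """A recipient hit by tests from several source IPs is likely the spammer's captive address."""
    sources = defaultdict(set)
    for a in attempts:
        for r in a["rcpts"]:
            sources[r].add(a["ip"])
    return {r: sorted(s) for r, s in sources.items() if len(s) >= min_sources}


def should_deliver(rcpt, known_dropboxes):
    """Honeypot policy from the post: trap relay tests by default, but deliver
    to an address already identified as the spammer's dropbox."""
    return rcpt.lower() in {d.lower() for d in known_dropboxes}


if __name__ == "__main__":
    attempts = relay_attempts(parse_log(SAMPLE_LOG))
    for ip, (ts, rcpt) in first_test_per_source(attempts).items():
        print(f"first relay test from {ip} at {ts} -> {rcpt}")
    print("re-tests:", retests(attempts))
    print("dropbox candidates:", dropbox_candidates(attempts))
```

The inside/outside test deliberately uses an explicit list of local ranges rather than Python's `is_private`, because `ipaddress` classifies the RFC 5737 documentation ranges as private and the sample sources would otherwise be discarded. Message 02150 is external-to-local and so is ordinary inbound mail, not a relay attempt, and 10.0.0.5 is an internal workstation; only the four outside-to-outside envelopes count as tests, and the mailbox that three different source IPs all test through is the one worth delivering to.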