At 08:35 AM 4/7/2003 -0700, you wrote:
true, but, it's a fairly easy technological tweak for them. I hate wasting
time on building tools that are clearly going to be obsolete as soon as
the spammers decide it's worth a few days implementing a workaround.
That's not a real solution, and not even really a band-aid.
If you have a spare box you can configure sendmail to not relay. That's
the end of the tool building, for now. If you just trap relay tests that's
the end, forever. I find that to be worthwhile. If you send complaints
(when you can) for the ISP at the source or destination of the test message
you act against the spammer.
If you choose to relay email then you might end up only getting a short run
from each spammer before he detects the honeypot, if he learns to detect
honeypots. Too bad. If you are interested in continuing to trap spam then
you'd probably have to wait until someone else finds the solution to the
problem and makes it available.
That's lazy: lazy has my stamp of approval. Or would, if I'd just get
around to it.
This possibility (spamming their own test addresses) occurred to me 3 years
ago - I used to sort all the recipients and look for duplicates. I never
found any and quit looking. Someday it could happen - it's a possible
defense mechanism the spammers could use. They'll never get back to the
situation they had - nobody watching relay tests - if people would begin
running simple test message traps. Heck, set up sendmail in a secure mode
and just use the logs to detect relay tests - I don't care. You can set up
a system with no DNS records at all and trap relay tests. Just knowing how
(and where) different spammers scan for open relays would be a great step
forward. If you detect open relay tests with a secure MTA then the only
spammer countermeasure is to keep track of every secure system they run
across and to never test it again - that still gives the antispammers power
and that never becomes obsolete until the spammers stop sending relay
spam. Knowing who tests, where, and when is useful. Some ISPs now even
realize what you are talking about if you tell them of a relay
test. Well, one. Get the effort going and a side effect will be greater
ISP awareness even if that takes a large amount of nudging.
The huge counts of spam stopped by some honeypots are cited as evidence the
idea works and that it works today. Take no more from that than that
spammers look for open relays to abuse and you still take something that
has value in fighting spam. The real payoff will come from making it so
difficult to find an open relay that the spammers stop looking. Then
trapped spam counts won't matter - they'll all be zero.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
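The "secure MTA plus logs" approach from the message above, as an added example that is not part of the original post or of any list member's tooling. Sendmail 8.9 and later refuse to relay for third parties by default, so "secure mode" in practice means not adding FEATURE(`promiscuous_relay') to the .mc file and keeping the access database limited to your own networks; every refused attempt then shows up in syslog as a check_rcpt reject ending in "Relaying denied". The script below parses a constructed sample of such lines (documentation IP ranges, not real traffic) and groups the probes by source address, recording the target address too, since the sender's ISP and the destination domain's ISP are the two parties worth complaining to. The exact reject-line layout is assumed from typical sendmail output; adjust the regex if your version logs it differently.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sendmail syslog output (not real traffic; documentation
# address ranges). Two lines are relay probes from one source, one is a normal
# accepted delivery, one is a relay probe from a second host with a reverse name.
SAMPLE_LOG = """\
Apr  7 08:31:02 trap sendmail[4411]: h37FV2xx004411: ruleset=check_rcpt, arg1=<probe-203.0.113.5@relaytest.example>, relay=[203.0.113.5], reject=550 5.7.1 <probe-203.0.113.5@relaytest.example>... Relaying denied
Apr  7 08:31:03 trap sendmail[4412]: h37FV3xx004412: ruleset=check_rcpt, arg1=<probe-203.0.113.5@relaytest.example>, relay=[203.0.113.5], reject=550 5.7.1 <probe-203.0.113.5@relaytest.example>... Relaying denied
Apr  7 08:40:17 trap sendmail[4470]: h37FeHxx004470: from=<alice@example.org>, size=1234, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Apr  7 09:02:44 trap sendmail[4521]: h37G2ixx004521: ruleset=check_rcpt, arg1=<someone@elsewhere.example>, relay=host.example.net [198.51.100.9], reject=550 5.7.1 <someone@elsewhere.example>... Relaying denied
"""

# Field layout assumed from sendmail's check_rcpt reject messages; adjust the
# regex if your sendmail version formats the reject line differently.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: (?P<qid>\S+): "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?:(?P<rhost>\S+) )?\[(?P<rip>[0-9.]+)\], "
    r"reject=550 5\.7\.1 .*Relaying denied"
)


def parse_relay_denied(line, year=2003):
    """Return a dict for a 'Relaying denied' line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumption).
    ts = datetime.strptime(" ".join(m.group("ts").split()),
                           "%b %d %H:%M:%S").replace(year=year)
    rcpt = m.group("rcpt")
    return {
        "time": ts,
        "queue_id": m.group("qid"),
        "source_ip": m.group("rip"),            # where the probe came from
        "source_host": m.group("rhost") or "",  # reverse name, if sendmail had one
        "target": rcpt,                         # where the probe wanted to go
        "target_domain": rcpt.rpartition("@")[2].lower(),
    }


def find_relay_probes(log_text, year=2003):
    """Group denied-relay attempts by source IP.

    Returns {ip: {"attempts", "first", "last", "targets", "target_domains"}}.
    A single denied attempt is already a relay test worth recording: a secure
    MTA never relays for strangers, so nothing legitimate trips this rule.
    """
    probes = defaultdict(lambda: {"attempts": 0, "first": None, "last": None,
                                  "targets": set(), "target_domains": set()})
    for line in log_text.splitlines():
        rec = parse_relay_denied(line, year)
        if rec is None:
            continue
        p = probes[rec["source_ip"]]
        p["attempts"] += 1
        p["first"] = rec["time"] if p["first"] is None else min(p["first"], rec["time"])
        p["last"] = rec["time"] if p["last"] is None else max(p["last"], rec["time"])
        p["targets"].add(rec["target"])
        p["target_domains"].add(rec["target_domain"])
    return dict(probes)


def complaint_summary(probes):
    """One line per probing host, ordered by first sighting: the facts to send
    to the source ISP and to the ISP of the destination domain."""
    lines = []
    for ip, p in sorted(probes.items(), key=lambda kv: kv[1]["first"]):
        lines.append("%s: %d relay test(s) %s..%s, targets %s" % (
            ip, p["attempts"], p["first"].strftime("%b %d %H:%M:%S"),
            p["last"].strftime("%H:%M:%S"), ", ".join(sorted(p["targets"]))))
    return lines


if __name__ == "__main__":
    for line in complaint_summary(find_relay_probes(SAMPLE_LOG)):
        print(line)
```

Run it against a real maillog instead of SAMPLE_LOG (feed the file contents to find_relay_probes) and a box with no MX and no DNS records at all will still yield a list of who is scanning for open relays, when, and for what destinations. Because the MTA refuses the relay, there is nothing for the spammer to detect except that the test failed, which is the "never becomes obsolete" property the message argues for.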