At 09:19 PM 4/7/2003 -0600, you wrote:
> Be careful what you wish for. A spammer who can't tell an open relay from a
> fake one might become a script kiddie, thereby compromising Cable/DSL modem
> residential users to send the spam. Then there are department stores with
> Internet connections which you can:
> -Insert spammer CDROM.
> -Turn off computer.
> -Turn on computer.
> -Leave department store.

I'm sorry, I don't see the problem as being fatal. I don't doubt that
spammers may do any number of things that are wrong, but I can't see how
that leads to the conclusion that you should just let them do what they are
now doing. If you believe the spammer response to losing the open relay
pathway to send spam might lead them to start hacking computers instead I
can't say you are wrong - I tend to think the same thing. That, though, is
real offense - for that existing laws would, I think, put the spammers at
risk. There's no fiction anymore that the spammers aren't breaking any
laws, aren't committing abuse (I imagine the spammers tell themselves that
if someone runs an open relay he implicitly authorizes its use by anyone).
Once there is evidence that an IP is the source of abuse of the type you
suggest I'd think the possibility exists that a search warrant could be
issued to monitor all packets from that IP. If the spammer escapes that by
doing the department store trick he's going to have one or two free shots
and then the department store security is going to get much tougher and the
spammer will risk having videotape made of his next attempt to steal
service at the department store. If a spammer needs 190 servers I don't
think he's going to hit 190 department stores.
Before he begins to rely on the department store trick I think the spammer
is more likely to try a Trojan horse approach or try rooting home systems
through a long proxy pathway (so he's hard to trace). The Trojan horse,
once analyzed and understood, gives a beautiful way to combat the spammer -
instead of waiting to be tested (as you must for a regular honeypot) you
simply "phone home" to the spammer's system and tell him your system has
been Trojaned. He sends you the spam, you throw it away.
Speculation can go on forever. Spammers do send relay tests and do make
themselves vulnerable thereby. Same for open proxy tests. There's no
subtlety - they just send the tests - all over, every day. Do some
spammers specialize in testing one part of the IP space, others specialize
in testing other parts? I can guess but I don't know - the data is
incredibly sparse even though it is tremendously easy to collect.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg