Re: [Asrg] Whitelisting on Message-ID (Was Turing Test ...) honey pot plug
2003-04-08 18:33:48
At 08:54 PM 4/8/2003 -0400, you wrote:
> You keep saying that. But you've made no attempt to respond to any of the
> people who have pointed out problems with the idea. You just keep
> repeating the idea.
I think I have responded. I apologize for my brittle attitude but I have
been through this process once already. Every idea has problems but many
ideas are accepted and implemented with far less information supplied than
what I give. Please see the reply I just posted - I go over it again.
If I give implementation details then people probably can find
quibbles. I've done this for three years - the quibbles don't impress me
in face of my success. Others have done it for a year, still others for a
shorter time. Michael Tokarev in Moscow knocked hell out of Alan Ralsky
for a while. That didn't get much publicity at the time: why risk tipping
off Ralsky by bragging about trapping Ralsky's spam while it was still
happening? Only some of his spam was trapped, of course - Ralsky has 190
servers, the one honeypot in Moscow wasn't collecting it all. But it may
be that that one honeypot did bring all of Ralsky's Dallas servers to a
halt because the one honeypot got all the throwaway dialup accounts Ralsky
had terminated. I can't call Ralsky and ask - I have to guess. People did
say in NANAE that they weren't getting Ralsky spam at the same time.
The quibble I can remember right now is that if you do this and it works
(note WORKS) then the spammers will move to a different form of abuse. In
other words, it's hopeless. How am I supposed to handle that? In fact I
can*, but when do people start looking at the idea and thinking about what
it means and how they'd use it instead of submitting me to a 3rd degree
interrogation? It's simple: set up a system with no email function that
accepts relay email. That's the entire basis of the idea. You don't want
to be an open relay, so don't be - don't relay anything, just capture what
comes. You can act against spammers just on the basis of their relay tests
- you should capture relay tests because almost certainly spammers are
attempting them for that IP.
If you go one step further and deliver a relay test, in a timely fashion, I
hope keeping a copy, then you should receive spam as a result. That is
spam that otherwise would have gone to a real open relay and would have
been delivered. Don't deliver it.
If a spammer figures out it's a honeypot then wait for the next spammer to
find you. If he doesn't, continue to deliver relay tests for him (at least)
and continue to not deliver spam. Send appropriate complaints based on the
spam you receive. If you want and can, change the IP of the honeypot if it
is discovered - that forces the spammer to do it all over again, if he
continues to test in your range. You coast, he works. That's a small win
but it is a win.
Better yet, create and run an open proxy honeypot. There's a much greater
chance (these days) that the spammer will connect to the honeypot directly
from his own IP, which you will learn. Then you have evidence of abuse to
show his ISP.
In the other posted reply I have a link for GypsyProxy. I've only run it
once, I can't vouch for it. It seems to be a good idea. I don't doubt a
better idea is possible - I thought that was the focus of ASRG - better ideas.
When spammers develop countermeasures the challenge will be to defeat
them. Why is it required to anticipate everything they might do (and
haven't yet done, based on successful evidence) in order to get the ideas
considered?
Thanks again for your reply - I continue to appreciate your interest.
--
*If honeypots work so well that spammers must move to a different form of
abuse the entire picture will be different. For honeypots to do that there
have to be a lot of them. If there are a lot of them then many people will
be working to defeat relay spam. If they defeat relay spam they'll know
it, and thereby know they can, working together, end a form of abuse. The
expectation should be that, if there's a new form of abuse, a large number
of people, working together, can make that end as well. (This discussion
is probably 95% accurate. Someone surely can find a quibble. It is not
productive to devote all energy to finding quibbles, is it?)
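A capture-only SMTP responder in the spirit of the relay honeypot described above, as an added example that is not part of the original post or of any tool it names: it answers like an open relay (any RCPT TO is accepted), records each message together with the peer's IP, and never forwards anything. The class and method names and the placeholder hostname are this example's own; the session is driven from a list of lines so it can be exercised without a socket.

```python
import email.utils

class RelayHoneypot:
    """Capture-only SMTP responder: looks like an open relay, relays nothing."""
    def __init__(self, hostname="relay.example.invalid"):   # placeholder name
        self.hostname = hostname
        self.captured = []   # dicts: peer, mail_from, rcpts, body

    def handle_session(self, peer_ip, lines):
        """Drive one SMTP session over client lines (no CRLF); return the
        server replies. Every message is stored with the peer IP, never sent."""
        out = [f"220 {self.hostname} ESMTP"]
        mail_from, rcpts, data, in_data = None, [], [], False
        for line in lines:
            if in_data:
                if line != ".":
                    data.append(line[1:] if line.startswith("..") else line)  # dot-unstuff
                    continue
                in_data = False
                self.captured.append({"peer": peer_ip, "mail_from": mail_from,
                                      "rcpts": list(rcpts), "body": "\n".join(data)})
                out.append("250 OK queued")   # accepted for our records, not for delivery
                mail_from, rcpts, data = None, [], []
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                out.append(f"250 {self.hostname}")
            elif verb == "MAIL":
                mail_from = email.utils.parseaddr(arg.partition(":")[2])[1]
                out.append("250 OK")
            elif verb == "RCPT":
                # Accept any recipient domain: this is what a relay test is probing for.
                rcpts.append(email.utils.parseaddr(arg.partition(":")[2])[1])
                out.append("250 OK")
            elif verb == "DATA":
                if not rcpts:
                    out.append("503 need RCPT first")
                else:
                    in_data = True
                    out.append("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "RSET":
                mail_from, rcpts, data = None, [], []
                out.append("250 OK")
            elif verb == "QUIT":
                out.append("221 Bye")
                break
            else:
                out.append("502 command not implemented")
        return out
```

Whatever is captured stays local: deciding which captured items are relay tests worth passing on, and which are spam to hold and complain about, is a separate step run over `captured`.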