
Re: [Asrg] Whitelisting on Message-ID (Was Turing Test ...) honey pot plug

2003-04-08 18:33:48
At 08:54 PM 4/8/2003 -0400, you wrote:

You keep saying that. But you've made no attempt to respond to any of the people who have pointed out problems with the idea. You just keep repeating the idea.


I think I have responded. I apologize for my brittle attitude but I have been through this process once already. Every idea has problems but many ideas are accepted and implemented with far less information supplied than what I give. Please see the reply I just posted - I go over it again.

If I give implementation details then people probably can find quibbles. I've done this for three years - the quibbles don't impress me in face of my success. Others have done it for a year, still others for a shorter time. Michael Tokarev in Moscow knocked hell out of Alan Ralsky for a while. That didn't get much publicity at the time: why risk tipping off Ralsky by bragging about trapping Ralsky's spam while it was still happening? Only some of his spam was trapped, of course - Ralsky has 190 servers, the one honeypot in Moscow wasn't collecting it all. But it may be that that one honeypot did bring all of Ralsky's Dallas servers to a halt because the one honeypot got all the throwaway dialup accounts Ralsky had terminated. I can't call Ralsky and ask - I have to guess. People did say in NANAE that they weren't getting Ralsky spam at the same time.

The quibble I can remember right now is that if you do this and it works (note WORKS) then the spammers will move to a different form of abuse. In other words, it's hopeless. How am I supposed to handle that? In fact I can*, but when do people start looking at the idea and thinking about what it means and how they'd use it instead of submitting me to a 3rd degree interrogation? It's simple: set up a system with no email function that accepts relay email. That's the entire basis of the idea. You don't want to be an open relay, so don't be - don't relay anything, just capture what comes. You can act against spammers just on the basis of their relay tests - you should capture relay tests because almost certainly spammers are attempting them for that IP.

If you go one step further and deliver a relay test, in a timely fashion, I hope keeping a copy, then you should receive spam as a result. That is spam that otherwise would have gone to a real open relay and would have been delivered. Don't deliver it.

If a spammer figures out it's a honeypot then wait for the next spammer to find you. If he doesn't, continue to deliver relay tests for him (at least) and continue not to deliver spam. Send appropriate complaints based on the spam you receive. If you want and can, change the IP of the honeypot if it is discovered - that forces the spammer to do it all over again, if he continues to test in your range. You coast, he works. That's a small win but it is a win.

Better yet, create and run an open proxy honeypot. There's a much greater chance (these days) that the spammer will connect to the honeypot directly from his own IP, which you will learn. Then you have evidence of abuse to show his ISP.

In the other posted reply I have a link for GypsyProxy. I've only run it once, I can't vouch for it. It seems to be a good idea. I don't doubt a better idea is possible - I thought that was the focus of ASRG - better ideas.

When spammers develop countermeasures the challenge will be to defeat them. Why is it required to anticipate everything they might do (and haven't yet done, based on successful evidence) in order to get the ideas considered?

Thanks again for your reply - I continue to appreciate your interest.
--

*If honeypots work so well that spammers must move to a different form of abuse the entire picture will be different. For honeypots to do that there have to be a lot of them. If there's a lot of them then many people will be working to defeat relay spam. If they defeat relay spam they'll know it, and thereby know they can, working together, end a form of abuse. The expectation should be that, if there's a new form of abuse, a large number of people, working together, can make that end as well. (This discussion is probably 95% accurate. Someone surely can find a quibble. It is not productive to devote all energy to finding quibbles, is it?)

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
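An added example, not code from this post or from any tool it mentions, of the capture-only relay honeypot the message describes: it answers a scripted SMTP dialogue the way an open relay would but only records each transaction, then flags which captures look like relay probes worth reporting. The sample dialogue and addresses are constructed, and the probe heuristic (a single recipient in the sender's own domain) is an assumption of this example, not something the post states.

```python
import re

# Constructed sample: a spammer-style relay probe as it would arrive on port 25.
SAMPLE_PROBE = ["HELO probe.example", "MAIL FROM:<tester@sender.example>",
                "RCPT TO:<tester@sender.example>", "DATA",
                "Subject: relay test 192.0.2.10", "", "probe body", ".", "QUIT"]

def addr_of(arg):
    """Extract the address from 'FROM:<a@b>' or 'TO:<a@b>'."""
    m = re.search(r"<(.*?)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()

def new_msg(): return {"helo": "", "mail_from": "", "rcpts": [], "body": []}

def run_session(lines):
    """Answer a scripted SMTP dialogue the way an open relay would, but only
    record it. Returns (server replies, captured messages); nothing is forwarded."""
    replies, captures, in_data = ["220 relay ready"], [], False
    cur = new_msg()
    for line in lines:
        if in_data:                          # message body runs until a lone "."
            if line != ".":
                cur["body"].append(line)
                continue
            captures.append(cur)             # kept as evidence, never relayed
            cur, in_data = new_msg(), False
            replies.append("250 queued")     # claims queued so the probe looks accepted
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            cur["helo"] = arg
        elif verb == "MAIL":
            cur["mail_from"] = addr_of(arg)
        elif verb == "RCPT":
            cur["rcpts"].append(addr_of(arg))   # accept any recipient, like an open relay
        elif verb == "DATA":
            in_data = True
        replies.append({"DATA": "354 end with .", "QUIT": "221 bye"}.get(verb, "250 ok"))
    return replies, captures

def classify(cap):
    """Assumed heuristic (not from the post): a relay probe is one message sent
    back to an address in the sending domain; many recipients means bulk spam."""
    dom = lambda a: a.rsplit("@", 1)[-1].lower()
    if len(cap["rcpts"]) == 1 and dom(cap["rcpts"][0]) == dom(cap["mail_from"]):
        return "relay-probe"
    return "bulk-spam" if len(cap["rcpts"]) > 1 else "other"
```

Captures tagged "relay-probe" carry the connecting host and sender the post suggests reporting; "bulk-spam" captures are the mail that would otherwise have flowed through a real open relay.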
