At 02:04 PM 4/15/2003 +0100, Jon Kyme wrote:
> > To really disrupt the spammers may take a number of honeypots equal to or
> > greater than the number of open relays. If the numbers were equal then the
> > honeypots would be expected to be receiving roughly half the spam, a 50%
> > cut in spam volume. At that level the spammers need only double their
> > output to keep the same delivery level.
> Clearly. What do you think that the trend in the number of open
> proxies / relays is (will be)? How long will it take us to have the
> necessary number of honeypots deployed?
> How expensive is it for spammers to send out duplicate messages?
I suspect that open relays are approximately steady-state or slowly
declining. I put no great faith in my suspicions nor do I have any
emotional attachment to them. In any case I don't anticipate any huge
upsurge in the numbers of true open relays - the spammers surely have found
99+% of them by now and continue to scan (I assume) because there are enough
new ones appearing to make scanning worthwhile.
The length of time needed to have enough honeypots to really matter depends
a lot on the rate at which they are created. At the present rate it will
take over 1000 years, probably. Some of the emphasis in what I posted was
on the ability of ASRG to influence what people do in a way that would
speed implementation of whatever ASRG finally did recommend, which could
include honeypots. It's impossible to know how many it would take - my
inclination would be to favor adding honeypots until everybody was saying
there was no more spam. If the honeypot is created from an idle old box
the cost is the cost of the electricity to run it plus the manpower cost of
setting it up. That's if spam is dead and there is no traffic for the
honeypot. Until then there's also the cost of the network traffic. If an
organization feels it can't afford the cost of the network traffic then
probably it should do at most the absolute bare-bones honeypot: a secure
MTA that logs relay attempts.
> > This analysis neglects the complaints that many honeypot
> > operators can send - complaints about attempted theft of service,
> > complaints about relay test messages. These complaints multiply the
> > effectiveness of honeypots since they help disrupt the entire spamming
> > operation.
> But surely entities which receive spam are in as good (or better) position to
> complain (or sue - AOL anyone?) than the operator of what is, after all,
> an entrapment device?
The concept of entrapment applies only to law-enforcement, and putting a
system on the net is not an invitation to the spammers to commit
abuse. (Entrapment occurs when a law-enforcement agency invites someone to
commit a crime and then charges that someone with the crime. I think the
discussion of entrapment belongs elsewhere, outside ASRG. A honeypot is no
more entrapment than is setting up an email address as a spam trap and
putting that address on a web page.)
Yes, ISPs and users can complain, but when they do they complain about
spam. When a honeypot operator complains he complains about attempted
theft of service or about relay tests, a prelude to attempted theft of
service. Practically speaking the honeypot operator's complaint carries
more weight. As far as I know uu.net has acted on every honeypot complaint
they've gotten, where "acted" means a spammer account was cancelled. As
far as I know they have not acted on every spam complaint. Some ISPs don't
appear to even know what I'm talking about when I report a relay
test. There's clearly not much real understanding of the spam problem in
the ISP mental space.
> > counter-countermeasure may be to deposit all spammed addresses in a central
> > database, shared by a consortium of honeypot operators. If the spammer
> > uses a test address with any frequency that address will receive
> > proportionately more spam than do the ordinary addresses. Once a test
> > address is identified honeypots still working can simply deliver any spam
> > that comes for that address, fooling the spammer.
> But if the test address receives no more messages than a regular spam
> target address this signature disappears. The spammer just needs a supply
> of disposable addresses.
A huge supply, if there is a huge supply of honeypots and if the honeypots
share their information. Plus there are other ploys the spammers can try
(which I don't particularly want to tell them.) In any case it is more
work than they now must do, since now they can just do their tests and
trust the results.
> I can't see how honeypots can have a major impact on the quantity of
> unwanted mail reaching my users unless undetected deployments
> substantially outnumber abused relays/proxies.
I can't either. There are two possible scenarios:
(1) not many honeypots, no major impact
(2) many honeypots, major impact
> They'd have to form a very large majority before they'd begin to approach
> the effectiveness of content-filters surely?
They work differently from content filters (and blocklists) but yes, they'd
have to be a large majority to have a large impact.
A honeypot in the path before a good blocklist or good content filter
merely grabs the spam first - if the spam was going to be stopped anyway
the honeypot merely did it sooner. In front of no blocklist and no filter
it still grabs the spam. The honeypot grabs all the spam sent "through"
it. Blocklists and content filters apparently do not stop all spam. I can
envision the ASRG final proposal being strictly one of increased usage of
blocklists and of content filters. While those leak and aren't universal
the honeypots do grab spam that would otherwise be delivered. The
honeypots also are an irritant to the spammer in a way the other two are
not. I'd say the final proposal should combine several effective
techniques, with honeypots being one of them. Honeypots are simpler and
yet are 100% efficient - a powerful combination.
> I can see that they might be useful as a research tool - but I can't see
> how I could use your arguments to persuade my boss to let me (fund me to)
> run one (or a few) on our network.
Again, trapping spam is a side effect. The real goal is to make it
impossible for the spammers to know which systems are and which are not
open relays or open proxies. Just as one more honeypot doesn't greatly
increase spam stoppage one less doesn't greatly decrease spam
stoppage. Your boss doesn't have to hear a proposal at all. If ASRG were
to recommend honeypots then part of what ASRG would do would be (I think)
to create a description of what the honeypots are and why they are needed
sufficiently detailed and sufficiently in "boss language" that many bosses
would approve. Better would be for your ISP to tackle the problem of
spammer abuse - you'd be able to continue what you are doing, your ISP
would capture the relay and open proxy tests and complain to other ISPs
about the spammers searching for vulnerable systems to abuse. All your
boss need do would be to say how glad he was the ISP was fighting
abuse. Your ISP could also simulate a flock of honeypots - pretty soon I
predict they'd be seeing no abuse traffic at all. That's the goal, for
everywhere. What I really want is for ASRG to focus part of their
attention on the abuse aspect of spam - that's an area ripe with promise
for anti-spam activity. It's so ripe with promise that individuals CAN, if
they are in the "right" network segment, stop spam to millions of
recipients with a computer that was obsolete years ago. Individuals can
also trap and report relay and open proxy tests, also causing spammers some
difficulty (if the ISPs wise up.) The abuse has been almost totally
ignored up to now. Combating the abuse is a powerful step forward in the
fight against spam.
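The pooled-address counter-countermeasure discussed in this thread, together with Jon's disposable-address objection, as an added Python sketch that is not part of the original messages; the honeypot ids, the addresses and the ratio and corroboration thresholds are constructed assumptions:

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data (not from the thread): 20 ordinary victim
# addresses and one hypothetical spammer test address.
ORDINARY = [f"user{i}@example.org" for i in range(20)]
TEST_ADDR = "probe@example.net"


def make_events():
    """Relay attempts pooled by three honeypots as (honeypot_id, recipient).
    Every run hits each victim once and checks delivery to the test address
    four times, so the test address stands out in the shared database."""
    events = []
    for hp in ("hp1", "hp2", "hp3"):
        events += [(hp, addr) for addr in ORDINARY]
        events += [(hp, TEST_ADDR)] * 4
    return events


def make_disposable_events():
    """Jon's objection: the spammer burns a fresh test address per check,
    so no single address ever receives more than an ordinary victim."""
    events = []
    for hp in ("hp1", "hp2", "hp3"):
        events += [(hp, addr) for addr in ORDINARY]
        events += [(hp, f"probe-{hp}-{n}@example.net") for n in range(4)]
    return events


def suspect_test_addresses(events, ratio=3, min_honeypots=2):
    """Flag addresses whose pooled hit count is at least `ratio` times the
    median per-address count AND that at least `min_honeypots` different
    honeypots have seen; the second condition is why sharing matters."""
    if not events:
        return set()
    hits = Counter(addr for _, addr in events)
    seen_by = defaultdict(set)
    for hp, addr in events:
        seen_by[addr].add(hp)
    baseline = median(hits.values())
    return {a for a, n in hits.items()
            if n >= ratio * baseline and len(seen_by[a]) >= min_honeypots}


def honeypot_action(addr, suspects):
    """Deliver only mail for a suspected test address, so the spammer's
    check appears to succeed; everything else is logged and swallowed."""
    return "deliver" if addr in suspects else "swallow"
```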
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg