
Re: [asrg] 6. proposal of solution: Using Relay Honeypots to Reduce Spam

2003-04-15 09:13:54
At 02:04 PM 4/15/2003 +0100, Jon Kyme wrote:

> > To really disrupt the spammers may take a number of honeypots equal to or
> > greater than the number of open relays. If the numbers were equal then the
> > honeypots would be expected to be receiving roughly half the spam, a 50%
> > cut in spam volume.  At that level the spammers need only double their
> > output to keep the same delivery level.

> Clearly.  What do you think that the trend in the number of open
> proxies / relays is (will be)? How long will it take us to have the
> necessary number of honeypots deployed?
> How expensive is it for spammers to send out duplicate messages?

I suspect that open relays are approximately steady-state or slowly declining. I put no great faith in my suspicions nor do I have any emotional attachment to them. In any case I don't anticipate any huge upsurge in the numbers of true open relays - the spammers surely have found 99+% of them by now, continue to scan (I assume) because there are enough new ones appearing to make scanning worthwhile.

The length of time needed to have enough honeypots to really matter depends a lot on the rate at which they are created. At the present rate it will take over 1000 years, probably. Some of the emphasis in what I posted was on the ability of ASRG to influence what people do in a way that would speed implementation of whatever ASRG finally did recommend, which could include honeypots. It's impossible to know how many it would take - my inclination would be to favor adding honeypots until everybody was saying there was no more spam. If the honeypot is created from an idle old box the cost is the cost of the electricity to run it plus the manpower cost of setting it up. That's if spam is dead and there is no traffic for the honeypot. Until then there's also the cost of the network traffic. If an organization feels it can't afford the cost of the network traffic then probably it should do at most the absolute bare-bones honeypot: a secure MTA that logs relay attempts.


> > This analysis neglects the complaints that many honeypot
> > operators can send - complaints about attempted theft of service,
> > complaints about relay test messages.  These complaints multiply the
> > effectiveness of honeypots since they help disrupt the entire spamming
> > operation.


> But surely entities which receive spam are in as good (or better) position to
> complain (or sue - AOL anyone?) than the operator of what is, after all,
> an entrapment device?

The concept of entrapment applies only to law-enforcement, and putting a system on the net is not an invitation to the spammers to commit abuse. (Entrapment occurs when a law-enforcement agency invites someone to commit a crime and then charges that someone with the crime. I think the discussion of entrapment belongs elsewhere, outside ASRG. A honeypot is no more entrapment than is setting up an email address as a spam trap and putting that address on a web page.)

Yes, ISPs and users can complain, but when they do they complain about spam. When a honeypot operator complains he complains about attempted theft of service or about relay tests, a prelude to attempted theft of service. Practically speaking the honeypot operator's complaint carries more weight. As far as I know uu.net has acted on every honeypot complaint they've gotten, where "acted" means a spammer account was cancelled. As far as I know they have not acted on every spam complaint. Some ISPs don't appear to even know what I'm talking about when I report a relay test. There's clearly not much real understanding of the spam problem in the ISP mental space.



> > counter-countermeasure may be to deposit all spammed addresses in a central
> > database, shared by a consortium of honeypot operators.  If the spammer
> > uses a test address with any frequency that address will receive
> > proportionately more spam than do the ordinary addresses.  Once a test
> > address is identified honeypots still working can simply deliver any spam
> > that comes for that address, fooling the spammer.


> But if the test address receives no more messages than a regular spam
> target address this signature disappears. The spammer just needs a supply
> of disposable addresses.


A huge supply, if there is a huge supply of honeypots and if the honeypots share their information. Plus there are other ploys the spammers can try (which I don't particularly want to tell them.) In any case it is more work than they now must do, since now they can just do their tests and trust the results.



> I can't see how honeypots can have a major impact on the quantity of
> unwanted mail reaching my users unless undetected deployments substantially
> outnumber abused relays/proxies.

I can't either.  There are two possible scenarios:

(1) not many honeypots, no major impact
(2) many honeypots, major impact


> They'd have to form a very large majority before they'd begin to approach
> the effectiveness of content-filters surely?

They work differently from content filters (and blocklists) but yes, they'd have to be a large majority to have a large impact.

A honeypot in the path before a good blocklist or good content filter merely grabs the spam first - if the spam was going to be stopped anyway the honeypot merely did it sooner. In front of no blocklist and no filter it still grabs the spam. The honeypot grabs all the spam sent "through" it. Blocklists and content filters apparently do not stop all spam. I can envision the ASRG final proposal being strictly one of increased usage of blocklists and of content filters. While those leak and aren't universal the honeypots do grab spam that would otherwise be delivered. The honeypots also are an irritant to the spammer in a way the other two are not. I'd say the final proposal should combine several effective techniques, with honeypots being one of them. Honeypots are simpler and yet are 100% efficient - a powerful combination.


> I can see that they might be useful as a research tool - but I can't see
> how I could use your arguments to persuade my boss to let me (fund me to)
> run one (or a few) on our network.


Again, trapping spam is a side effect. The real goal is to make it impossible for the spammers to know which systems are and which are not open relays or open proxies. Just as one more honeypot doesn't greatly increase spam stoppage one less doesn't greatly decrease spam stoppage. Your boss doesn't have to hear a proposal at all. If ASRG were to recommend honeypots then part of what ASRG would do would be (I think) to create a description of what the honeypots are and why they are needed sufficiently detailed and sufficiently in "boss language" that many bosses would approve. Better would be for your ISP to tackle the problem of spammer abuse - you'd be able to continue what you are doing, your ISP would capture the relay and open proxy tests and complain to other ISPs about the spammers searching for vulnerable systems to abuse. All your boss need do would be to say how glad he was the ISP was fighting abuse. Your ISP could also simulate a flock of honeypots - pretty soon I predict they'd be seeing no abuse traffic at all. That's the goal, for everywhere. What I really want is for ASRG to focus part of their attention on the abuse aspect of spam - that's an area ripe with promise for anti-spam activity. It's so ripe with promise that individuals CAN, if they are in the "right" network segment, stop spam to millions of recipients with a computer that was obsolete years ago. Individuals can also trap and report relay and open proxy tests, also causing spammers some difficulty (if the ISPs wise up.) The abuse has been almost totally ignored up to now. Combating the abuse is a powerful step forward in the fight against spam.
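The shared-database counter-countermeasure discussed in the thread (a consortium of honeypots pooling the addresses they were asked to relay to, flagging the ones that recur far more often than ordinary targets, and delivering only for those), together with the objection that a test address used only once leaves no signature, as an added Python example that is not from the thread or any ASRG proposal; the honeypot names, addresses and thresholds are constructed.

```python
"""Pooling relay-honeypot reports to spot spammer relay-test addresses (constructed example)."""
from collections import Counter
from statistics import median

# Constructed sample: each honeypot reports the recipient addresses of mail it was
# asked to relay.  The .invalid domain is a reserved TLD, used here as a stand-in.
HONEYPOT_REPORTS = {
    "honeypot-a": ["alice@example.net", "bob@example.org", "probe1@spammer-test.invalid",
                   "carol@example.com", "probe1@spammer-test.invalid"],
    "honeypot-b": ["dave@example.net", "probe1@spammer-test.invalid", "erin@example.org",
                   "probe2@spammer-test.invalid"],
    "honeypot-c": ["probe1@spammer-test.invalid", "frank@example.com",
                   "probe2@spammer-test.invalid", "grace@example.net"],
}


def merge_reports(reports):
    """The central database: total sightings per address and which honeypots saw it."""
    totals = Counter()
    seen_by = {}
    for honeypot, addresses in reports.items():
        for addr in addresses:
            totals[addr] += 1
            seen_by.setdefault(addr, set()).add(honeypot)
    return totals, seen_by


def suspected_test_addresses(reports, ratio=3.0, min_honeypots=2):
    """Flag addresses that recur 'ratio' times more often than the typical (median)
    address AND were seen by several independent honeypots, so a single honeypot's
    noise cannot by itself label an address as a test address."""
    totals, seen_by = merge_reports(reports)
    typical = median(totals.values())
    return sorted(addr for addr, n in totals.items()
                  if n >= ratio * typical and len(seen_by[addr]) >= min_honeypots)


def relay_decision(address, reports):
    """Honeypot policy from the thread: really deliver mail addressed to a known test
    address so the spammer believes the relay works; silently drop everything else."""
    return "deliver" if address in suspected_test_addresses(reports) else "drop"
```

In the sample, probe1 is reused across three honeypots and is flagged, while probe2 appears only twice and looks like any other target, which is exactly the disposable-address weakness raised in the reply.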


