
Re: [asrg] 6. proposal of solution: Using Relay Honeypots to Reduce Spam

2003-04-15 17:17:40
From: Brad Spencer <brad(_dot_)madison(_at_)mail(_dot_)tds(_dot_)net>
At 02:48 PM 4/15/2003 -0600, John Fenley wrote:
1. using a test address to detect honeypots. (There are an infinite number of addresses available, they will not run out.)

Doing something an infinite number of times does tend to tie up your days.

No it doesn't...
It is all automated.


Forget honeypots.  Spammers send spam through abusable systems everywhere.

Agreed.

That means that anywhere (everywhere is the collection of all the anywheres) can be a point at which spammers suffer hardship, if people anywhere would do it.

Incorrect, that means that as long as other systems exist, there will be abuse.

Stopping one form just makes spammers adapt.



3. send even more spam through the real open relays.

Yes.  But we coast, they struggle.

No, we struggle, they coast.
They have cheap automated systems to do all their work for them.

We, on the other hand, would have to set up potentially hundreds of thousands of honeypots to make any difference to the automated systems. And even then all spammers have to do is wait a little longer for their system to find an open relay.

It is a supremely flawed idea with no foreseeable fixes.


And as you mention:
4. send spam directly

Which honeypots can't and don't touch. Blocklists don't just touch, they wallop.



The first analysis of spam is easy: spam has two types, direct, and non-direct. Direct spam should be completely controllable by use of block lists, at least direct spam from spam-only sources.

Blocklists don't work. Again, there are an infinite number of email addresses for spammers to use.


Yeah, but spammers send direct from IPs. If they're their own IPs it's a small subset of all IPs.

Saying things to the effect of "all spammers ______", whatever that blank is, underestimates the human ability to adapt.


A spammer could buy a domain, and do a mailing using real beginning addresses with their real domain endings. Each unique address would only be used once. Everyone would have to block every address in that spammer's list, until it is RBLed, and by that time the damage is done. The spammer can just buy another domain.

I can't stop that with honeypots - that's someone else's baby.

Yes, I know. Everyone knows.

We must not give spammers an easy slope to climb.
If they really become proficient in adapting to our solutions then we are hosed.

In order to win this we must hit them all of a sudden with something that will work perfectly, and stop them dead in their tracks. Something that they won't be able to defeat easily using any sort of automated system.

If they are used to getting around things, it will just be that much easier for them to adapt in some other way. The chances that they will defeat the final(near term) solution go up if they have practice.


These plans were not spur of the moment plans. They took years of effort to formulate and pass. This is what is needed if the system is not self-adopting and backward compatible. (Color TV was like this... a black & white TV could display color signals, just not the color.)


Whereas honeypots use existing protocols, existing MTA's. You can do a sendmail honeypot. I ran a mixed server/honeypot using command files. It was a low-volume server and a Vaxstation, but it worked. I don't recommend mixing a server and a honeypot now but it can be done.

It doesn't matter whether honeypots use existing protocols. They don't solve the problem.

Honeypots, in this context, are systems set up to appear to the spammer to be vulnerable to abuse but not be vulnerable - some key part of the abuse is intercepted, usually delivery of spam.


The real power of honeypots comes when they exist in large numbers...

The number of honeypots does not affect the validity of the workarounds mentioned earlier.


The workaround (the effort the spammer has to put into finding real open relays) is the payoff of the honeypots. He can no longer just send a test and find an open relay - he has to ascertain that the system that passed the test is an open relay.

Oh my...
Do you actually think that the spammer is actually sitting at a computer looking at a screen full of IPs trying to figure out which ones are real?

Automated systems do all that for them. All that happens is the computer takes longer to find a real relay; they find it just the same.

Once they find enough real open relays they only need to search for more if one they are using goes down!

This takes NO EFFORT!!!
THEY DO NOTHING!!!



RFC 2505 says that securing open relays is not an approach to ending spam. The reason is that spammers will continue to discover open relays, so that even a 95% success in securing open relays won't stop spam. The key word is discover: the problem is that spammers can discover open relays. Anyone can: try to relay an email message through a million IPs and you'll find some that will.

RFC 2505 also says:
     "The Non-Relay rules are not in themselves enough to stop spam.
      Even if 99% of the SMTP MTAs implemented them from Day 1,
      spammers would still find the remaining 1% and use them. Or
      spammers would just switch gear and connect directly to each and
      every recipient host; that will be to a higher cost for the
      spammer, but is still quite likely."


As it says "spammers would still find the remaining 1%." I wish to destroy their ability to find the remaining 1%, or to make it so difficult they quit trying.

You won't be able to do that with honeypots.
There is a method I can think of that would solve the problem of open relays, but it would be unethical.


The prime countermeasure a spammer can take is to stop sending spam to the honeypot, once he discovers it is a honeypot.

The best possible course of action for the spammer is to hack through your simple security, and turn your "honeypot" into a "zombie cash cow".


If the spammer sends spam to his own address then he probably will use that same address multiple times.

Not if that is what you are depending on.
Random bot-generated free addresses, used only for 3 or so runs.


So the spammer finds an IP to not use more quickly. I don't care. The value of the idea is in the sheer overwhelming number of honeypots, not in an isolated few.

A zombie is a system under the control of a third party without the owner's consent. I am suggesting that with many honeypots around on the internet with good connections, there is a chance that spammers would use them as a source of email. Without you knowing it they compromise the system, and use it to send the spam, while reporting to you that everything is normal.

With an overwhelming number of honeypots it would be easy for spammers to find systems with bad security to zombify.

I wish you the best of luck building a better honeypot.
John Fenley
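The relay honeypot the two posters argue about (a system that accepts relay attempts, answers as an open relay would, but intercepts delivery) and the "test address" probe the spammer uses to confirm a relay works, modelled as an added example. This is illustration code written for this page, not anything from the thread, RFC 2505 or any real MTA; the domain names, IP addresses and sessions are constructed, and the delivery/quarantine lists stand in for a real mail queue.

```python
"""Toy relay honeypot: accept relay attempts, never deliver them, and flag
repeated test recipients. Added illustration, not code from the thread."""
from collections import Counter
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"honeypot.example"}  # assumed: the only domain we really serve


@dataclass
class Honeypot:
    local_domains: set
    delivered: list = field(default_factory=list)    # mail for our own users
    quarantined: list = field(default_factory=list)  # relay attempts, never sent
    rcpt_seen: Counter = field(default_factory=Counter)

    def handle(self, client_ip, mail_from, rcpt_to):
        """Decide what to do with one MAIL FROM / RCPT TO pair.
        A real open relay would forward the non-local mail; the honeypot
        replies 250 so the client believes it relayed, but the message goes
        to quarantine (the 'intercepted delivery' the thread describes)."""
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            self.delivered.append((client_ip, mail_from, rcpt_to))
            return "250 OK local"
        self.quarantined.append((client_ip, mail_from, rcpt_to))
        self.rcpt_seen[(client_ip, rcpt_to)] += 1
        return "250 OK queued"  # looks like a relay, but nothing leaves

    def probe_addresses(self, min_repeats=2):
        """Recipients one client relayed to repeatedly: the test address a
        spammer sends to himself to confirm the relay. Single-use addresses
        (the counter-move raised in the thread) will not show up here."""
        return {rcpt for (ip, rcpt), n in self.rcpt_seen.items()
                if n >= min_repeats}


def demo():
    """Constructed sessions: one scanner reusing a test address, one
    legitimate local delivery, and one single-use probe address."""
    hp = Honeypot(LOCAL_DOMAINS)
    sessions = [
        ("192.0.2.10", "x@spam.example", "probe1@scanner.example"),
        ("192.0.2.10", "y@spam.example", "probe1@scanner.example"),
        ("192.0.2.10", "y@spam.example", "victim@other.example"),
        ("198.51.100.5", "friend@other.example", "alice@honeypot.example"),
        ("192.0.2.11", "z@spam.example", "onetime-7f3a@scanner.example"),
    ]
    replies = [hp.handle(*s) for s in sessions]
    return hp, replies
```

Every session gets a 250, so the client sees no difference between the honeypot and a real relay; only the repeated probe address is detectable, which is exactly the gap the single-use-address argument in the thread points at.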
