
Re: [asrg] 6. proposal of solution: Using Relay Honeypots to Reduce Spam (fwd)

2003-04-16 09:11:53
At 12:55 PM 4/16/2003 +0100, Jon Kyme wrote:

Brad, I guess you missed my questions.

Here they are again:


> >
> >
> > >What's the incentive to deploy (requirements 4.a ?) for an ISP?
> >
> > I anticipate an ASRG plan which ASRG has analyzed and believes will end
> > spam (or reduce it by 99% - effectively end it.) It's time to get
> > serious,
> > to act against spam.
>
>
> Two questions:
> 1. How much spam reduction should we expect from the deployment of one
> more
> honeypot?

It varies. When I've run Jackpot at home most of what it has trapped has been tests from the Orient and spam from the Orient. The guy I call "the Hinet spammer" tests everywhere and sends spam if a test is simply accepted - he doesn't look for delivery of the test. I got three tests from ATT. I'm running in a half-honeypot mode most of the time: I accept email but deliver nothing, not even tests. At "work" recently I was trapping spam at about a 60,000-recipient/day level, if I remember correctly. That system currently isn't responding and might be dead (it is OLD.) There's a bunch of spam in a couple of archive files. I remember a lot of the Hinet stuff is in the archives but can't remember if there's any other. (It sometimes appeared that the Hinet spammer was sending dictionary-attack spam. Instead of first checking to see if the account existed he just blasted away the spam. That makes me suspect he was stealing all the service used to send the spam.)

Every case I know of has been different. You are dependent on the spammers - if they don't test your segment or if they choose to send only a little spam you have to accept that (note the irony.) When I last contacted the honeypot installation in Germany (I can't recall who it was now; I could check if there's a reason) they'd already stopped spam for over 200 million people so far this year (back in February, I think.) I estimate Michael Tokarev stopped spam for 10 million or more last year, from February to July. The three complaints he sent on one weekend may have totally shut down Ralsky's Dallas operation (people were reporting that they got no Ralsky spam; the honeypot resulted in Ralsky burning through his entire stock of throwaway accounts on 3 different ISPs.)

More spam reduction than if it isn't created is the most accurate answer. In the US I'd expect the volume to be less than overseas - the spammers (in the theory I have about them) are more cautious about sending at a level that amounts to a DOS attack.

> 2. How many honeypots do we need to deploy to reduce spam by 99%?
If you do a simple linear model you'd come up with 99 times the number of open relays. That's assuming nothing but spam stopping is done. If there's 200,000 open relays then you need 20 million, roughly. On the other hand for a while a single 100 MHz 486 DX4 in Moscow stopped cold Ralsky in Dallas.

Why not create 1000 and get some better statistics?

If you add in ISPs and freemail providers doing all they can to screw up the spammers' relay tests then the number needed goes way down.

Most relay tests have readily recognizable strings that encode the IP of the system being tested. Freemail providers with suitably-worded TOS could simply not deliver such test messages to dropboxes (and note which addresses are dropboxes.) If the message contains, encoded or plaintext, the IP of the immediate source of that message it is highly likely to be a relay test message. I see no reason for a freemail provider to feel obligated to deliver such an abuse-enabling message; I see no reason for the freemail provider to formally close the account when abuse is detected.

It isn't just freemail providers, of course: some standard ISPs harbor test message dropboxes. The same principles probably apply there but I think that I'd prefer that paid ISPs tread very lightly when it comes to testing incoming email in any way other than for being spam. Even there I could tolerate their checking to see if the message-ID (if there is one) encodes the IP of the immediate source of the email message. That's about a 100% guarantee the message is a spammer relay test.

That would work for a while, until the spammers got more devious about how they encode tested IPs. I understand that but don't take it as a reason to never make the effort. Honeypots would continue to trap and possibly deliver the tests with the more devious encoding.

It is the ability of the spammers to reliably test that is the target. Stopping large quantities of spam is a useful by-product.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
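The check described in the post above (does an inbound message carry the IP address of its immediate SMTP source, in plaintext or encoded, in its body or its Message-ID?) written out as a small detector. This is an added example and not code from the thread, from Jackpot, or from any provider mentioned; the set of encodings it looks for (dotted, reversed-dotted, hex, decimal, dashed, underscored) is an assumption chosen for illustration, and the sample messages are constructed. One caveat the post's wording glosses over is handled here: the receiving MTA's own Received header always records the connecting peer, so only sender-supplied headers and the body are examined.

```python
"""Detect open-relay probe messages by looking for the connecting peer's IP.

A relay tester has to embed the address of the host it is probing somewhere in
the probe so that, when the probe lands in its dropbox, it knows which relay
worked.  A message that carries the IP of the *immediate* SMTP source is
therefore very likely such a probe.  Example code; encodings are assumed.
"""
import ipaddress
import re


def ip_encodings(ip):
    """Plausible ways a dotted-quad IPv4 address might be embedded in a probe.

    The list is an assumption for this example, not a catalogue of what any
    particular relay tester actually emits.
    """
    packed = int(ipaddress.IPv4Address(ip))
    octets = ip.split(".")
    return {
        "dotted": ip,                                   # 192.168.0.1
        "dotted-reversed": ".".join(reversed(octets)),  # 1.0.168.192
        "hex": f"{packed:08x}",                          # c0a80001
        "decimal": str(packed),                          # 3232235521
        "dashed": "-".join(octets),                      # 192-168-0-1
        "underscored": "_".join(octets),                 # 192_168_0_1
    }


def _contains_token(text, token):
    """Case-insensitive match of token as a whole unit (not inside a longer
    run of digits/letters), so 10.0.0.1 does not match inside 10.0.0.12."""
    pattern = r"(?<![0-9a-z])" + re.escape(token.lower()) + r"(?![0-9a-z])"
    return re.search(pattern, text.lower()) is not None


def find_source_ip_markers(source_ip, headers, body):
    """Return (location, encoding) pairs for every place the source IP appears.

    `headers` is a dict of sender-supplied header fields.  Received headers are
    skipped: the local MTA's own trace header legitimately names the peer.
    """
    hits = []
    fields = [(n, v) for n, v in headers.items() if n.lower() != "received"]
    fields.append(("body", body))
    for location, text in fields:
        for enc_name, token in ip_encodings(source_ip).items():
            if _contains_token(text, token):
                hits.append((location, enc_name))
    return hits


def classify_message(source_ip, headers, body):
    """Summarise the evidence: any marker at all, and the stronger signal the
    post singles out, the Message-ID encoding the connecting IP."""
    hits = find_source_ip_markers(source_ip, headers, body)
    mid_hit = any(loc.lower() == "message-id" for loc, _ in hits)
    return {
        "relay_test": bool(hits),
        "message_id_encodes_source": mid_hit,
        "markers": hits,
    }


# Constructed sample traffic (not captured data).  The peer that delivered
# both messages is 192.168.0.1, taken from the SMTP connection, not a header.
PEER_IP = "192.168.0.1"

PROBE_HEADERS = {
    "From": "probe@example.net",
    "To": "dropbox@example.org",
    "Subject": "relay test 3232235521",
    "Message-ID": "<c0a80001.1050468931@example.net>",
    "Received": "from [192.168.0.1] by mx.example.org; Wed, 16 Apr 2003",
}
PROBE_BODY = "relay check for 192.168.0.1 at 1050468931\n"

LEGIT_HEADERS = {
    "From": "jon@example.com",
    "To": "brad@example.org",
    "Subject": "Re: honeypots",
    "Message-ID": "<20030416125500.GA4242@example.com>",
    "Received": "from [192.168.0.1] by mx.example.org; Wed, 16 Apr 2003",
}
LEGIT_BODY = "Brad, I guess you missed my questions.\n"


if __name__ == "__main__":
    for label, hdrs, body in (("probe", PROBE_HEADERS, PROBE_BODY),
                              ("legit", LEGIT_HEADERS, LEGIT_BODY)):
        print(label, classify_message(PEER_IP, hdrs, body))
```

In a real deployment the peer address comes from the SMTP session, never from a header the sender controls, and a hit should feed a policy decision (do not deliver to the dropbox, record the dropbox address) rather than an automatic block on its own, since a plaintext dotted IP in a body can occur in legitimate mail.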
