At 12:55 PM 4/16/2003 +0100, Jon Kyme wrote:
Brad, I guess you missed my questions.
Here they are again:
> > > What's the incentive to deploy (requirements 4.a ?) for an ISP?
> >
> > I anticipate an ASRG plan which ASRG has analyzed and believes will end
> > spam (or reduce it by 99% - effectively end it.) It's time to get serious,
> > to act against spam.
>
> Two questions:
> 1. How much spam reduction should we expect from the deployment of one
> more honeypot?
It varies. When I've run Jackpot at home most of what it has trapped has
been tests from the Orient and spam from the Orient. The guy I call "the
Hinet spammer" tests everywhere and sends spam if a test is simply
accepted - he doesn't look for delivery of the test. I got three tests
from ATT. I'm running in a half-honeypot mode most of the time: I accept
email but deliver nothing, not even tests. At "work" recently I was
trapping spam at about a 60,000-recipient/day level, if I remember
correctly. That system currently isn't responding and might be dead (it is
OLD.) There's a bunch of spam in a couple of archive files. I remember a
lot of the Hinet stuff is in the archives but can't remember if there's any
other. (It sometimes appeared that the Hinet spammer was sending
dictionary-attack spam. Instead of first checking to see if the account
existed he just blasted away the spam. That makes me suspect he was
stealing all the service used to send the spam.)
Every case I know of has been different. You are dependent on the spammers
- if they don't test your segment or if they choose to send only a little
spam you have to accept that (note the irony.) When I last contacted the
honeypot installation in Germany (I can't recall who it was now; I could
check if there's a reason) they'd already stopped spam for over 200 million
people so far this year (back in February, I think.) I estimate Michael
Tokarev stopped spam for 10 million or more last year, from February to
July. The three complaints he sent on one weekend may have totally shut
down Ralsky's Dallas operation (people were reporting that they got no
Ralsky spam; the honeypot resulted in Ralsky burning through his entire
stock of throwaway accounts on 3 different ISPs.)
More spam reduction than if it isn't created is the most accurate
answer. In the US I'd expect the volume to be less than overseas - the
spammers (in the theory I have about them) are more cautious about sending
at a level that amounts to a DOS attack.
> 2. How many honeypots do we need to deploy to reduce spam by 99%?
>
If you do a simple linear model you'd come up with 99 times the number of
open relays. That's assuming nothing but spam stopping is done. If
there's 200,000 open relays then you need 20 million, roughly. On the
other hand for a while a single 100 MHz 486 DX4 in Moscow stopped cold
Ralsky in Dallas.
Why not create 1000 and get some better statistics?
If you add in ISPs and freemail providers doing all they can to screw up
the spammers' relay tests then the number needed goes way down.
Most relay tests have readily recognizable strings that encode the IP of
the system being tested. Freemail providers with suitably-worded TOS could
simply not deliver such test messages to dropboxes (and note which
addresses are dropboxes.) If the message contains, encoded or plaintext,
the IP of the immediate source of that message it is highly likely to be a
relay test message. I see no reason for a freemail provider to feel
obligated to deliver such an abuse-enabling message; I see no reason for
the freemail provider to formally close the account when abuse is detected.
It isn't just freemail providers, of course: some standard ISPs harbor test
message dropboxes. The same principles probably apply there but I think
that I'd prefer that paid ISPs tread very lightly when it comes to testing
incoming email in any way other than for being spam. Even there I could
tolerate their checking to see if the message-ID (if there is one) encodes
the IP of the immediate source of the email message. That's about a 100%
guarantee the message is a spammer relay test.
That would work for a while, until the spammers got more devious about how
they encode tested IPs. I understand that but don't take it as a reason to
never make the effort. Honeypots would continue to trap and possibly
deliver the tests with the more devious encoding.
It is the ability of the spammers to reliably test that is the
target. Stopping large quantities of spam is a useful by-product.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
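The dropbox-side check Brad describes (look for the connecting host's IP encoded in the Message-ID or elsewhere in the message) as a defender's filter, written as an added example that is not part of the original post or of any ASRG proposal; the particular encodings it looks for (plain dotted quad, 8-digit hex, 32-bit decimal, base64, dash- or underscore-separated) and the sample message are assumptions.

```python
import base64
import ipaddress
import re
from email import message_from_string

def ip_encodings(ip: str) -> dict:
    """Candidate ways a relay test might encode the tested host's IPv4 address.
    This list is an assumption for the example; the post only says the tests
    carry 'readily recognizable strings' that encode the IP."""
    addr = ipaddress.IPv4Address(ip)
    n = int(addr)            # 32-bit integer form of the address
    dotted = str(addr)
    return {
        "plaintext": dotted,                                  # 192.168.0.1
        "hex": f"{n:08x}",                                    # c0a80001
        "decimal": str(n),                                    # 3232235521
        "base64": base64.b64encode(dotted.encode()).decode().rstrip("="),
        "dashed": dotted.replace(".", "-"),                   # 192-168-0-1
        "underscored": dotted.replace(".", "_"),              # 192_168_0_1
    }

def relay_test_evidence(raw_message: str, source_ip: str) -> list:
    """Return (field, encoding) pairs where the connecting client's IP shows up.
    Received headers are skipped on purpose: they legitimately carry that IP."""
    msg = message_from_string(raw_message)
    fields = {
        "Message-ID": msg.get("Message-ID", ""),
        "Subject": msg.get("Subject", ""),
        "body": "" if msg.is_multipart() else msg.get_payload(),
    }
    hits = []
    for name, encoded in ip_encodings(source_ip).items():
        # Require a non-alphanumeric boundary so 192.168.0.1 does not match
        # inside 192.168.0.12 and a decimal form does not match a longer number.
        pattern = r"(?<![A-Za-z0-9])" + re.escape(encoded) + r"(?![A-Za-z0-9])"
        flags = re.IGNORECASE if name == "hex" else 0
        for field, text in fields.items():
            if text and re.search(pattern, text, flags):
                hits.append((field, name))
    return hits

# Constructed sample: a relay probe whose Message-ID carries the hex form of
# the IP (192.168.0.1) of the host that handed it to the dropbox.
PROBE_MSG = """Received: from unknown (HELO mail) ([192.168.0.1])
Message-ID: <relaytest-c0a80001@example.invalid>
Subject: test

relay check
"""
```

A provider running this at delivery time would pass the SMTP client's address as `source_ip`; any hit marks the message as a probable relay test and the recipient as a probable dropbox, which is the signal the post says is worth acting on.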