
Re: [asrg] 6. proposal of solution: Using Relay Honeypots to Reduce Spam

2003-04-16 15:43:40
At 10:42 PM 4/16/2003 +0100, Jon Kyme wrote:
> At 06:08 PM 4/16/2003 +0100, Jon Kyme wrote:
>
>
> >I don't see that there's what the charter calls "a realistic chance of
> >wide-scale deployment" for what you propose.
>
> What evaluation of the chances have you done?

> I don't have to. You're proposing it. You should do the sums.


Then I get to pick the percentage, and I don't have to pick 99%.


> But here goes...
>
> Let's see, the ORDB.org database lists 183548 open relays
> as of 16 April 2003. Based on this we'll need approaching 20 million
> undetected honeypots to reduce spam received by one of my users to the
> level that content-filters (or blists) can achieve now.

You claim 99% success FOR YOUR USERS. If you are going to make a comparison (this is getting silly - anyone who says so has my agreement) then you should compare the OVERALL spam-stopping for the entire net, including domains that don't block and don't filter. Further, your filtering is intended to protect your users from spam, so 100% is the goal you should pursue. My action is intended to lower the amount of spam that reaches users sufficiently so that the spammers no longer profit. That number is unknown but I doubt it is 99%.


> Or, if we assume that maybe 1% of mail servers are open relays
> (http://www.imc.org/ube-relay.html) we can see that we'll need
> about the same number of honeypots as there are mail servers.
>
> Now assuming that there are maybe 200 honeypots currently deployed
> we need 5 orders of magnitude increase. Assuming that the honeypot
> numbers grow at about the same rate that the number of internet hosts in
> total have grown (an order of mag in 5 years
> http://www.isc.org/ds/WWW-200301/index.html ) and that the absolute number
> of open relays remains constant, we can see that we need something like 25
> years to deploy the required honeypots.

I'd say more like 1000 years, given the starting point and the assumptions. So what? You are using a growth rate without any concerted effort to promote honeypots and saying that would be the growth rate if ASRG recommends honeypots. That's not likely to be true. In addition what I propose is that ASRG consider all possible modes of defeating spammer abuse, not just honeypots. Get ISPs acting and honeypots are a side joke.


> Of course this may be speeded up somewhat if, after the first 5-10 years,
> you find the absolute number of open relays has fallen due to your
> reporting efforts.

> > problem won't shrink to make up for your short-sightedness.

> I'm not sure how the ability to perform simple arithmetic makes me
> short-sighted.

It isn't the ability to do arithmetic, it's how you chose to use it. You set out to prove that honeypots, and by extension the idea of fighting spam by fighting spammer abuse, won't work. So every place there's an estimate or a choice to make you make the one that leads to the conclusion you wish to reach. That isn't engineering.



> With the best will in the world (and making some very kind assumptions)


No, they are not kind. Note that while I dispute the validity of your assumptions I consider that to be beside the point, if you look at the real point. The real point is that all spam that doesn't go direct from the spammers' servers to the destination is sent using some form of abuse. It is that abuse I propose be stopped. I've done it for years using honeypots but honeypots are not the sole way to do it.

> your plan seems to take decades to work. That's too slow. The spammers can
> adapt quickly enough. The good guys won't wait that long for a return on
> their investment.


That's not "my plan." I have no plan, I have proposed that ASRG consider stopping spam by stopping spam sent using abuse. ASRG someday will have a plan - my suggestion may or may not be part of it.


> My subjective evaluation of the chances of deploying a system that takes
> years (decades) to reduce my users' spam to a level that I can achieve in a
> matter of days or hours with other systems is about zero.


Yeah, right, and we have all the time in the world to devise, propose, code, and distribute an entirely new protocol. Meanwhile my honeypot was stopping actual spam Sunday. Honeypots are easy to write, there is already a Windows-compatible honeypot that could be massively deployed any time. I wouldn't - I'd want it polished more first, but it is an existing tool. ISPs at the origin of the spam (even if it goes through an open proxy in Brazil it could originate in Florida) and ISPs where the abuse is committed can detect the abuse if they wish. They could start tomorrow, ASRG or not. The problem is reaching them to educate them about what they can do. There are also surely problems of violation of privacy. I suspect these may be less severe in Brazil but I don't know. Knock a spammer down 10 times for abusing an open proxy in telesp.br and he may well decide to not try the 11th time. That's one giant block of addresses denied to the spammer without changing any configuration on any of the systems.


> It's a weak idea, not made stronger by simply repeating it.

Not shown.


> However, as a spam collection tool...

Whatever. I don't care if honeypots are in the final proposal. I do care that full consideration be given to fighting the abuse instead of totally and shamefully ignoring it. I can name a few spammer test message dropbox addresses off the top of my head. Can you? Sending and receiving test messages is the essential foundation of relay spam and nobody (other than a very few) pays one bit of attention to it.

The first spam trapped by the Moscow honeypot came through open proxies in Ireland and India (if I remember correctly), totally anonymous. Unfortunately the first test message delivered, the one that led to the spam, went to an IP registered to Alan Ralsky. Sort of destroyed all his cleverness, didn't it?

I've not yet learned if the series of relay tests sent from IPs in Washington, D.C. are or are not ones sent by Dr. Fatburn. Nonetheless I have them as evidence of his (whoever "he" is) use of the IPs to engage in abuse (they're DSL addresses.) Very few people have such evidence but millions could, trivially. It is folly to ignore the abuse when it is so blatant and so easily detected. Tests are essential for the sending of spam - ignoring the tests is unbelievable.
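The deployment arithmetic the two participants argue over above, written out as an added worked example (it is not code from either poster or from the ASRG). The capture model is an assumption of this example: a spammer's relay test lands on a honeypot with probability H / (H + R), with H undetected honeypots and R open relays. The input figures are the ones quoted in the thread (183548 ORDB-listed relays, roughly 200 honeypots, one order of magnitude of growth per 5 years); the growth rate is the disputed parameter, so it is left as an argument.

```python
"""Added example: honeypot coverage and deployment-time arithmetic from the
ASRG thread. Model and numbers are stated in the lead-in; nothing here is
measured data."""

import math
from fractions import Fraction

OPEN_RELAYS_ORDB = 183548        # ORDB.org count quoted for 16 April 2003
HONEYPOTS_NOW = 200              # deployed honeypots assumed in the thread
YEARS_PER_ORDER_OF_MAGNITUDE = 5 # "an order of mag in 5 years" (host growth)


def capture_fraction(honeypots: int, open_relays: int) -> float:
    """Share of relay tests that hit a honeypot rather than a real open relay
    (assumed model: tests are spread uniformly over honeypots and relays)."""
    return honeypots / (honeypots + open_relays)


def honeypots_needed(target_fraction: float, open_relays: int) -> int:
    """Smallest H with H / (H + R) >= target, i.e. H = target * R / (1 - target).
    Exact rational arithmetic avoids off-by-one from float rounding."""
    if not 0 <= target_fraction < 1:
        raise ValueError("target must be in [0, 1)")
    t = Fraction(target_fraction).limit_denominator(10**6)
    return math.ceil(t * open_relays / (1 - t))


def years_to_deploy(needed: int, current: int, years_per_order_of_magnitude: float) -> float:
    """Years to grow from `current` to `needed` honeypots at a fixed exponential
    rate expressed as years per tenfold increase. Zero if already there."""
    if needed <= current:
        return 0.0
    return math.log10(needed / current) * years_per_order_of_magnitude


def deployment_table(target_fraction: float = 0.99):
    """Deployment time under several growth assumptions, so the disputed
    parameter (growth rate) can be compared directly."""
    needed = honeypots_needed(target_fraction, OPEN_RELAYS_ORDB)
    rows = []
    for years_per_oom in (5, 2, 1, 0.5):  # 5 is Jon Kyme's figure; others are what-ifs
        rows.append((years_per_oom, round(years_to_deploy(needed, HONEYPOTS_NOW, years_per_oom), 1)))
    return needed, rows


if __name__ == "__main__":
    needed, rows = deployment_table()
    print(f"honeypots needed for 99% capture against {OPEN_RELAYS_ORDB} relays: {needed}")
    for years_per_oom, years in rows:
        print(f"  at one order of magnitude per {years_per_oom} yr: {years} years")
```

With the thread's own numbers, `honeypots_needed(0.99, 183548)` is 18171252 (about 99 honeypots per relay, which is also why "1% of mail servers are open relays" gives "about the same number of honeypots as mail servers"), and at one order of magnitude per 5 years that takes roughly 25 years; the `deployment_table` rows show how much of that conclusion rests on the growth-rate assumption rather than on the relay count.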


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg