TalkBack 23 of 24: Glad to do it.
Well, actually, I recommend that actual mail servers be just that and not toy with being honeypots. It's not all that hard to make a mail server be a honeypot, but there's always a chance the spammer would counter-attack with a DDoS and that would harm the server's real function. (I've never known if the few really major spam floods I got were just ordinary spam or were meant as counter-attacks. You'd laugh if you knew how I had to scramble on one of them just to keep up with the spam and delete it before it swamped the server.) Let servers be just that: servers.
[Based on my tiny sample of IP addresses (two, plus I can see what another guy's small flock of honeypots is trapping) it looks like open relay spam started to really decline in the past year. I was trapping an average of four relay tests per day on my old honeypot (that now just accepts messages, doesn't deliver anything - it's no longer the departmental mail server.) Now it's more like one a week, and many of those are from the same two oriental open relay testers (judging by the destination email addresses, which stay constant.) So the time for SMTP honeypots may be ending. But, see the next paragraph.]
That leaves tons of non-mail-server IP addresses that could be open relay honeypots, and why there was so much resistance to that very good idea I can't explain. There's even one for Windows:
http://jackpot.uk.net
which is a neat tool. That's what the person whose honeypot I can see uses, and it has a web interface (which is how I can take a look.)
The honeypot works one way when the spammers don't know about it, a different way when they do. My original thought was to secure what I'll call xxx.yyy.edu with honeypots. "Secure" means that eventually the spammers would realize that any open relay they found in xxx.yyy.edu space was probably a fake and that they'd avoid that block because it was so dangerous. Based on that success I hoped to expand to yyy.edu and do the same there, and then to expand to .edu and then to . (the entire internet.) I never even got to protecting xxx.yyy.edu that well, but I was on the way. I retired 3+ years ago, but the effort had stalled before I retired.
Today I'd have operators of email servers examine the logs and find the destinations of refused relay messages - many of those are spammer dropboxes. I see no need for them to do anything different if they block illicit relay messages. If they report the illicit use of the dropbox (some have been hotmail accounts, for instance) then the freemail provider or ISP could take action (which action might be much meaner than simply cancelling the account.) That would be paying attention to the abuse instead of ignoring it. Jackpot (the web reference above) can be run in the deliver-nothing mode, so that if it traps anything it stops there. If it's a spammer open relay test then the Jackpot operator can report the abuse - perhaps both ways (to the ISP of the source and to the ISP of the dropbox email address) and hope something happens.
I think open relay abuse is dead or is dying, but a similar approach can be taken to open proxy abuse. There's no harm in running open relay honeypots or deliver-nothing open relay traps and they could help. If there were 500 reports of relay tests made to the same ISP in China then the Chinese ISP might begin to see that there's a real criminal in their space. Which reminds me, some of the tests I saw on the other person's honeypot came from China but went to a US email address, one I'd already seen as the dropbox for relay tests. I concluded the ISP itself of the destination was spammer-controlled so I never reported the trapped tests to the ISP. Might as well let them make my job easier by sending their tests to an email address I know is a spammer dropbox address.
For zombie abuse it looks to me like traffic analysis by ISPs is the easiest tool. They can look to see the source of packets coming in to IP addresses in their own space reported to them as compromised sources of spam (first, of course, making sure all the spam being emanated goes somewhere harmless, like an evidence directory run by the ISP on some utility server.)
For individual honeypot operators the concern may be that they will be discovered by the spammers and that such discovery would mean the spammers would simply avoid them. That creates an incentive for the honeypot operators to keep one step ahead of the spammers and to defeat the spammer steps taken to distinguish between real open relays and fakes. For the entire flock of honeypots (if there were such a thing) the more important consideration is that there be the flock and that there be enough members in the flock that the spammers are permanently scared.
If you overcome the first-look prejudice there's a real power possible in running a true open relay (or open proxy) - one that is closely monitored. Find the sources of the spammer abuse, find the spammed IP addresses, use all the evidence gathered to cause the spammers trouble. The real beauty of this is the idea of it: to the spammer every open relay (open proxy) is a potential closely-monitored open relay (open proxy.) Maybe the spammer finds an open relay (open proxy) run by an FBI sting operation. That could have some very interesting and useful consequences. Imagine a spammer discovering that his last month of spam activity was all monitored, that the government had logs that showed all the spam leaving the spammer's own system and headed for victims. That's the time to plead guilty and hope for mercy. Mercy is easier to come by if the spammer rolls over on another spammer or two. Note that if an FBI honeypot discovers the spammer's own IP address the FBI can use the evidence to perhaps get a search warrant that can be served on the spammer's ISP so that the FBI can monitor all the spammer's outgoing traffic. That's how I envision getting a week or two's worth of the full spammer output logged. If that doesn't spell j-a-i-l t-i-m-e, it should.
Much of the overlooked power here is that we vastly outnumber them. If a tiny percentage of us did very reasonable things, even weakly, then they would suffer enormously while we would mostly just coast. But instead we ignore the abuse and they are the ones coasting. As another example, if a few thousand people intelligently reported the sources of scans to port 3128 on their systems then that would hobble many of the spammers using that port for proxy abuse - they'd be the ones hit by action that followed the reports. Instead, we don't do much at all.
The spammers try very hard to put evidence of their abuse into your hands. Maybe once in a while you should let them, eh?

Posted by: Minas Beede, 08/27/04
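The log-mining step the post recommends (look through a mail server's logs for refused relay attempts, treat the destination addresses as probable spammer dropboxes, and report each one both to its mail provider and to the owner of the source IP) as an added example. This is not code from the original post or its author. It assumes Postfix-style "Relay access denied" rejection lines; the sample log is constructed for the example and every host, IP and address in it is invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the original post). Lines mimic the Postfix
# "Relay access denied" rejection format; hosts, IPs and addresses are invented.
SAMPLE_LOG = """\
Aug 27 03:14:07 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <relaytest@example.net>: Relay access denied; from=<probe@example.org> to=<relaytest@example.net> proto=ESMTP helo=<mail.example.org>
Aug 27 03:14:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <relaytest@example.net>: Relay access denied; from=<probe@example.org> to=<relaytest@example.net> proto=ESMTP helo=<mail.example.org>
Aug 27 04:02:51 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <dropbox@freemail.example>: Relay access denied; from=<x@example.com> to=<dropbox@freemail.example> proto=SMTP helo=<localhost>
Aug 27 05:30:00 mx postfix/qmgr[1251]: 3F2A1B: from=<alice@example.edu>, size=1024, nrcpt=1 (queue active)
Aug 27 06:11:12 mx postfix/smtpd[1260]: NOQUEUE: reject: RCPT from unknown[192.0.2.200]: 554 5.7.1 <relaytest@example.net>: Relay access denied; from=<probe@example.org> to=<relaytest@example.net> proto=ESMTP helo=<test>
"""

# One refused relay attempt: who connected (ip) and where they wanted the
# message to go (rcpt). The rcpt is the address worth watching: a relay test
# only tells the spammer anything if the result lands in a mailbox they read.
RELAY_DENIED = re.compile(
    r"RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"554 5\.7\.1 <[^>]*>: Relay access denied; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_relay_denials(log_text):
    """Return a list of (source_ip, sender, recipient) for each refused relay line."""
    hits = []
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            hits.append((m.group("ip"), m.group("sender"), m.group("rcpt")))
    return hits


def dropbox_report(log_text, min_sources=1):
    """Tally refused-relay destinations.

    Returns {recipient: {"count": n, "sources": [ip, ...]}}. A recipient that
    several unrelated source IPs try to relay to is the strongest dropbox
    candidate: one mailbox collecting relay-test results launched from many
    places. min_sources filters on that signal.
    """
    counts = Counter()
    sources = defaultdict(set)
    for ip, _sender, rcpt in parse_relay_denials(log_text):
        counts[rcpt] += 1
        sources[rcpt].add(ip)
    return {
        rcpt: {"count": counts[rcpt], "sources": sorted(sources[rcpt])}
        for rcpt in counts
        if len(sources[rcpt]) >= min_sources
    }


def abuse_report_lines(log_text):
    """One line per candidate dropbox, most-hit first, naming both parties a
    report could go to: the dropbox's mail provider and each source IP's owner."""
    report = dropbox_report(log_text)
    lines = []
    for rcpt, info in sorted(report.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        provider = rcpt.rsplit("@", 1)[-1]
        lines.append(
            f"{rcpt}: {info['count']} refused relay attempt(s) from "
            f"{len(info['sources'])} source IP(s) ({', '.join(info['sources'])}); "
            f"report to {provider} and to the owner of each source IP"
        )
    return lines


if __name__ == "__main__":
    for line in abuse_report_lines(SAMPLE_LOG):
        print(line)
```

Run it against a real Postfix log in place of SAMPLE_LOG and raise min_sources to two or three before reporting: a mailbox that only one IP ever tried to relay to may just be a misconfigured legitimate client, while one hit from several unrelated networks is the constant-destination pattern the post describes.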