Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Spam Operating Systems BSD IT

Name and Shame Spam Senders With OpenBSD 166

Peter N. M. Hansteen writes "Once you've identified spam senders, OpenBSD provides all the tools you need to take one step further: exporting their addresses and publishing the evidence. You can even trap them yourself using known bad addresses. It's easy, fun and good netizenship."
This discussion has been archived. No new comments can be posted.

Name and Shame Spam Senders With OpenBSD

Comments Filter:
  • by Anonymous Coward on Saturday February 07, 2009 @06:42PM (#26767809)
    ...NO!
    • Re: (Score:3, Insightful)

      by Dan541 ( 1032000 )

      How can we be expected to take someone seriously when they invent more bullshit.

    • by shermo ( 1284310 )

      It's not good netiquitte to post in caps.

  • Hmmm? (Score:5, Interesting)

    by BCW2 ( 168187 ) on Saturday February 07, 2009 @06:44PM (#26767819) Journal
    Wouldn't it be more fun to go to their house and either serve them with a civil suit for a $Million+ or just beat their computer into a cube with a sledge hammer?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Wouldn't that require beating a million computers into a million cubes to take down their bot net? Perhaps hammering their toes would be better.

    • by Zarluk ( 976365 )
      I would rather suggest using the sledgehammer on themselves... then, we could use their computers to do some useful stuff ;-)

      OK, just kidding, but there is a hole in my brain that would like to to do it anyway ;-)

  • The list should have these five as well:
    • xsalsa@gmail.com
    • domains@locu.st
    • domains@surink1.com
    • domains@nosnos.com
    • domains@suremoon.com

    These have all been used by Leo Kuvayev (often under his alias "Alex Rodrigez" (note the last name spelling)) in his spamming operations. I'm sure there are more recent ones as well.

  • by Trepidity ( 597 ) <delirium-slashdotNO@SPAMhackish.org> on Saturday February 07, 2009 @06:51PM (#26767851)

    I agree the vast majority of email sent to "known bad" addresses will be sent by spambots, and that'll probably be the exclusive source for never-published addresses. But in the case where they publish these known-bad addresses on a page that they hope spambots will index, it seems blacklisting based on them is vulnerable to abuse. If I want to get some server blacklisted, and I have any sort of access to send mail from it, I can just send mail to the known-bad addresses. For example, good way for mischievous students to cause mayhem by getting their university's mail servers blacklisted.

    • And you don't even have to have access to send mail from that server - you can just fake the headers, the server on the other side has no way of knowing.
      • by Trepidity ( 597 ) <delirium-slashdotNO@SPAMhackish.org> on Saturday February 07, 2009 @07:48PM (#26768153)

        I could be misreading, but I think he's using the IP of the server that actually connects to his server and attempts to deliver mail, not the IP reported in the mail headers.

        • Re: (Score:3, Interesting)

          by Dynedain ( 141758 )

          And you missed the parent...

          If a blackhat already has access to something like a university's mail system (say through someone's weak password), and sends a message to these known-bad addresses (aka, honyepot) through the university's mail system, then he's successfully blacklisted the university's mail servers.

          • by dkf ( 304284 )

            If a blackhat already has access to something like a university's mail system (say through someone's weak password), and sends a message to these known-bad addresses (aka, honyepot) through the university's mail system, then he's successfully blacklisted the university's mail servers

            You seem to assume that this isn't already a problem. If only you were right; if only...

            OTOH, in practice most spam (well, using the sample that gets in my mailbox) actually seems to be routed via hacked home systems.

      • The logs aren't based on trusting the headers in the spam. They're based on which machine tried to deliver the spam.

        Re the GP: You could cause mayhem at a university by getting bsdly.net to block all mail from them? I don't think so.

        Now, if there was actually any value to this name and shame list it might cause trouble, but there isn't. It's just a bad idea. There are lots more spambots than addresses in that list.

      • $ man 2 accept
        ACCEPT(2) Linux Programmerâ(TM)s Manual ACCEPT(2)

        NAME
        accept - accept a connection on a socket
        ...
        int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
        ...
        The argument addr is a pointer to a sockaddr structure. This structure
        is filled in with the address of the peer socket, as known to the com-
        munications layer.
  • by thermian ( 1267986 ) on Saturday February 07, 2009 @06:51PM (#26767853)

    Sorry, I'd never claim citizenship on the internet, after all, who'd want to live in a place that was almost entierly composed of porn?

    Oh wait...

  • Not Really (Score:5, Interesting)

    by IsMyNameTaken ( 1362911 ) <IsThisNameTakenA ... m ['il.' in gap]> on Saturday February 07, 2009 @06:56PM (#26767879)

    I think someone tried the latter approach [washingtonpost.com] already and it didn't end up helping her much

    • Re:Not Really (Score:4, Insightful)

      by Ethanol-fueled ( 1125189 ) on Saturday February 07, 2009 @08:12PM (#26768267) Homepage Journal
      Are you kidding? She got to beat the shit out of a Comcast office while scaring away everybody inside!

      Shaw received a three-month suspended sentence for disorderly conduct, a $345 fine in restitution and a year-long restraining order barring her from the Comcast office.

      I assure you that if I could get away with that kind of punishment I'd do the same thing! Only I'd use a bat instead.

  • by carou ( 88501 ) on Saturday February 07, 2009 @06:57PM (#26767885) Homepage Journal

    Your post advocates a

    ( ) technical ( ) legislative ( ) market-based (X) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    (X) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (X) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    (X) Spammers don't care about invalid addresses in their lists
    (X) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (X) Lack of centrally controlling authority for email
    (X) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (X) Asshats
    (X) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (X) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    (X) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    (X) Dishonesty on the part of spammers themselves
    (X) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (X) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    (X) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    (X) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.
    (X) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

    • Wouldn't "blacklists suck" also be appropriate?

  • Easy, fun... (Score:5, Insightful)

    by subreality ( 157447 ) on Saturday February 07, 2009 @07:10PM (#26767939)

    They can call it easy, fun, and good netizenship... But I say they're just putting a friendly face on vigilanteism.

    From a technical perspective this isn't that different from other collaborative filtering systems (though since the listing criteria is based on secondary sources, it's going to be susceptible to confirmation bias and other sampling errors, so this isn't likely to be a good one). I take big issue with the naming, though: Other collaborative filters say that "This machine is listed because it met these criteria", which you then make your own decisions on.

    It crosses a line when you're saying they should be "shamed", especially when you're not taking extensive precautions to make sure you're not listing innocents.

    • Re: (Score:3, Interesting)

      by Blakey Rat ( 99501 )

      That's why they do it.

      Seriously, it's almost trivial to completely avoid spam now. All of the three major free email vendors, Yahoo, Microsoft and Google, all have excellent spam filters. Every mail client has excellent spam filters. In a world of streaming video being one of the most popular internet uses, the bandwidth consumed by spam isn't a huge deal anymore. (Bittorrent on the other hand...)

      Point is, these "spam vigilantes" basically have to go out of their way to even see spam. They enjoy seeing the

      • Seriously, it's almost trivial to completely avoid spam now. [...] They enjoy seeing the spam, because then they can get outraged and do stuff like this.

        I wouldn't attribute that much malice to it.

        Sure, the big players have great spam filtering, but the work it takes to get there isn't trivial. And there are a lot of us who don't use webmail. Having configured a few mail systems, it takes a lot of poking and prodding and fine tuning to get an anti-spam configuration that works really well. In the course of doing it, you see these strong spam signals, and get drawn into them. "Hey, what if I just turn up this setting here? That'd catch a ton of spam!"

      • by Deagol ( 323173 )

        So you're saying that every company and organization should now use the big free email vendors for their email? Dude, what are you smoking? That's a fine solution for Grandma and even myself, but I'd never recommend that some organization rely on a 3rd party server for anything, especially for email. Spam vigilantes aren't random people who get offended by seeing Viagra spam, but most likely people who administer mail servers and know first-hand how insane the problem of spam is, in terms of management h

      • by kasperd ( 592156 )

        Seriously, it's almost trivial to completely avoid spam now.

        It is trivial if you tolerate false positives. But if you cannot accept false positives, it is not trivial. The problem isn't solved until everybody who has a legitimate use for email can set up their own server on which they don't receive any significant amount of spam and at the same time gets all legitimate emails through. Try it, and you will see, that it is not easy. In fact it is already almost impossible to set up a server in a way that give

    • Right. It's a blacklist, and suffers from all of the problems that blacklists suffer from. Except, like you say, it's deceitful because they want to dumb things down so that you can treat it like a game.

      Maybe blacklists don't grow quickly enough when people are careful. I'd guess that in that case the solution is to start whitelisting. But regardless of what's effective or ethical there will always be some moron who says "let's just make a bigger blacklist".

  • by Anonymous Coward

    If you want to "name and shame" someone, you need to be 100% sure you got the right person. E-Mail is such a vague and diverse system that you really need to know your network technologies to be able to find who's spamming you with any certainty. There's no automatism which can do it for you. Besides, you don't want to turn into one of those bitter and overzealous anti-spammer types, do you? Work with people who operate or host compromised computers which send spam, improve your spam classification systems,

  • Really? (Score:5, Informative)

    by Darkness404 ( 1287218 ) on Saturday February 07, 2009 @07:24PM (#26768017)
    Really is spam that big of a problem anymore? Ever since I've switched to Gmail all my spam has been blocked by it or blocked by a simple mail filter. Now then again, I don't give my real e-mail address to everyone and their brother, but individual spam blockers have come a long, long ways.
    • Re:Really? (Score:5, Insightful)

      by John Hasler ( 414242 ) on Saturday February 07, 2009 @09:18PM (#26768603) Homepage

      > Really is spam that big of a problem anymore?

      For people who actually run email servers the fact that 99% of their traffic is spam is a problem, yes.

      • by davecb ( 6526 ) *

        I used to run the main mail router for a major Canadian university. Incoming mail to us was accepted, outgoing from us was sent. Through email, except to bitnet and uucp, was not. While total spam volume increased without bound, the spam volume we had to deal with climbed only rather slowly.

        The problem space is harder these days, but these basic steps limited it substantially. If I were still running the service, I'd be concentrating on spotting outgoing spam and notifying the sender that they'd been z

    • Re:Really? (Score:5, Insightful)

      by Brandybuck ( 704397 ) on Saturday February 07, 2009 @10:54PM (#26769201) Homepage Journal

      Really is pollution that big of a problem anymore? Ever since I've switched to BigAssFilter air conditioning system, all of the pollution has been filtered out of my home.

    • Re: (Score:3, Informative)

      by subreality ( 157447 )

      You don't get spam because of a combination of anti-spam techniques similar to this one. We have to keep developing them, or else the spammers will get ahead.

      YOU may not have much of a spam problem, but mail admins everywhere - including google's - most certainly do.

    • by Phroggy ( 441 )

      Tools like these are precisely why many users don't perceive spam to be a problem anymore. If the people running your e-mail servers weren't already using these kinds of spam-fighting tools, then you wouldn't think spam was no longer a problem, because your inbox would be full of it.

  • Shame!? (Score:5, Insightful)

    by Dahamma ( 304068 ) on Saturday February 07, 2009 @07:30PM (#26768053)

    What's the point of trying to *shame* a spammer? You can't shame someone who has no shame.

    Naming them is pointless, too. "Oh, hey, I found out it's a guy named Viktor in the Ukraine sending me all this spam!" Now what?

    • Nuke it from orbit?
    • by Suicyco ( 88284 )

      You have to shame the idiots buying crap from spam. If spam didn't make money, their would be no spam. Its not the spam that is the problem, its that it is a viable business model. You can't stop people from making money from something that works, and obviously works really well.

  • That spammers couldn't just be very selective in their targeting. "Oh, sweet, I just got an e-mail about cheap Canadian b33r!"
  • Asking for trouble (Score:4, Insightful)

    by EdIII ( 1114411 ) * on Saturday February 07, 2009 @08:19PM (#26768313)

    Most of the article is about grey listing. That's nearly suicidal for most mail server administrators. When I tried it, it did make a difference.

    Of course, while it is working..........

    Executive A, "This guy just sent me a contract 60 seconds ago. I keep clicking the damn send/receive button but it's not coming in. Are you a fucking moron or something? What the HELL is going on?!!"

    Either paranoia, or people trying to send email with attachments to each other while *on the phone*, makes grey listing a huge hassle for the administrator. You just can't force a delay in email of 10 or 20 minutes for most users. The pitch forks and torches come out.

    Once you do use it, you cannot control the duration of the delay either. The other mail server has its own settings on how often it retries mail as well. So yours is set to 3, theirs is set to 20. The delay is 20.

    I also find it hard to believe that the spammers have not figured this out. It's not like they are stupid. They try very hard to deliver their payloads. It would be trivial to update their software to retry messages that receive those codes.

    Oh, and if you have high volume get ready to drain some resources. Keeping track of thousands and thousands of IP addresses in a grey list to determine which one can communicate at what point is resource intensive.

    • Most of the article is about grey listing. That's nearly suicidal for most mail server administrators.

      That would depend on a lot of things

      Executive A, "This guy just sent me a contract 60 seconds ago. I keep clicking the damn send/receive button but it's not coming in. Are you a fucking moron or something? What the HELL is going on?!!"

      Chances are high that anyone sending contracts has already sent previous messages, so the receipt of the contract would not be subject to any delay. That's assuming that you

      • Re: (Score:2, Interesting)

        by troll8901 ( 1397145 ) *

        Chances are high that anyone sending contracts has already sent previous messages, so the receipt of the contract would not be subject to any delay.

        I did not have such luxury.

        1. The mail daemon was proprietary, supported manual whitelist only.
        2. Adding to the whitelist didn't seem to solve the problem.
        3. The mail server was under the control of a third-party company. I was not supposed to touch it.
        4. Due to some issues between the two companies, they've stopped providing support.
        5. I can't route the mails to my own mail server, because the DNS record and server were under their control too.

        So yes, I received Executive A's anger sometimes while not being able to do a

        • It is nice to have some feedback from someone who has actually tried something of the sort, instead of the usual gut-driven reactions. How does just posting 'No' get moderated to 5? Kinda makes you distrust all trust-based networks.

          I would have thought the original articles description ought to work. You don't slam someone from white to black because their posting has crossed some arbitrary line. You slowly crank up the delay. Just asking for a resend ought to filter out most of the dumber spambots. If

    • by ewhac ( 5844 )

      Executive A, "This guy just sent me a contract 60 seconds ago. I keep clicking the damn send/receive button but it's not coming in. Are you a fucking moron or something? What the HELL is going on?!!"

      BOFH: "What the hell is going on is that the message is currently working through our anti-spam measures -- the ones that filter out all the \/!Agr/\ ads because you keep visiting pr0n sites -- and if you really wanted it right now dammit, you would have had him FAX it.

      "But, for a modest rise in salary, I can

    • Most of the article is about grey listing.

      Not really. Maybe you just saw what you wanted to see.

      That's nearly suicidal for most mail server administrators.

      Not really. There are many thousands of administrators who have the skill to implement it properly.

      When I tried it, it did make a difference.

      Of course, while it is working..........

      Executive A, "This guy just sent me a contract 60 seconds ago. I keep clicking the damn send/receive button but it's not coming in. Are you a fucking moron or something? What the HELL is going on?!!"

      You must not have been one of the competent admins.. sounds like executive A knows it too

      Either paranoia, or people trying to send email with attachments to each other while *on the phone*, makes grey listing a huge hassle for the administrator.

      Again, not for admins who implement greylisting in a sane way.

      You just can't force a delay in email of 10 or 20 minutes for most users. The pitch forks and torches come out.

      True, and greylisting (when implemented correctly) does not do this.

      Once you do use it, you cannot control the duration of the delay either. The other mail server has its own settings on how often it retries mail as well. So yours is set to 3, theirs is set to 20. The delay is 20.

      I also find it hard to believe that the spammers have not figured this out. It's not like they are stupid. They try very hard to deliver their payloads. It would be trivial to update their software to retry messages that receive those codes.

      Some have, most haven't. Despite your beliefs, evidence of greylisting's effectiveness is quite easy to come by.

      Oh, and if you have high volume get ready to drain some resources. Keeping track of thousands and thousands of IP addresses in a grey list to determine which one can communicate at what point is resource intensive.

      No, it isn't. Compared t

    • Re: (Score:3, Interesting)

      by LackThereof ( 916566 )

      also find it hard to believe that the spammers have not figured this out. It's not like they are stupid. They try very hard to deliver their payloads. It would be trivial to update their software to retry messages that receive those codes.

      Most spam-sending agents are very simple, and don't even bother looking at the SMTP error codes. Which is pretty sensible, given that most of what they get is probably 550 for bad addresses in their lists. Why even bother spending the time parsing these errors - there's going to be a whole lot of them, and it's mostly trash because your mailing list is mostly trash.

      But lets say a spammer does make a spambot that looks for 451 errors and properly tries again later. Many sites recommend a greylist delay of

    • by 87C751 ( 205250 )

      I also find it hard to believe that the spammers have not figured this out. It's not like they are stupid. They try very hard to deliver their payloads. It would be trivial to update their software to retry messages that receive those codes.

      Actually, some have. I started greylisting about a year ago, initially with a 1200 second interval. It cut the amount of spam actually delivered to the filters by 90%. Experimentally, I cut the delay period to 60 seconds and the numbers stayed steady, implying that

      • Who are the "legitimate" vendors who mail servers don't implement the protocol? It would be a public service if you could help people avoid them.
        • by 87C751 ( 205250 )

          Who are the "legitimate" vendors who mail servers don't implement the protocol? It would be a public service if you could help people avoid them.

          I suppose this can't be construed as libel, right? ;)

          T-Mobile and Capital One. Logs showed no retries for either one. They just took 451 as a permanent failure.

    • ``Most of the article is about grey listing. That's nearly suicidal for most mail server administrators.''

      How so?

      ``Of course, while it is working..........

      Executive A, "This guy just sent me a contract 60 seconds ago. I keep clicking the damn send/receive button but it's not coming in. Are you a fucking moron or something? What the HELL is going on?!!"''

      I use greylisting, but only for addresses that are on a blacklist. The idea is that, if there is no indication that the mail is spam, it gets through right

  • Wow, what a stupid idea. He is just adding to the problem.

    Most spammers never look at return mail. The return address is usually bogus, or, worse, somebody ELSE's legitimate email address.

    As a one-time victim I can attest to the potential damage of the approach this idiot is advocating. (My domain name was used in a prolific spammer's return address - the resulting deluge shut-down my ISP for a few hours. My domain at the time was live.net - the spammer was advertising a phone service with "live girls"...)

    S

    • You're an idiot. (Score:2, Informative)

      by Narcocide ( 102829 )

      Wow you're an idiot and you don't understand email. He's using the TARGET address to blacklist the IP ADDRESS from the SMTP CONNECTION. That's the envelope sender, not the mail header's return address.

      Do your research before you start casting wild allegations around.

    • He's generating a list of spamtrap addresses, based on his server logs of the unknown addresses in his own domain. If your address isn't in his domain, you're unaffected.

      He is publishing his list of bad addresses on a page as a spamtrap. If you don't harvest email addresses off this page, you're unaffected.

      He's publishing a list of IPs which have sent messages to those spamtrap addresses (at his own domain, using his own mailserver). If your server didn't send mail to a spamtrap address on his server, yo

  • But... (Score:3, Insightful)

    by Sigvatr ( 1207234 ) on Saturday February 07, 2009 @08:45PM (#26768463)
    ... is it good Nietzscheanship?
  • spamd has been around since OpenBSD 3.3. Not news at all. Anyway, I probably read this on undeadly.org, but one feature is particularly funny. When a probably spammer is connecting to your server, the greeting is sent with a TCP window size of 1 byte and a rate of 1 byte per second. Most spammers won't expect a connection to be so incredibly slow, so you end up wasting their time. It isn't meant to stop spam, but you can make spammers frustrated.
    • That "frustration" can stop spammers. If they cannot deliver spam quickly and cheaply, they cannot be profitable.

      But is it worth the consequences of slowing down legitimate traffic? No.

  • I'm a contributing member of Project Honeypot, having been responsible for "catching" several spammers with my little honeypot, and I'm also contributing an MX record for its use. I think that's good enough. If everyone who had even a simple blog contributed to the Project, there'd be no place left for spammers to hide. Its http:BL [bl] database exists as a free resource for anyone to use. Not only do I contribute to Project Honeypot, I also use http:BL [bl] to help keep the comment spammers out of my blog:

    http:/ [vulcantourist.info]

  • Razor/Spamcop, Pyzor, and DCC are heading in about the same direction, just without using such caveman tools as compiling huge webpages. So how is that BSD caveman's blog worth all the fuss?
  • The best thing about this solution is that it is not passive filtration. It actively fights the spammer or spamming bot engine back. In fact, it is delightfully evil because it is fundamentally both an economic and technical solution. Spam has been a popular method of advertising because it is economical compared to mass market fliers, mailers, and faxes. The greytraps, tarpits, and the name of shame list takes the economics right out of sending spam. Better yet, it is not a solution that spammers can

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (1) Gee, I wish we hadn't backed down on 'noalias'.

Working...