Contributed by jose on from the no-more-spam dept.
Wow, looks like the Spews approach was good enough for Theo. Now it's even more accessible.

From: Theo de Raadt
Date: Wed, 18 Dec 2002 19:25:02 -0700
To: misc@cvs.openbsd.org
Subject: spam blocking engine

This is a start at a spam blocking engine I have been working on. Very simply, this hangs the full list of ~12,000 spam-sending IP/mask entries listed at www.spews.org off a pf(4) rdr-anchor (which is only entered for port 25). When connections from these spammers arrive they are redirected to a daemon which minimally fakes the SMTP protocol with very low overhead -- for multiple connections at the same time -- and then the message is left on the sender's queue by providing a 550 return code.

The theory here is that most spam still comes in via open relays, and the only way we are going to convince them to clean up their act is to waste _their_ disk space, their time, and their network bandwidth more than they waste ours. For those spammers who drop messages when they receive a 550, well, we have not wasted any further time or network bandwidth, and even in that situation I think some of them might remove an address if they receive a 550.

This will be chrooted and locked down further... and I also plan on adding stuttering to it, to waste the spammer's time further.

If you use this, you must have very current pf code.
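As an added illustration of the mechanism the mail describes (this is not Theo's code and nothing from the OpenBSD tree), here is a minimal fake-SMTP daemon in Python: a connection that pf has redirected to it gets a banner, is allowed to get as far as MAIL/RCPT/DATA, is refused everything with a 550, and has every reply stuttered out one byte at a time. The hostname, the reply texts, the listening port 8025 and the one-second stutter are assumptions; the pf(4) rdr rule that steers listed senders' port 25 connections here is not shown.

```python
"""Fake-SMTP spam trap in the spirit of the daemon described in the post.

Added example, not the OpenBSD code.  Assumptions not taken from the post:
the hostname/banner text, the reply wording, the 1 s per-byte stutter and
the 127.0.0.1:8025 listener.  pf(4) is assumed to redirect listed senders'
port 25 connections to that address.
"""
import asyncio
from typing import List, Tuple

HOSTNAME = "spamtrap.example"            # assumed
BANNER = f"220 {HOSTNAME} ESMTP"
STUTTER_SECONDS = 1.0                    # assumed per-byte delay


def reply_for(line: str) -> Tuple[str, bool]:
    """Return (reply, close_connection) for one client command line.

    The trap never accepts mail: MAIL, RCPT and DATA all get a 550, so a
    well-behaved relay treats the failure as permanent and keeps the bounce
    on its own queue.  HELO/EHLO get a 250 so the client proceeds far enough
    to be told 550 about the actual message.  DATA is refused, so the trap
    never enters message-body mode and body lines fall through to 500.
    """
    words = line.strip().split(None, 1)
    verb = words[0].upper() if words else ""
    if verb in ("HELO", "EHLO"):
        return f"250 {HOSTNAME}", False
    if verb in ("MAIL", "RCPT", "DATA"):
        return "550 5.7.1 Mail refused, see www.spews.org", False
    if verb in ("NOOP", "RSET"):
        return "250 OK", False
    if verb == "QUIT":
        return "221 Bye", True
    return "500 Command unrecognized", False


def run_session(commands: List[str]) -> List[str]:
    """Server-side transcript of a session (banner first), without sockets.

    Stops after QUIT exactly as the network handler does.
    """
    replies = [BANNER]
    for cmd in commands:
        reply, close = reply_for(cmd)
        replies.append(reply)
        if close:
            break
    return replies


async def _send(writer: asyncio.StreamWriter, text: str, stutter: float) -> None:
    # Stuttering: one byte per write with a sleep in between, so the sender's
    # connection (and the process behind it) is held open far longer than a
    # normal SMTP exchange would take, at almost no cost to us.
    for byte in (text + "\r\n").encode("ascii"):
        writer.write(bytes([byte]))
        await writer.drain()
        if stutter:
            await asyncio.sleep(stutter)


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    try:
        await _send(writer, BANNER, STUTTER_SECONDS)
        while True:
            raw = await reader.readline()
            if not raw:                      # client gave up or timed out
                break
            reply, close = reply_for(raw.decode("latin-1", "replace"))
            await _send(writer, reply, STUTTER_SECONDS)
            if close:
                break
    finally:
        writer.close()


async def serve(host: str = "127.0.0.1", port: int = 8025) -> None:
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Run it and point `telnet 127.0.0.1 8025` at it to watch the stutter; `run_session()` gives the same reply sequence instantly for checking the state machine.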
By captain^k () on
Comments
By X-Nc () me@x-nc.net on mailto:me@x-nc.net
Well, maybe a little. It would be better if it were cross-platform and portable to other OSs.
By Anonymous Coward () on
By mirabile () on
*cool* *cool* *cool*
/me going to update to latest -current ASAP
By Anonymous Coward () on
By captain^k () on
..that gives the impression it is going to become a part of the OpenBSD distribution.
As for "being enabled by default"? Time will tell.
By petr () on
I think it will be in new releases, but it will definitely not be enabled by default.
By pravus () on
By sb () on mailto:sb(at)cash.nss.scs.wsu.edu
By captain^k () on
http://marc.theaimsgroup.com/?t=104026481600003&r=1&w=4
By Anonymous Coward () on
By Anonymous Coward () on
By Passo () on
By Anonymous Coward () on
By Anonymous Coward () on
By pravus () on
You should be able to get something similar working for iptables in Linux. The main rewrite would be in converting the spammer list to iptables format. I have a friend who does something similar, except he blocks the IP addresses of machines infected with Code Red that have hit his server. It's all automated.
By Anonymous Coward () 20ys1bi02@sneakemail.com on mailto:20ys1bi02@sneakemail.com
In case the spammer ignores 5xx, in addition to the mail staying in the queue, (s)he also ends up using resources for the outgoing SMTP connection (the sending process, network buffers, etc.).
If using the SPEWS list to get the IPs to block, filter out duplicates with aggregate:
http://freshmeat.net/projects/aggregate/
From the file cvs/netfilter/patch-o-matic/extra/ipt_TARPIT.patch.help:
Adds a TARPIT target to iptables, which captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes.
This offers similar functionality to LaBrea but doesn't require dedicated hardware or IPs. Any TCP port that you would normally DROP or REJECT can instead become a tarpit.
To tarpit connections to TCP port 80 destined for the current machine:
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
To significantly slow down Code Red/Nimda-style scans of unused address space, forward unused IP addresses to a Linux box not acting as a router (e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on the Linux box, and add:
iptables -A FORWARD -p tcp -j TARPIT
iptables -A FORWARD -j DROP
You probably don't want the conntrack module loaded while you are using TARPIT, or you will be using resources per connection.
By Anonymous Coward () on
What is 'current pf code'? Is standard 3.2 ok?
By Clay Dowling () clay@lazarusid.com on http://www.lazarusid.com
By Peter Hessler () spambox@theapt.org on http://www.sfobug.org
By Anonymous Coward () on
If you are anxious to fight spam....
By Brett Glass () on
By Pete () on
550 Requested action not taken: mailbox unavailable
[E.g., mailbox not found, no access]
Perhaps 421 would be better, as it indicates a distinctive transient failure.
421 Service not available, closing transmission channel
[This may be a reply to any command if the service knows it must shut down]
Or, perhaps, the IETF could sanction a new reply code specifically for source-based spam filtering, i.e.
555 Requested action not taken: open-relay suspected
[Sender should reconfigure server to get removed from the open-relay list and retry]
By gas () on
666 Don't mess with the Daemon!
By Shane () on
By Anonymous Coward () on
Re-read your message. Do you really want these spammers hitting your servers twice for the same spam?
By Anonymous Coward () on
But I'd rather tar-baby the spam on a separate host, really. That way it's just bandwidth...
By Shane () on
By Anonymous Coward () on
step 2: ?????
step 3: Profit!
By zil0g () on
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
599 F*ck off, and stop sending me spam.
or
499 Hit me again. I like the punishment.
If you choose the 499 code, you have more time and resources on your hands than most. Why be polite with a spammer? They're obviously not being polite to you. Spammer mail blasting software just doesn't care what error code you've sent.
async_printf(fd, "helo msn.com\nmail from: random@aol.com\nrcpt to: list,of,addresses,to,your,users\ndata\nMESSAGE\n.\nQUIT\n");
The only place where it's practical to mess with a spammer (use 4xx, add delays) is when they use a well-behaved open mail relay, and even then, it's not the spammer's resource you're wasting.
-ez
By kristina83yu@yahoo.com () kristina83yu@yahoo.com on mailto:kristina83yu@yahoo.com
Well mister, 'blocking' mail with 400 isn't going to do any good for you, since it doesn't waste much of our time. Our software is capable of sending up to 7.000.000 emails (personalized - not multiple rcpt to) per hour, and at an average rate of 2.000.000 per hour. Upon receiving error 400, we just retry several times in the next hours, and *do not* remove the address from our database.
Please use 550, since it will do good for you. We DO NOT retry delivering to domains which answer to HELO/EHLO with 550 (simply because we are not interested in delivering mail to those who don't accept it). Also, all addresses from those domains are removed from our lists. 550 responses to RCPT TO: / MAIL FROM: / DATA are also removed from lists, but it doesn't apply to other addresses in the same domain.
Also, please, do NOT drop the connection in the middle of a response, or before sending anything at all, since this will also generate a temporary error, and we will retry later. Dropping packets (i.e. not accepting connections) is generally o.k. since it doesn't waste much of your bandwidth, but on the other hand, your domain doesn't get removed from our system.
So, the thing to keep in mind is that we are always going to have more resources (cpu time, network bandwidth, and so on) to send mail out than you will ever have for receiving it, no matter what happens.
It is just a simple matter of money. We are paid to send it out, but you are not paid to receive it, and also not paid to not receive it.
So,
Have a nice day. Bye.
By Anonymous Coward () on
Rule #2: see rule #1
By kristina83yu@yahoo.com () kristina83yu@yahoo.com on mailto:kristina83yu@yahoo.com
By gdi () on
By Chris () on
Judging by the spelling and sometimes even visible tokens ("Subj: @user Get Rich Now!"), I get the impression most spam I get is from newbies who barely know how to operate the software they're using to send out the spam in the first place.
By Anonymous Coward () on
If you send a 5xx code, the sending machine will stop trying to connect to you. Now, as Theo said, the assumption here is that the client is an open relay. And we also know that a ton of this spam (probably MOST of it) has bogus/undeliverable sender addresses.
So if you use a 5xx, what does it mean? It means that the client (the open relay moron who is connecting to you) will stop trying to hand you the message, and will instead try -- for a very long time, quite possibly -- sending the bounce/failure notification back to the original "sender address."
Using 5xx makes it HIS problem, not YOURS. I'm fully in favor of using 5xx.
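The reply-code debate running through this thread (Pete's 550 versus 421, -ez's point that blaster software ignores the code entirely, the self-described spammer's "use 550", and the bounce argument just above) comes down to what the sender's queue does with each reply class. The following is an added example, a simplified model of RFC 5321 queue handling rather than any real MTA's code, written to put numbers on that argument. The one-retry-per-hour interval and five-day queue lifetime are assumed values (common MTA defaults, not from the thread), and the "blaster" sender models software that, as described above, neither retries nor bounces.

```python
"""How a sending MTA's queue reacts to 4xx vs 5xx replies from a spam trap.

Added example: a simplified model of RFC 5321 queue semantics, not any
particular MTA's code.  Assumed values (not from the thread): one retry
per hour, five-day maximum queue lifetime.  'blaster' models spam software
that ignores reply codes: one connection, no retry, no bounce.
"""
from dataclasses import dataclass
from typing import FrozenSet

RETRY_INTERVAL = 3600            # assumed: one retry attempt per hour
MAX_QUEUE_LIFETIME = 5 * 86400   # assumed: give up and bounce after five days


@dataclass
class Outcome:
    connections_to_us: int     # SMTP sessions the sender opened to our trap
    bounce_generated: bool     # sender queued a non-delivery report
    bounce_deliverable: bool   # that report can actually reach the envelope sender
    message_dropped: bool      # message discarded with no bounce at all


def classify(code: int) -> str:
    """Reply-code class (RFC 5321 4.2.1) as it bears on queue handling."""
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "transient"     # keep queued, retry later
    if 500 <= code < 600:
        return "permanent"     # do not retry, bounce to the envelope sender
    raise ValueError(f"not an SMTP reply code: {code}")


def sender_reacts(kind: str, reply_code: int, envelope_sender: str,
                  resolvable_domains: FrozenSet[str]) -> Outcome:
    """Simulate one queued message from a well-behaved relay or a spam blaster.

    For a relay, a 5xx ends things after one connection and the relay now
    carries a bounce addressed to the (often bogus) envelope sender; a 4xx
    keeps the relay coming back to us until its queue lifetime expires, and
    only then does it bounce.  A blaster makes exactly one connection whatever
    we answer.
    """
    if kind == "blaster":
        return Outcome(connections_to_us=1, bounce_generated=False,
                       bounce_deliverable=False, message_dropped=True)
    if kind != "relay":
        raise ValueError(f"unknown sender kind: {kind}")

    connections, elapsed = 0, 0
    while True:
        connections += 1
        result = classify(reply_code)
        if result == "accepted":
            return Outcome(connections, False, False, False)
        if result == "permanent":
            break
        elapsed += RETRY_INTERVAL
        if elapsed >= MAX_QUEUE_LIFETIME:
            break                         # expired after all those retries

    sender_domain = envelope_sender.rsplit("@", 1)[-1].lower()
    return Outcome(connections_to_us=connections, bounce_generated=True,
                   bounce_deliverable=sender_domain in resolvable_domains,
                   message_dropped=False)


if __name__ == "__main__":
    known = frozenset({"example.org"})
    for kind in ("relay", "blaster"):
        for code in (450, 550):
            print(kind, code, sender_reacts(kind, code, "spam@bogus.invalid", known))
```

With a relay and a forged sender, 550 costs us one connection and leaves the relay holding an undeliverable bounce; 450 buys us 120 connections from the same relay before it bounces anyway. With a blaster the code is irrelevant, which is the point -ez makes above.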
By Anonymous Coward () on
It's kinda like the Simpsons episode where Bart tries to continuously take the muffin even though it's electrified.
By C. Frank Bernard () cfrankbernard@linuxmail.org on mailto:cfrankbernard@linuxmail.org
http://www.iana.org/assignments/ipv4-address-space
When new spam gets by your firewall rules, add more rules to block their particular IP or even their whole range (from a WHOIS search at http://www.arin.net/ )
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
By mulc () mulc@zapha.com on mailto:mulc@zapha.com
How is this different from rblsmtpd? ( http://cr.yp.to )
You gain MTA independence at the price of platform dependence.
Black-lists are a flawed solution. In practice, users do not tolerate false positives.
I eagerly followed the link to this story thinking that Theo might have come up with something new and unique, but this is just old-news RBL stuff.
This is 'in-the-box' thinking.
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
I'll go elevate my consciousness now or something.
Christ.
By Anonymous Coward () on
By Anonymous Coward () on
By anonymous niekze () on
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
(There are also ideas to implement mail-processing in hardware, so basically, you will just have to plug a PCI card into your server, and plug Ethernet into it.)
By BAM () on
By Dan Anderson () dant@drydog.com on http://dan.drydog.com/
By Anonymous Coward () on
I have a feeling this antispam system will be modified to better accept a blacklist other than Spews when openbsd.org or some developer's company gets fucked over by the "collateral damage" policy. Hopefully this will happen before 3.3 is released; I look forward to using the system.. :)
By mb () matt.b@myrealbox.com on mailto:matt.b@myrealbox.com
It's a two-pronged attack, one on the spammer such that they need to find a new ISP, and also on the ISP whose legitimate customers are suffering due to its negligence.
By bleh () on
Spews and all blacklisting methods are drastically ineffective because they are always 1 or 2 steps behind the spammer. Having had to contend with many spam gangs myself in this regard, I see the way they operate.
Typically, they have an office, with several means of inbound connectivity. For instance, maybe 2 or 3 DSL lines, a T1, and a cable modem to boot. They start spamming on 1 line; inevitably, that line gets terminated. They know this (obviously this is why they have 2 or 3 others waiting). They move the operation to one of the other lines, reorder service under different pretenses on the one that got shut down, and keep right on going.
The whole rabid nanae/spews mentality is so off base it's amazing. Their product review of Brightmail (the most powerful use of checksums in existence for antispam) says it all:
"Only filters spam in progress can't be used to block IP ranges. Somewhat pointless in the grand scheme of things as it does not put pressure on spammers to shut down."
The effectiveness of the software is completely disregarded because it doesn't "skewer" spammers?
Let's apply a little logic here: If spamvertising sales generation is decreased, this drastically reduces the attractiveness of spam as a marketing tool. Marketers would eventually seek other (possibly more conventional) avenues of promotion if spam stopped panning out.
(No, I don't work for Brightmail; I'm just a big fan.)
By walter suwalski () walter_suwalski@hotmail.com on mailto:walter_suwalski@hotmail.com
By John Oliver () im.easy.to.find@xampl.com on http://www.john-oliver.net/
http://www.spews.org/faq.html
After you've done so, you'll understand that *you* aren't listed... your ISP is. Because they've ignored reports about their spammers for so long, SPEWS escalates the listings. This has the intended effect of having you call your ISP and put pressure on them to boot their spammers. They don't listen to anyone else; maybe they'll listen to their paying customers. And if they don't, well, it ought to tell you something if the spammers' business is more important to them than yours. In that case, there are a lot of ISPs who're eager to earn your business... you'll have a better ISP, and the spam-friendly ISP loses revenue. Eventually, they become totally rogue and/or go out of business, or they clean up their act and boot the spammers.
Is this "fair" to you? No, it isn't. But remember... it's your ISP who's put you in this position. No one else. All SPEWS does is publish an opinion. That opinion has weight because a lot of people trust it. If SPEWS "sucked", then nobody would use it, and who would care if they listed 0.0.0.0/0 for spam support?
By Anonymous Coward () on
Why would an ISP listen to someone who isn't their customer over a paying customer?
By Noel Duffy () m_aurelius@inbox.net on mailto:m_aurelius@inbox.net
From the SPEWS FAQ:
Q41: How does one contact SPEWS?
A41: One does not. SPEWS does not receive email - it's just an automated system and website; general blocklist related issues can be discussed in the public forums mentioned above.
There are no MX records for the spews domain.
Methinks someone is telling lies, or is very very mistaken.
By Anonymous Coward () on
By Noel Duffy () m_aurelius@penguins.org on mailto:m_aurelius@penguins.org
> their newsgroup and hope they read it to become
> unblocked.
Well, news.admin.net-abuse.email isn't their group. The FAQ tells you that, if you want to get out, you need to remove the spammer and then post to news.admin.net-abuse.email with the Spews case number.
Then it is likely that someone from Spews will see it and delist you, after they verify the problem is resolved.
The group exists for discussion of email abuse, Spews admins happen to read it, though they do not post. The group existed before Spews did.
The original poster claimed that he emailed Spews, and that Spews told him to fuck off. He could not have emailed Spews, so this poster is either lying or else exchanged mail with someone that he thought was Spews, but who really wasn't.
By coolvibe () on
Your ISP is getting you blocked, not SPEWS. You are in a bad net-neighbourhood, just move out.
By submicron () i.hate.spammers@127.0.0.1 on mailto:i.hate.spammers@127.0.0.1
That said, I think this is a great idea, I just wish Theo had chosen a more reliable blackhole list source.
By Anonymous Coward () on
It works exactly the same for any list of IP addresses, doesn't have to be spews.
If you understand how this works, you'll see that it's trivial to add a whitelist. Or why it wouldn't make sense to send DNS queries to check the RBL.
By Anonymous Coward () on
Don't get me wrong, I think it's a great idea. Just OBSD developers tend to write something they're interested in or need done. Which is the way it should be (not least because vested interest gives good results most of the time).
By Gimlet () on
By Gandalf () on
By James () james@firstaidmusic.com on http://james.firstaidmusic.com
Theo, keep the great ideas flowing!
By chris cappuccio () chris@nmedia.net on mailto:chris@nmedia.net
I gotta say, doing this at the network layer is cool, and is useful for downstream mail servers where you may not necessarily want to make changes on the host. Or at least, it would be useful if there were ever an IP based blocking list out there that didn't give you a huge false positive rate.
Heuristic filters like Spamassassin are really much better tools than {SPEWS, ORBL, etc..}, with a much lower false positive rate. And the new stuff like the bayesian filters, where the software develops heuristics for you based on the messages you say are spam, that is also a good way to do it. These filters are much more processor intensive, so I guess it really depends on your application.
By John Sokol () sokol@dnull.com on www.dnull.com
Make any server that's not doing mail act as a virtual open relay.
Also, all mail servers, when blocking a relay, should report a successful relay message.
If the spammers can't separate real open relays from bogus ones, it will increase their cost of doing business.
The key here is to make it not as profitable for them, or to force them to get their own DSL/T1s to spam from. Then these are easier to block and hunt down.
JLS
By Anonymous Coward () on