[Dshield] Spamhouse now listing exploited IPs in new blocklist
brad.madison at mail.tds.net
Wed Jan 14 20:14:46 GMT 2004
At 12:35 PM 1/14/2004 -0500, you wrote:
>(*) why do you call a host infected?
> for example for DShield, we list many mail servers as port 113
>scanners. This is just a normal side effect of being a mail server,
>and there is nothing wrong with these mail servers. Now this particular
>issue is easy to clean up. But there are others, less clear cut cases.
I'd guess that Spamhaus calls the host infected if it appears to be a 3rd
party spam source. Spamhaus isn't interested in infected systems in an
abstract way - it is interested in them as spam sources, if they are spam
sources. I'd think.
>(*) what about dynamic IPs?
> this was mentioned before. It looks like they keep IPs in their list
>for 6 months. ..
Possibly too long. More below.
> > When
> > an average home user sends mail they aren't using their own personal
> > SMTP server, they're using their ISP's mail server which (hopefully)
> > isn't blacklisted.
>well, not everyone uses their ISPs mail server. Some users send
>directly. I don't think they should, but well, they do. Also, given
>false positives, a perfectly healthy ISP mail server may get on the
TCP/IP and SMTP are peer-to-peer. It's not wrong to send email direct from
a home system. Mail servers may also get on the list because of home
systems that become infected and which follow the advice of using the ISP's
mail server to send email. That happened to my ISP.
>I think a useful blacklist has to be "fresh" and there has to be a fast
>"cleanup" process. It looks like they bounce mail with appropriate
>headers... maybe that will help, but it could hurt as well (where do
>they bounce to? Can this be used as a traffic amplifier/obfuscater in a
I fully and enthusiastically agree with the "fresh" requirement. Those who
want an IP to remain listed for a long time are looking at the wrong end
of the listing period: it's more important (I think) to get an IP listed
quickly. If the listing process is manual then I think that's a problem
from the start: there's too much work for a team of volunteers to keep up
the database. If the listing process is automatic then any IP that gets
aged off will soon get back on the list. If the spamtraps used to generate
the listings don't reject spam based on the listings (and it would be silly
for them to do that) then the spam coming to those should keep alive the
listings for the active spam sources. There seem to be two goals for
blocklists: prevention and punishment. I think prevention is and should be
the major goal; I have little affection for the punishment goal. I also
think the punishment goal is weakly attained, at best.
On the subjects of Spamhaus and of the new blocklist in general I think
Spamhaus should receive a lot of commendation for what they are undertaking
to do. More and more spam is being sent via the abuse route and the abuse
route is being broadened by the addition of spam server zombie systems -
systems onto which the spammer in some manner puts dedicated spam
distribution software. There's a huge number of vulnerable systems and
Spamhaus is volunteering to perform a difficult task.
At the same time the entire problem deserves a fresh look. Blocklists and
filters are tools to be used at or beyond the addressee's email
server. There's a lot that could be done earlier than the final server if
ISPs and others would undertake to combat the spammer abuse. Every day
there is a tremendous volume of spam and every day there's a corresponding
tremendous volume of abuse.
Look at proxy port abuse as an example, and look only at port 1080 as a
subset of that. If ISPs would watch outgoing and incoming traffic directed
to port 1080 the ISPs would see a great deal of suspicious activity. They
could then do a simple follow-through on that (for traffic from their own
space) or report the traffic to the ISP of the source IP (for incoming
traffic.) That ISP could then watch the source. When the conclusion is
reached that the IP is a source of spam then the ISP could terminate all
service for that customer.
Individual users can run proxypot software that allows them to capture
the actual spam being sent, if that happens (and very often it does.) The
spammers search widely on the internet for vulnerable systems. There may
be a service assigned to port 1080 but there's no obligation I know of that
what you run on port 1080 has to be as vulnerable as it appears.
Similarly, if you run SMTP server software on a computer with no real email
function you will capture very close to 100% abuse traffic. Just because
it is an SMTP server program listening on port 25 and accepting email for
elsewhere that is not a guarantee you'll deliver the email that
comes. Even if you do deliver some email (spammer open relay test
messages) you're under no obligation to deliver anything more. In my
opinion you are not intercepting any communication from anyone. One open
relay honeypot I know of warns against sending spam in its banner
message. It still captures a lot of spam. If the sender wanted the message
to be a communication he could have sent it directly from his server to the
addressee's server. Since the spammer chose to gamble on the honeypot
being an open relay he simply lost the gamble when it turned out not to
be. If he loses his account because of the attempted abuse - that's more
fallout from his gamble.
Too much bandwidth consumed by these approaches? First off notice you're
complaining about a great deal of success - that's not purely a
problem. Then notice that you have control of the system and you can
reduce the bandwidth consumed any way you wish - including simply pulling
the network connection for all but 4 hours a day (or whatever you
choose.) Your goal isn't to be the sole combatant, it's to be one of the
combatants. If your system looks like an injured system run by an
incompetent manager perhaps that attracts the spammers. The more varied
the honeypots the spammers encounter the harder it is for them to tell them
from the real abusable systems. That's even a justification for
versionitis - normally a bugbear. It is a bugbear - for the spammers.
Sorry for the length. If I have gone on too long it's OK to email me to
let me know - and I'd appreciate the feedback.
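The "watch port 1080" idea above, worked out as an added example that is not part of the original post: given constructed connection records (not real traffic), it picks out sources that touch many distinct peers on TCP/1080 and sorts them into the two cases the post distinguishes, a host in the ISP's own space (follow up on the customer) and an outside host probing the ISP's space (report to the source's ISP). The address range, the record format, the threshold and the function names are all assumptions made for the example.

```python
"""Spotting SOCKS-proxy (TCP/1080) sweeps in connection records.

Added example: records, address ranges and thresholds are constructed
for illustration and are not taken from any real network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records, one per connection attempt: "src dst dport".
FLOWS = """
203.0.113.7 198.51.100.10 1080
203.0.113.7 198.51.100.11 1080
203.0.113.7 198.51.100.12 1080
203.0.113.7 198.51.100.13 1080
203.0.113.7 198.51.100.14 1080
198.51.100.20 192.0.2.1 1080
198.51.100.20 192.0.2.2 1080
198.51.100.20 192.0.2.3 1080
198.51.100.20 192.0.2.4 1080
198.51.100.30 192.0.2.50 1080
198.51.100.31 198.51.100.10 80
203.0.113.9 198.51.100.10 1080
"""

OUR_SPACE = ip_network("198.51.100.0/24")  # assumed: the ISP's own customer range
PROXY_PORT = 1080
MIN_TARGETS = 4  # distinct peers on 1080 before a source counts as sweeping


def parse_flows(text):
    """Turn the whitespace-separated records into (src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def find_proxy_sweeps(flows, our_space=OUR_SPACE, min_targets=MIN_TARGETS):
    """Group sweeping sources by whether they sit inside or outside our space.

    Returns {"outbound": {src: [targets]}, "inbound": {src: [targets]}}.
    A single connection to 1080 is not enough evidence; the count of
    distinct targets per source is what separates a sweep from one lookup.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == PROXY_PORT:
            targets[src].add(dst)
    outbound, inbound = {}, {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        bucket = outbound if ip_address(src) in our_space else inbound
        bucket[src] = sorted(dsts)
    return {"outbound": outbound, "inbound": inbound}


def recommended_action(src, our_space=OUR_SPACE):
    """What the post suggests for each case: follow up locally or hand off."""
    if ip_address(src) in our_space:
        return "own customer: watch the host, follow through"
    return "external source: report to the source IP's ISP"


if __name__ == "__main__":
    result = find_proxy_sweeps(parse_flows(FLOWS))
    for direction, hits in result.items():
        for src, dsts in hits.items():
            print(direction, src, len(dsts), "targets ->", recommended_action(src))
```

With the constructed records, 203.0.113.7 (five internal targets) is flagged as an inbound sweep and 198.51.100.20 (four external targets) as an outbound one; the single-connection sources and the port 80 record are ignored.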
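The open-relay honeypot described above, as an added example that is not part of the original post or of any honeypot the post mentions: an SMTP dialogue handler that talks like a relay, counts third-party relay attempts, records every message with its envelope, and never delivers anything. The banner, host names, addresses and the constructed spammer session are all invented for the example; the network listener is left out so the state machine can be driven offline.

```python
"""Core of an open-relay SMTP honeypot: accept everything, deliver nothing.

Added example. Host names, banner text and the sample session are
constructed for illustration; no real traffic is involved.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Captured:
    helo: str
    mail_from: str
    rcpt_to: List[str]
    body: str


class RelayHoneypot:
    # Like the honeypot the post mentions, the banner says plainly what this is.
    BANNER = "220 mx.example.invalid ESMTP - relaying through this host is logged and reported"

    def __init__(self, local_domain="example.invalid"):
        self.local_domain = local_domain
        self.captured: List[Captured] = []
        self.relay_attempts = 0  # RCPTs for domains we do not host
        self.helo = ""
        self.in_data = False
        self._body: List[str] = []
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from: Optional[str] = None
        self.rcpt_to: List[str] = []

    @staticmethod
    def _address(arg):
        """'FROM:<a@b>' or 'TO:<c@d>' -> 'a@b'."""
        _, _, rest = arg.partition(":")
        rest = rest.strip()
        return rest[1:-1] if rest.startswith("<") and rest.endswith(">") else rest

    def feed(self, line) -> Optional[str]:
        """Handle one client line; return the reply, or None while reading a body."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.captured.append(Captured(self.helo, self.mail_from,
                                              list(self.rcpt_to), "\n".join(self._body)))
                self._body = []
                self._reset_envelope()
                return "250 2.0.0 Ok: queued"  # nothing is queued; the message stays here
            # RFC 5321 dot-unstuffing: a body line that began with '.' was sent as '..'
            self._body.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.local_domain}"
        if verb == "MAIL":
            self.mail_from = self._address(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            addr = self._address(arg)
            if not addr.lower().endswith("@" + self.local_domain):
                self.relay_attempts += 1  # this is what a relay probe looks for
            self.rcpt_to.append(addr)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpt_to:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset_envelope()
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


# Constructed spammer session (not a real capture): two third-party recipients.
SESSION = [
    "EHLO bulkmailer.example",
    "MAIL FROM:<offers@bulkmailer.example>",
    "RCPT TO:<victim1@elsewhere.example>",
    "RCPT TO:<victim2@elsewhere.example>",
    "DATA",
    "Subject: relay test",
    "",
    "..leading dot survives",
    "body line",
    ".",
    "QUIT",
]


def run_session(lines):
    """Drive the honeypot with a scripted client; return it and the replies sent."""
    pot = RelayHoneypot()
    replies = [pot.BANNER]
    for line in lines:
        reply = pot.feed(line)
        if reply is not None:
            replies.append(reply)
    return pot, replies


if __name__ == "__main__":
    pot, replies = run_session(SESSION)
    for msg in pot.captured:
        print(msg.helo, msg.mail_from, "->", msg.rcpt_to, f"({pot.relay_attempts} relay attempts)")
```

The client sees a clean "250 Ok: queued" after the final dot, exactly as it would from a real open relay, while the message and its envelope sit in `captured` for reporting; the relay probe itself is only "delivered" in the sense that the success code goes back, which is all the spammer's test can observe.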