[Dshield] Spamhouse now listing exploited IPs in new blocklist

Brad Spencer brad.madison at mail.tds.net
Wed Jan 14 20:14:46 GMT 2004

At 12:35 PM 1/14/2004 -0500, you wrote:

>(*) why do you call a host infected?
>    for example for DShield, we list many mail servers as port 113
>scanners. This is just a normal side effect of being a mail server,
>and there is nothing wrong with these mail servers. Now this particular
>issue is easy to clean up. But there are others, less clear cut cases.

I'd guess that Spamhaus calls the host infected if it appears to be a 3rd 
party spam source.  Spamhaus isn't interested in infected systems in an 
abstract way - it is interested in them as spam sources, if they are spam 
sources.  I'd think.

>(*) what about dynamic IPs?
>    this was mentioned before. It looks like they keep IPs in their list
>for 6 months. ..

Possibly too long.  More below.

> > When
> > an average home user sends mail they aren't using their own personal
> > SMTP server, they're using their ISP's mail server which (hopefully)
> > isn't blacklisted.
>well, not everyone uses their ISPs mail server. Some users send
>directly. I don't think they should, but well, they do. Also, given
>false positives, a perfectly healthy ISP mail server may get on the

TCP/IP and SMTP are peer-to-peer.  It's not wrong to send email direct from 
a home system.  Mail servers may also get on the list because of home 
systems that become infected and which follow the advice of using the ISP's 
mail server to send email.  That happened to my ISP.

>I think a useful blacklist has to be "fresh" and there has to be a fast
>"cleanup" process. It looks like they bounce mail with appropriate
>headers... maybe that will help, but it could hurt as well (where do
>they bounce to? Can this be used as a traffic amplifier/obfuscator in a
>DOS attack).

I fully and enthusiastically agree with the "fresh" requirement.  Those who 
want an IP to remain listed for a long time are looking at the wrong end 
of the listing period: it's more important (I think) to get an IP listed 
quickly.  If the listing process is manual then I think that's a problem 
from the start: there's too much work for a team of volunteers to keep up 
the database.  If the listing process is automatic then any IP that gets 
aged off will soon get back on the list.  If the spamtraps used to generate 
the listings don't reject spam based on the listings (and it would be silly 
for them to do that) then the spam coming to those should keep alive the 
listings for the active spam sources.  There seem to be two goals for 
blocklists: prevention and punishment.  I think prevention is and should be 
the major goal; I have little affection for the punishment goal.  I also 
think the punishment goal is weakly attained, at best.

On the subjects of Spamhaus and of the new blocklist in general I think 
Spamhaus should receive a lot of commendation for what they are undertaking 
to do.  More and more spam is being sent via the abuse route and the abuse 
route is being broadened by the addition of spam server zombie systems - 
systems onto which the spammer in some manner puts dedicated spam 
distribution software.  There's a huge number of vulnerable systems and 
Spamhaus is volunteering to perform a difficult task.

At the same time the entire problem deserves a fresh look.  Blocklists and 
filters are tools to be used at or beyond the addressee's email 
server.  There's a lot that could be done earlier than the final server if 
ISPs and others would undertake to combat the spammer abuse. Every day 
there is a tremendous volume of spam and every day there's a corresponding 
tremendous volume of abuse.

Look at proxy port abuse as an example, and look only at port 1080 as a 
subset of that.  If ISPs would watch outgoing and incoming traffic directed 
to port 1080 the ISPs would see a great deal of suspicious activity.  They 
could then do a simple follow-through on that (for traffic from their own 
space) or report the traffic to the ISP of the source IP (for incoming 
traffic.)  That ISP could then watch the source.  When the conclusion is 
reached that the IP is a source of spam then the ISP could terminate all 
service for that customer.

Individual users can run proxypot software.  That allows them to capture 
the actual spam being sent, if that happens (and very often it does.)  The 
spammers search widely on the internet for vulnerable systems.  There may 
be a service assigned to port 1080 but there's no obligation I know of that 
what you run on port 1080 has to be as vulnerable as it appears.

Similarly, if you run SMTP server software on a computer with no real email 
function you will capture very close to 100% abuse traffic.  Just because 
it is an SMTP server program listening on port 25 and accepting email for 
elsewhere that is not a guarantee you'll deliver the email that 
comes.  Even if you do deliver some email (spammer open relay test 
messages) you're under no obligation to deliver anything more.  In my 
opinion you are not intercepting any communication from anyone.  One open 
relay honeypot I know of warns against sending spam in its banner 
message.  It still captures a lot of spam. If the sender wanted the message 
to be a communication he could have sent it directly from his server to the 
addressee's server.  Since the spammer chose to gamble on the honeypot 
being an open relay he simply lost the gamble when it turned out not to 
be.  If he loses his account because of the attempted abuse - that's more 
fallout from his gamble.

Too much bandwidth consumed by these approaches?  First off notice you're 
complaining about a great deal of success - that's not purely a 
problem.  Then notice that you have control of the system and you can 
reduce the bandwidth consumed any way you wish - including simply pulling 
the network connection for all but 4 hours a day (or whatever you 
choose.)  Your goal isn't to be the sole combatant, it's to be one of the 
combatants.  If your system looks like an injured system run by an 
incompetent manager perhaps that attracts the spammers.  The more varied 
the honeypots the spammers encounter the harder it is for them to tell them 
from the real abusable systems.  That's even a justification for 
versionitis - normally a bugbear.  It is a bugbear - for the spammers.

Sorry for the length.  If I have gone on too long it's OK to email me to 
let me know - and I'd appreciate the feedback.
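
The port-1080 "proxypot" idea from the message above, as an added example that is not code from the post, from DShield or from Spamhaus: a decoder for what a listener on 1080 actually receives, a SOCKS4/4a or SOCKS5 CONNECT request, which flags requests whose destination is port 25, i.e. a proxy being used to reach someone's mail server. The sample requests, the hostnames (mx.victim.example, 203.0.113.5 and the like) and the triage helper are all constructed for the example.

```python
import struct
import ipaddress

SMTP_PORT = 25  # a CONNECT to this port through an open proxy is the classic spam-relay pattern


def socks_probe(data: bytes) -> dict:
    """Decode a SOCKS4/4a or SOCKS5 CONNECT request as a listener on 1080 receives it.

    For SOCKS5 this is the request that follows method negotiation (the client's
    b"\\x05\\x01\\x00" is answered with b"\\x05\\x00" before this message arrives).
    Returns the requested destination and whether it is the SMTP port.
    """
    if len(data) < 5:
        raise ValueError("truncated request")
    ver = data[0]
    if ver == 4:
        # VN=4 CD=1 DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL in SOCKS4a]
        if data[1] != 1 or len(data) < 9:
            raise ValueError("not a SOCKS4 CONNECT")
        port, = struct.unpack("!H", data[2:4])
        host = str(ipaddress.IPv4Address(data[4:8]))
        if host.startswith("0.0.0.") and host != "0.0.0.0":
            # SOCKS4a: a destination of 0.0.0.x means the hostname follows the user id
            fields = data[8:].split(b"\x00", 2)
            if len(fields) < 3:
                raise ValueError("truncated SOCKS4a hostname")
            host = fields[1].decode("ascii", "replace")
    elif ver == 5:
        # VER=5 CMD=1 RSV=0 ATYP DST.ADDR DST.PORT(2); ATYP 1=IPv4, 3=domain, 4=IPv6
        if data[1] != 1:
            raise ValueError("not a SOCKS5 CONNECT")
        atyp = data[3]
        if atyp == 1 and len(data) >= 10:
            host, off = str(ipaddress.IPv4Address(data[4:8])), 8
        elif atyp == 3 and len(data) >= 7 + data[4]:
            host, off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
        elif atyp == 4 and len(data) >= 22:
            host, off = str(ipaddress.IPv6Address(data[4:20])), 20
        else:
            raise ValueError("unknown ATYP or truncated request")
        port, = struct.unpack("!H", data[off:off + 2])
    else:
        raise ValueError(f"not a SOCKS request (first byte {ver:#x})")
    return {"version": ver, "dst_host": host, "dst_port": port,
            "targets_smtp": port == SMTP_PORT}


# Constructed sample traffic of the kind a proxypot might log (not real captures).
SAMPLE_REQUESTS = {
    "socks4 to 192.0.2.10:25": b"\x04\x01\x00\x19\xc0\x00\x02\x0auser\x00",
    "socks4a to mx.victim.example:25": b"\x04\x01\x00\x19\x00\x00\x00\x01\x00mx.victim.example\x00",
    "socks5 domain to mx.victim.example:25": b"\x05\x01\x00\x03\x11mx.victim.example\x00\x19",
    "socks5 to 203.0.113.5:443": b"\x05\x01\x00\x01\xcb\x00\x71\x05\x01\xbb",
    "http to a socks port": b"GET / HTTP/1.0\r\n\r\n",
}


def triage(requests: dict):
    """Decode each captured request (or record the parse error) and count
    how many were relay attempts, i.e. CONNECT to port 25."""
    decoded, relay_attempts = {}, 0
    for label, raw in requests.items():
        try:
            r = socks_probe(raw)
        except ValueError as exc:
            decoded[label] = f"not SOCKS: {exc}"
            continue
        decoded[label] = f"SOCKS{r['version']} CONNECT {r['dst_host']}:{r['dst_port']}"
        relay_attempts += int(r["targets_smtp"])
    return decoded, relay_attempts


if __name__ == "__main__":
    summary, count = triage(SAMPLE_REQUESTS)
    for label, result in summary.items():
        print(f"{label:40} -> {result}")
    print(f"{count} relay attempt(s) to port 25")
```

To turn this into a listener, accept on 1080, read the first bytes, call socks_probe and log the destination instead of connecting onward (a SOCKS5 client needs the b"\x05\x00" negotiation reply before it sends the CONNECT). Nothing here forwards traffic, so the "proxy" is as vulnerable as it looks only from the outside.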

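The open-relay honeypot described in the message above, as an added example that is not code from the post or from any project it names: an SMTP server-side state machine that accepts any sender, any recipient and any message body, records whether the recipient was outside its own domain (a relay attempt), and never delivers anything, while telling the client the message was queued. The warning banner follows the honeypot the post mentions. The hostname mx.honeypot.example, the class and function names and the scripted relay-test session are all constructed for the example; to run it for real, feed each CRLF-stripped line from a socket to handle_line.

```python
from typing import Optional


class SmtpSink:
    """SMTP state machine that accepts every envelope and message but delivers nothing."""

    def __init__(self, hostname="mx.honeypot.example", local_domains=("honeypot.example",)):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}
        self.captured = []        # one dict per completed message, kept as evidence
        self.in_data = False
        self._body = []
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpt_to = []

    def banner(self) -> str:
        # Warn up front; bulk-mailing software does not read banners, so spam still arrives.
        return f"220 {self.hostname} ESMTP - unsolicited bulk email sent here is logged and reported"

    def handle_line(self, line: str) -> Optional[str]:
        """Feed one CRLF-stripped client line; return the reply, or None while inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.captured.append({
                    "mail_from": self.mail_from,
                    "rcpt_to": list(self.rcpt_to),
                    "data": "\r\n".join(self._body),
                    # a real open relay would forward mail for foreign domains; we only record it
                    "relay_attempt": any(not self._is_local(r) for r in self.rcpt_to),
                })
                self._body = []
                self._reset_envelope()
                return "250 OK: queued"    # says queued; nothing is ever sent onward
            self._body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.mail_from = self._address(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL first"
            self.rcpt_to.append(self._address(arg))
            return "250 OK"            # a real MX would answer 554 to a relay attempt
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "502 Command not implemented"

    @staticmethod
    def _address(arg: str) -> str:
        # "FROM:<a@b>" or "TO:<a@b>" -> "a@b"
        rest = arg.partition(":")[2].strip()
        return rest[1:-1] if rest.startswith("<") and rest.endswith(">") else rest

    def _is_local(self, addr: str) -> bool:
        return addr.rpartition("@")[2].lower() in self.local_domains


def run_session(client_lines, sink: Optional[SmtpSink] = None):
    """Drive a sink through a scripted session; returns (server replies, sink)."""
    sink = sink or SmtpSink()
    replies = [sink.banner()]
    for line in client_lines:
        reply = sink.handle_line(line)
        if reply is not None:
            replies.append(reply)
    return replies, sink


# Constructed sample: an open-relay test of the kind sent before a bulk mailing,
# addressed to an outside domain so a genuine open relay would forward it.
RELAY_PROBE = [
    "EHLO scanner.example",
    "MAIL FROM:<probe@spammer.example>",
    "RCPT TO:<relaytest@victim.example>",
    "DATA",
    "Subject: relay test 20040114",
    "",
    "..a body line that begins with a dot",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, sink = run_session(RELAY_PROBE)
    print("\n".join(replies))
    print(sink.captured)
```

The 250 after the final dot is the lost gamble the post describes: the sender is told the message was accepted, nothing is forwarded, and the envelope and body are kept. Only the relay-test message is ever seen by the honeypot operator, so the capture also shows who is probing.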