[Dshield] DDoS by spam-bounces & DSL blacklists

Brad Spencer brad.madison at mail.tds.net
Thu Jan 15 03:24:26 GMT 2004

I'm sorry to be negative here.  I agree it is important to get insecure 
computers secure and I have no problem with blocklisting an IP that is a 
source of spam.  I'd hope such an IP would be blocklisted.

That said, I don't think the focus should be on securing the 
systems.  That's not the right approach, and not the right approach in a 
security mailing list.  Spam is very much a security issue and security 
actions can help end spam. If spammers abuse open proxies to send spam or 
seize control of PCs to send spam those are both, at heart, security issues.

I am not a security person so my perspective is from the outside looking 
in.  There is massive abuse going on and it appears that most of the effort 
toward dealing with that abuse centers on securing vulnerable 
systems.  I've watched that approach taken for open relay systems that are 
abused to send spam.  Securing those was long a goal - and still is a goal 
- but it has not happened, has not ended relay spam.  If the intent is to 
end the abuse (I think that's a very fine intent) then securing the systems 
is _off the table_ as a means of fulfilling that intent.  It will not 
work.  I don't mean to offend those who want the systems to be secured but 
that is not going to accomplish the goal.  Keep it in mind as something it 
is worthwhile to do - but look elsewhere for a way to end the problem.

At the same time there are very fine network monitoring tools that could be 
used to find the sources of the abuse.  There are millions of insecure 
systems and at most thousands of actual sources of major abuse.  Deal with 
those thousands of sources of abuse properly and the abuse largely ends.

Right now you all know the net is awash in attempts to find 
vulnerabilities.  Deal with the major offenders properly and the abuse 
level will go way down.  Deal with the remaining minor offenders properly 
and the abuse level will go lower still.  In an ideal internet there would 
be both almost no vulnerability scans and prompt action against anyone 
making a vulnerability scan.  That is an attainable goal.  While that makes 
the net safer for vulnerable systems that isn't my goal: I want the net 
safer.  Even with almost no scans the need is still there for systems to be 
made secure.

It always will be a good policy to secure systems - I don't argue against 
that.  But the way to make rapid progress is to go after the abusers.

Many spammers still send their spam by abusing open proxies.  Last year Ron 
Guilmette got over 100 spammer accounts terminated in under 3 months, 
using data he collected with a small network of open proxy 
honeypots.  Right now the DShield database has to have data that identifies 
many centers of open proxy scanning.  Probably every major spammer's open 
proxy scan IP is in the database (for those spammers who scan from their 
own IP rather than through an already-found open proxy.)  Somehow the data 
needs to be collected and action taken.  It helps tremendously to have open 
proxy honeypot data - with that you know with certainty the nature of an IP 
that is doing scans.  I'd love to be able to see a report of the major 
sources of port 3128 (for example) scan attempts.  Many of those IPs would 
be spammer IPs - and about all of them are IPs controlled by someone up to 
no good.  If the ISPs for each of the major sources of vulnerability scans 
could be persuaded to take action against the major port scanners the spam 
problem would be reduced.

If I've been simplistic feel absolutely free to say so.  Feel free to say 
anything.  I've spent three years (on and off) in 
news.admin.net-abuse.email - I have a very thick skin.

Again, I apologize for being negative toward something that has been 
advocated.  I hope it's clear why I am.

At 01:31 AM 1/15/2004 +0100, you wrote:

>Furthermore, many netizens don't use spamfilters. Most of them will
>think users of my site, or any other site that's being Joe-jobbed, are
>a bunch of spammers. What do I tell them if they complain? (only a few
>do by the way, and I *do* read all mail sent to postmaster, abuse and
>mailer-daemon). If I reply they probably won't believe me anyway.
>Final note: spammers involved in this will do almost anything for
>money. They don't care about laws (they'll hack *your* PC if you've not
>patched it). They may someday use their zombie network for other
>purposes than spam (quite a scary idea). It's really time we (and
>ISPs) do a better job educating people and help them to prevent their
>PCs getting compromised (there's a task for software makers too).
>I hope that readers of this list change their minds. Spam is not just
>irritating stuff that can be taken care of by spamfilters. I agree that
>spamfilter Q-factor discussions do not belong on this list. However,
>when compromised PCs are involved, spam has *everything* to do with
>security (which, IIRC, this list is all about), and those PC's *should*
>be blacklisted because often that's the only way to convince the ISP,
>and eventually the owner, that the PC must be taken care of.
