[Dshield] DDoS by spam-bounces & DSL blacklists
brad.madison at mail.tds.net
Thu Jan 15 03:24:26 GMT 2004

I'm sorry to be negative here. I agree it is important to get insecure
computers secure and I have no problem with blocklisting an IP that is a
source of spam. I'd hope such an IP would be blocklisted.

That said, I don't think the focus should be on securing the
systems. That's not the right approach, and not the right approach in a
security mailing list. Spam is very much a security issue and security
actions can help end spam. If spammers abuse open proxies to send spam or
seize control of PCs to send spam those are both, at heart, security issues.

I am not a security person so my perspective is from the outside looking
in. There is massive abuse going on and it appears that most of the effort
toward dealing with that abuse centers on securing vulnerable
systems. I've watched that approach taken for open relay systems that are
abused to send spam. Securing those was long a goal - and still is a goal
- but it has not happened, has not ended relay spam. If the intent is to
end the abuse (I think that's a very fine intent) then securing the systems
is _off the table_ as a means of fulfilling that intent. It will not
work. I don't mean to offend those who want the systems to be secured but
that is not going to accomplish the goal. Keep it in mind as something it
is worthwhile to do - but look elsewhere for a way to end the problem.

At the same time there are very fine network monitoring tools that could be
used to find the sources of the abuse. There are millions of insecure
systems and at most thousands of actual sources of major abuse. Deal with
those thousands of sources of abuse properly and the abuse largely ends.
Right now you all know the net is awash in attempts to find
vulnerabilities. Deal with the major offenders properly and the abuse
level will go way down. Deal with the remaining minor offenders properly
and the abuse level will go lower still. In an ideal internet there would
be both almost no vulnerability scans and prompt action against anyone
making a vulnerability scan. That is an attainable goal. While that makes
the net safer for vulnerable systems that isn't my goal: I want the net
safer. Even with almost no scans the need is still there for systems to be
It always will be a good policy to secure systems - I don't argue against
that. But the way to make rapid progress is to go after the abusers.

Many spammers still send their spam by abusing open proxies. Last year Ron
Guilmette got over 100 spammer accounts terminated in under 3 months,
using data he collected with a small network of open proxy
honeypots. Right now the DShield database has to have data that identifies
many centers of open proxy scanning. Probably every major spammer's open
proxy scan IP is in the database (for those spammers who scan from their
own IP rather than through an already-found open proxy.) Somehow the data
needs to be collected and action taken. It helps tremendously to have open
proxy honeypot data - with that you know with certainty the nature of an IP
that is doing scans. I'd love to be able to see a report of the major
sources of port 3128 (for example) scan attempts. Many of those IPs would
be spammer IPs - and about all of them are IPs controlled by someone up to
no good. If the ISPs for each of the major sources of vulnerability scans
could be persuaded to take action against the major port scanners the spam
problem would be reduced.

If I've been simplistic feel absolutely free to say so. Feel free to say
anything. I've spent three years (on and off) in
news.admin.net-abuse.email - I have a very thick skin.

Again, I apologize for being negative toward something that has been
advocated. I hope it's clear why I am.

At 01:31 AM 1/15/2004 +0100, you wrote:
>Furthermore, many netizens don't use spamfilters. Most of them will
>think users of my site, or any other site that's being Joe-jobbed, are
>a bunch of spammers. What do I tell them if they complain? (only a few
>do by the way, and I *do* read all mail sent to postmaster, abuse and
>mailer-daemon). If I reply they probably won't believe me anyway.
>Final note: spammers involved in this will do almost anything for
>money. They don't care about laws (they'll hack *your* PC if you've not
>patched it). They may someday use their zombie network for other
>purposes than spam (quite a scary idea). It's really time we (and
>ISPs) do a better job educating people and help them to prevent their
>PCs getting compromised (there's a task for software makers too).
>I hope that readers of this list change their minds. Spam is not just
>irritating stuff that can be taken care of by spamfilters. I agree that
>spamfilter Q-factor discussions do not belong on this list. However,
>when compromised PCs are involved, spam has *everything* to do with
>security (which, IIRC, this list is all about), and those PCs *should*
>be blacklisted because often that's the only way to convince the ISP,
>and eventually the owner, that the PC must be taken care of.
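The "report of the major sources of port 3128 scan attempts" the post asks for can be built from ordinary firewall logs. The following is an added example, not code from the post or from DShield; it assumes a simplified, constructed space-separated log layout (timestamp, source IP, source port, destination IP, destination port, protocol) rather than DShield's real submission format, and ranks sources by how many distinct hosts they probed on proxy ports, which separates a scanner from a single misconfigured client.

```python
from collections import defaultdict

# Constructed sample log lines in an assumed, simplified format:
# timestamp src_ip src_port dst_ip dst_port proto
# (not DShield's actual submission format; invented for this example)
SAMPLE_LOG = """\
2004-01-14T22:01:07 198.51.100.7 4102 192.0.2.10 3128 tcp
2004-01-14T22:01:08 198.51.100.7 4103 192.0.2.11 3128 tcp
2004-01-14T22:01:08 198.51.100.7 4104 192.0.2.12 3128 tcp
2004-01-14T22:01:09 198.51.100.7 4105 192.0.2.13 8080 tcp
2004-01-14T22:05:41 203.0.113.9 1025 192.0.2.10 3128 tcp
2004-01-14T22:05:41 203.0.113.9 1026 192.0.2.10 3128 tcp
2004-01-14T22:07:00 203.0.113.22 3333 192.0.2.10 25 tcp
2004-01-14T22:09:15 192.0.2.55 2020 192.0.2.10 3128 tcp
"""

# Ports commonly probed by open-proxy scanners (3128 is the one the post names).
PROXY_PORTS = {3128, 8080, 1080}

def parse_line(line):
    """Split one log line into its fields; destination port becomes an int."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def proxy_scan_report(log_text, ports=PROXY_PORTS, min_targets=2):
    """Rank source IPs by distinct hosts probed on the given ports.

    A source that touches many different targets is behaving like a scanner;
    repeated hits on one target are more likely a misconfigured client, so
    sources below min_targets distinct hosts are dropped from the report."""
    attempts = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] in ports:
            attempts[rec["src"]] += 1
            targets[rec["src"]].add(rec["dst"])
    report = [
        {"src": src, "attempts": attempts[src], "distinct_targets": len(targets[src])}
        for src in attempts
        if len(targets[src]) >= min_targets
    ]
    # Most distinct targets first, then most attempts, then by address for stability.
    report.sort(key=lambda r: (-r["distinct_targets"], -r["attempts"], r["src"]))
    return report

if __name__ == "__main__":
    for row in proxy_scan_report(SAMPLE_LOG):
        print(f'{row["src"]:16} targets={row["distinct_targets"]} attempts={row["attempts"]}')
```

With the sample data only 198.51.100.7 qualifies as a scanner; lowering `min_targets` to 1 also lists the two single-target sources, which is where open-proxy honeypot data would be needed to tell a spammer from a stray client.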