[Dshield] DDoS by spam-bounces & DSL blacklists

Brad Spencer brad.madison at mail.tds.net
Fri Jan 16 20:46:54 GMT 2004

At 09:44 AM 1/15/2004 -0800, you wrote:
>When I first read this, I disagreed entirely.
>On second thought, however, if you're arguing for a departure from the 
>"Hole's plugged, Miller time!" mentality more towards a proactive "Go out 
>and get 'em" approach, at least for some of us, then I agree.

I think maybe you're replying to me, and I thank you.

I need to think more.  This people who contribute to this list are closer 
to what I think should be done against spam than anyone else I know - but I 
write with a tone that indicates I think you're wrong.  Well, no, I'm the 
wrong one.

I'm right in one way, but I fell into that.  Instead of blocking relay spam 
(which I couldn't easily do) I chose to accept it and then just not deliver 
it (sendmail -bd instead of sendmail -q5m, in effect, but my system 
actually ran VMS and not sendmail.)  That led to my seeing spammer relay 
tests (well, of course they test to find open relays - that's the only way 
to finds them) and that led to a realization about them.  It also led to a 
few successes in getting spammers booted from ISPs and to preventing 
delivery of spam to millions of recipients.  Others have dwarfed my 
numbers, but stopping spam to millions isn't bad, I think.

Finally, now, I see that one strong thing to do can be generically 
described as "go after the abuse."  That is precisely what I advocate, and 
contrasting that with "Hole's plugged, Miller time!" very nicely expresses 
what I'm driving at.  Plugging the hole often is the right thing to do - 
but opening the hole a little let's you see things about the spammer you 
wouldn't ordinarily see, and once you see them you can act on them.

Here, for instance, are dropbox addresses I harvested from spam and 
reported to the ISP on Feb 26, 2002:

Reply-To: aldaferrone1885 at swirve.com
Reply-To: alexanderstill2305 at swirve.com
Reply-To: amberlyvertrees1201 at swirve.com
Reply-To: amylaracuente382 at swirve.com
Reply-To: ashleighkirklin2319 at swirve.com
Reply-To: blanchelab397 at swirve.com
Reply-To: candydarnley3731 at swirve.com
Reply-To: dallaskinsel3410 at swirve.com
Reply-To: dariorandleman4131 at swirve.com
Reply-To: dickmalanado1604 at swirve.com
Reply-To: dominiquebarrocas3647 at swirve.com
Reply-To: erlenezimmerli919 at swirve.com
Reply-To: estebanhaverly1726 at swirve.com
Reply-To: estebannester4867 at swirve.com
Reply-To: jinbrank3705 at swirve.com
Reply-To: jineaker415 at swirve.com
Reply-To: jovitachilcote3916 at swirve.com
Reply-To: kalialbero862 at swirve.com
Reply-To: kathyrambeau1862 at swirve.com
Reply-To: kurtisclerc3032 at swirve.com
Reply-To: leandrocano2452 at swirve.com
Reply-To: manuelcrews1199 at swirve.com
Reply-To: mikaelashireman3975 at swirve.com
Reply-To: nakishaprehoda4937 at swirve.com
Reply-To: ressiemcdowall436 at swirve.com
Reply-To: sharicechirdon3444 at swirve.com
Reply-To: sheilagautsch894 at swirve.com
Reply-To: sophiagamber3227 at swirve.com
Reply-To: sudiesteenken3594 at swirve.com
Reply-To: tobiastinklenberg3264 at swirve.com
Reply-To: venitaspecchio1421 at swirve.com

Reply-To: alethiaturso4266 at snowboarding.com
Reply-To: annemariekinloch4506 at snowboarding.com
Reply-To: aureliaesqueda4489 at snowboarding.com
Reply-To: aurorabernice773 at snowboarding.com
Reply-To: carmelhurtgen2439 at snowboarding.com
Reply-To: dionlavalley196 at snowboarding.com
Reply-To: doloriszaker1049 at snowboarding.com
Reply-To: earlefleckles957 at snowboarding.com
Reply-To: edisonprill180 at snowboarding.com
Reply-To: ehtellongmire180 at snowboarding.com
Reply-To: emiliabrannin3108 at snowboarding.com
Reply-To: evelynnlautman4261 at snowboarding.com
Reply-To: fabiankilker4650 at snowboarding.com
Reply-To: fabianzarkin4767 at snowboarding.com
Reply-To: fredlibertini314 at snowboarding.com
Reply-To: gennieshellhaas3478 at snowboarding.com
Reply-To: gilbertfoard4856 at snowboarding.com
Reply-To: graycegibboney314 at snowboarding.com
Reply-To: guillermozieler4670 at snowboarding.com
Reply-To: jannschrager4121 at snowboarding.com
Reply-To: jodynighbert3126 at snowboarding.com
Reply-To: josefinanoda2289 at snowboarding.com
Reply-To: kristalongsworth164 at snowboarding.com
Reply-To: kurtisbenwarc3209 at snowboarding.com
Reply-To: lesborbon4851 at snowboarding.com
Reply-To: maurinemilstead3635 at snowboarding.com
Reply-To: michealfuentas222 at snowboarding.com
Reply-To: nanceyroup1214 at snowboarding.com
Reply-To: nohemishoff3944 at snowboarding.com
Reply-To: renayideue543 at snowboarding.com
Reply-To: rendalapping3550 at snowboarding.com
Reply-To: santosbina4033 at snowboarding.com
Reply-To: treasabaldrige2962 at snowboarding.com
Reply-To: wallaceschange4395 at snowboarding.com

(Both these domains were on Outblaze.)   The spammer went to some degree of 
trouble (probably not a lot: I'm sure he automated the process of creating 
accounts) to get all these dropboxes.  It was next to no trouble at all to 
get the accounts closed.  As these were used by the spammer to collect 
replies to his spam the net effect was to invalidate an entire spam run, or 
much of it.  This is just one example: hundreds of dropboxes for this 
spammer got closed this way.  All from opening port 25 just a 
little.  Well, I also had to deliver the spammer's open relay test 
message.  But that's all.  Then I just let the spam roll in and extracted 
the information to send to Outblaze.

The Outblaze postmaster reported that the spammer was clever enough to not 
create all the accounts from the same IP (apparently the spammer used open 
proxies to set up the accounts) so Outblaze didn't (at that time, at least) 
have any easy way to find and nuke the dropboxes on their own.  My reports 
were useful.

Open up port 1080 just a little (on a safe system to do that, of course) 
and the same sort of thing can be done today (maybe you won't find 
dropboxes - that may be an old way of doing business.) Also note that in 
general the spammers aren't skilled hackers trying to find out everything 
they can about the IPs they attack, they're production hackers looking to 
easily exploit easily-discovered vulnerabilities.

Lastly, I don't know all your sensibilities but I find what I could do to 
be very funny-humorous.  There's this spammer thinking he's found another 
university fool who can't run his mail server securely - but the spammer is 
the fool.  I find it funny to see a spam run starting late on Friday (the 
spammer assumes I the fool will leave the system alone all weekend) and to 
just turn off the lights and go home: the spam will be absorbed 
harmlessly.  Some time near the middle of the next week it appears to have 
dawned on the spammer that he wasn't having the success he thought he was 
having: that's when the spam run ended.

My success stories are old - but others hare having success today.  I'm for 
"The spammers spew is flowing in and being archived.  It's Miller 
time!  Tomorrow we can tell his ISP all about what he's up to."  Or tell 
the ISP in real time, as Michael Tokarev did: 

More information about the list mailing list