[Dshield] An Abuse-Free internet organization

Brad Spencer brad.madison at mail.tds.net
Wed Jan 21 04:03:17 GMT 2004


At 12:48 AM 1/21/2004 +0100, you wrote:

>As always, good ideas are welcome, and you could win a line in my thank word
>:-)


If your thesis is going to be submitted this spring it may be too late - 
but if you have a little more time maybe you might be interested in 
proxypots as a security tool.  These are fake open proxy systems and 
spammers still seem to trust them enough that they don't hide their IPs 
when they contact them.

Here's a link to some very nice reports of proxypot success:

<http://groups.google.com/groups?safe=images&ie=UTF-8&oe=UTF-8&as_ugroup=*.email&as_usubject=who%27s%20spamming&as_uauthors=guilmette&lr=lang_en&hl=en>

It's a Google Groups search in group *.email, author Guilmette, subject 
"Who's spamming," in case the link doesn't work.

In general, one of the biggest reasons spam is the problem it is arises 
from the old security theory of "block and you're safe, block and you're 
done."  That works when the abuse is aimed at you and is what you are 
blocking.  When the abuse is spam aimed at everyone and the method of 
sending it is abuse aimed wherever it will succeed then "block and you're 
safe" fails.  As long as the abuse can succeed anywhere you will get spam.

A very good focus for a Master's thesis would be an analysis of how spam is 
sent. There are a variety of ways, that have risen and fallen over time 
(although perhaps no spam distribution method has totally 
disappeared.)  There's direct from the spammer's IP, direct from the 
spammer's IP where the IP is a throwaway, through open relays, through open 
proxies, and through spam servers installed on vulnerable systems.  All 
except direct spam are methods that require two or more passes through the 
internet.  If you look at spam defenses you'll find that most are either at 
or beyond the recipient's email server.  That means that only the last 
pass through the internet is subject to any opposition.  Well of course 
when you let the spammers have their way until the last pass they have a 
rather easy time.

There was a time when many software people were called 
programmer/analysts.  That meant they figured out what to do and then 
programmed it.  Now many software people are just programmers.  That means 
they come up with something and then program it.  Fighting spam has been 
characterized by what appear to be quick looks at the problem, quick 
notions about a solution, and then first a rapid deployment of the first 
attempt at a program, followed by something that sort of spirals 
down.  That may be a little unfair but it is absolutely fair to say that 
the spammers move more intelligently and more adroitly than the 
anti-spammers.  They program to an end, with the end being "get spam 
sent."  Anti-spammers seem too often to have as their end "make my method 
be the one that works."

You can go over these ideas, examine them, strengthen some, reject some - 
do what leads to a better understanding for you and a better grasp of what 
to do.

You can also look at how well blocking works.  I've seen (recently) some 
data that indicates at least one spammer is using an open proxy for a 
while and then moving to another.  I only have open relay honeypot data 
from one site so the sample is sparse.  What I see is consistent with the 
spammer using an open proxy until it gets listed and then going to 
another.  If that is what the spammer is doing then it should be obvious 
that listing the open proxies the spammer uses has almost no effect on him: 
as soon as an IP is listed he stops using it.  I can't swear or show that 
is what is happening - but it seems to be semi-consistent with what I 
see.  I say "semi" because it is data from an open relay honeypot.  Why 
would the spammer care about the open proxy if he's using open 
relays?  This is where the sparsity of the data really hurts - with more 
data it might be possible to be sure of what the spammer is doing.

There's a subtle message here, too: if you run a fake relay or fake proxy 
you get data that shows raw spammer behavior.  That's superb data to use 
for a master's thesis.  At least I think so.
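An added example, not part of Brad's message: a small script that runs the check he describes above against honeypot records, asking for each source IP whether its use stopped once the IP was listed. The log format, the connection records and the DNSBL listing times are all constructed for the example.

```python
from datetime import datetime

# Constructed proxypot log, "timestamp src_ip" per line (hypothetical format).
HONEYPOT_LOG = """\
2004-01-10T02:00:00 192.0.2.10
2004-01-11T01:05:00 192.0.2.10
2004-01-12T04:00:00 192.0.2.10
2004-01-12T05:30:00 198.51.100.7
2004-01-13T02:00:00 198.51.100.7
2004-01-14T06:00:00 198.51.100.7
2004-01-14T06:05:00 203.0.113.99
2004-01-15T06:00:00 203.0.113.99
"""
# Constructed DNSBL listing times for the abused IPs (hypothetical data).
LISTED_AT = {"192.0.2.10": "2004-01-12T12:00:00",
             "198.51.100.7": "2004-01-14T00:00:00"}

def parse_log(text):
    """Yield (datetime, ip) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1]
        except ValueError:
            continue

def churn_report(records, listed_at):
    """Per source IP: first/last use, connections before/after its listing, and
    hours from listing to last use (negative: use stopped before listing)."""
    report = {}
    for ts, ip in records:
        e = report.setdefault(ip, {"first": ts, "last": ts, "before": 0, "after": 0})
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        if ip in listed_at:
            e["after" if ts > datetime.fromisoformat(listed_at[ip]) else "before"] += 1
    for ip, e in report.items():
        if ip not in listed_at:  # never listed: listing-dependent fields are None
            e["before"] = e["after"] = e["hours_after_listing"] = None
        else:
            listed = datetime.fromisoformat(listed_at[ip])
            e["hours_after_listing"] = (e["last"] - listed).total_seconds() / 3600
    return report

def stopped_after_listing(report, grace_hours=0.0):
    """Per listed IP: was its last use within grace_hours of listing? (grace covers DNSBL propagation)"""
    return {ip: e["hours_after_listing"] <= grace_hours
            for ip, e in report.items() if e["hours_after_listing"] is not None}
```

With the constructed data the first IP is dropped eight hours before it is listed while the second is still used six hours after; a listing-propagation grace of half a day makes both look like "moved on after listing", which is exactly the ambiguity sparse data leaves.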