
A DC anti-spam idea

narzy

Elite Member
I have been thinking recently about the ever-increasing amount of spam that is flooding the internet, clogging mail servers, and in general pissing us all off.

I think it's time to do something about it. Very few systems are effective at blocking spam at the server level, and the ones that exist have a less than stellar reputation and are not very effective on top of that.

95% of spam comes through relays and its headers are forged; tracing an e-mail back that you've received is becoming next to impossible. It's also very time consuming, and why waste your time on scumbags?

My idea:
A DC network that actively scans for active relays and tests them. It compiles a list on a daily basis of compromised IP addresses (or even addresses that are willingly allowing the relay), making this list freely available to ISPs via a secure and tracked site.

To test a relay you actually have to send mail through it. I have a solution for this as well: the clients are set to e-mail a certain address that changes daily, and the e-mails are signed with a crypto key to verify authenticity (that way spammers can't abuse the address; if it doesn't have the key, it gets canned).

Work with ISPs to correct issues on their network, help completely blacklist IPs from their network that are operating as an open relay, and redirect to a page that alerts them of the compromise and solutions to fix the problem. The only way people are going to become aware of security issues such as this is if something happens that wakes them up; if they can't access a % of the web it would hopefully clue them in.

Because these scans only need to take place once per IP per day, and over a large distribution of computers performing the tests, I don't see network load becoming a big issue, no bigger than it currently is.

The only way to fight spammers is to squeeze them out of hiding, and that's what I hope this system would be designed to do.

I do not have the coding knowledge to do this; I will need coders. I do have the PR skills to work with ISPs. I am also working with my congresswoman to pave the way for legal clearance for this program.

I would greatly appreciate your input on this and anything I may have overlooked. I would also like to know if this would be a DC program you would run.

A lot of people argue the practical application of DC. Although we know differently, this project would show them what DC can do for them and wake them up to perhaps other DC projects.
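As an added example (not narzy's or the thread's code), one way the signed, daily-changing probe address proposed in this post could be checked on the collecting side. It assumes a shared secret held only by the test clients and the collector, a hypothetical collector domain, and that the signed claim travels in the Subject line:

```python
import hmac
import hashlib

# Constructed shared secret for this example; real clients would receive it out of band.
SECRET = b"example-dc-relaytest-secret"
DOMAIN = "probe.example.net"  # assumed collector domain, not from the thread


def probe_address(day: str) -> str:
    """Daily-rotating mailbox: the local part is an HMAC of the ISO date, so only key
    holders can compute today's address and yesterday's stops working at midnight."""
    tag = hmac.new(SECRET, day.encode(), hashlib.sha256).hexdigest()[:16]
    return f"relaytest-{tag}@{DOMAIN}"


def sign_probe(day: str, relay_ip: str, nonce: str) -> str:
    """Client side: Subject line carrying a signed claim of which relay was tested and when."""
    payload = f"{day}|{relay_ip}|{nonce}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_probe(rcpt: str, subject: str, today: str, seen_nonces: set) -> tuple:
    """Collector side: accept only mail sent to today's address, carrying a valid
    signature for today, and never seen before (a relayed copy cannot be replayed).
    Returns (True, relay_ip) for a genuine probe, else (False, reason)."""
    if rcpt != probe_address(today):
        return (False, "stale or unknown probe address")
    parts = subject.split("|")
    if len(parts) != 4:
        return (False, "malformed probe")
    day, relay_ip, nonce, sig = parts
    expected = hmac.new(SECRET, f"{day}|{relay_ip}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return (False, "bad signature")
    if day != today:
        return (False, "date mismatch")
    if nonce in seen_nonces:
        return (False, "replayed probe")
    seen_nonces.add(nonce)
    return (True, relay_ip)
```

Anything arriving at the probe mailbox without the key is rejected before it counts as a relay result, which is the "it gets canned" step in the post.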
 
Originally posted by: n0cmonkey
There are plenty of blacklists out there already.

Not any as fast and accurate as this plan IMO. If the current blacklists worked, we'd use them more.
 
I could see a lot of ISPs and server ops bitching up a storm about being scanned.
Now the ones that would do the bitching would be the ones that already have a secure system.
Multiple scans on some systems get that IP blocked. So a DC app would, I think, cause more problems than it solves. Not very many of us have our own IP address. So there would have to be cross checking on the IP doing the scanning so that that ISP's IP doesn't get blocked for relay scanning. I know after a dozen or so scans on my system I just block the IP. Some block the /8, /16, or /24. And that can cause major problems.
Something of this magnitude needs to be run through the community to get all the particulars worked out.
If you belong to NANOG you could post your idea there and see what they think.
There is already a new mail system being worked on that will cut down on SPAM a lot.
One thing that needs to be addressed is Verisign's plan to redeploy Sitefinder.
This caused a lot of problems with SPAM filters that rely on A and MX record lookups.


 
There exist on the internet systems that look like relays, and act like relays, but don't actually relay anything! They're a variety of honeypot, designed to catch as much spam as possible and not let it through. While you do want to stop normal relays, you'd want to avoid sending a message every day to the owner of a honeypot, who's just trying to accomplish the same goal you are.

Thus you would also have to own the e-mail address you send to. And I don't think you could get enough e-mails that you can scan automatically (e.g. Hotmail wouldn't work) that the spam relays couldn't simply blacklist you and look like honeypots to you.

It's probably better if everyone who can sets up a honeypot instead, so the spammers can't find any good relays.
 
A small slice of my server anti spam log shows the blacklists do work somewhat.
These represent refused connections from other machines to my server.
This goes on 24/7 on mail servers all the time. Mine is not very busy compared to most.
Even with this protection I personally receive 50 - 100 spams a day to addresses I have had for 9 years. I refuse to give up addresses just because they get abused. (I use SpamBayes with Outlook; it sends 99.9% of it to a junk folder)


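The RBL rejections this post describes come from DNSBL lookups: the connecting IP's octets are reversed under the list's zone, and an A record inside 127.0.0.0/8 (127.0.0.2 being the usual "listed" code) means the connection is refused. An added example (not the poster's mail server) of that check, with a constructed in-memory resolver in place of real DNS so it runs offline; the zone names are the real lists the post mentions, the lookup data is made up:

```python
import ipaddress

# Constructed resolver data standing in for DNS answers; names are built the way
# a DNSBL is queried (reversed octets under the zone). "bl.broken.example" is an
# invented zone that answers outside 127/8, as a parked or wildcarded list would.
FAKE_ZONE_DATA = {
    "222.214.100.24.bl.spamcop.net": ["127.0.0.2"],
    "94.179.59.69.sbl.spamhaus.org": ["127.0.0.2"],
    "0.21.11.24.bl.broken.example": ["198.51.100.9"],
}


def fake_resolve(name: str) -> list:
    """Stand-in for an A-record lookup; [] is where a real resolver returns NXDOMAIN."""
    return FAKE_ZONE_DATA.get(name, [])


def dnsbl_query_name(ip: str, zone: str) -> str:
    """24.100.214.222 checked against bl.spamcop.net -> 222.214.100.24.bl.spamcop.net"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_dnsbl(ip: str, zones, resolve=fake_resolve):
    """Return (zone, code) for the first zone listing ip, or None.
    Private, loopback and reserved sources are never queried: they can only be
    listed by mistake and leak internal addressing to the list operator."""
    addr = ipaddress.IPv4Address(ip)
    if addr.is_private or addr.is_loopback or addr.is_reserved:
        return None
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            # Only 127.0.0.0/8 answers are listing codes. Anything else means a dead,
            # parked or wildcarded zone and must not be allowed to reject mail.
            if ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8"):
                return zone, answer
    return None


def smtp_verdict(ip: str, zones=("bl.spamcop.net", "sbl.spamhaus.org"), resolve=fake_resolve) -> str:
    """Connection-time decision, phrased like the log lines the post quotes."""
    hit = check_dnsbl(ip, zones, resolve)
    if hit:
        return f"550 RBL - {hit[0]} rejected [{ip}] with [{hit[1]}]"
    return "220 accepted"
```

The non-127/8 guard is the practical caveat: several DNSBLs have shut down over the years and some expired domains began answering every query, so a server that treats any answer as "listed" starts rejecting all mail.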
 
Narzy,

The problem that I see with your solution is that IPs are in many cases dynamic. This presents the problem that if one user has secure e-mail and logs off, then that address is not blacklisted for a day, and then if a spammer gets on that old node, you have free spam for a day. This problem presents itself with dyndns and the such, where the server IP is reassigned whenever the user gets a new IP. I may be misunderstanding what you're implying.

Then take the IP ranges: you have a 32 bit address, 4G of possible addresses; you would have to send 4G of email through to test each node 0.0.0.0-255.255.255.255. Now you take into consideration the evil of dumb people wanting IPv6 (a whole discussion unto itself), which is 128 bits, which is a hell of a lot more: 40 bit is a tera of addresses or 1,000,000,000,000 but 128 is 256,000,000,000,000,000,000,000,000,000,000,000,000 nodes that would have to put mail through. I have no clue what this number's prefix would be; I know up to tera and I think exa is after that, but imagine the load this would put across the internet. Then you have you getting blacklisted on some servers, so you have bounce back which makes, let's say, 10% of that load. Not including standard traffic.

Then on the other side, you don't send an e-mail, you port scan. This means that every ISP has to have a hole to allow you to send inbound and outbound communications, which would allow a hacker to use your program, get data from it, and know where sites have holes.

Then what about the DC client? If users process slower than other clients, what happens to those who don't actually get their test done every day, or a user who turns off their computer in the middle of a test, or a dialup account? This is where your problems with DC come about; you need DC to be able to run on the "seldom connected", not the always connected.

I'm not trying to just throw your ideas out the window, I'm just trying to play the devil's advocate and show you the problems. There are many other issues to go along with this as well. I think it's an interesting idea, but as for how feasible it is, that is what I am wondering. Ponder these issues; I hope you could come up with solutions. Hope the constructive criticism helps you. :gift:

Sorry narzy,
~Ryan
 
It's getting beaten; the relays apparently aren't the issue, it's the zombies.

Raises the question: how far is too far to go while dealing with those types of machines? Is it too far to issue commands to the zombie to turn itself off? To exploit the system through the same hole and clean it off? etc.
 