Anti-spam System Idea

Joe St Sauver JOE at OREGON.UOREGON.EDU
Mon Feb 16 16:02:14 UTC 2004


Lawrence Baldwin noted:

#Personally, I think the better approach to fighting proxy spam is to
#identify the spammers that are *upstream* from the proxies and then get one
#or more of them thrown in jail, not for spamming, but for violating federal
#or state computer intrusion laws.  Spammers are currently using open proxies
#because they are free and anonymous; until you make them non-anonymous AND
#costly (jail) there's nothing that will stop them.

I believe this analysis is precisely correct.

#This is not as hard as it sounds...if you are an ISP you have hijacked
#proxies on your network.  The RBLs can tell you which IPs are hijacked
#proxies,  all you need do is capture Netflow data and examine the upstream
#IPs pummeling the hijacked proxy on its SOCKS and/or HTTP proxy port.

... or the non-standard proxy zombie port du jour. (Depending on how long
the box has been spewing, you may also notice scans/probes from good guys
attempting to determine what's up with the behavior being observed from that
host, but that's easy enough to spot and ignore when you do the traffic
analysis). 

#The
#results of such analysis are extremely enlightening...these spammers have NOT
#moved off-shore, they are NOT using multiple levels of proxy chaining and
#obfuscation, they are spamming DIRECTLY from their web hosting and corporate
#offices in North America, and as is often the case, South Florida.

... and from Texas and California and New York, among others. 

And if you start looking at end-to-end performance and operational issues, it 
is easy to understand why spammers have NOT moved overseas when shovelling 
traffic through proxy spam zombies:

-- If connecting from overseas, they have trans-pacific latencies and 
   potential packet loss issues (with the reduced throughput that implies), 
   and they can get that comparatively crummy throughput via expensive 
   connections which are potentially subject to governmental interference,
   with any required systems work being a "remote hands" operation (with
   inconvenient time zone-related and potential language-related issues).
   Besides, some people may even block all traffic at their border from 
   those overseas providers... or

-- they can get very low latencies from multiple redundantly-connected 
   geographically diverse colo providers here in the US at comparative rock
   bottom prices and with easy physical access to their systems... that is,
   they can do this as long as people DON'T bother doing as Lawrence 
   suggests. If you DO start looking at inbound netflow data associated 
   with compromised hosts, things become pretty clear, pretty darn quickly. 

And if you tie in AOL scomps or other abuse reports, it becomes pretty 
trivial to even tell *which* spammer is abusing your compromised hosts from 
domestic colo providers -- you then know WHO, WHAT, WHEN, WHERE, WHY and HOW
people are abusing that host. 

Frost, apply candles, present to law enforcement for processing and 
attention (or blackhole/filter the colo block at your border, if you're 
the impatient type or are skeptical about getting law enforcement 
involved). 

To tell you the truth, I've been quite surprised that major broadband 
providers with tens of thousands of compromised customer hosts haven't
done that already. 

Regards,

Joe St Sauver (joe at oregon.uoregon.edu)
University of Oregon Computing Center
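
The NetFlow analysis Lawrence and Joe describe above, as an added worked example that is not code from the NANOG post: given the hijacked-proxy IPs an RBL hands you, aggregate inbound flows to each of them, work out which ports are actually being used (the usual SOCKS/HTTP ports plus any non-standard "port du jour" carrying real volume), and separate the sustained feeders you would report from the light, many-port probes of curious good guys. All addresses, the hijacked list, the thresholds and the flow records are constructed for the example; a real run would read the collector's export (nfdump, flow-tools, SiLK) instead of the inline list.

```python
"""Pick out the upstream hosts feeding a hijacked proxy from NetFlow-style records.

Added illustration of the analysis described in the NANOG post; not the post's
code. Addresses, the hijacked-proxy list, thresholds and flow records are all
constructed for the example (RFC 5737 documentation ranges and 10/8 only).
"""
from collections import defaultdict

# Constructed: hosts on "our" network that an open-proxy RBL flagged as hijacked.
HIJACKED_PROXIES = {"10.20.30.40", "10.20.30.41"}

# Ports a proxy zombie is usually abused on; anything else is caught by volume.
WELL_KNOWN_PROXY_PORTS = {1080, 3128, 8080, 8000, 8888}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
SAMPLE_FLOWS = [
    # a researcher probing the proxy: one tiny flow per port, fanned over ports
    ("192.0.2.50", 40001, "10.20.30.40", 1080, 3, 180),
    ("192.0.2.50", 40002, "10.20.30.40", 3128, 3, 180),
    ("192.0.2.50", 40003, "10.20.30.40", 8080, 3, 180),
    ("192.0.2.50", 40004, "10.20.30.40", 80, 3, 180),
    # the proxy's own outbound spam delivery (outbound, so not counted here)
    ("10.20.30.40", 51000, "198.51.100.25", 25, 40, 52000),
    # traffic to a host that is NOT on the hijacked list (ignored)
    ("203.0.113.7", 52000, "10.20.30.99", 443, 12, 9000),
] + [
    # colo-hosted spammer feeding 10.20.30.40 on SOCKS 1080: many sustained sessions
    ("203.0.113.7", 50000 + i, "10.20.30.40", 1080, 60, 48000) for i in range(30)
] + [
    # a second spammer feeding 10.20.30.41 on a non-standard port
    ("198.51.100.9", 60000 + i, "10.20.30.41", 31337, 45, 36000) for i in range(25)
]


def aggregate_inbound(flows, hijacked):
    """Sum flows and bytes per (proxy, source, dst_port) for traffic INTO hijacked hosts."""
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, _sport, dst, dport, _packets, nbytes in flows:
        if dst in hijacked:
            a = agg[(dst, src, dport)]
            a["flows"] += 1
            a["bytes"] += nbytes
    return agg


def abused_ports(agg, proxy, min_bytes):
    """Ports on `proxy` to treat as proxy ports: the usual ones, plus any
    non-standard port that carries real inbound volume (the 'port du jour')."""
    per_port = defaultdict(int)
    for (dst, _src, dport), a in agg.items():
        if dst == proxy:
            per_port[dport] += a["bytes"]
    return {p for p, b in per_port.items() if b >= min_bytes or p in WELL_KNOWN_PROXY_PORTS}


def classify_sources(agg, proxy, ports, min_flows, min_bytes):
    """Split the sources talking to `proxy` into sustained feeders and light probes."""
    per_src = defaultdict(lambda: {"flows": 0, "bytes": 0, "ports": set()})
    for (dst, src, dport), a in agg.items():
        if dst == proxy:
            s = per_src[src]
            s["flows"] += a["flows"]
            s["bytes"] += a["bytes"]
            s["ports"].add(dport)
    upstream, probes = {}, {}
    for src, s in per_src.items():
        hits = s["ports"] & ports
        if hits and s["flows"] >= min_flows and s["bytes"] >= min_bytes:
            upstream[src] = {"flows": s["flows"], "bytes": s["bytes"], "ports": sorted(hits)}
        elif len(s["ports"]) >= 3 and s["flows"] <= 2 * len(s["ports"]):
            # a few light flows spread across several ports: a scanner, not a feeder
            probes[src] = {"flows": s["flows"], "ports": sorted(s["ports"])}
    return upstream, probes


def find_upstream(flows, hijacked, min_flows=20, min_bytes=100_000, port_min_bytes=50_000):
    """Per hijacked proxy: the abused ports, the feeders to report, the probes to ignore."""
    agg = aggregate_inbound(flows, hijacked)
    report = {}
    for proxy in sorted(hijacked):
        ports = abused_ports(agg, proxy, port_min_bytes)
        if not ports:
            continue  # nothing inbound on a proxy-looking port in this window
        upstream, probes = classify_sources(agg, proxy, ports, min_flows, min_bytes)
        report[proxy] = {"ports": sorted(ports), "upstream": upstream, "probes": probes}
    return report


if __name__ == "__main__":
    for proxy, r in find_upstream(SAMPLE_FLOWS, HIJACKED_PROXIES).items():
        print(f"{proxy} abused on ports {r['ports']}")
        for src, s in r["upstream"].items():
            print(f"  upstream {src}: {s['flows']} flows, {s['bytes']} bytes on {s['ports']}")
        for src, s in r["probes"].items():
            print(f"  probe    {src}: {s['flows']} light flows across {s['ports']} (ignored)")
```

The thresholds are the part to tune per network: a feeder shows up as many sustained sessions with real byte counts on one or two ports, a researcher's probe as a handful of tiny flows fanned across several ports, so the flow-count and byte floors separate them without port-specific rules. The sources that land in the upstream set are the ones to run through whois and correlate with scomp or other abuse reports before handing the package to law enforcement or filtering the colo block at the border.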


