[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Anti-spamming (was Re: Huge amounts of resources)





from what I understand, using someone elses server to send out your 
mail without their permission is called Theft of Service and is quite 
illegal.  You are under no obligation to deliver such mail.  So 
dropping it on the floor is not illegal.

As a matter of fact, if you can get a snail mail address for the 
offending party, and you can have your lawyer send a cease and 
desist, and it continues to happen, the sheriffs dept will go in and 
take their machines.  We're attempting to get that to happen with one 
of CyberPromotions' clients, the sandkconsulting scamspam.  

I'm not a lawyer, but this is what my lawyer tells me.  Just some 
fyi.  We've not delivered lots of their mail, kept it for evidence.  
We'll continue to do so.  

Ryan Scott
NetCreations, Inc
http://www.netcreations.com/




> On Fri, 4 Apr 1997, Matti Aarnio wrote:
> > > Also some docs about new features (like filterings spam) would
> > > be nice.
> > 
> > 	Filtering of spams is not yet available (aside of Gabor Kiss'
> > 	solution).
> 
> I made the following changes to the 2.99.38 smtpserver for a WSP who
> has had increasing problems with spammers using their machines as
> spam exploders. Believe it or not, to add insult to injury, spammers
> were using them to send spam selling spam mail software for windoze
> PC's!  Argh!
> 
> That meta-spam did it for me and I started to work...
> 
> I (ahem) would, of course, never suggest that you run such a
> modified SMTP server in real production use. :-)
> 
> The changes do three things:
> 
>  - after 5 RCPT commands, sleep 5 minutes * numrecipients before
>   ACking RCPT commands
> 
>  - after MAIL command, if there were more than 19 recipients
>   specified, silently drop the spam on the floor - but only
>   after wasting hours accepting their huge long recipient list
> 
>  - after 5 RSET commands in a single session, use the same sleeping
>   strategy as above
> 
> I believe that the first and third change are actually "legal" since
> they simply make the SMTP server respond slowly.  The second is
> definitely not legal, but my client wasn't really concerned -
> they're a WSP, and they don't have to allow large volume mailings. 
> Or just pretend it's a broken M$-MAIL gateway and blame M$... :-)
> 
> The idea is to recognize behavior patterns of common spamming
> methodologies and to react, making it very unprofitable to use this
> SMTP server as an exploder.  It will take approximately 7.5 hrs to
> submit mail to 20 recipients.  At 100 recipients (quick calculation:
> about 8*10**146 hours later) each RCPT is resulting in an 8 hr wait.
>  Needless to say, this will not appeal to a spammer as a
> high-performance delivery method. :-) It also prevents that spammer
> from loading down your system by hammering it with their drivel.
> 
> These changes combat two types of spammers we were seeing - those
> that send a single message to N (20 to 1000) addresses, and those
> that send N (20 to 10000) identical and individually addressed
> messages in a single SMTP session/connection.
> 
> The second type of spamming appeared after we made the recipient
> counting change (which actually surprised me - they actually adapted
> their methods in two days - scary), necessitating the RSET counter. 
> I'm sure we'll soon have to add a simple database to track abusers
> and stop them.
> 
> I'm just providing this as an example of the horrid gruesome hacks
> you can use to combat spammers.  I reiterate that I do not recommend
> the use of this code on a production server.  No, certainly not...
> that would be irresponsible...
> 
> Context diff for 2.99.38 smtpserver/smtpserver.c below, though you
> might be able to apply it against more recent versions.
> 
> Attached below that is a simple shell script (we call it
> show_senders) that will perform a crude scan for the biggest senders
> (by msg count - not recipient count) on your router log.  Edit it to
> change the router log location to that for your system before
> test-driving it.  It's crude and dumb, but it will give you an idea
> what's going on.  Attached below it is sample output from one of our
> systems early in the day (before the numbers get too big).  Before I
> modified the smtpserver, we used to see numbers like 4160 for
> certain bogus spamming addresses in the output of this shell
> script... now they're not there at all.  Success!
> 
> -Andy
> 
> PS - These smtpserver changes also give you leisurely *hours* to
> track down the offending spammer's ISP and catch the offender
> red-handed if you're so inclined...
> 
> ====================================================================
> =========
> 
> *** smtpserver.c.orig	Tue Apr  1 00:12:51 1997
> --- smtpserver.c	Fri Apr  4 13:40:10 1997
> ***************
> *** 191,196 ****
> --- 191,197 ----
>   int	pid, routerpid;
>   FILE	*logfp = NULL;
>   int	D_alloc = 0;
> + int	ResetsSeen = 0;
> 
>   static char *m200 = "2.0.0";
>   static char *m400 = "4.0.0";
> ***************
> *** 702,707 ****
> --- 703,711 ----
>     if (msgfd > 1)
>       close(msgfd);
> 
> + 		/* anti-spamming measure - ASP/MSI */
> + 		ResetsSeen = 0;
> + 
>     smtpserver(1);
>     if (routerpid > 0)
>       killr(routerpid);
> ***************
> *** 1400,1413 ****
>    } else if (sizeoptsum > availspace) {
>      type(452, "4.3.1", "insufficient storage space, try again
>      later");
>    } else if (s) {
> ! 	  type(atoi(s), s+4, "Ok", "Ok");
> ! 	  ++rcpt_count;
>    } else {
> ! 	  if (sizeoptval)
> ! 	    type(250, "2.1.5", "Ok; can accomodate %d byte
> ! message",sizeoptval);
>      else
> ! 	    type(250, "2.1.5", (char *)NULL);
> ! 	  ++rcpt_count;
>    }
>    if (s)
>      free(s);
> --- 1404,1440 ----
>    } else if (sizeoptsum > availspace) {
>      type(452, "4.3.1", "insufficient storage space, try again
>      later");
>    } else if (s) {
> ! 	  /* anti-spamming measures - ASP/MSI */
> ! 	  if (rcpt_count >= 4)
> ! 	  {
> ! 		if (rcpt_count++ > 4)
> ! 			sleep(rcpt_count * 5 * 60);	/* sleep 5 minutes * numrecipients
> ! */ 		type(atoi(s), s+4, "Ok spammer... now go away", "Ok
> ! spammer... now go away"); 	  } 	  else 	  { 		type(atoi(s), s+4,
> ! "Ok", "Ok"); 		++rcpt_count; 	  }
>    } else {
> ! 	  /* anti-spamming measures - ASP/MSI */
> ! 	  if (rcpt_count >= 4)
> ! 	  {
> ! 		if (rcpt_count++ > 4)
> ! 			sleep(rcpt_count * 5 * 60);	/* sleep 5 minutes * numrecipients
> ! */ 		if (sizeoptval) 			type(250, "2.1.5", "Ok spammer... now go
> ! away; can accomodate %d byte message",sizeoptval); 		else
> ! 			type(250, "2.1.5", "Ok spammer... now go away"); 	  }
>      else
> ! 	  {
> ! 		if (sizeoptval)
> ! 			type(250, "2.1.5", "Ok; can accomodate %d byte
> ! message",sizeoptval); 		else 			type(250, "2.1.5", (char *)NULL);
> ! 		++rcpt_count; 	  }
>    }
>    if (s)
>      free(s);
> ***************
> *** 1522,1527 ****
> --- 1549,1565 ----
>      mfp = NULL;
>      type(552, "5.3.4", "Message size exceeded fixed maximum size
>      for acceptable email"); fflush(stdout);
> + 	} else if (rcpt_count >= 19) {
> + 		/* anti-spamming measure - ASP/MSI */
> + 		mail_abort(mfp);
> + 		mfp = NULL;
> + #ifdef LOG_INFO
> + 		syslog(LOG_INFO, 
> + 		       "pretended to accept (but silently dropped) spam
> + (%drecipients>19) from %s:%d", 		       rcpt_count, rhostname,
> + rport);
> + #endif
> + 		type(250, "2.6.0", "I thought I told you to go away...");
> + 		fflush(stdout);
>    } else if (mail_close(mfp) == EOF) {
>      type(452,m430,(char *)NULL);
>      fflush(stdout);
> ***************
> *** 1923,1928 ****
> --- 1961,1975 ----
>     if (mfp != NULL) {
>       mail_abort(mfp);
>       mfp = NULL;
> + 		}
> + 		/* anti-spamming measure - ASP/MSI */
> + 		if (++ResetsSeen > 4)
> + 		{
> + #ifdef LOG_INFO
> + 			syslog(LOG_INFO, "multiple (%d) RSET cmds in one session from
> + %s:%d", 			       ResetsSeen, rhostname, rport);
> + #endif
> + 			sleep(5 * 60 * ResetsSeen);
>     }
>     if (state != Hello)
>       state = MailOrHello;
> 
> 
> ====================================================================
> =========
> 
> #!/bin/sh
> 
> nawk '
> ($2 == "file:") {
>         x = 4;
>         while ( $x != "=>" && x < 20)
>         {
>                 printf ("%s ", $x);
>                 x++;
>         }
>         printf ("\n");
> }
> ' < /var/adm/mail/router \
> | sort | uniq -c | sort -rn | head -23
> 
> 
> ====================================================================
> =========
> 
>   68 owner-freebsd-questions@freefall.freebsd.org 
>   66 MailProcessor@lasergo.com 
>   49 <zvi@creditnet.com> 
>   48 <undcom@undcom.com> 
>   48 <70741.3507@CompuServe.COM> 
>   34 staff@quote.com 
>   34 <staff@quote.com> 
>   34 <owner-freebsd-questions@freefall.freebsd.org> 
>   33 <MailProcessor@lasergo.com> 
>   23 owner-year2000-discuss@year2000.com 
>   23 <owner-year2000-discuss@year2000.com> 
>   21 <admin@stack.com> 
>   20 scopus-users-owner@gateway.scopus.com 
>   19 rmoore@fourthtier.com 
>   19 Stephen Oskoui <websol> 
>   16 otle@chat.carleton.ca 
>   16 communicate@jit.com 
>   15 error 
>   15 London Virtual Mall <lvm> 
>   14 webmaster-l-owner@cybercorp.net 
>   14 philhbh@fourthtier.com 
>   14 cte@rammaps.com 
>   14 <webmaster-l-owner@cybercorp.net> 
______________________________________________________________________
      Ryan Scott - rscott@netcreations.com - 718 522 1531     
          - Reinventing Direct Marketing on the Net -
       NetCreations, Inc - http://www.netcreations.com/
                - Targeted 100% OPT IN Email -
PostMaster Direct Response - http://www.postmasterdirect.com/
             *be sure to quote me in your reply*