How do you stop outgoing spam?

Please try to keep this discussion technical and not diverge to opinions. I am not looking for opinions or religion. I am trying to find automated tools/systems/boxes that will stop spam from going *out* from an ISP. The ISP has no servers and allocates IP address space to downstream customers who spam. Yes, I know all about ACLs to block offending IPs. The ISP is willing to buy any box or system to stop outgoing spam and thereby stop constantly playing with ACLs.

The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc., to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web-based mail systems, or just blocking port 80 entirely.

Technical solutions welcome.

Thanks,
Hank

You could traffic shape or rate limit the traffic towards port 80 to a few
kbps for each IP address that might be used for spamming. If you allow
small bursts (10 - 50k) this should be just fine for regular web access,
since for that outgoing traffic is minimal: just the HTTP requests and
ACKs. However, it will slow down spamming to at most a couple dozen spams
per minute after the first few that fill up the configured burst size. I
imagine this will make the spammers move on to greener pastures.

How do you determine what is spam?

Not trying to be difficult or start another bloody thread.

It would seem to me that in order to create an "off the shelf"
non NOC-updating solution, you would have to be able to define
"what is spam" and then you could "detect it".

The only thing that comes to this feeble mind is something ala
Snort, with a rule set that will catch most common "finger prints"
of spam. The IDS would then have to trigger something to drop
packets and alert the NOC.

I guess if you treat it as an "Intruder" you might be closer at
achieving your goals.

just an idea.

john brown

Kinda breaks broadband streaming audio/video in a Java/other web applet
though...among other things.

Best regards,

Looking for automatic off-the-shelf solution. Not something that requires
a NOC to constantly update a Cisco ACL.

-Hank

Correct me if I'm wrong, but the web (ok, most of it) has been running on
TCP port 80 for quite a while now. So if you limit outgoing TCP packets to
port 80 (and probably some variations, such as HTTP+SSL) to a few kbps,
regardless of their destination, you don't hurt legitimate users except
some very rare cases such as HTTP uploads but you make life less fun for
spammers.

PLEASE don't take this as an opportunity to start another spam thread
(lest you find members of nanog testing out their theories from the
"blowing up the internet" thread on your connection), but:

Redirect all outgoing port 25 connections to your mail servers, and pipe
all the messages through spamassassin (note: scalability not included).

Final comment on this subject (I promise) :-)

How many (more) protocols are we willing to cripple in the name of
fighting spam?

Best regards,

Obviously the crippled protocol here is SMTP, because it allows pretty
much everything. As a rule, I'm against solving application problems at
the network layer, but in this specific case (internet cafe) this specific
solution (rate limiting/traffic shaping for traffic to HTTP servers) seems
reasonable.

> How many (more) protocols are we willing to cripple in the name of
> fighting spam?

Crippling protocols won't help, in the long run. What will help is
the use of a baseball bat, properly applied. Unfortunately, although
it would probably be *cheaper* to hire <insert ethnic organized crime
to simply whack the cluelessmailers.org list of top 100
offenders, network providers fall into two distinct classes:

1) Companies with *some* sense of morals/conscience - they won't do
that sort of thing.

2) Companies that *would* stoop so low - they won't do it either
because that would be attacking their own revenue stream.

> The spamming is usually done (but not only) from an Internet cafe where the
> spammer inserts a "spammer CD" and blasts away at open mail relays. When
> SMTP is blocked for that IP

outbound SMTP should be blocked for any dynamic or dialup source within
a network. a rule of thumb might be that if nat or dhcp is involved, then
you should be firewalling outbound smtp. likewise for an internet cafe:
these are untrusted edges and the only things they should be able to reach
are either (a) other parts of the untrusted edge, or (b) a place where they
can authenticate themselves in order to reach further.

> ..., they switch to HTTP and send the spam via MSN, Yahoo, Hotmail,
> Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80
> is harder since it requires maintaining an ever larger list of free
> public web based mail systems or just block port 80 entirely.

per-destination host AND port egress rate shaping. if someone tries to send
more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single
IP address, then you can safely RED their overage. this violates the whole
peer-to-peer model but there's no help for that in the short term. if some
internet cafe has a CuCme camera setup then you can find a way to let that
traffic off-net without rate shaping. this will be the exception.

You could transparently proxy port 25 for all outgoing traffic, and then run spamassassin on that machine (collection of machines). You could do a slightly modified version to look at the traffic on port 80. Not only would you be looking for standard spam keywords, but you would also be looking at spam reports from other people (e.g., Vipul's Razor), so this should continue to adapt as the spam attacks change.

  However, I also like the idea of doing a bandwidth budget on a per machine basis, with short term bursts allowing for most "normal" activity.
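Both port-25 proposals in this thread (redirect outbound 25 to the ISP's own mail servers, run the messages through SpamAssassin) leave the decision step implicit. The block below is an added example, not the thread's code and not SpamAssassin's: a Python scoring gate in SpamAssassin's style, additive rule scores compared with a threshold (5.0 is SpamAssassin's default required_score), with a body-digest lookup standing in for a shared-report service such as Razor. The rules, their scores, the digest scheme and the three sample messages are all constructed for this example.

```python
"""Scoring gate for a transparent outbound-SMTP proxy.  Constructed rules in
SpamAssassin's additive style; not SpamAssassin's own rule set."""
import hashlib
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

REQUIRED_SCORE = 5.0  # SpamAssassin's default threshold; the rules are ours


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    if msg.is_multipart():
        chunks = [part.get_payload(decode=True) or b""
                  for part in msg.walk()
                  if part.get_content_type() == "text/plain"]
        return b"\n".join(chunks).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def body_digest(text: str) -> str:
    """Digest of the whitespace-normalised, lower-cased body: the lookup key
    into a pool of collaborative spam reports (a simplification of Razor)."""
    normalised = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


def recipient_count(msg: Message) -> int:
    return len(getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])))


# Constructed rule set: (name, score, test).  Scores add up, SpamAssassin style.
RULES = [
    ("MANY_RCPTS",      2.5, lambda m, t, rep: recipient_count(m) > 20),
    ("NO_MESSAGE_ID",   1.5, lambda m, t, rep: m.get("Message-ID") is None),
    ("SUBJECT_ALLCAPS", 1.0, lambda m, t, rep: len(m.get("Subject", "")) >= 10
                                                and m.get("Subject", "").isupper()),
    ("REPORTED_BODY",   4.0, lambda m, t, rep: body_digest(t) in rep),
]


def score_message(raw: str, reported: set[str]) -> tuple[float, list[str]]:
    """Return (total score, names of the rules that fired)."""
    msg = message_from_string(raw)
    text = body_text(msg)
    hits = [name for name, _, test in RULES if test(msg, text, reported)]
    total = sum(score for name, score, _ in RULES if name in hits)
    return total, hits


def gate(raw: str, reported: set[str]) -> str:
    """Decision the proxy takes before relaying to the ISP's real MTA."""
    total, _ = score_message(raw, reported)
    return "quarantine" if total >= REQUIRED_SCORE else "relay"


# Constructed sample messages (example.* domains), not real traffic.
SPAM_BODY = "MAKE MONEY FAST!!! Click here to unsubscribe from our list."
LEGIT = ("From: alice@example.net\nTo: bob@example.org\n"
         "Message-ID: <1@example.net>\nSubject: lunch tomorrow?\n\n"
         "Bob, does 12:30 still work for you?\n")
SPAM = ("From: deals@example.com\n"
        "To: " + ", ".join(f"user{i}@example.org" for i in range(30)) + "\n"
        "Subject: MAKE MONEY FAST!!!\n\n" + SPAM_BODY + "\n")
NEWSLETTER = ("From: news@example.com\nTo: bob@example.org\n"
              "Message-ID: <2@example.com>\nSubject: weekly digest\n\n"
              + SPAM_BODY + "\n")
# Constructed stand-in for a shared report database such as Razor's.
REPORTED = {body_digest(SPAM_BODY)}


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spam", SPAM), ("newsletter", NEWSLETTER)):
        total, hits = score_message(raw, REPORTED)
        print(f"{label:10s} {total:4.1f} {gate(raw, REPORTED):10s} {hits}")
```

The transparent redirect itself sits outside this block (on a Linux edge box, an iptables nat-table PREROUTING rule with REDIRECT for tcp/25 is the usual way to pull the connections into the proxy), and a production proxy would hand each message to spamc rather than to these four rules. The newsletter case is there to show the additive logic: a reported body alone scores 4.0, below the threshold, so it relays; the same body with the header and recipient anomalies of the spam sample scores 9.0 and is quarantined.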

No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed.

"Brad" == Brad Knowles <brad.knowles@skynet.be> writes:

    > No, the traffic budget is on upstream traffic, not
    > downstream. Stream content all you want, but don't try to
    > generate too much upstream traffic or you get your bandwidth
    > severely curtailed.

good consumer... don't try to talk. just watch the propaganda...

Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption.

> > No, the traffic budget is on upstream traffic, not
> > downstream. Stream content all you want, but don't try to
> > generate too much upstream traffic or you get your bandwidth
> > severely curtailed.

[The whole thing about port 80 upstream bandwidth limitations getting in
the way of streaming audio/video sounds like nonsense to me, since this
usually doesn't go _to_ TCP port 80, even flowing _from_ TCP port 80 is
something I haven't seen this century.]

> good consumer... don't try to talk. just watch the propaganda...

> Yeah, well. For Internet cafes, this is probably a fairly
> reasonable assumption.

Ok, suppose someone can touch type. The world record is something like 600
key presses per minute, which is 10 41-byte TCP packets per second ~= 4
kbps.

When I go to Internet cafes (I like Global Gossip), I connect my Ti-book
to the local ethernet if at all possible (that's why I like Global Gossip) and
use high bit rates (i.e., file transfers) in both directions.

If I was limited to 4 kbps outbound, I would want my money back.

Just one customer viewpoint :-)

Regards
Marshall Eubanks

You're forgetting keyboard macros. That might take you to 8Kbps, or perhaps a little more. ;-)

> Ok, suppose someone can touch type. The world record is something like 600
> key presses per minute, which is 10 41-byte TCP packets per second ~= 4
> kbps.

> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book
> to the local ethernet if at all possible (that's why I like Global Gossip) and
> use high bit rates (i.e., file transfers) in both directions.

Would the uploads be HTTP? That's the only thing I'd want to limit to a
few kbps. (Well, and outgoing SMTP to 0 kbps.)

> If I was limited to 4 kbps outbound, I would want my money back.
>
> Just one customer viewpoint :-)

Understandable. On the other hand, spammers using internet cafes isn't
good either.

On 2002-09-09 17:53 -0400 Marshall Eubanks typed:

> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book
> to the local ethernet if at all possible (that's why I like Global Gossip) and
> use high bit rates (i.e., file transfers) in both directions.
>
> If I was limited to 4 kbps outbound, I would want my money back.

Are you doing your file transfers via HTTP or SMTP?
What about rate limiting TCP SYN packets?

I assume you're not doing more than, say, 1 file per second?

> Just one customer viewpoint :-)
>
> Regards
> Marshall Eubanks

P.S. funny thing is I learnt the SYN rate limiting "trick" from Hank ...