Stealth Blocking

[In the message entitled "Re: Stealth Blocking" on May 24, 10:23, "Eric A. Hall" writes:]

Dave Rand wrote:

> I'm not sure how effective rate limiting will be. Many spammers send
> one copy of the spam to an open relay, but use many (2 to 50)
> recipients.

Rate-shapers would also work on the relays. The idea is that if ISPs
implemented a default rate-limit (let's say 4kb/s), it wouldn't
interfere with normal use. It would interfere with spam distribution
because it would slow down the big runs dramatically.

The negative side effect is that it cripples people who use email as a
file transfer protocol.

Ok, let's have a look.

Last week, I got one spam ("get a free motorola pager") which came through
168 different open relays, bound for 4428 different recipients at
bungi.com. There were 791 different connections to deliver all the spam,
which meant that each time the spammer used an open relay, they delivered 5
copies of the message to my system (more or less). As was typical, they
used 16 different grid.net dialups (all from ipls).

Here are the dialup ports they used.

Injection point IPs involved (potential source):

IP Address      Count  Status  In-addr
63.52.247.163      75  On DUL  pool-63.52.247.163.ipls.grid.net
63.52.247.230      16  On DUL  pool-63.52.247.230.ipls.grid.net
63.52.247.249      51  On DUL  pool-63.52.247.249.ipls.grid.net
63.52.247.255     173  On DUL  pool-63.52.247.255.ipls.grid.net
63.52.248.26        1  On DUL  pool-63.52.248.26.ipls.grid.net
63.52.248.100      14  On DUL  pool-63.52.248.100.ipls.grid.net
63.52.248.153       3  On DUL  pool-63.52.248.153.ipls.grid.net
63.52.248.167     156  On DUL  pool-63.52.248.167.ipls.grid.net
63.52.248.182      44  On DUL  pool-63.52.248.182.ipls.grid.net
63.52.248.186      45  On DUL  pool-63.52.248.186.ipls.grid.net
63.52.248.214     123  On DUL  pool-63.52.248.214.ipls.grid.net
63.52.248.239       3  On DUL  pool-63.52.248.239.ipls.grid.net
63.52.248.251      24  On DUL  pool-63.52.248.251.ipls.grid.net
63.52.249.16        3  On DUL  pool-63.52.249.16.ipls.grid.net
63.52.249.59      435  On DUL  pool-63.52.249.59.ipls.grid.net
63.52.249.67       14  On DUL  pool-63.52.249.67.ipls.grid.net


The spam was 4K bytes, including header. That's 32K bits. Assuming that
the open relays were really, really fast, that means that it would take
about 2 hours to send all 4428 spams. If he had used 10 recipients per
relay, it would have been 1 hour. 20 recipients would be 30 minutes.

Without the rate limiting, assuming a 20 Kbps connection speed, it would
have taken about 21 minutes to send the 4428 spams.

Either way, rate limiting isn't very effective. Even rate limiting at 1Kbps
only makes it 8 hours to send 4428 spams, or just over an hour a day (since
these spams were delivered over a week-long period). And they were using 4
to 8 dialups at a time. Even at 1Kbps, that's 50,000 to 100,000 spams per
day, at 5 recipients per mail. If we go to 20, or 50, the numbers get very
large, very quickly, even at 1 Kbps.

That's why I think that port 25 blocking is the only way. That, and
closing open relays, of course.
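The arithmetic in the message above, put into a small throughput model so the
rate-limit question can be re-run with other message sizes, recipient counts
and caps. This is an added example, not code from the thread: the figures it
is fed are the ones reported above (4K-byte message, 4428 recipients, about 5
recipients per relay session, 791 observed relay connections, 4 to 8 dialups
in parallel); the SpamRun type, the function names and the
cap_to_hold_daily_volume() inversion are this example's own assumptions. The
one-copy-per-session assumption matches the post: only one copy crosses the
capped dialup, and the open relay fans it out to the other recipients on its
own, uncapped link.

```python
"""Throughput model for an ISP-side outbound rate cap applied to a relayed spam run.

Constructed example built from the numbers quoted in the thread; the names and
the functions here are assumptions, not anything from the original post.
"""
from dataclasses import dataclass, replace
from typing import Optional

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class SpamRun:
    message_bytes: int               # one copy of the message, headers included
    recipients: int                  # total addresses targeted by the run
    recipients_per_connection: int   # copies handed to each open relay per session
    concurrent_dialups: int = 1      # throwaway accounts used at the same time
    observed_connections: Optional[int] = None  # use a logged session count instead of the ideal one


def connections_needed(run: SpamRun) -> int:
    """Relay sessions the run needs: the observed count if known, else ceil(recipients / per-session)."""
    if run.observed_connections is not None:
        return run.observed_connections
    return -(-run.recipients // run.recipients_per_connection)


def seconds_per_connection(run: SpamRun, rate_bps: float) -> float:
    """Time to push one copy of the message through a link capped at rate_bps.

    Only one copy crosses the dialup per session; the relay delivers the other
    recipients' copies over its own connection, which the cap does not touch.
    """
    return run.message_bytes * 8 / rate_bps


def run_hours(run: SpamRun, rate_bps: float) -> float:
    """Wall-clock hours to finish the whole run, sessions spread over the dialups."""
    total_seconds = connections_needed(run) * seconds_per_connection(run, rate_bps)
    return total_seconds / run.concurrent_dialups / 3600


def messages_per_day(run: SpamRun, rate_bps: float) -> float:
    """Copies a spammer can deliver in 24 hours of continuous sending under the cap."""
    sessions_per_dialup = SECONDS_PER_DAY / seconds_per_connection(run, rate_bps)
    return sessions_per_dialup * run.recipients_per_connection * run.concurrent_dialups


def cap_to_hold_daily_volume(run: SpamRun, max_messages_per_day: float) -> float:
    """Rate cap (bits per second) that would keep the run at or below a daily volume.

    Inverts messages_per_day(). When the answer lands far below what ordinary
    mail needs, the cap cannot do the job without breaking normal use, which is
    the point made in the thread.
    """
    return (max_messages_per_day * run.message_bytes * 8
            / (SECONDS_PER_DAY * run.recipients_per_connection * run.concurrent_dialups))


if __name__ == "__main__":
    pager = SpamRun(message_bytes=4000, recipients=4428, recipients_per_connection=5)
    eight_dialups = replace(pager, concurrent_dialups=8)
    for bps in (20_000, 4_000, 1_000):
        print(f"{bps:>6} bps: {run_hours(pager, bps):5.2f} h for the whole run, "
              f"{messages_per_day(eight_dialups, bps):8.0f} msgs/day on 8 dialups")
    print("cap needed to hold 8 dialups to 1000 msgs/day: "
          f"{cap_to_hold_daily_volume(eight_dialups, 1000):.1f} bps")
```

Run as a script it reproduces the figures in the post (about 2 hours at
4 kb/s, 21 minutes uncapped at 20 kb/s using the 791 logged sessions, about 8
hours at 1 kb/s, and 50,000 to 100,000 copies a day on 4 to 8 dialups), and
the last line shows why the approach fails: holding eight dialups to a
thousand copies a day would need a cap of under 10 bits per second.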

> Last week, I got one spam ("get a free motorola pager") which came
> through 168 different open relays, bound for 4428 different recipients

I just peeked in my trash folder, and 6 out of the last 10 spams that I
received were sent directly from dial-up spam blowers.

Certainly we can agree that there are many paths spammers will take. If
rate-limiting eliminates/curbs the throwaway dial-up abusers, then surely
it is an effective tool in the fight. I'm not calling a cure-all.

> That's why I think that port 25 blocking is the only way. That, and
> closing open relays, of course.

I would say that default blocking of port 25 is a good position to take,
but you can't deny that has its own problems. For one thing, the
exceptions become the rule. I've noticed a trend in spam from small
businesses, cable users, etc., many of whom are behind non-throwaway
lines. Going to a model where "legitimate" users are unfiltered doesn't
stop all spam, it only delays it at best.

In this regard, rate-limiting and port-blocks are just tools in the belt,
neither of them is perfect.

No, that is NOT the only way. We presume that the spammer had 8 dial-up
accounts. Who is this professional spammer, and how come he/she/it can
still find a provider? That is the question. Perhaps also who is the
merchant that ordered the promotion?

The identity of such individual or company belongs on a black list.
Yet the spammer is able to subscribe again tomorrow, next week, next
year... and nothing happens to them. That is the point where control
should be exercised.

--Mitch
NetSide

You're certainly not the first person to suggest this; I've
heard it many times over the past years, from people way kookier
and/or way more clueful than you'll ever be. But, nobody's
actually done it yet. What's stopping you?