Mailing List Archive
tlug: Spam mail
- To: tlug@example.com
- Subject: tlug: Spam mail
- From: "Stephen J. Turnbull" <turnbull@example.com>
- Date: Fri, 13 Nov 1998 12:20:58 +0900 (JST)
- Content-Transfer-Encoding: 7bit
- Content-Type: text/plain; charset=us-ascii
- In-Reply-To: <m3emr88ko4.fsf@example.com>
- References: <m3emr88ko4.fsf@example.com>
- Reply-To: tlug@example.com
- Sender: owner-tlug@example.com
>>>>> "Frank" == Frank Bennett <bennett@example.com> writes:

    Frank> Some members of the list will undoubtedly have received a
    Frank> porno posting recently, which shows a bogus Nagoya
    Frank> University address in the "From:" field. This may have
    Frank> been a spite attack on our site, and I'm writing to see
    Frank> whether anyone has any bright ideas that I could pass on to
    Frank> the mail administrators here.

Unfortunately, as far as I know there's nothing that can be done. To
_stop_ it you need to stop the spam. What really needs to be done is
for large ISPs (concentrate on the large ones because of the anonymity
they accept and therefore provide) to start installing internal
firewalls which process the outgoing headers of SMTP traffic for
number of addresses and charge on that basis. I have suggested to
UU.Net, ATT, MCI, IBM, AOL, and EarthLink that they use an exponential
function. No reply, of course. It's obvious why they don't do this.

    Frank> Within a day after the attack, the server had received at
    Frank> least 20,000 complaint messages (or, who knows, requests
    Frank> for further details?), all of which were rejected because
    Frank> the "user" identified in the From: field was bogus.

If the user is a constant, alias the user to the vacation program or
the like, set up with a message that

    We suspect that your message is a response to a spam which did
    not originate at nor pass through our site. It was apparently
    from "..." and its subject was "...". We are sorry for the
    intrusion, but unfortunately, there is nothing we can do to
    prevent others from forging return addresses at our site.

    In the future, please remember that From headers are easy to
    forge (anyone with a PC can do so with the appropriate software).
    If you wish to send a complaint that may have some effect, do so
    to the originating site, which can be identified by tracing back
    the Received: headers (note that these headers can also be
    forged, and often are, to confuse you further).

This could be done automatically (with a less specific message
acknowledging that it was triggered by a robot and noting that you've
been DOS-attacked, you don't like 'bots either but must defend
yourself) by a script, but is also very easy to do by hand once the
boilerplate is set up, you just copy in the Subject and From.

    Frank> AT&T, the Feds and CERT have all been notified.

This is a "do" obviously.

    Frank> (Perl scripts to strip extraneous rubbish from syslog as it
    Frank> builds up,

If you have space you should keep these logs ...

    Frank> quickie fixes to route mail into /dev/null, that sort of
    Frank> thing).

... and at least count the mail, preferably keep the addresses so that
the complainers can be deposed. It may be used in court against the
spammers someday. I will be testifying in such a case (defamation of
character via spam) by phone on the 18th (at about 4am JST :-P). I
suppose you could have them subpoenaed (that will teach them to
analyze mail headers correctly ;-) but with >20,000 you should be able
to find volunteers.

There are generic spam-fighting web sites; I don't know if any deal
with your problem. Most are more oriented to user filters than dealing
with DOS-via-backlash attacks.

There used to be a newsgroup news.admin.net-abuse that dealt with
Usenet spam. Those people were concerned with high level control, use
of cancel-bots and the like. You might look into comp.mail.*, look for
"admin" and "abuse" subgroups.

Back to grading the last batch of exams and writing the next :-(

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
__________________________________________________________________________
__________________________________________________________________________
What are those two straight lines for?  "Free software rules."
----------------------------------------------------------------
Next Nomikai: 20 November, 19:30 Tengu TokyoEkiMae 03-3275-3691
Next Technical Meeting: 12 December, 12:30 HSBC Securities Office
----------------------------------------------------------------
more info: http://tlug.linux.or.jp     Sponsors: PHT, HSBC Securities
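
The suggested auto-reply above tells complainers to trace back the Received: headers while remembering that those headers can be forged. The following is an added example, not part of the original post: it walks the Received: chain of a constructed message and marks where verifiable information ends. The host names, the sample message, and the functions trace_received and handoff are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: spam with a forged From: at victim.example, as stored by
# a recipient at rcpt.example. The bottom Received: line was added by the sender.
SAMPLE = """\
Received: from mx.rcpt.example (mx.rcpt.example [192.0.2.10])
\tby mailstore.rcpt.example with ESMTP id AAA111; Fri, 13 Nov 1998 10:00:03 +0900
Received: from mail.victim.example (dialup-77.bulk.example [203.0.113.77])
\tby mx.rcpt.example with SMTP id BBB222; Fri, 13 Nov 1998 10:00:01 +0900
Received: from mail.victim.example (mail.victim.example [198.51.100.5])
\tby relay.victim.example with SMTP id CCC333; Fri, 13 Nov 1998 09:59:00 +0900
From: nobody@victim.example
Subject: constructed sample

body
"""

# "from <HELO name> (<reverse DNS> [<peer IP>]) ... by <recording host>"
HOP = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\).*?\bby\s+(\S+)",
    re.S)

def trace_received(raw, trusted_suffixes):
    """Return hops newest-first. Each MTA prepends its own line, so a hop is
    'verified' only while it and every hop above it were recorded by a host
    we operate; anything below the first outside host may be invented."""
    hops, chain_ok = [], True
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            chain_ok = False  # unparseable line: trust nothing below it
            continue
        helo, rdns, ip, by = m.groups()
        chain_ok = chain_ok and by.lower().endswith(tuple(trusted_suffixes))
        hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by,
                     "verified": chain_ok})
    return hops

def handoff(hops):
    """Oldest verified hop: the point where the message entered our hosts."""
    verified = [h for h in hops if h["verified"]]
    return verified[-1] if verified else None

if __name__ == "__main__":
    print(handoff(trace_received(SAMPLE, [".rcpt.example"])))
```

In the sample the HELO name claims mail.victim.example, but the peer address recorded by the recipient's own MTA belongs to a different network; that recorded address, not the From: header or the lower Received: lines, is what a complaint should be based on.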
- Follow-Ups:
- Re: tlug: Spam mail
- From: Hernando TANAKA <ktanaka@example.com>
- References:
- tlug: Spam mail
- From: Frank Bennett <bennett@example.com>