One is a processed meat derivative, comes in tins and can be bought in supermarkets - your free choice. The digital form, UCE (Unsolicited Commercial E-mail), forces itself on you - free of choice. Spam looks like junk mail, but essentially follows different mechanisms. Spammers can send virtually free of charge and have little trouble retrieving countless addresses, while the costs (read: money, time and stress) occur at the receiver's end, in terms of processing time (server, filter and attention), traffic and noise. Most importantly, counter measures demand close collaboration between sysadmin and clients. Hitting the source directly (see also Crash Course 1) through the network seems a suitable counter measure, and the tactical value of targeting organisations and individuals directly has proven to be efficient. However, the way to deal with spamming is closer to Tai Chi than Kick Boxing for reasons you will find below. So stop searching for '+mail +bombing' right now...

I. COMPLAIN

Inform Postmaster (client)

The softest and arguably only way of dealing with spam mail is to inform the postmaster by sending a copy with the headers intact - hoping the ISP will cut the originator off their supply. But there are ways for spammers to get around that problem. Setting up temporary accounts for mailouts and keeping them short-lived is one way. And if the spammers are in possession of their own domain, the ISP might be willing to stretch their patience - after all, they pay more...

NEVER send 'remove' messages - they only confirm your address.
NEVER mail bomb or flame mail spammers. Chances are the site indicated has been relayed from somewhere else.

II. FILTERS

Filter What?

There are mainly three information sources to filter: Header Information, Mailer Type, IP address (domain). Header information is useful to block certain addresses or known information in filters.
When filtering Mailers, you basically reject all mail delivered by suspect Mail Delivery Agents, whereas filtering IPs (domains) will reject all mail from suspect domains. The first option is the most surgical one; the last two are efficient, but likely to reject legitimate mail if sent either with a filtered agent or from a filtered domain name.

Filter where?

Block SMTP port (server admin)

You can block domain names and IPs by turning off your mailer's SMTP daemon mode. But defining PROCESS_OPTIONS and running smap from the TIS Firewall Toolkit might load down smaller mail servers, because it runs a separate process for each incoming mail. (for details: spam.abuse.net)

Block Mail Transfer Agents (server admin)

Mail Transfer Agents (MTA) are programmes running on the server to store and forward email messages, some providing filter mechanisms. Any measure on the mail server demands close collaboration between sysadmin and clients to avoid blocking legitimate mail. After all: spamming is in the eye of the beholder... (for details: spam.abuse.net)

Block Mailing User Agents (client)

Mailing User Agents (MUA) are programmes running on the server or 'at home', used by the client to send and receive email. Eudora, Pegasus and Pine are such programmes. This is the most decent way to filter spammers. Whereas any server admin decision will affect every client on that mail server, this is only dealing with your in-box. (for details: spam.abuse.net)

Mailing lists and Usenet (server admin)

Many packages dealing with traffic feature spamming filters. Listserv, for example, can link with other Listserv sites around the globe. It determines if a posting has been dumped on far too many sites and will warn the other sites. If the spammer continues under a different name, Listserv will block the whole site (for details: www.lsoft.com). To protect newsgroups, NoCeM (pronounced No See 'Em) can assist in keeping spam away from the users.
It mainly allows users to 'edit' Usenet (or have others 'edit' for you). By issuing NoCeM notices, the admin can perform pre-specified actions for those who agreed to receive such notices (for details: www.cm.org).

III. CORRUPT DATABASES

The Tai-Chi tactics of dealing with spammers. Accept the full force of their attack and redirect it to break their thumbs...

Many spammers use crawlers, spiders, agents (countless terms available) to scan through the www and hoover up all email addresses on the way, which get stored in databases. You can install Perl scripts on your server to generate HTML pages with many fake email addresses. The crawlers will eagerly corrupt a spammer's entire database with useless addresses, which certainly will make their ISP unhappy. The generated pages don't take up server space.

Those velvet killer apps come in different shades of grey. Some continually create 'new' links to 'new' sites with 'new' addresses, capturing the crawler on its night shift. Concerns have been voiced about the harm those generators might cause to modest and legitimate search engines. Debatable, but it should be said that some programmes generate META tags which tell 'legitimate' crawlers to keep their hands off...

IV. SHUT GATEWAYS (server admin)

To cover their tracks, many spammers use other people's SMTP ports to get their material forwarded (and effectively bypass filters). Simply don't let them. Many MTAs allow forwarding to be blocked. If your MTA doesn't have that skill, reroute through a host that does. This is important, so that clients searching for the unknown origin don't start knocking on your door...

V. MAIL BOMBING: Sounds reasonable, feels great, but tastes shit...

Spend your time on identifying the true origin of spam and inform the sysadmin to cancel their contract. You may find that some spammers have squatted other mail servers as gateways, which forward spam without their owners realising. Chances are you will bomb the wrong person...
again: mail bombing is a powerful weapon, so take responsibility...

Crash Media

general info:
http://spam.abuse.net/
http://spam.abuse.net/tools/mailblock.html

newsgroup:
news.admin.net-abuse.misc

perl scripts:
http://spam.abuse.net/tools/makebait.txt
http://www.metareality.com/~nathan/visit.cgi/spam/html.Perl
http://www.shavenferret.com/scripts/spam/
http://www2.all-yours.net/scripts/killspam.htm
Crash Media [crashmedia@yourserver.co.uk]
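
The trade-off described under "Filter What?" (section II), as an added example that is not part of the original text: the three filter sources are run over constructed messages to show that the header filter hits only the spam, while the mailer and domain/IP filters also reject legitimate mail. All blocklist entries, addresses and the mailer name "BulkBlaster" are made-up assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed blocklists: every value below is an assumption for the demo.
BLOCKED_ADDRESSES = {"offers@bulk.example.net"}   # header filter
BLOCKED_MAILERS = ("bulkblaster",)                # hypothetical mailer name
BLOCKED_DOMAINS = ("example.net",)                # domain filter
BLOCKED_NETWORKS = ("192.0.2.",)                  # IP filter (RFC 5737 range)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def in_domain(host, domain):
    """True for the domain itself or a subdomain, not for look-alikes."""
    return host == domain or host.endswith("." + domain)


def matching_filters(raw):
    """Return the names of the filters that would reject this message."""
    msg = message_from_string(raw)
    hits = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in BLOCKED_ADDRESSES:
        hits.add("header")
    if any(m in msg.get("X-Mailer", "").lower() for m in BLOCKED_MAILERS):
        hits.add("mailer")
    sender_domain = sender.rpartition("@")[2]
    relay_ips = RECEIVED_IP.findall(" ".join(msg.get_all("Received", [])))
    if (any(in_domain(sender_domain, d) for d in BLOCKED_DOMAINS)
            or any(ip.startswith(BLOCKED_NETWORKS) for ip in relay_ips)):
        hits.add("domain")
    return hits


def sample(sender, mailer, relay):
    """Build a constructed message; none of these are real captures."""
    return (f"Received: from {relay} by mx.example.org\n"
            f"From: {sender}\nX-Mailer: {mailer}\nSubject: hello\n\nbody\n")


SPAM = sample("offers@bulk.example.net", "BulkBlaster 2.0",
              "bulk.example.net ([192.0.2.10])")
NEWSLETTER = sample("list@club.example.org", "BulkBlaster 2.0",
                    "club.example.org ([198.51.100.7])")
NEIGHBOUR = sample("bob@example.net", "Pegasus Mail",
                   "mail.example.net ([192.0.2.44])")
```

NEWSLETTER is wanted mail sent with the same bulk mailer, and NEIGHBOUR is an ordinary user at the blocked domain; both are rejected by the two coarse filters.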
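
A bait-page generator of the kind section III describes, written here as an added example in Python rather than taken from the Perl scripts linked above. It assumes pages are rendered on request from the URL path (so nothing is stored), uses the reserved ".invalid" top-level domain so no real mail host ever receives the fallout, and emits the robots META tag for well-behaved crawlers; the function names and page layout are hypothetical.

```python
import hashlib
from html import escape

FAKE_TLD = "invalid"       # RFC 2606 reserved name: never resolves
ADDRESSES_PER_PAGE = 5     # assumed page size
LINKS_PER_PAGE = 3


def tokens(seed, count):
    """Derive `count` deterministic pseudo-random tokens from a seed."""
    return [hashlib.sha256(f"{seed}/{i}".encode()).hexdigest()[:8]
            for i in range(count)]


def fake_addresses(path):
    """Fake mailboxes for one page; the same path always gives the same set."""
    users = tokens("user" + path, ADDRESSES_PER_PAGE)
    hosts = tokens("host" + path, ADDRESSES_PER_PAGE)
    return [f"{u}@{h}.{FAKE_TLD}" for u, h in zip(users, hosts)]


def next_links(path):
    """'New' links below the current page, each yielding 'new' addresses."""
    base = path.rstrip("/")
    return [f"{base}/{t}" for t in tokens("link" + path, LINKS_PER_PAGE)]


def bait_page(path):
    """Render the bait page for a URL path; nothing is written to disk."""
    mails = "\n".join(
        f'<a href="mailto:{escape(a)}">{escape(a)}</a><br>'
        for a in fake_addresses(path))
    links = "\n".join(
        f'<a href="{escape(link)}">more</a><br>' for link in next_links(path))
    return ("<html><head>"
            # Tells crawlers that honour it to stay out of the bait pages.
            '<meta name="robots" content="noindex,nofollow">'
            "</head><body>\n" + mails + "\n" + links + "\n</body></html>")
```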
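
The forwarding block from section IV, sketched as an added example (not any particular MTA's configuration): the decision is taken per recipient, accepting mail only when the sender is one of your own clients or the recipient is in one of your own domains. LOCAL_DOMAINS and LOCAL_NETWORKS are constructed values, and relay_decision is a hypothetical name.

```python
import ipaddress

# Assumed site configuration (constructed values).
LOCAL_DOMAINS = {"example.org"}
LOCAL_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def is_local_client(client_ip):
    """True when the connecting host is on one of our own networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def relay_decision(client_ip, rcpt_to):
    """Return (accept, reason) for one RCPT TO address at SMTP time."""
    rcpt = rcpt_to.strip().strip("<>").lower()
    if is_local_client(client_ip):
        return True, "own client, may send anywhere"
    # Routed forms ask this host to forward the mail on after accepting it,
    # so they are refused from outside even when our domain appears in them.
    if rcpt.startswith("@") or rcpt.count("@") != 1:
        return False, "relaying denied: routed address"
    local_part, domain = rcpt.split("@")
    if "%" in local_part or "!" in local_part:
        return False, "relaying denied: routed address"
    if domain in LOCAL_DOMAINS:
        return True, "inbound mail for a local domain"
    return False, "relaying denied"
```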