[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Backdoor not recognized by Kaspersky

One thing that I have not seen discussed in this thread is tarpitting spammers. 
This has been discussed before on BugTraq: 
http://www.securityfocus.com/archive/119/292053/2004-03-01/2004-03-07/1

In addition, there is a neat tool for doing this in conjunction with an MTA, 
called Spam Cannibal:
http://www.spamcannibal.org

I run a spam tarpit using an e-mail address that should never receive 
legitimate communications. The MX record for that e-mail address points to a 
tarpited IP with 25/TCP open. When remote mail servers (or zombied DSL/Cable 
users) connect to that tarpit their connection is held and their IP is logged. 
I have a Perl script that parses the logs and e-mails me a diff of the top 50 
offenders. Those folks end up being blocked by my firewall from accessing SMTP 
on my mail server. If they are a home user, they can still access my web pages, 
etc. This goes a long way to decreasing the spam I receive, and in addition, my 
tarpit holds or slows their connection - making it less likely they will move 
on to the next spam recipient.

Test have been done verifying that, in most cases, spam software freezes, 
hangs, or crashes when tarpitted - forcing manual intervention. There are 
potential ways around this without breaking TCP (if you ignore window size 
changes you are breaking TCP), but all of the work-arounds require manual 
intervention or slow down the rate of spam and consume bandwidth. All of these, 
even if the software doesn't crash or hang, increase the cost of spamming. 
Making spam unprofitable is the only way to combat it, IMHO.

Thanks.

_______________________________________________
No banners. No pop-ups. No kidding.
Introducing My Way - http://www.myway.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html