North American Network Operators Group
Re: BGP blackholing spam [was Spammer Bust]
I enjoyed reading Randy's comments, as always. Here's the fine print.

Blackholing spammers is tricky. For instance, recently the professional spammers got so good at locating third party relay sites that they no longer have to overload other folks' relays in order to get the spam out. So now rather than finding one relay and handing it 50 envelopes each with 10,000 recipients, they find 500 relays and hand each one 1,000 envelopes each with 1 recipient. They add random gibberish to each message body so that tight checksums like MD5 won't be able to detect the duplicates. (Yes, loose checksums are available and they are being employed.) What this means, though, is that third party relays are no longer being given so much mail to deliver (by any given spammer, that is) that they come to us (the anti-spam crowd) screaming for anti-relay solutions such as Eric Allman's excellent http://www.sendmail.org/antispam.html logic. Oh sure, the next day or the next week the relay will be abused again, but now that it no longer brings the relay (and its upstream link) to its knees, the operators of these relays are feeling considerably less natural pressure to turn off third party relaying.

Microsoft's Exchange 5.0 adds relay support and the default is ON. So blackholing the spammers led them to relay their spam via third parties, but like all naive parasites they failed to use any kind of quotas and they irritated (in some cases killing) their host bodies. Now they're smarter.

So now whenever I am spammed I blackhole the relay's /32 for ten days. This is twice the 5-day queue limit that Host Requirements recommends for mail, and it is the Sendmail-8 default. (Sendmail-5's default was 3 days -- ouch!) I often find that during the ten day blackhole period, a mail relay's operator discovers that their connectivity isn't very good for some reason, and finds out that I am the reason, and threatens to sue me.
At the moment there are 92 hosts in this ten day "holddown period" and while three of them have asked how they can prevent third party relay in their mailers, two others have sent official-looking letters with words like "cease" and "desist" in them.

The spammers are going to make it as hard as possible to block them. For a while they used to abuse "popular" relays and shell machines and so on, in the mistaken belief that nobody would block a popular and necessary host resource just to stop spam. I think I've told the story of the firebombing of Dresden to at least a half dozen popular host resource owners in the last two years.

Blocking relays stops spams in progress. I've seen this happen often enough that I know it's what I have to do. But I've had two blackhole mirror sites drop off the list because they could not afford to block somebody that I had to block. (There is of course a way to block my blocks, and several mirror sites do that routinely.)

But blocking relays doesn't stop the phenomenon of spam; in fact it doesn't even slow it down. Consider the fact that I only blackhole when I am myself spammed. Don't you think that if it were in a spammer's power they would try to avoid spamming me? Consider the fact that all Sendmails ever installed (including the one you'd get right now from ftp.sendmail.org) allow full relay between arbitrary sources and destinations, and that changing it is HARD. Spammers do still send a lot of spam directly. When I screwed the pooch in a system upgrade to my anti-spam blackhole route server and had to spend two hours "wide open" I was spammed *once* *a* *minute* by various nets which I normally block. So I know that the blackhole list does some good. But it is not a fix to the underlying problem, and while I have no direct economic incentive to block spam, spammers perceive a very real and direct economic incentive to send it to all of us. So, yes, do sign up for the blackhole.
If half the ISPs in the country would just refuse to exchange packets with most of AGIS's customers, maybe the other half would feel so much pain that they would come along for the ride. (Right now AGIS picks up a huge amount of business since disconnected spammers always end up buying connectivity from AGIS when no one else will sell it to them.) Who knows, perhaps we can isolate the spammers so they can only spam each other. But be aware that blackholing people, especially on my say so, will lead you to get complaints from your users about unreachability, and complaints from other ISPs' users about unreachability, and that while these are probably fewer complaints than you're getting right now about spam, the war won't be over until the last spammer's head is stuck onto a spear at the city limits. If you want to blackhole spammers, I can help. But it's NOT a magic bullet.

Now as to money. I've hired somebody to do the paperwork of signing up new eBGP4 anti-spam routing feed recipients. I will shortly start charging some kind of quarterly fee to said recipients to cover some of my costs. If you decide to start feeding each other, just make sure that the route origin is always my server since I need to be able to revoke a black hole route in real time whenever (a) I make a mistake or (b) somebody calls me asking for help with their spam problem and they are on my blackhole list. If you cache this data or disconnect it from its source, I'm still liable for the business losses of blackholed network owners even though I won't have any control over continued propagation. Don't put me in that position, please.

I am also getting ready to start work on my company's next commercial product, and it looks like a spam filtering SMTP gateway is going to be it even though I've got this drop-dead idea for optimal HTTP redirects that I've been wanting to implement for about the last 14 months. Oh well, "follow the money."