Politech mailing list archives

FC: One irked sysadmin's tale of struggling against the spam tide


From: Declan McCullagh <declan () well com>
Date: Sat, 25 Jan 2003 12:35:51 -0500


---

Date: Tue, 21 Jan 2003 11:08:37 -0500
From: Rich Kulawiec <rsk () firemountain net>
To: Declan McCullagh <declan () well com>
Cc: Doug Isenberg <disenberg () gigalaw com>, bzs () world std com
Subject: Re: FC: Can we stop Sen. Joseph Lieberman from spamming?

Oh, I'm gonna wade into this one with both feet. ;-)

On Mon, Jan 20, 2003 at 09:45:12PM -0500, Declan McCullagh wrote:
>         You and your Politech readers may be interested in this analysis
> from the Duke Law & Technology Review: "Political E-mail: Protected Speech
> or Unwelcome Spam?,"

Posit: No such analysis is necessary: spam is NOT speech and therefore
all of the debate we could have over what kind of speech it is, what
protections it might or might not enjoy, etc. is irrelevant.

Spam is conduct: specifically, spam is conduct consisting of a
denial-of-service attack which may or may not be targeted at users,
systems, networks, mailing lists, or some combination of these,
sometimes in small but often in very large quantities.

One of the first people to clearly articulate this was Barry Shein (who
I've CC'd on this so that he might correct me if he feels I'm taking
his comments out-of-context or otherwise mis-reading their intent):

        Denial of Service Attacks disguised as Spam
        http://www.cctec.com/maillists/nanog/historical/9801/msg00014.html

What he said several years ago is even more true today, as examples
show up on a daily basis.

"Vanilla" spam (i.e. spam which does not have forged headers, does
not hijack open relay or proxies, etc.) is similar to other forms
of abuse which take resources that are made available for use in
moderation and abuses them by excessive use.  In that sense, it's
closely related to abuses such as ping flood attacks, article
"floods" posted to Usenet; exhaustive downloads of large FTP archives;
and other activities.  It doesn't make illegitimate use of resources:
it makes excessive use of resources -- which makes it a denial-of-service
attack, and it should be treated as such.

"Sophisticated" spam (i.e. spam which uses forged headers, asymmetric
routing, hijacked relays, hijacked proxies, and so on) compounds this
by making illegitimate/unauthorized use of resources that belong neither
to the sender nor the putative recipients.  The legitimate owners and
users of those intermediate systems are secondary victims of this
attack, as they are also deprived of service, often to a large degree.

Three examples:

1. One of my mail servers endured a sustained attack from a spammer's
system last week.  That remote box, which I traced back to an IP address
in Japan, made more than 11,000 unsuccessful attempts to stuff unwanted
traffic into mine.  (It did this overnight; when I woke up in the morning,
I firewalled off the originating address.)

But I still have to pay for the bandwidth that was used: that system
is on a burstable circuit whose pricing structure is a flat fee plus a
surcharge for additional traffic.  And -- in case you're wondering --
there's not the slightest question that it was spam: the only user
account on that machine is mine, and it has never emitted a single
mail message, so it couldn't possibly have signed up for anything.
(The server exclusively handles mailing list traffic for a number of
volunteer/non-profit organizations.)

2. I blocked all traffic from the well-known spammers at azoogle.com
nearly a year ago.  My mail servers return the correct response codes to
every SMTP connection from them, indicating that access has been permanently
denied; the text message which accompanies it indicates why.  However,
they're still pounding away multiple times per day, every day, on every
mail server I have.  A small sample of abridged log entries from the
last 24 hours:

Jan 19 16:49:03 sendmail: arg1=transport23b.azoogle.com, arg2=66.197.140.226, reject=550 5.0.0
Jan 19 17:23:41 sendmail: arg1=transport23e.azoogle.com, arg2=66.197.140.229, reject=550 5.0.0
Jan 20 09:06:19 sendmail: arg1=transport12c.azoogle.com, arg2=66.197.140.72, reject=550 5.0.0

I have 12,814 more log entries just like that in my archives.

3. A few months ago, a spammer conducted a "dictionary" attack against
a domain that I host.  This means that they attempted delivery of their
messages to:

        abc () example com
        abcd () example com
        abcde () example com
        [...]
        a.smith () example com
        b.smith () example com
        c.smith () example com
        [...]
        asmith () example com
        bsmith () example com
        csmith () example com
        [...]
        joe () example com
        mary () example com
        jim () example com

for a very large number of probable usernames.  I let this one go --
because it was on a circuit with extra bandwidth and was directed against
a mail server that was otherwise idle, and because I was curious to see
how long it would go on.  When it was done, several million individual
delivery attempts had been made -- from a couple thousand different IP
addresses, meaning that the spammer(s) had also abused thousands of other
systems while abusing mine -- and probably others: I doubt my system was
the sole target.

[ end examples ]

This happens every day, all day.  Spam-monitoring/tracking forums like
the spam-l mailing list and Usenet newsgroup news.admin.net-abuse.email
have a constant stream of reports like this.   (And would have more if (a)
more admins were aware of them (b) more admins were aware of what's being
done to their systems/networks and (c) more admins could spare the time.)

My mail servers now reject more spam than they deliver mail.  This,
sadly, appears to be the trend.  I am compelled to spend my time and my
money attempting to stave off the abuse: I will probably need to pay
additional charges for more rack space in the next 1-3 months in order to
install a proxy SMTP host/firewall and, of course, I have to purchase
the machine, configure it, pay for the bandwidth it uses, etc.

And this is because -- unfortunately -- spam is NOT correctly treated as
a denial-of-service attack, with all the ramifications that this implies,
but is instead confused with the normal use of email for personal
correspondence, ordinary mailing list traffic, order confirmations,
and the thousand other legitimate uses of the SMTP protocol.

So while I find free speech debates interesting (a) because I took
a couple of Constitutional law courses and now occasionally make the
mistake of thinking I understand something and (b) because I value
free speech highly and once put my job on the line to defend it, I don't
think they're in the least bit relevant here: to go back to my
opening statement, spam is conduct, not speech.

---Rsk
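The two log-driven situations in the message above (a source that keeps hammering a server after a permanent 550, and a "dictionary" run of delivery attempts against many probable usernames) are both things an admin can pull out of the reject log with a few lines of code. The example below is added to this archive page and is not part of Rich's message or of sendmail; the sample lines are constructed in the abridged `arg1=host, arg2=ip, reject=...` style he quotes, the `to=<addr>` field used for the dictionary check is an assumption (it is not in the quoted format), and the 203.0.113.x / 198.51.100.x addresses are documentation ranges, not real hosts.

```python
"""Summarise sendmail-style reject log lines (example added to this archive
page; not code from the original message).

Input lines follow the abridged format quoted in the message:
    Jan 19 16:49:03 sendmail: arg1=<host>, arg2=<ip>, reject=550 5.0.0
The sample lines below are constructed.  The 'to=' field on the last
five lines is an assumption added for the dictionary-attack check.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) sendmail: (?P<fields>.*)$"
)

# Constructed sample: six rejected connects from one sender's hosts, one
# unrelated temporary (4xx) reject, and five 'user unknown' style rejects
# from a single source walking through probable usernames.
SAMPLE_LOG = [
    "Jan 19 16:49:03 sendmail: arg1=transport23b.azoogle.com, arg2=66.197.140.226, reject=550 5.0.0",
    "Jan 19 17:23:41 sendmail: arg1=transport23e.azoogle.com, arg2=66.197.140.229, reject=550 5.0.0",
    "Jan 20 09:06:19 sendmail: arg1=transport12c.azoogle.com, arg2=66.197.140.72, reject=550 5.0.0",
    "Jan 20 11:40:02 sendmail: arg1=transport23b.azoogle.com, arg2=66.197.140.226, reject=550 5.0.0",
    "Jan 20 12:02:55 sendmail: arg1=transport23b.azoogle.com, arg2=66.197.140.226, reject=550 5.0.0",
    "Jan 20 14:15:30 sendmail: arg1=transport12c.azoogle.com, arg2=66.197.140.72, reject=550 5.0.0",
    "Jan 20 12:10:17 sendmail: arg1=mx.example.org, arg2=198.51.100.7, reject=451 4.7.1",
    "Jan 20 13:00:01 sendmail: arg1=[203.0.113.9], arg2=203.0.113.9, to=<abc@example.com>, reject=550 5.1.1",
    "Jan 20 13:00:02 sendmail: arg1=[203.0.113.9], arg2=203.0.113.9, to=<abcd@example.com>, reject=550 5.1.1",
    "Jan 20 13:00:02 sendmail: arg1=[203.0.113.9], arg2=203.0.113.9, to=<a.smith@example.com>, reject=550 5.1.1",
    "Jan 20 13:00:03 sendmail: arg1=[203.0.113.9], arg2=203.0.113.9, to=<b.smith@example.com>, reject=550 5.1.1",
    "Jan 20 13:00:03 sendmail: arg1=[203.0.113.9], arg2=203.0.113.9, to=<asmith@example.com>, reject=550 5.1.1",
]


def parse_line(line):
    """Return {'ts': ..., 'arg1': ..., 'arg2': ..., 'reject': ..., ...} or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for part in m.group("fields").split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key.strip()] = value.strip()
    return rec


def source_domain(host):
    """Collapse transport23b.azoogle.com -> azoogle.com; keep [ip] literals as-is."""
    if host.startswith("["):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def repeat_offenders(lines, min_rejects=3):
    """Sending domains that keep connecting after a permanent (5xx) reject.

    Temporary 4xx rejects are ignored: retrying after those is correct
    behaviour.  Sources returned here are the ones worth a network-level
    block, which is what the message's author ended up doing."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("reject", "").startswith("5"):
            counts[source_domain(rec["arg1"])] += 1
    return [(dom, n) for dom, n in counts.most_common() if n >= min_rejects]


def dictionary_attack_sources(lines, min_distinct_rcpts=5):
    """Source IPs whose 5xx rejects span many distinct recipients.

    One source sending to abc, abcd, a.smith, b.smith, ... is the recipient
    'dictionary' pattern from the third example.  Assumes a to=<addr> field."""
    rcpts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and "to" in rec and rec.get("reject", "").startswith("5"):
            rcpts[rec["arg2"]].add(rec["to"].strip("<>").lower())
    return {ip: len(r) for ip, r in rcpts.items() if len(r) >= min_distinct_rcpts}


if __name__ == "__main__":
    for dom, n in repeat_offenders(SAMPLE_LOG):
        print(f"{n:5d} permanent rejects from {dom}")
    for ip, n in dictionary_attack_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct rejected recipients (dictionary pattern)")
```

Run it against a real `maillog` by replacing `SAMPLE_LOG` with the file's lines; the thresholds are deliberately low for the constructed sample and should be raised for a busy server, where a handful of rejects from one domain is noise and the 12,814-entry case in the message is the signal.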




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------

