Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Foiling Spammers: Fake SMTP relays

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    Foiling Spammers: Fake SMTP relays

    I was thinking about ways to stop spammers, and I thought : what if we set up fake SMTP relays?

    A fake SMTP relay could be set up such that it looks exactly like the real thing, but rather than relaying the messages just throws them away.

    If enough people set up servers which are indistinguishable from SMTP relays, the spammers will have a much tougher time finding real ones.

    There aren't *that* many open relays anyway, and they don't generally stay open for very long (I hope). So if you managed to outnumber the real relays say, at least 2:1, then it would become much more difficult for spammers to find the real ones.

    This would in turn, reflect the market price of spamming services increasing dramatically, thus discouraging companies from using this decreasingly effective method of marketing, and decrease the spam for everyone.

    Good idea?

    Are there existing fake SMTP relays out there?

    Comments please

    Slarty

  2. #2
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    I think this is an excellent idea - It would need a sacrificial IP since it's likely to get listen in blacklists since it will look like a relay - but otherwise I think this Idea should be investigated further.

    I have no idea if any there are any fake smtp relays are there.

    I can't imagine this would be too difficult to set up either.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I did a search and found a discussion of the same topic here

    http://www.ornl.gov/cts/archives/mai.../msg00075.html

    Although I had the idea independently, I seem to have come to the same conclusions.

    Your IPs should never end up on blacklists, because blacklists only harvest IPs from actual spam sent. As your fake relay should not be doing any actual relaying, it shouldn't end up there.

    If worried about bandwidth usage, put some delays in to "tarpit" it, causing the spammer to trickle spam in.

    Slarty

  4. #4
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by slarty
    Your IPs should never end up on blacklists, because blacklists only harvest IPs from actual spam sent. As your fake relay should not be doing any actual relaying, it shouldn't end up there.
    To some extent that's true, but some bots search deliberately for what appear to be open relays.

    I don't know if they try and relay a mail to a known address and use that as an indication, or if they just rely on what the smtp messages tell them.

    Probably the former if I think about it.

    If I had more than 1 IP addy I would set this up in an instant.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  5. #5
    I’ve been fighting spam for a long time and I know for sure that the solution to stop spam is much easier than most solutions I have come a cross.

    My solution to this epidemic is as follow;

    Every spam contains a valid domain name, ip address, telephone number or something to allow the victim to either visit the spammer’s website or to phone them.

    What if all ISP in the world would remove well known spammer’s domain name from their DNS servers?

    What if all ISP in the world would not sell domain name or allocate ip addresses to people and company which are blacklisted because their address details and bank details were use previously to buy a domain that were used for spam.

    What if all Telcom companies in the world would disconnect phone number found to be used for spam?

    What if all the domain names, telephone numbers, ip addresses and etc found in the body of emails where used as RBL?

    Below is a list of spammers’ domain names I’ve been harvesting for blacklisting in the last six months. My guess is that MOST of those domains were bought by no more than 5 or 8 expert spammers. I think those domains’ owners can be traced and prosecuted - through the bank account used to purchase those domains name. I just need someone from the FBI to go after them. Does anyone know anyone with this power? Thanks
    ==========================Begin=====================


    medsawait.biz;babbleon.net;2bdjuv.com;Mickey@ezfreequotes.com;fYNanCE3.bIz;10-club.com;boussantcapsules.com;
    98207.biz;fastfreequotes.com;soskam.net;seductionissimple.com;members.tripod.com.br;amateurs.tripod.com.br;
    pro2security.biz;ant3w.com;post.cz;acte1c.com;ewxw1323.com;acte1c.com;in-box-offer.org;netshockstudio.com;
    eros.rin.ru;postcards.rin.ru;grantsavailable.com;ant3w.com;market998.com;healthforyou@post.cz;sulebello@post.cz;
    yourmeds.biz;eb-helper.com;physiochemical@http://********sx.com;fastbreakusa.co...r@firemail.de;
    wleonardo@brokerproapps.com.br;mq385zm8r09p4@images.healthproductsnow.net;mratat.com.br;images.rsvp0.net;
    responsys.com;cdn.ruk1.net;PennyPerLead@9trv.com;oizaiah86@brokerproapps.com.br;lnorman@brokerproapps.com.br;
    sell22s.com;813x0798ml43v@81.180.95.15;l43v6776gm9e22@gresataa.com;d5izy4402c3489@mort888.com;gresataa.com;
    r%78med%69ca%6C.tk;RANDOM_TEXT@r%78med%69ca%6C.tk;zhangnian.com;viagr1adomainsmarketg.biz;random.liljoesmith.com;
    re.redribbonfirst.com;25larger25.biz;opt<tradesmen>out55@saveus<recappable>today.com;amaTEUrxXX.cOM;amaTEUrxXX.cOM;
    awayoutofdebtfast.com;4.47.129.21;ezcheating.com;intercheap.com;tt64s.com;shopwo11.com;undergroundhandbook.com;
    viagr1adomainsmarketg.biz;pimpstars.com;32547.biz;lifeteens.net;121ads.biz;bulkbombltd@hotmail.com;mortgageew.com;
    365pharm1.com;8867v.com;lucidhealth.tc;123awayout.com;mikbiku@rediffmail.com;download-1.download4free.com.ar;
    iliKeMaIl.nEt;IbAMY.coM;qrstuv.org;1smartworld.com;123awayout.com;biggerlover.com;onestopmeds.biz;us.adserver.yahoo.com;
    rd.yahoo.com;europe.magix.com;4djfui.com;xcellentresults.biz;appdev.com;best0fallmedz.biz;aaa9875548.com;kevin888.w19.bizcn.com;
    wertek.biz;1-310-943-3250;greater-deals.biz;nEVerbADHEalTh.NeT;ImAGES.NeVErBadheALTH.NEt;loving-touches.org;members.tripod.cl;
    saleoo1.com;investor-resource.org;meilung.com.tw;nudrivescience.tc;medpills.biz;pics.download4free.com.ar;
    nudrivescience.tc;nudrivescience.tc;thebestpr1ntbarga1n.com;buy-right-today.com;unl1m1tedvalue-unl1m1tedreturn.com;
    incredi-offers.com;superdated2.com;opportunityforgrants.com;81.180.94.29;mil_ton1966@hotmail.com;miltoncraig001@yahoo.com;
    itseasyas123out.net;theBestProducTsonliNE.cOm;health.cccardz2003.biz;501s.biz;8083.alertquotes.com;365med1.com;
    med21sx.com;med12z.com;7x24pharm1.com;med12z.com;sizepills.biz;evesham.com;secure-software.biz;herbalpillsonline.info;
    med21sx.com;sea2ws.com;81.180.94.30;smartclixshopping.com;zbestoutthere.biz;e83FT081Np.e5B17cE8F.zB2h26.krZ30Fm.bredom.net;
    maxviewtech.com;hijkl.com;vprx-online.biz;registradominio.biz;new.alphacard.biz;clickforsales.net;clickforsales.net;
    getit4less.biz;saless1d.com;outoutforyouandme.com;v1s1tourstoreandsave.com;onlinepharm1.com;bearch11.com;onlinepharm1.com;
    horizonstream.net;outoutforyouandme.com;81.173.119.1;platinumgainpro.tc;onliness22.com;obonsaler332w.com;fitandhealthy22.com;
    edificagrowth.tc;bizmedsrrev.com;health.alphacard.biz;thepowerofoneonline.com;greatxzq.com;BUYherE1.Com;ezregister2a.com;
    onliness22.com;heALtHyLIBido.neT;2389.biz;edificagrowth.tc;fri-rew.biz;ezseecom.com;onlinebiz21.com;ofgypjqfxh.com@www.emptyfs.biz;
    1-212-330-8202;a_ogugua@juno.com;mindazzehorg.biz;odominick@http://www.mun-di-ho.com.br;34boloho...thYLibIdO.nEt;
    dygnqwynid.net@<a rel="nofollow" hre...ternet.com</a>;
    xXXdAtE.com;internet-generic-pharmacy.com;kinkfarm.com;reducebillsandgetoutofdebt.com;shylo.pro.br;thebestl1ttle1nkontheweb.com;
    greatdf45.com;webdealz2003.biz;dealsbytheminute.biz;freenet.am;magicgirl.tripod.cl;meds4yourlife.biz;playbar.co.uk;livingbar.co.uk;
    reducebillsandgetoutofdebt.com;domianss2.com;cheaperoffer.com;reducebillsandgetoutofdebt.com;spydetector.net;libido-health.net;
    leadsboulevard.net;mail15.com;01642 247776;81.180.84.30;thatwillchangelife.biz;endev.by.ru;convenientnow.com;dealsbyhour.biz;
    pharmacene.com;herbal-inc.biz;wholesale22.com;vPMeds.biZ;VpMEDS.BIZ;teflondoninc.biz;freec.63dns.com;1-212-330-8202;
    ink-saving-spot.com;D%65%77arflas%6b.l%69b%69d%6f%2d%68ealth.n%65t;safely365.com;online-herbal.us;nts.com;nationalauctionlist.com;
    realblackblue.biz;saveonclickeq.com;otisaudiomedia.com;1-646-304-8096;payment33dd.com;preparegreat.com;
    buyingsmart-printingsmart.com;account7x24.com;coolfee1.com;CoinCharger.com;generic4less.biz;pure-herbal.biz;buy-herbal.us;
    j38o9fsaf.flippindeals.com;1-212-214-0422;1-201-584-0293;applicationhere.com;flippindeals.com;vprxonline.biz;hoo.com;
    wsntv7511.com;thirsty-printer.com;naturalherbal.biz;behindclick.com;grasp7x24.com;ebookgeek.com;avnzk.org;confident4.com;
    avnzk.org;allartistaccess.com;overlookedstocks.com;61.232.226.6;getthis4less.biz;noticeyouhere.com;investco1.com;
    compatabilitytester.com;easy-herbal.us;61.97.137.231;pharmacydepot.biz;endenet.snn.gr;
    thirdw.com;gokgle.us;clearancec3.com;allroadname2.com;81.180.84.31;aussieoffers.com;superlowrates.net;checkclicknow.com;
    top-online-pharmacy.com;freeandgetsave.com;watchthemessages.com;goohle.us;gootle.us;caregreat.com;gordontower.com;
    free.gordontower.com;www%2E1stopoptout%2Ecom;123telecom.co.uk;vameriko.biz;the-dot-com-ink.com;thebestinkshop.com;
    a4ta4tawe.com;herbal-kings.biz;PiLlsdoC.Us;213.4.130.210;herbalplus.us;skylinelogo.com;vameriko.biz;cleansweeper.net;
    luckyhere2.com;presenthere.com;camarasalamanca.biz;stickherenow.com;seven12q.com;tipgreathr.com;dubplate.net;puremeds.biz;
    d3kn.org;iiimm00l.com;winhr5.com;bangbes.com;followhere2.com;spylover1.biz;1-212-330-8202;ezdonethe.com;andbarter.com;
    200.206.183.186;questmed2.com;smiley.mail333.com;onlinelovetodate.com;spylover1.biz;humarasamadhan.biz;herbal99.us;
    betsy19.tripod.cl;alwaysfeelgreat1.com;btwsc.com;81.180.33.31;improvehr4.com;snseurope.com;refigroup.net;
    vpachka.biz;safeimpro.com;datemakermania.com;1stfriendfinder.com;freeclicks.biz;vpachka.biz;seks.go.ro;mb00.net;
    exclusivecelebporn.com;a1hostingdirect.com;annmarie17.tripod.cl;place55fg.com;inotheothea.com;meds369.net;rxpalace.biz;
    886-2-2886-4629;tripod.cl;courtney19.tripod.cl;informatix.us;best-great-savings.com;privatemeda.com;opendoor4s.com;
    unihere4d.com;trend455fd.com;redstarbar.co.uk;supersavingsonline.biz;entrye3dd.com;trend455fd.com;1-212-330-8202;
    medscheap.biz;watersafts.com;vigilar.com;yu67fx23.com;rxstation.biz;ezcallmaker.com;abcyougo.biz;60percentbillreduction.com;
    rxsuperstore.biz;rapidsite.co.jp;flex44d3.com;gostats.com;adminsystem.net;gnome05.route.antipuff.nom.br;angelhere5.com;
    CheappIlLS.bIz;kimnd56f.com;trump70.com;easiestwayj.com;notices9.com;wonderherbs.biz;tolast55.com;loanhunters.biz;
    27meg.com;wonderherbs.biz;click.net-click.net.ph;in-boxes-offer.biz;

    ==========================END========================
    smilies are ON

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Mickey: I see the potential there for a _huge_ DoS not only on the net but in the phone systems and commerce.

    If I'm a spammer I start fighting back by placing multiple email addresses, web sites and phone numbers in the mail. All but one are spoofed to point at say Amazon.com with the test clearly pointing to the one to click to get to me. Then the extraction of the addresses etc. cannot simply be automated.

    Nice thoughts.... But impractical in the real world.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Senior Member
    Join Date
    Dec 2002
    Posts
    134
    Thats quite an intresting idea slarty. If enough people did it i`m sure it would be very effective. The spammers will never give up but at least it`ll slow them down.
    The main concern that i and i`m sure many others would have though is the extra bandwidth that would be consumed with this. You mention using a "tarpit" to save bandwidth. I`ve heard lot about "tarpits" and "honeypots" recently but i havn`t really had the chance to look into them further. How effective would these be in this situation?
    Mark

  8. #8
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I have part of a fake smtp server written in java. When I tried to run it under linux it couldn't use port 25. I stopped the sendmail service and disabled it at startup, and it still won't let me run it on port 25. It worked fine on windows. What can I do to fix this?

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    H3r3tic, are you loading it as root? You have to be root to bind to well known ports (< 1024).

    Hmmm...slarty...could be an interesting thing to play around with...maybe I will post a perl script shortly, assuming work doesn't grab my attention first.

    /nebulus

    EDIT: While looking around through some DOCS, saw this web site, thought it was kind of interesting:

    http://assp.sourceforge.net/
    The Anti-Spam SMTP Proxy (ASSP) Server project aims to create an open source platform-independent SMTP Proxy server which implements whitelists and Bayesian filtering to rid the planet of the blight of unsolicited email (UCE). UCE must be stopped at the SMTP server. Anti-spam tools must be adaptive to new spam and customized for each site's mail patterns. This free, easy-to-use tool works with any mail transport and achieves these goals requiring no operator intervention after the initial setup phase.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  10. #10
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Thanks neb, I'll try that when I get home.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •