nanog mailing list archives

Re: Stealth Blocking
From: dlr () bungi com (Dave Rand)
Date: Thu, 24 May 2001 11:08:28 PDT


[In the message entitled "Re: Stealth Blocking" on May 24, 10:23, "Eric A. Hall" writes:]

> Dave Rand wrote:
> 
> > I'm not sure how effective rate limiting will be.  Many spammers send
> > one copy of the spam to an open relay, but use many (2 to 50)
> > recipients.
> 
> Rate-shapers would also work on the relays. The idea is that if ISPs
> implemented a default rate-limit (let's say 4kb/s), it wouldn't
> interfere with normal use. It would interfere with spam distribution
> because it would slow down the big runs dramatically.
> 
> The negative side effect is that it cripples people who use email as a
> file transfer protocol.


Ok, let's have a look.

Last week, I got one spam ("get a free motorola pager") which came through
168 different open relays, bound for 4428 different recipients at
bungi.com.  There were 791 different connections to deliver all the spam,
which meant that each time the spammer used an open relay, they delivered 5
copies of the message to my system (more or less).  As was typical, they
used 16 different grid.net dialups (all from ipls).

Here are the dialup ports they used.

Injection point IPs involved (potential source):
IP Address      Count Status     In-addr
63.52.247.163      75 On DUL     pool-63.52.247.163.ipls.grid.net
63.52.247.230      16 On DUL     pool-63.52.247.230.ipls.grid.net
63.52.247.249      51 On DUL     pool-63.52.247.249.ipls.grid.net
63.52.247.255     173 On DUL     pool-63.52.247.255.ipls.grid.net
63.52.248.26        1 On DUL     pool-63.52.248.26.ipls.grid.net
63.52.248.100      14 On DUL     pool-63.52.248.100.ipls.grid.net
63.52.248.153       3 On DUL     pool-63.52.248.153.ipls.grid.net
63.52.248.167     156 On DUL     pool-63.52.248.167.ipls.grid.net
63.52.248.182      44 On DUL     pool-63.52.248.182.ipls.grid.net
63.52.248.186      45 On DUL     pool-63.52.248.186.ipls.grid.net
63.52.248.214     123 On DUL     pool-63.52.248.214.ipls.grid.net
63.52.248.239       3 On DUL     pool-63.52.248.239.ipls.grid.net
63.52.248.251      24 On DUL     pool-63.52.248.251.ipls.grid.net
63.52.249.16        3 On DUL     pool-63.52.249.16.ipls.grid.net
63.52.249.59      435 On DUL     pool-63.52.249.59.ipls.grid.net
63.52.249.67       14 On DUL     pool-63.52.249.67.ipls.grid.net

The spam was 4K bytes, including header.  That's 32K bits.  Assuming that
the open relays were really, really fast, that means that it would take
about 2 hours to send all 4428 spams.  If he had used 10 recipients per
relay, it would have been 1 hour.  20 recipients would be 30 minutes.

Without the rate limiting, assuming a 20 Kbps connection speed, it would
have taken about 21 minutes to send the 4428 spams.

Either way, rate limiting isn't very effective.  Even rate limiting at 1Kbps
only makes it 8 hours to send 4428 spams, or just over an hour a day (since
these spams were delivered over a week time period).  And they were using 4
to 8 dialups at a time.  Even at 1Kbps, that's 50,000 to 100,000 spams per
day, at 5 recipients per mail.  If we go to 20, or 50, the numbers get very
large, very quickly, even at 1 Kbps.

That's why I think that port 25 blocking is the only way.  That, and
closing open relays, of course.

-- 
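As an added example (not part of the post or of the thread), the following Python model carries the arithmetic above through in code: time to inject a run under a per-connection cap, daily capacity across parallel rate-limited dialups, and how many recipients per transaction a sender would need to make a cap irrelevant. It uses the post's own figures (4K-byte message, 4428 recipients, 5 recipients per relay transaction, 4 to 8 dialups, 1 to 20 Kbps) and generalizes them to other rates and recipient counts; the 4 Kbps interpretation of "4kb/s" is an assumption.

```python
"""Throughput model behind the post's arithmetic (added example, not code
from the original message). Figures used: 4K-byte spam, 4428 recipients,
5 recipients per relay transaction, 4 to 8 dialups in use at once."""

from math import ceil


def seconds_to_deliver(recipients, msg_bytes, rate_bps, recipients_per_msg):
    """Wall-clock time for one dialup to inject `recipients` copies when the
    line is capped at `rate_bps` and each SMTP transaction hands the relay a
    single body addressed to `recipients_per_msg` people (the relay fans out).
    The cap only meters body bits, not the addresses riding on each body."""
    transactions = ceil(recipients / recipients_per_msg)
    return transactions * msg_bytes * 8 / rate_bps


def spams_per_day(rate_bps, msg_bytes, recipients_per_msg, dialups, hours_per_day):
    """Copies delivered per day by `dialups` concurrent sessions, each
    rate-limited independently, active `hours_per_day` hours."""
    bits_per_transaction = msg_bytes * 8
    seconds = dialups * hours_per_day * 3600
    return int(seconds * rate_bps // bits_per_transaction) * recipients_per_msg


def recipients_to_offset_limit(unlimited_bps, limited_bps, recipients_per_msg):
    """Recipients per transaction a sender needs so that a per-connection cap
    of `limited_bps` delivers copies as fast as an uncapped `unlimited_bps`
    line did with `recipients_per_msg`: the cap divides body bits per second,
    so the sender multiplies addresses per body to compensate."""
    return ceil(recipients_per_msg * unlimited_bps / limited_bps)


if __name__ == "__main__":
    run = 4428  # recipients at bungi.com in the post's sample spam
    for rate in (20_000, 4_000, 1_000):
        for per_msg in (5, 10, 20):
            t = seconds_to_deliver(run, 4000, rate, per_msg)
            print(f"{rate:>6} bps, {per_msg:>2} rcpts/msg: {t / 3600:5.2f} h")
    for dialups in (4, 8):
        print(dialups, "dialups at 1 Kbps, 5 rcpts/msg:",
              spams_per_day(1_000, 4000, 5, dialups, 24), "copies/day")
    print("rcpts/msg needed to cancel a 4 Kbps cap vs. 20 Kbps uncapped:",
          recipients_to_offset_limit(20_000, 4_000, 5))
```

The 4 Kbps, 5-recipients case comes out at 7088 s (the post's "about 2 hours"), and 4 to 8 dialups at 1 Kbps give 54,000 to 108,000 copies per day, matching the post's 50,000 to 100,000.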

