CamFraser
11-22-2006, 07:14 PM
There seems to be some needless worrying going on all over the net about recent reports of the surge in botnets.
Don't Panic! (in large Friendly letters) :P
Relax please. All those reports focus on problems restricted to large scale providers.
From a technical point of view, the problem was identified, analyzed, and solved in principle a year ago. The botnet spam volume has been insufficient for most to bother implementing those solutions.
The caveat is that many of those solutions work best if you have your own small scale domain.
Hmmmm... anybody here to whom that description applies? :wink: ( :cough: everybody? :cough: )
As I mentioned in this anti-spam thread (http://www.aota.net/forums/showthread.php?t=22121) one solution is being called the "Jayne Cobb commemorative Grenades test" (a tribute to the superb science fiction TV series Firefly (http://www.news-journalonline.com/column/247/03SceneTWEN072005.htm)). :yeah:
It uses the fact that small domain owners know which accounts are in use, and the botnet spammers are demonstrably stupider than average in that they have huge quantities of invalid addresses in their DBs. Basically, all you need to do is turn your catchall on, and use a filter that tracks stuff that is near simultaneously sent to at least one invalid account (or whatever cutoff number you're comfortable with).
If an IP only sends to valid accounts, the pin stays in the grenade, otherwise, kaboom! :P
I regularly run a "grenade simulation tool", so I know this will work. Every other solution my anti-spam provider has come up with has also worked wonderfully, so I have a rational basis to trust that track record.
If you're like me and often generate unique one-off account names for site regs, not a problem. Set your "grenade dispersal" to require at least two account hits. A legit sender is almost never going to send two or more simultaneous messages from the same IP to two separate non-existent accounts (or one real and one unreal). Main legit case would be if you forgot about a rarely used legit account name, or two people on the same domain gave out ad hoc account names to the same (legit) site. Even in those rare cases, that sort of email is low priority, and in my view not a loss. Besides, the anti-spam suite (http://Puffin.net/software/spam/index.htm) I use (as mentioned in that other thread), maintains a "corpse" pile, and has tools designed to easily spot and salvage FPs.
That's just the simplest level of detection complexity. Next level up is an RBL powered by catchalls! Think about how trivial it would be to redirect your catchall to one server, and how easy it would be to chomp thru that data in real-time, statistically ranking each sending IP. In other words, turn the tables on the spammers! That's kiddie level to do. It just needs enough people who are serious enough to kick in their time and expertise, and a larger group to kick in the money to fund a dedicated server and bandwidth. I've already made a modest pledge of time (1 hour/month) and money ($20/year), and I'm optimistic there's enough others interested to make that possible.
Why haven't those approaches been used so far?
Because anyone using a sophisticated anti-spam tool has barely noticed the spam events of the past month.
Bottom line: relax!
The moment the botnets really become a serious problem, there are well-tested solutions waiting for deployment.
Most technical problems can be solved. It just takes enough serious people to get the job done. In the words of Tolkien: "If we all got angry together something might be done." (Of course, he meant "productively" angry - decent people don't waste energy getting angry if that anger isn't matched with action.)
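A worked illustration of the catchall "grenade" rule and the catchall-fed IP ranking described in the post above. This is an added example, not code from the post, the linked thread, or the Puffin.net suite it mentions. The log line format, the list of valid accounts and the sample log lines are constructed for the example; the 60-second "near simultaneous" window and the two-hit trigger are assumptions that follow the post's suggested setting. It also covers the "one real and one unreal" case the post describes, and the ranking goes one step beyond the post by scoring every sender rather than only the ones that triggered.

```python
"""Catchall 'grenade' detector for a small domain (example, not the post's code).

Flags sending IPs that, within a short window, address at least `min_hits`
distinct local recipients of which at least one does not exist, and ranks
every sender by its share of invalid recipients (the RBL-style view).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed: the accounts that actually exist on this small domain.
LOCAL_DOMAIN = "example.net"
VALID_ACCOUNTS = {"alice", "bob", "webmaster"}

# Constructed log lines in a hypothetical "date time ip RCPT TO:<addr>" format.
# 203.0.113.5 hits one real and two bogus accounts within a second (botnet-like).
# 198.51.100.7 hits a real account, then a forgotten one-off name six minutes later.
# 192.0.2.9 only ever addresses real accounts (the pin stays in).
SAMPLE_LOG = """\
2006-11-22 19:14:01 203.0.113.5 RCPT TO:<alice@example.net>
2006-11-22 19:14:01 203.0.113.5 RCPT TO:<qwzk3@example.net>
2006-11-22 19:14:02 203.0.113.5 RCPT TO:<sales@example.net>
2006-11-22 19:14:05 198.51.100.7 RCPT TO:<bob@example.net>
2006-11-22 19:20:30 198.51.100.7 RCPT TO:<oldreg2004@example.net>
2006-11-22 19:25:10 192.0.2.9 RCPT TO:<webmaster@example.net>
2006-11-22 19:25:10 192.0.2.9 RCPT TO:<bob@example.net>
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) RCPT TO:<([^>]+)>$")


class Event(NamedTuple):
    ts: datetime
    ip: str
    local: str      # local part of the recipient address
    valid: bool     # True if the recipient is an account we know exists


def parse_log(text: str) -> List[Event]:
    """Turn the constructed log into Event records; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        local, _, domain = m.group(3).rpartition("@")
        # Only addresses on our own domain can be checked against the account list.
        valid = domain.lower() == LOCAL_DOMAIN and local.lower() in VALID_ACCOUNTS
        events.append(Event(ts, m.group(2), local.lower(), valid))
    return events


def find_grenades(events: List[Event], min_hits: int = 2,
                  window: timedelta = timedelta(seconds=60)) -> Dict[str, datetime]:
    """Return {ip: time the grenade went off} for every IP that, inside `window`,
    addressed >= min_hits distinct recipients with at least one invalid among them."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)
    triggered: Dict[str, datetime] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until the burst fits inside `window`.
            while ev.ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            distinct = {e.local for e in burst}
            if len(distinct) >= min_hits and any(not e.valid for e in burst):
                triggered[ip] = ev.ts
                break           # first trigger is enough; later bursts don't matter
    return triggered


def rank_senders(events: List[Event]) -> List[Tuple[str, float, int]]:
    """RBL-style ranking: (ip, invalid_share, total_recipients), worst first."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # ip -> [invalid, total]
    for ev in events:
        totals[ev.ip][1] += 1
        if not ev.valid:
            totals[ev.ip][0] += 1
    rows = [(ip, inv / tot, tot) for ip, (inv, tot) in totals.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, when in find_grenades(evs).items():
        print(f"kaboom: {ip} at {when:%H:%M:%S}")
    for ip, share, total in rank_senders(evs):
        print(f"{ip:<14} invalid share {share:.2f} over {total} recipients")
```

With the defaults only 203.0.113.5 goes off; 198.51.100.7 reproduces the "forgotten rarely used account" case the post mentions and stays quiet because its two hits are minutes apart, while widening the window or dropping `min_hits` to 1 flags it too. The "corpse pile" review of what was blocked is left to whatever quarantine the mail system already has.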