
Re: Tarpit SPAM trap



At 11:08 AM 3/2/00 +0200, I. Forbes wrote:
>To give you an idea of the scope of the problem we have received 
>about eleven thousand bounces with the same forged address over 
>the last month.  All of the Spam was launched from AOL, and relayed 
>using a whole list of open relays - many in Eastern Europe and the 
>Far East.

That is egregious enough that I think you should file criminal charges.  I
think you need to get in touch with the FBI.  They have a computer crimes
task force now.  You don't have to be in the US to do this.  They are far
more attuned to the problem now after the recent spate of DOS attacks on US
websites.

The idea that there's nothing AOL can do to stop this doesn't hold water.  A
simple block of port 25 on the AOL network I think would wipe out 99% of the
SPAM coming through their network.  That would mean that all AOL customers
would be forced to send their mail through AOL's MX's where it could
effectively be monitored for SPAM.

>All of those bounce messages come from open relays, while they 
>are actively sending spam.  If I could run an effective DOS on them, 
>then the spammer who is sending the spam would find his 
>productivity gets hit quite hard.  Maybe he will notice and then 

It would be more effective to DOS the originating IP.  If the IP is still
up, it's easy to crash a dial-up connection.  Some of my favorites are
netcat, Ping of Death, Octopus.  I'm sure you can find a ton more.

Another cute one is a reverse SPAM DOS attack.  Send out a few thousand bad
emails (using bulkmail or something) using the spammer's IP for the return
address.  Oh the irony... :)

>Has anybody tried this before.  What resources do I have to have 
>available on my end to sink the other server without sinking my own?

You can set up a new machine on your network to act as a "suicide attacker",
a kamikaze box.  Its sole purpose would be to max out the sockets on the
offending IP.  This will of course also max out the kamikaze box.  That's
why you don't want to do it with one of your production machines.  If one
box isn't enough, set up more kamikazes.  Any hunk of junk 486 should do the
trick.  If the offender is a Win box, opening a ton of sockets should sink
it.  If a unix box, then recursively open connections on every port.  The
offender will soon have 150 Apaches running, a few thousand telnets,
SMTPs, FTPs, etc., depending on what it's running.

+-------------------------------------------------------------------+
|        -=I T ' S  P R I N C I P L E  T H A T  C O U N T S=-       |
|=-                  -=ALAN KEYES FOR PRESIDENT=-                 -=|
| Balanced Budgets     Personal Freedoms     Morality     Lower Tax |
|=--                  http://www.Keyes2000.com.                  --=|
+-------------------------------------------------------------------+
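The port-25 egress block proposed in the message above, written out as an added example; it is not part of the original post and not anything AOL deployed. It is an nftables ruleset (the modern replacement for the ipchains/ipfilter rules of 2000) for the filter at the edge of an ISP's access network. The customer dial-up pools (192.0.2.0/24, 198.51.100.0/24) and the ISP's own outbound mail relays (203.0.113.25, 203.0.113.26) are assumed documentation addresses, not real ones.

```nftables
# Added example, not from the original post. Addresses are assumed
# documentation ranges: customer pools and the ISP's own mail relays.
table inet smtp_egress {
    # Customer access pools: the hosts we do not trust to talk SMTP directly.
    set customer_pools {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    # The ISP's outbound relays (the "MX's" in the message): the only
    # destinations a customer may reach on TCP/25.
    set isp_relays {
        type ipv4_addr
        elements = { 203.0.113.25, 203.0.113.26 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Customer -> ISP relay on port 25: allowed, this is where the
        # relay's own spam filtering and logging sees the traffic.
        ip saddr @customer_pools ip daddr @isp_relays tcp dport 25 accept

        # Customer -> anything else on port 25 (an open relay in another
        # country, a victim's MX, ...): log with a prefix for the abuse
        # desk, count it, and reset the connection so the client fails fast
        # instead of hanging on a silent drop.
        ip saddr @customer_pools tcp dport 25 \
            log prefix "smtp-egress-drop " counter reject with tcp reset
    }
}
```

Load it with `nft -f` and watch the counter on the reject rule; a customer host racking up thousands of hits there is the bulk mailer the message describes. Note what the ruleset does not touch: TCP/587 (mail submission, which requires authentication) stays open, so legitimate customers who relay through a third-party provider are unaffected, and nothing here helps against a spammer who relays through the ISP's own mail servers; that is where the relay-side filtering the message alludes to has to do the work.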
