[oclug] Neutron bomb for spam
David F. Skoll
dfs at roaringpenguin.com
Tue Mar 5 14:20:23 EST 2002
On Tue, 5 Mar 2002, Dan Cardamore wrote:
> I'll have to check out SpamAssassin sometime, but I'd like to add one
> other really effective tool called "Razor".
SpamAssassin optionally uses Razor.
I am working on a neutron bomb against spammers. The basic idea is this:
- Message arrives, scan it with SpamAssassin.
- If it looks like spam, take the SHA1 hash of the first 8kB of the message
  body. Use this as a key to an incidents database.
- Look up the key in the database.
  - If not found, send a "452 Message looks like spam, awaiting verification"
    to the SMTP mail relay.
  - If status is 'pending', send the same SMTP temporary-failure code.
  - If the status is 'reject', send a 552 SMTP rejection code.
  - If the status is 'allow', allow the message through.
There will be a web-based interface to let spam administrators browse through
the trap once a day or so, and block or release messages. There will also
be an option to block hosts entirely.
Here's why it's a neutron bomb: The mail server sends SMTP
temporary-failure codes after the entire message has been transmitted.
That means the sending relay keeps retrying to send the message.
North American bandwidth is cheap; Asian bandwidth (where most of my
spam comes from) is expensive. Tempfailing the message has the
potential to increase the bandwidth consumption of open relays 10-100
times. It also clogs their mail spools. This gives open-relay owners
a little motivation, shall we say, to clean up their act.
If a large enough number of people adopt this method, it will become very
expensive to relay spam.
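
The lookup procedure described in the message above, sketched as an added Python example; it is not part of the original post and is not the author's software. Assumptions: the SQLite table and all function names are hypothetical, the SpamAssassin verdict is passed in as a boolean, a first sighting is recorded as 'pending', and the 552 text and 250 reply are made up for illustration.

```python
import hashlib
import sqlite3

HASH_PREFIX_BYTES = 8 * 1024  # the post hashes the first 8kB of the body

# The 452 text is from the post; the 552 text and the 250 reply are assumed.
TEMPFAIL = (452, "Message looks like spam, awaiting verification")
REJECT = (552, "Message rejected as spam")
ACCEPT = (250, "OK")


def open_incidents(path=":memory:"):
    """Create the incidents database (hypothetical schema)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS incidents (key TEXT PRIMARY KEY, "
        "status TEXT NOT NULL CHECK (status IN ('pending','reject','allow')))"
    )
    return db


def incident_key(body: bytes) -> str:
    # Bytes past the first 8kB are ignored, so copies of one mailing that
    # differ only in a long tail map to the same incident.
    return hashlib.sha1(body[:HASH_PREFIX_BYTES]).hexdigest()


def smtp_decision(db, body: bytes, looks_like_spam: bool):
    """Return the (code, text) reply to give after the message data arrives."""
    if not looks_like_spam:  # stand-in for the SpamAssassin scan result
        return ACCEPT
    key = incident_key(body)
    row = db.execute("SELECT status FROM incidents WHERE key = ?", (key,)).fetchone()
    if row is None:
        # Assumption: a first sighting is stored as 'pending' for later review.
        db.execute("INSERT INTO incidents (key, status) VALUES (?, 'pending')", (key,))
        db.commit()
        return TEMPFAIL
    # 'pending' (or anything unexpected) keeps tempfailing until reviewed.
    return {"reject": REJECT, "allow": ACCEPT}.get(row[0], TEMPFAIL)


def review(db, key: str, status: str):
    """Stand-in for the web interface: an administrator blocks or releases."""
    db.execute("UPDATE incidents SET status = ? WHERE key = ?", (status, key))
    db.commit()
```

Because a legitimate sender also retries on 452, a message wrongly flagged as spam is delayed until the next review pass rather than lost.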