BGP blackholing spam [was Spammer Bust]

• To: nanog@merit.edu
• Subject: BGP blackholing spam [was Spammer Bust]
• From: Randy Bush <randy@psg.com>
• Date: Fri, 5 Sep 97 23:08 PDT
• References: <199709051943.OAA07071@charon.milepost.com> <Pine.SGI.3.96.970905161243.4170D-100000@helix.nih.gov> <jelson@helix.nih.gov> <19970905233157.04913@scfn.thpl.lib.fl.us>
• Reply-To: randy@psg.com
• Sender: owner-nanog@merit.edu

Please excuse me, but I would like to turn this traditional spam topic
(often in form as well as content) into something operational.

Paul Vixie is doing something about spam which is technical, operational,
and which can be put into your router, a BGP feed to blackhole spam sites.
It is moving from prototype deployment towards production.  I can not guess
the resources it will take to maintain this effort, not so much maintaining
the feeds, but maintaining the list of spam source IPs.

So, my suggestions, and realize I have not talked to Paul about this (*)
(and i am only talking to actual bgp-speaking net ops here):

  o check out http://spam.abuse.net/spam/.

  o get a blackhole feed, maybe from someone downstream to decentralize the
    load.  the agreement is transitive, but you do still have to indemnify
    Paul, which seems quite reasonable to me.

  o offer to pass the blackhole feed on to help decentralize the load.  but
    be sure to see the indemnification is maintained.

  o encourage the largest bgpish folk who will listen to you to do the same.

  o send a donation to vixie enterprises' voluntary funds to help defray
    the costs they will surely incur maintaining these data.

randy


(*) if i talked to paul, that could make him liable for these suggestions.
    i have stepped on his toes before, and he still seems ambulatory, so
    what the heck, maybe this time i'll get him.

Re: BGP blackholing spam [was Spammer Bust]

• To: nanog@merit.edu
• Subject: Re: BGP blackholing spam [was Spammer Bust]
• From: Paul A Vixie <paul@vix.com>
• Date: Fri, 05 Sep 1997 23:53:51 -0700
• In-reply-to: Your message of "Fri, 05 Sep 1997 23:08:00 PDT." <m0x7E2v-0007zWC@rip.psg.com>
• Sender: owner-nanog@merit.edu

I enjoyed reading Randy's comments, as always.  Here's the fine print.

Blackholing spammers is tricky.  For instance, recently the professional
spammers got so good at locating third party relay sites that they no longer
have to overload other folks' relays in order to get the spam out.  So now
rather than finding one relay and handing it 50 envelopes each with 10,000
recipients, they find 500 relays and hand each one 1,000 envelopes each with
1 recipient.  They add random gibberish to each message body so that tight
checksums like MD5 won't be able to detect the duplicates.  (Yes, loose
checksums are available and they are being employed.)

What this means, though, is that third party relays are no longer being given
so much mail to deliver (by any given spammer, that is) that they come to us
(the anti-spam crowd) screaming for anti-relay solutions such as Eric Allman's
excellent http://www.sendmail.org/antispam.html logic.  Oh sure, the next day
or the next week the relay will be abused again, but now that it no longer
brings the relay (and its upstream link) to its knees, the operators of these
relays are feeling considerably less natural pressure to turn off third party
relaying.  Microsoft's Exchange 5.0 adds relay support and the default is ON.

So blackholing the spammers led them to relay their spam via third parties,
but like all naive parasites they failed to use any kind of quotas and they
irritated (in some cases killing) their host bodies.  Now they're smarter.

So now whenever I am spammed I blackholed the relay's /32 for ten days.  This
is twice the 5-day queue limit that Host Requirements recommends for mail, and
it is the Sendmail-8 default.  (Sendmail-5's default was 3 days -- ouch!)  I
often find that during the ten day blackhole period, a mail relay's operator
discovers that their connectivity isn't very good for some reason, and finds
out that I am the reason, and threatens to sue me.  At the moment there are
92 hosts in this ten day "holddown period" and while three of them have asked
how they can prevent third party relay in their mailers, two others have sent
official-looking letters with words like "cease" and "desist" in them.

The spammers are going to make it as hard as possible to block them.  For a
while they used to abuse "popular" relays and shell machines and so on, in the
mistaken belief that nobody would block a popular and necessary host resource
just to get stop spam.  I think I've told the story of the firebombing of
Dresden to at least a half dozen popular host resource owners in the last two
years.

Blocking relays stops spams in progress.  I've seen this happen often enough
that I know it's what I have to do.  But I've had two blackhole mirror sites
drop off the list because they could not afford to block somebody that I had
to block.  (There is of course a way to block my blocks, and several mirror
sites do that routinely.)

But blocking relays doesn't stop the phenomena of spam, in fact it doesn't
even slow it down.  Consider the fact that I only blackhole when I am myself
spammed.  Don't you think that if it were in a spammer's power they would try
to avoid spamming me?  Consider the fact that all Sendmails ever installed
(including the one you'd get right now from ftp.sendmail.org) allow full relay
between arbitrary sources and destinations, and that changing it is HARD.

Spammers do still send a lot of spam directly.  When I screwed the pooch in
a system upgrade to my anti-spam blackhole route server and had to spend two
hours "wide open" I was spammed *once* *a* *minute* by various nets which I
normally block.  So I know that the blackhole list does some good.  But it is
not a fix to the underlying problem, and while I have no direct economic
incentive to block spam, spammers perceive a very real and direct economic
incentive to send it to all of us.

So, yes, do sign up for the blackhole.  If half the ISP's in the country would
just refuse to exchange packets with most of AGIS's customers, maybe the other
half would feel so much pain that they would come along for the ride.  (Right
now AGIS picks up a huge amount of business since disconnected spammers always
end up buying connectivity from AGIS when noone else will sell it to them.)
Who knows, perhaps we can isolate the spammers so they can only spam eachother.

But be aware that blackholing people, especially on my say so, will lead you
to get complaints from your users about unreachability, and complaints from
other ISP's users about unreachability, and that while these are probably
fewer complaints than you're getting right now about spam, the war won't be
over until the last spammer's head is stuck onto a spear at the city limits.
If you want to blackhole spammers, I can help.  But it's NOT a magic bullet.

Now as to money.  I've hired somebody to do the paperwork of signing up new
eBGP4 anti-spam routing feed recipients.  I will shortly start charging some
kind of quarterly fee to said recipients to cover some of my costs.  If you
decide to start feeding each other, just make sure that the route origin is
always my server since I need to be able to revoke a black hole route in real
time whenever (a) I make a mistake or (b) somebody calls me asking for help
with their spam problem and they are on my blackhole list.  If you cache this
data or disconnect it from its source, I'm still liable for the business
losses of blackholed network owners even though I won't have any control over
continued propagation.  Don't put me in that position, please.

I am also getting ready to start work on my company's next commercial product,
and it looks like a spam filtering SMTP gateway is going to be it even though
I've got this drop-dead idea for optimal HTTP redirects that I've been wanting
to implement for about the last 14 months.  Oh well, "follow the money."