[geeks] Anti-Spammer Tool

Jonathan C. Patschke jp at celestrion.net
Sat Apr 6 03:37:25 CST 2002


On Sat, 6 Apr 2002, Greg A. Woods wrote:

> Please please PLEASE do not implement any such thing without putting in
> VERY carefully tested controls to limit the number of e-mails it can
> send to a given address over a given period of time.

It's a script.  It can be amended.  It's not like it's set-in-stone.  
It's also a "cobbled it together in a couple of hours as a
proof-of-concept" script.  Lighten -up-, eh?  Batching the complaints is a
very good idea, and I'd even considered implementing it, but I wanted some
(useful) opinions on the general idea of the script first.

I guess I'll mark you in the "no" column, then.

It wouldn't be -that- hard to collate responses by netblock and batch-send
the complaints at the end of the week.  I just haven't gotten to it yet.

> As it is it sounds like your script is a perfect D.o.S. tool, and if you
> were to convince a significant number of people to implement it then it
> would become a D.D.o.S. tool of increasingly drastic proportions as it
> spread about.

Given that WHOIS queries take several seconds (adding severe latency), and
that the mail is entered into the local queue, rather than sent
immediately (the script doesn't implement SMTP), it'd be a very
ineffective DoS tool.  Also, you'd have to be quite a bit of a moron to be
DoSing your -own- ISP with messages that essentially say "kick me off your
network as I am a very naughty boy."

And, if you're talking about a DoSer hosting it on a server with the
intent to mass-spam a lot of folks, that's already being done, and it's
not as if you need a script to /usr/bin/mail Abuse at aol.com < bigtext.txt.
There are plenty of SMTP servers capable of running under Windows, and,
failing that, you can always install $unixClone and run the SMTP daemon of
your choice.

> Those of us on the receiving end of such e-mails will quickly firewall
> any such incoming messages if we even suspect they'll run rampant.  I
> cannot afford to have noise about such innocuous activities clogging my

Spamming others via formmail.pl is not innocuous.  It made CERT.  It made
SecurityFocus, and people are -doing it- right bloody now in an attempt to
spam people.  There is even well-founded suspicion that a commercial
mass-mailing program uses it as a transport!

> mailboxes and taking my time away from real problems.

If your users abusing my network isn't a "real problem" for you, it's my
opinion that you need to hang up your keycard.  Either that or others'
users abusing your network shouldn't be a "real problem", either.  It's
not as if it takes -so- -long- to cut someone's access that it would take
you away from your valuable work.  Regardless of how brilliant you are or
what standards you helped push through, if you encourage (or fail to
discourage) unwanted misuse of someone's network, you are doing the 'net
far more harm than good.

If your job as a system manager isn't to prevent the abuse (and thus
increase the effective utility) of your network and others, and to
prevent your users from abusing others' networks, pray tell, what -is- it?

> Most of us don't really have any ability to do anything about such
> activities either.

Yeah, those AUPs are such a bore (all that lawyerspeak, blech), and you
couldn't possibly remove the user from your network (sans refund) for
using your bandwidth to make someone else's life miserable.  That'd just
be silly.  That'd be like taking someone's driver's license away for being
a nuisance on the highway or driving on the median to circumvent traffic.

> Such scanning is not illegal and it's not even damaging (unless the
> little beggars find an exploitable script, but of course in that case

RTFA.  Then RTFS to see what it actually does and why it exists, and why
this particular wave of CGI-exploit is hitting my server more than Code
$color ever did.  This isn't about scanning.  People portscan me all the
time, and I couldn't care less.

I suppose it could -technically- be considered a scan since they don't
-know- whether my server is wide-open or not, but, unlike a portscan, the
attempted result isn't to get info for an attack later (which, like
surveying a store to shoplift, isn't illegal), it's to steal service via
spam (which, like stealing a coat from a store to see if you can get away
with it, is illegal).

> half the blame lies with the lame-o webmaster who left it
> exploitable).

Yeah, morons exist.  So do scumbag spammers.  One of those classes of
people is -trying- to be a pain in the ass.  The other just doesn't know
any better.  While both will probably be around until way past when the
64-bit time_t rolls over, one is a hell of a lot more gratifying to LART.  
The other will usually either buy/rent/steal a clue, or will get out of
the business "because it's too hard".

> Please limit those e-mails to at most one per week (or even longer), and
> keep them to as short a summary as humanly possible!

The source is there.  Feel free to implement it and submit a patch, and if
you can submit it without growling about it, I might even apply it.  I'll
do it if/when I get around to it.  Also, if you'd read the script, you'd
realize that the entire message may be shortened or lengthened as your
heart desires.  The default is fairly short, I think.

> On the other hand it might be best if you simply destroy your script and
> forget you ever wrote it.

Hmm.  I've already posted it on the 'net, and it's been downloaded about
50 times already.  I guess I have no recourse other than to track those
bastards down, take their computers away from them, and make them sit in a
corner and think about what they've done.  Trying to destroy the 'net; how
-dare- they!

> Such a thing is pretty much useless for achieving the desired result
> -- it'll more than likely cause the opposite reaction to what you
> desire.

I don't know.  If I were getting N abuse reports a day (where N > 2) about
the same user, I'd probably walk to their house and repossess their modem
personally.  But, I believe in "hands-on" network/user management.

> (Not that dozens of others haven't done very much the same already --
> why else would I be complaining about this?  Such scripts have been a

You know, you're -right-.  I've never known you to complain about
-anything- before.  Especially not in a way that's overly abrasive or
condescending in a "you don't know a damned thing, and I am your God, you
pathetic, sniveling maggot" tone.

I'd remove the script right now, but, since typing "rm" takes both hands,
and I'm clearly holding the crackpipe in one of them, I'm afraid I can't
oblige.

> very real problem for me and some of my clients!)

The problem couldn't very-well be that your users are asshole spammers,
could it?

> Well of course!  What do you expect?  There have been NUMEROUS warnings

Well, you know, I might be a fool, but I -expect- that, if people actually
had legitimate business on my website, they'd be downloading the resources
that already exist, rather than trying to probe for things that were
mentioned on the cracker lines as the newest "exploitz".  I'd also expect
that, since it's a -web- server, folks wouldn't be trying to send mail to
-AOL- customers through it.  And, you know, if they're doing things that
-clearly- are illegitimate on my server, and are doing it about 100 times
a day, I think someone at their ISP needs to know.

If my customers were poking your server in ways you didn't like, I'd want
to hear about it and put an end to it.  But, hey, you've already told me
that I don't know anything about administering DNS and mail servers,
so there's a good chance that I'm totally worthless at a keyboard.

> of late in many forums about how stupidly lame and poorly written the
> commonly used formmail.pl CGI script is.  Spammers love such crap.

Yeah, and if gang-banging formmail.pl gets spammers kicked off their
networks, rather than helping them "Make $$$$ Fa$t!", maybe they'll not be
exploiting that crap as much.  This is "looking out for others", as
opposed to "laughing at the foolish twit who isn't as bright as I am."

There's a lot of egg on a -lot- of admins' faces because just about every
CGI/HTML book on the planet references formmail.pl[1], and customers
-demand- it, and if you don't give it to them, they -demand- it of your
boss, and then the shit's -really- in your lap.  And, you know what,
sometimes the boss cares more about "keeping the customer happy" than
whether some theoretical security hole exists.  Therefore, I think it's
more fruitful to discourage spammers' use of formmail.pl by putting a
little piss in their well than to try and fight an entire generation of
web weenies that won't learn CGI on their own[2].

That said, feel free to block my mailserver from yours, should you feel
that the presence of my 10k shell script might fill your spool discs to
capacity and that my T1 might bring your network to a halt the next time
the penis-enlargement spams come around.  I think you're just being a tad
paranoid.

--Jonathan
[1] And if "Learn to be a l337 Webmaster in 24 hours" says that it's okay,
    it's gotta be okay!
[2] Yes, moving the recipient data into the script instead of passing it
    as a variable fixes the problem in formmail.  No, I don't think most
    users are capable of doing that.  As a result, sysadmins who either
    don't know better, have bosses who -really- don't know better, or
    don't want to support a near-infinite number of customized formmail.pl
    scripts will continue to deploy it unaltered.
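The fix footnote [2] describes, shown as an added example that is not formmail.pl and not anything from this thread: a form-to-mail handler in which the client names the recipient (so anyone who can POST to it can relay to anyone, which is exactly the spam abuse the post complains about) beside the same handler with the recipient fixed in the script. The address `webmaster@example.invalid`, the field names and the `render` helper are constructed for the example; the CRLF check on client-controlled headers is an additional hardening step not discussed in the post.

```python
"""Form-to-mail handler: client-chosen recipient versus hard-coded recipient.

Hypothetical example code; the site address, field names and message
format are constructed and are not those of formmail.pl.
"""

# Constructed: the one address the site actually wants form mail delivered to.
SITE_RECIPIENT = "webmaster@example.invalid"


def build_vulnerable(fields):
    """Original-style behaviour: whoever submits the form picks the recipient.

    Because 'recipient' is a request parameter, the handler is an open relay:
    the web server ends up sending mail to arbitrary third parties.
    """
    return {
        "to": fields["recipient"],
        "from": fields.get("email", "nobody@example.invalid"),
        "subject": fields.get("subject", "Web form submission"),
        "body": fields.get("body", ""),
    }


def _clean_header(value):
    """Reject line breaks in client-controlled header values.

    Extra hardening beyond the footnote: a newline inside From: or Subject:
    would otherwise let the client append headers of its own to the message.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value")
    return value


def build_hardened(fields):
    """Footnote [2] fix: the recipient lives in the script, not in the form.

    Any 'recipient' field the client sends is simply ignored, so the handler
    can only ever deliver to SITE_RECIPIENT.
    """
    return {
        "to": SITE_RECIPIENT,
        "from": _clean_header(fields.get("email", "nobody@example.invalid")),
        "subject": _clean_header(fields.get("subject", "Web form submission")),
        "body": fields.get("body", ""),
    }


def render(msg):
    """Serialise the envelope as a plain RFC 822-style text message."""
    return (
        f"To: {msg['to']}\n"
        f"From: {msg['from']}\n"
        f"Subject: {msg['subject']}\n"
        f"\n{msg['body']}\n"
    )


if __name__ == "__main__":
    # Constructed form submission of the kind a spammer would send: the
    # recipient is a third party who never asked for this mail.
    submission = {
        "recipient": "someone@aol.example",
        "email": "spammer@example.invalid",
        "subject": "Make $$$$ Fa$t!",
        "body": "...",
    }
    print(render(build_vulnerable(submission)))  # delivered to someone@aol.example
    print(render(build_hardened(submission)))    # delivered to the webmaster only
```

The hardened variant does not validate or reject the `recipient` field; it never reads it, which is the point: the site operator, not the form, decides where mail goes, and there is nothing left in the request for a spammer to steer.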

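The control asked for at the top of the thread (a cap on how many complaints a given abuse address receives per period) together with the batching by netblock that the reply says would not be hard to add, as an added example in Python rather than the original shell script; none of this is the script discussed in the thread. The `ABUSE_CONTACTS` table is a constructed stand-in for the WHOIS lookup, the netblocks and addresses are documentation ranges, and `ComplaintBatcher` is a hypothetical name.

```python
"""Rate-limited, per-netblock batching of abuse complaints.

Hypothetical example; the contact table replaces a live WHOIS lookup so the
code runs offline, and all addresses and netblocks are constructed.
"""
import ipaddress
from collections import defaultdict

WEEK_SECONDS = 7 * 24 * 3600

# Constructed stand-in for WHOIS: netblock -> abuse contact.
ABUSE_CONTACTS = {
    ipaddress.ip_network("192.0.2.0/24"): "abuse@isp-a.example",
    ipaddress.ip_network("198.51.100.0/24"): "abuse@isp-b.example",
}


def abuse_contact(ip):
    """Return (netblock, contact) for an address, or (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, contact in ABUSE_CONTACTS.items():
        if addr in net:
            return net, contact
    return None, None


class ComplaintBatcher:
    """Collect abusive requests and emit at most one report per contact per period.

    Requests are grouped by the netblock they came from; a flush sends one
    summary per group, and a contact that was reported to less than `period`
    seconds ago keeps accumulating instead of receiving another message.
    """

    def __init__(self, period=WEEK_SECONDS):
        self.period = period
        self.pending = defaultdict(list)   # (netblock, contact) -> [(ts, ip, detail)]
        self.last_sent = {}                # contact -> timestamp of last report

    def record(self, ip, ts, detail):
        """Queue one abusive request; returns False if no contact is known."""
        net, contact = abuse_contact(ip)
        if net is None:
            return False
        self.pending[(net, contact)].append((ts, ip, detail))
        return True

    def flush(self, now):
        """Return [(contact, summary_text)] for every group due to be reported."""
        reports = []
        for (net, contact), events in list(self.pending.items()):
            last = self.last_sent.get(contact)
            if last is not None and now - last < self.period:
                continue                   # still inside the per-contact window
            first, last_ts = min(e[0] for e in events), max(e[0] for e in events)
            sources = sorted({e[1] for e in events})
            sample = events[0][2]
            summary = (
                f"{len(events)} abusive request(s) from {net} between "
                f"t={first} and t={last_ts}; sources: {', '.join(sources)}; "
                f"example: {sample}"
            )
            reports.append((contact, summary))
            self.last_sent[contact] = now
            del self.pending[(net, contact)]
        return reports


if __name__ == "__main__":
    # Constructed log of probes against the form-mail script.
    batcher = ComplaintBatcher(period=WEEK_SECONDS)
    batcher.record("192.0.2.10", 1000, "POST /cgi-bin/formmail.pl")
    batcher.record("192.0.2.11", 1060, "POST /cgi-bin/formmail.pl")
    batcher.record("198.51.100.7", 1100, "POST /cgi-bin/formmail.pl")
    for contact, text in batcher.flush(now=2000):
        print(contact, "<-", text)        # hand each line to the local mail queue
```

Keeping the message in `flush` to a one-line count, range and source list follows the request further up the thread for a short summary; the first request detail is kept so the recipient can tell a formmail probe from a port scan without reading a full log.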