[geeks] Anti-Spammer Tool

Greg A. Woods woods at weird.com
Sat Apr 6 15:46:21 CST 2002


[ On Saturday, April 6, 2002 at 03:37:25 (-0600), Jonathan C. Patschke wrote: ]
> Subject: Re: [geeks] Anti-Spammer Tool
>
> It's a script.  It can be amended.  It's not like it's set-in-stone.  

Hmmmm... at least until other people start using copies outside your
control.

> It's also a "cobbled it together in a couple of hours as a
> proof-of-concept" script.  Lighten -up-, eh?  Batching the complaints is a
> very good idea, and I'd even considered implementing it, but I wanted some
> (useful) opinions on the general idea of the script first.

Batching of complaints is a _necessary_ feature.

> Given that WHOIS queries take several seconds (adding severe latency), and
> that the mail is entered into the local queue, rather than sent
> immediately (the script doesn't implement SMTP), it'd be a very
> ineffective DoS tool.

So you might think.  Your mailbox obviously hasn't been repeatedly
filled with the results of scripts like yours.

>  Also, you'd have to be quite a bit of a moron to be
> DoSing your -own- ISP with messages that essentially say "kick me off your
> network as I am a very naughty boy."

Maybe you'd be surprised at what happens out here in the trenches.....

> Spamming others via formmail.pl is not innocuous.  It made CERT.  It made
> SecurityFocus, and people are -doing it- right bloody now in an attempt to
> spam people.  There is even well-founded suspicion that a commercial
> mass-mailing program uses it as a transport!

If you're not running a formmail CGI script then attempts to find one on
your server certainly are innocuous!  Get a life!  If you've got nothing
better to do than wring your hands over a few silly log entries then
you're really in very sad shape.  Oh, what am I saying?  You're not only
wringing your hands over such silliness -- you've written a bloody
program to help you do it!  Jeezus -- what a waste of talent.....

> If your users abusing my network isn't a "real problem" for you, it's my
> opinion that you need to hang up your keycard.

Until/unless you've written an acceptable use policy that you've
convinced a large number of users to agree to in conjunction with their
paying you money for the privilege, let's just say your definition of
"abuse" is way out there in your own private region of hyperspace.

If one of my (client's) users happens to knock your server completely
off the Internet with a packet-based D.o.S., or has actually broken into
it _and_ done some damage (retrieved private files, deleted or changed
data, or otherwise adversely affected its operation), then I'll agree he
or she has "abused" your network.  Until then don't bug me about
innocuous events I literally cannot do anything about.

Otherwise it's your choice to run a web server -- if you don't like
people opening connections to it and sending requests to it, then I
would suggest you simply take it off line and save everyone a whole lot
of time.  This _is_ the Big Bad Internet.  You _will_ be scanned.  You
_will_ be probed.  You can either sit there with your head spinning
around spewing puke about such nonsense (which in this neighbourhood will
only annoy anyone in range and cause them to fight back), or you can
ignore it with good natured understanding and get on with the real
reasons you've decided to take such risks and participate in this rather
wild and rambunctious playground we call The Internet.

> RTFA.  Then RTFS to see what it actually does and why it exists, and why
> this particular wave of CGI-exploit is hitting my server more than Code
> $color ever did.  This isn't about scanning.  People portscan me all the
> time, and I couldn't care less.

Yes, it is about scanning.  Entirely and only in this case.  Until you
install a formmail script and it is actually abused you have absolutely
no evidence of any kind about the intentions of such connection
attempts.  That's the way the real world works.

(and if you think I like spammers or spam then you haven't a single clue)

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>


