RE: CRIME Spammers beware

From: Dorning, Kevin E - DI-3 (kedorning@private)
Date: Thu Aug 29 2002 - 12:51:50 PDT


    We have been laboring over the SPAM issue for as long as anyone I suppose,
    and have tried multiple methods for relief.
    I would agree that one of the most effective ways of dealing with SPAMmers
    is to cut them off at the source when possible.  I have found that most ISPs
    and domain registration authorities are very cooperative in dealing with
    the problem.
    
    The question we have really been working on though is how to stop the stuff
    before it hits the clients desktop.
    
    There are all kinds of services available to assist you, but all that we
    have looked at until recently required a lot of work on our part to keep
    them up to date, and have had marginal success.
    
    Recently, one of our techs advised me of Distributed Checksum Server (DCC).
    We ran some off-line tests, then some limited production tests to be sure
    that it wouldn't cause us problems, and are now running full production.  We
    have seen a significant reduction in the amount of SPAM that actually gets
    past DCC into our network.  Tolerances can be tuned to the level you
    desire.  Participation in the worldwide DCC server community allows
    automatic updates without a lot of effort.  Frankly, most of our effort
    these days is in making sure that we get our legitimate newsletters, etc.,
    that exceed count thresholds.
    
    Here is Andy's write up on it:
    
    The Distributed Checksum Clearinghouse (DCC) is a method of finding spam by
    making a checksum out of the email and storing the number of times it's been
    received.  It's free (open-source), and plugs right into your current
    Sendmail configuration.  When we get an email, the DCC client in Sendmail
    makes a checksum (number based on the message's size and content) out of the
    message and sends it to a server.  The server keeps a count of each checksum
    received and returns the current number of times it's received that
    checksum.  If it's a bulk message, the count will be high and the client can
    then delete it, archive it, or whatever.  The matching is "fuzzy" to protect
    against so-called "personalized" spam, random characters in the message or
    subject line, and slightly different wording.  According to the
    documentation, the additional traffic generated is lower than a nameserver
    query, and we can ensure maximum security for it in the same way we do for
    nameservers.
    
    By linking servers, a single DCC server can become vastly more powerful.
    Alone, our server could still knock out "routine" spam such as the stuff
    from "L.U.C.I.D" and certain porn sites, since it repeats itself and would
    quickly exceed whatever count we set.  But if we link our server with other
    DCC servers on the Internet, we can catch all kinds of spam; as soon as a
    site with DCC gets spammed, all the other servers linked to it quickly know
    about the spam and get a high count.
    
    They have a testing script on one of their servers, which I'll give the link
    to at the bottom of all this.  I've tested all the mail in my test account
    on it (since I can save the headers there), both personal and spam.  So far
    I've got a 100% accuracy rate.  I noticed that it returns three different
    checksum checks, so even if some things are different, one of them has
    always caught the spam.  I notice that MAPS (the spam blackhole) is also
    using it, which makes for some impressive credentials.
    
    The nature of DCC is such that it can be tested on a production machine
    without client impact (by having it passively log the headers of emails that
    it classifies as bulk).
    
    Links
    Home Page: http://www.rhyolite.com/anti-spam/dcc/
    Their Test Script: http://www.rhyolite.com/cgi-bin/dccproc-demo 
    
    
    Kevin E. Dorning
    Cyber Security Program Manager
    Office of the CIO  DI-2
    Bonneville Power Administration - USDOE
    
    
    
    -----Original Message-----
    From: T. Kenji Sugahara [mailto:sugahara@private]
    Sent: Thursday, August 29, 2002 10:22 AM
    To: 'crime@private'
    Subject: CRIME Spammers beware
    
    
    "New" method to fight Spam
    
    "After realizing that all registrars are required to keep accurate 
    information, Mr. Murdock said he did a whois search on the domain of a 
    particularly offensive spammer. He sent e-mail to the registered owners 
    of the domain and when they bounced back, forwarded the information to 
    their registrar. Generally, domain holders are required to notify their 
    registrar of any address or information changes within 48 hours or risk 
    having their accounts frozen. The result? The account was frozen and the 
    domain is now inaccessible."
    
    Source:  http://www.eweek.com/article2/0,3959,491395,00.asp
    
    If you have time... great way to stop spammers.  It's a heck of a lot 
    better than having to constantly update your filters.
    
    T. Kenji Sugahara
    Chief Operating Officer
    counterclaim
    Phone:  541-484-9235
    Fax:  541-484-9193
    
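As an added illustration of the mechanism Andy's write-up describes (a checksum per message, a server that counts sightings, fuzzy matching that survives personalization and random junk, linked servers sharing counts, whitelisting of legitimate newsletters, and a passive log-only mode), the following Python is a toy model written for this page. It is not the rhyolite.com DCC code and its three checksums are simplified stand-ins, not DCC's real algorithms; the threshold of 3, the server names, the whitelist and all sample mail are constructed assumptions.

```python
"""Toy Distributed Checksum Clearinghouse (DCC)-style bulk-mail detector.

Added example modelling the mechanism described in the thread; it is not
the rhyolite.com DCC implementation and its checksums are simplified stand-ins.
"""
import hashlib
import re
from collections import Counter

BULK_THRESHOLD = 3  # assumed: a checksum seen >= 3 times is treated as bulk


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def checksums(body: str) -> dict:
    """Three checksums over one message body, from strict to fuzzy.

    'body' - exact content; only identical copies collide.
    'fuz1' - lower-cased letters only: whitespace, punctuation, digits and
             random junk strings drop out.
    'fuz2' - only all-lowercase alphabetic words: greeting names, SHOUTED
             words and tokens containing digits drop out, so personalized
             copies of one template collide.
    Simplified stand-ins for DCC's real checksums, not its algorithms.
    """
    letters = re.sub(r"[^a-z]", "", body.lower())
    words = re.findall(r"\b[a-z]+\b", body)  # case-sensitive on purpose
    return {
        "body": _digest(body),
        "fuz1": _digest(letters),
        "fuz2": _digest(" ".join(words)),
    }


class Clearinghouse:
    """Counts how often each checksum has been reported by clients."""

    def __init__(self, name: str):
        self.name = name
        self.counts = Counter()

    def report(self, sums: dict) -> int:
        """Record one sighting of each checksum; return the highest count seen."""
        for value in sums.values():
            self.counts[value] += 1
        return max(self.counts[v] for v in sums.values())

    def flood_to(self, other: "Clearinghouse") -> None:
        """Toy stand-in for DCC server linking: push our counts to a peer once."""
        other.counts.update(self.counts)  # Counter.update adds the counts


def filter_message(msg: dict, server: Clearinghouse, whitelist: set,
                   threshold: int = BULK_THRESHOLD, log_only: bool = False) -> str:
    """Return 'deliver', 'bulk-logged' or 'reject' for one inbound message.

    Whitelisted senders (legitimate newsletters that exceed the count) are
    delivered without being reported, so they cannot skew the server's counts.
    log_only models the passive production test from the thread: bulk mail is
    only logged, never held, so clients see no change.
    """
    if msg["from"] in whitelist:
        return "deliver"
    count = server.report(checksums(msg["body"]))
    if count < threshold:
        return "deliver"
    return "bulk-logged" if log_only else "reject"


# Constructed sample traffic (not real mail): one spam template, personalized
# per recipient and tagged with a random string to defeat exact matching.
SPAM_TEMPLATE = ("Hello {name},\n\nLOW MORTGAGE RATES for everyone who acts today.\n"
                 "Reply now to lock in 3.9% APR before it expires.\nRef: {tag}\n")
SPAM_COPIES = [
    {"from": f"offer{tag}@mortgage.example", "body": SPAM_TEMPLATE.format(name=n, tag=tag)}
    for n, tag in [("Kevin", "a8F3k"), ("Seth", "ZZ91q"), ("Andy", "p0Qm7"), ("Dana", "x41Tr")]
]
NEWSLETTER = {"from": "digest@crime-list.example",
              "body": "CRIME list digest for this week: two posts on IDS, one on spam.\n"}
PERSONAL = {"from": "alice@example.org", "body": "Kevin, are we still meeting at 2?\n"}


def run_demo() -> dict:
    """Feed the constructed traffic through two linked servers; return verdicts."""
    site_a, site_b = Clearinghouse("site-a"), Clearinghouse("site-b")
    whitelist = {"digest@crime-list.example"}  # assumed whitelist
    verdicts = {}

    # Site A sees three personalized copies: only 'fuz2' collides, and the
    # third copy crosses the threshold.
    verdicts["spam_at_a"] = [filter_message(m, site_a, whitelist) for m in SPAM_COPIES[:3]]
    # 50 subscribers receive the identical newsletter; whitelisting keeps it flowing.
    verdicts["newsletter"] = [filter_message(NEWSLETTER, site_a, whitelist) for _ in range(50)]
    verdicts["personal"] = filter_message(PERSONAL, site_a, whitelist)

    # Linking: site A floods its counts to site B, so B flags the very first
    # copy it sees; B runs in log-only mode, as in a passive production test.
    site_a.flood_to(site_b)
    verdicts["spam_first_seen_at_b"] = filter_message(
        SPAM_COPIES[3], site_b, whitelist, log_only=True)
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The exact 'body' checksum differs for every copy, and 'fuz1' still differs because the greeting name changes; only the word-level 'fuz2' checksum is stable across the four copies, which is the point of having several checksums per message. Whitelisting by sender is deliberately checked before reporting, mirroring the effort described above to keep legitimate high-volume newsletters flowing.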



    This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 13:15:52 PDT