December 10th, 2003


Spam holes,

Last night I ended up having a discussion with a friend of elmyra who's staying on our floor at the moment. The discussion went over all sorts of topics, but the interesting one centered on "spamholes". The system they've got set up isn't quite what we ended up coming up with, since at the time I hadn't read the site; the topic came up and we started bouncing ideas around.

As we saw it, spammers tend to use open relays; how do they find such things? Port scanning, and trawling MX records. So what could be done about this? You'd need to find a way to "contaminate" the MX records, which would be a large problem in and of itself. BUT you'd also need to find a way to do something about the random port scanning.

Who LEGITIMATELY attempts to connect to port 25, if they're not your ISP checking for open relays? Assuming that your MX records are set up properly and don't point to your "spamhole", NO-ONE. And you'd hope that any port scanning by your ISP would be from a machine OTHER than their mail servers, so if they got blacklisted by mistake, oh well.

So you'd end up with a list of IPs from which spam originates; hmm, RBL time. (Probably time-limited so that people can become un-listed.) This list would include trojaned machines and actual spammers.

You'd also end up with a PERFECT source for training things like Vipul's Razor, Pyzor, DCC, etc.

This wouldn't eliminate spam, BUT it would increase the effectiveness of other tools like SpamAssassin, and you could possibly just use the RBL as a method for 550-ing on your real email servers.

This solution just seems too elegant; we must've missed something, but can anyone think what?

(BTW, you wouldn't let ANY mail actually get past the "spamhole".)
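To make the idea concrete, here is an added sketch (not code from the original post or from the spamhole site) of the two pieces the design needs: a minimal SMTP session that accepts whatever a connecting client hands over without ever delivering it, and a listing that expires on its own so that un-listing happens by itself. The class names, the one-week TTL and the reply strings are assumptions made here; the source IP is listed only once a message has actually been handed over, which is a stronger signal than a bare connection.

```python
import time

LIST_TTL = 7 * 24 * 3600  # how long a listing survives, in seconds (assumed value)

class ExpiringList:
    """Maps IP -> expiry time; a repeat hit refreshes it, so listings age out."""
    def __init__(self, ttl=LIST_TTL):
        self.ttl, self._entries = ttl, {}
    def record(self, ip, now=None):
        self._entries[ip] = (time.time() if now is None else now) + self.ttl
    def is_listed(self, ip, now=None):
        now = time.time() if now is None else now
        exp = self._entries.get(ip)
        if exp is not None and exp > now:
            return True
        self._entries.pop(ip, None)  # expired or never listed: forget it
        return False

class Spamhole:
    """One SMTP session with the honeypot. feed(line) returns the reply to send,
    or None while the client is still streaming the message body. Every message
    is captured for filter training; nothing is ever delivered or relayed."""
    def __init__(self, peer_ip, listing, captured):
        self.peer_ip, self.listing, self.captured = peer_ip, listing, captured
        self.in_data, self.body = False, []
    def greeting(self):
        return "220 mail ready\r\n"
    def feed(self, line):
        if self.in_data:
            if line == ".":  # end of DATA: list the source IP and keep the message
                self.in_data = False
                self.captured.append((self.peer_ip, "\n".join(self.body)))
                self.listing.record(self.peer_ip)
                return "250 queued\r\n"  # deliberately untrue; the message goes nowhere
            self.body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return None
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 spamhole\r\n"
        if verb in ("MAIL", "RCPT"):  # accept any sender and recipient, as an open relay would
            return "250 ok\r\n"
        if verb == "DATA":
            self.in_data, self.body = True, []
            return "354 go ahead\r\n"
        if verb == "QUIT":
            return "221 bye\r\n"
        return "500 unknown command\r\n"
```

The captured (ip, message) pairs are what you would hand to Razor, Pyzor or DCC, and `is_listed` is the lookup your real mail servers would do before 550-ing a connection.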