[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Curbing SPAM - any ideas!
On Sun, Dec 01, 2002 at 02:26:31PM +0000, Fisayo Adeleke wrote:
> In recent I have been receiving many complaints of my customers network
> originating SPAM mails. These customers will also claim they run Internet
> cafes and as such do not know what people send and stuffs .... and since
> they mainly use web based emails, it's knda hard to curb. Anyone got an
> idea of how this can be curbed or stopped - apart from terminating my
> customers access to the internet which most of these complainants demand
> you do?
Well, it's an option you should consider seriously. If these "customers" are
costing you money in dealing with complaints, your reputation, and possibly
your connectivity to the Internet if you get included on lists of 'spam
havens', then you might be better of without them. Let your competitors deal
with the pain. Your 95% of well-behaved customers will get a better service
as a result, which means you will attract the good customers away.
Now, that means making your direct customers (internet cafes) responsible in
turn for the behaviour of their users - i.e. having a clear code of conduct,
monitoring usage, and enforcing it on their users.
It's difficult sending spam from a web browser (where by 'spam' I presume
you're not talking tens of messages, you're talking thousands). Presumably
these people are bringing in their own laptops, plugging them in, and
running spam-sending software? Monitoring this behaviour should be easy
enough. Simply counting the SYN packets to TCP port 25 will tell you how
many SMTP connections they are making per minute.
There are some technological methods which may be helpful as a second line
of defence, but they don't eliminate the need for policies, and the
monitoring and enforcement of those policies.
Examples:
- If you block TCP port 25 outbound except to your own mail relays (or use a
layer 7 switch to transparently redirect all port 25 traffic to your own
mail relays), you will force people to use your relays and therefore get
better logging and monitoring of their usage. Spotting spammers 'in the act'
is a matter of a script to count mails delivered per IP per minute.
- Once you have done that, exim has a mechanism for rate limiting SMTP
traffic. You can put (say) a 1 second delay per RCPT line, with this
increasing by 5% per message. Anyone sending a reasonable amount of mail
will see little degradation, but spammers get caught in treacle.
- Something we do in the company where I work is that if a spammer is caught
"in the act" we block all dial-ups from that person's phone number, using
the Calling-Station-Id attribute in RADIUS (you will need to be
interconnected digitally to get this). It is possible for a person to
withhold their CLI when dialling in - however in that case we use a RADIUS
attribute to install a filter on the NAS blocking all TCP port 25 traffic.
Hence they can browse but not send E-mail.
This idea is important in the UK where people can sign up for "disposable"
free accounts. If you have a billing relationship with all your users,
and/or don't have on-line signup with immediate access, then this is less
likely to be an issue for you. Is also not relevant for dedicated-line
access.
But remember that there are many ways to skin a cat. Some spammers hijack
web servers running old versions of the "formmail.pl" CGI script to relay
their spam - they only need access to TCP port 80 for that. There is in
general no technical solution which can block all spamming activity.
The most important thing from a technical point of view is to keep your
RADIUS accounting logs for a reasonable period of time, and keep your RADIUS
server and mail server clocks accurate using ntpd or ntpdate - this ensures
you can tie a dynamic IP address at a point in time to a particular user.
But most important of all, you need to make it absolutely crystal clear to
all your users that spamming will not be tolerated - include your Acceptable
Usage Policy by reference into the *contract* for service that they have
with you. And yes, if they abuse your service and your trust and the trust
of people elsewhere on the Internet, terminate their access.
Cheers,
Brian.
-----
This is the afnog mailing list, managed by Majordomo 1.94.5
To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)
This list is maintained by owner-afnog at afnog.org