|
|
| Author |
Message |
| 25 new of 149 responses total. |
cross
|
|
response 25 of 149:
|
Jan 4 15:17 UTC 2006 |
You can control access to the SMTP port on the localhost interface using
PF. Access to the sendmail binary can be controlled via group membership,
as I outlined in some post somewhere.
|
bhoward
|
|
response 26 of 149:
|
Jan 4 15:20 UTC 2006 |
Re#20 Right now, they don't need multiple accounts but from the
debris left behind in their accounts, it appears they are splitting
their target lists into smaller sets and setting each account to
work on a different subset.
I don't recall offhand if each account was pumping out the same
message so it is possible they were using a different account to
send different messages.
Re#22 Perhaps the simplest way is to have exim maintain a hash
table. Each time a mail is sent, you hash on the sender's login,
retrieve a record containing a message count and a date stamp. If
the time stamp is <= 24 hours old, just increment the message count
for the sender and refuse to accept the message for processing. If
the time stamp is more than 24 hours old, the message count is reset
to 1 and the date stamp is set to the current time.
Today is the first day I've had a real chance to dig into how exim
works and may be extended so I lack the vocabulary to describe this
using proper exim terms. However, it appears there are a few
different mechanisms one could use.
|
bhoward
|
|
response 27 of 149:
|
Jan 4 15:21 UTC 2006 |
(25 slipped in ahead of my 26)
|
keesan
|
|
response 28 of 149:
|
Jan 4 16:45 UTC 2006 |
Do the spammers use mail lists (available with Pine, don't know about other
mail programs)? Is there anything specific they do which can be restricted
to paying members without seriously interfering with mail use by other normal
users?
|
other
|
|
response 29 of 149:
|
Jan 5 16:23 UTC 2006 |
> If the time stamp is <= 24 hours old, just increment the message count
> for the sender and refuse to accept the message for processing. If
> the time stamp is more than 24 hours old, the message count is reset
> to 1 and the date stamp is set to the current time.
26: Don't you mean "If the time stamp is more than 24 hours old *and
the message count is higher than x*"?
|
ric
|
|
response 30 of 149:
|
Jan 5 18:32 UTC 2006 |
let's say I wanted to use grex to send spam.
I'd create an account.
I'd upload a list of addresses... say 50,000 email addresses, one per line.
I'd create a text file with my spam message.
Then I'd run the following perl script:
##################################################
#!/usr/local/bin/perl
open(FH,"~/addresses.txt") or die;
while(<FH>) {
chomp;
system("cat ~/spam.txt | mail -s Spam $_");
}
close(<FH>);
##################################################
And poof. 50,000 spam messages go out.
That being said.. the only way I can think of to stop spam from happening
on grex is to unplug grex or disable outgoing mail.
you could reduce spam by creating a waiting period for access to email.
But I'd make it longer than 48 hours... a week, at least.
You could reduce it even more by allowing access to email ONLY to members.
Then a spammer would have to give money to grex and (theoretically) be
"verified" before they could send their spam.
A limitation of 50 outbound emails per day or even 100 outbound emails per
day per account would also be useful, combined with an ASCII CAPTCHA on
newuser *AND* the delay for access to outbound mail.
If a spammer wants to manually create 100 accounts, wait a week for each,
then send out 100 emails per day - each.... that'd be an awful lot of
work to send 10,000 messages per day. Easier to hack into someone's
unsecure version of Wordpress.
If, on top of the last step, you do some mail logging that reports how
many emails each user sends - per day - over a certain threshold.. you
could eliminate those user accounts pretty easily.
|
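The per-user daily report suggested in the post above, as an added sketch that is not part of the original thread. It assumes mail is logged in Exim's main-log format, where a locally submitted message produces a `<=` line carrying `U=login P=local`; the log lines, logins and hostnames are constructed, and `daily_counts` and `over_threshold` are hypothetical names.

```python
import re
from collections import Counter

# Arrival line for a locally submitted message (assumed Exim main-log format):
#   DATE TIME MSGID <= sender U=login P=local S=size
ARRIVAL = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ <= \S+ "
    r".*?\bU=(?P<login>\S+) P=local\b")


def daily_counts(lines):
    """Count locally submitted messages per (day, login)."""
    counts = Counter()
    for line in lines:
        m = ARRIVAL.match(line)
        if m:  # delivery lines and remote arrivals do not match
            counts[(m["day"], m["login"])] += 1
    return counts


def over_threshold(lines, threshold):
    """Return (day, login, count) for every login above the daily threshold."""
    return sorted((day, login, n)
                  for (day, login), n in daily_counts(lines).items()
                  if n > threshold)


# Constructed sample: one busy login, one normal login, one remote arrival
# and one delivery line that must both be ignored.
SAMPLE = [
    f"2006-01-05 18:32:{i:02d} 1EuZ3f-0004xQ-{i:02d} "
    "<= mallory@grex.example U=mallory P=local S=812"
    for i in range(5)
] + [
    "2006-01-06 00:00:01 1EuZ9a-0004yB-01 <= mallory@grex.example U=mallory P=local S=812",
    "2006-01-05 09:10:00 1EuA11-0000ab-01 <= alice@grex.example U=alice P=local S=640",
    "2006-01-05 09:12:00 1EuA12-0000ac-02 <= alice@grex.example U=alice P=local S=702",
    "2006-01-05 09:00:00 1EuA00-0000aa-00 <= bob@remote.example "
    "H=mx.remote.example [192.0.2.10] P=esmtp S=900",
    "2006-01-05 09:10:02 1EuA11-0000ab-01 => carol@remote.example "
    "R=dnslookup T=remote_smtp H=mx.remote.example [192.0.2.10]",
]

if __name__ == "__main__":
    for day, login, n in over_threshold(SAMPLE, threshold=3):
        print(f"{day} {login} sent {n} messages")
```

This counts messages, not recipients, which fits the one-recipient-per-message pattern described later in the thread.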
keesan
|
|
response 31 of 149:
|
Jan 5 20:27 UTC 2006 |
Could grex automatically delete large mail lists, perhaps anything with more
than 100 @ signs in it?
|
steve
|
|
response 32 of 149:
|
Jan 6 00:14 UTC 2006 |
That doesn't solve the problem. Spammers typically send out N emails
with one person in each email. Some don't of course, but the recent
barrage of emails from AOL and .ro idiots does this, so that isn't a
solution.
|
tod
|
|
response 33 of 149:
|
Jan 6 00:29 UTC 2006 |
Romania is a country, not an ISP. Can you be a little more specific with
domain suffixes when you sling insults?
|
bhoward
|
|
response 34 of 149:
|
Jan 6 01:38 UTC 2006 |
First, correcting an editing error by rewording slightly what I
said in #25:
Each time a mail is sent, you hash on the sender's login, retrieve
a record containing a message count and a date stamp. If the time
stamp in the record is <= 24 hours old, just increment the message
count for the sender and refuse to accept the message for processing
if the message count is over the 24 message limit. If the time
stamp in the record is more than 24 hours old, the message count
is reset to 1 and the date stamp is set to the current time.
Re#29 No, because the message count is a max of how many messages
they are allowed to send in a 24 hour period. If the next message
sent pushes them over the max message count, that is only a problem
if it has been less than 24 hours since the timestamp of the first
message.
The idea is that the first message starts a 24 hour count down.
That count should be reset once 24 hours has passed but we don't
actually need to check until the next time they send a message.
|
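The per-sender counter described in #34, as an added sketch that is not part of the original thread and is not Exim code. `SenderLimiter`, `allow` and `accepted` are hypothetical names, the limit of 3 is an arbitrary value for the demonstration, and the timelines are constructed.

```python
import time

WINDOW = 24 * 60 * 60  # seconds; the 24-hour window from the post


class SenderLimiter:
    """Per-login counter: the first message starts the 24-hour countdown,
    which is only checked again when that login sends its next message."""

    def __init__(self, max_per_window, window=WINDOW):
        self.max_per_window = max_per_window  # assumed policy value
        self.window = window
        self.table = {}  # login -> [message_count, window_start]

    def allow(self, login, now=None):
        now = time.time() if now is None else now
        rec = self.table.get(login)
        if rec is None or now - rec[1] > self.window:
            # No record yet, or the stamp is more than 24 hours old:
            # count resets to 1 and the stamp becomes the current time.
            self.table[login] = [1, now]
            return True
        rec[0] += 1  # stamp is <= 24 hours old: increment
        return rec[0] <= self.max_per_window  # refuse once over the limit


def accepted(limiter, login, times):
    """Return the send times (seconds) at which mail was accepted."""
    return [t for t in times if limiter.allow(login, t)]


if __name__ == "__main__":
    # Constructed timeline, limit of 3 per window.
    print(accepted(SenderLimiter(3), "u1", [0, 10, 20, 30, WINDOW + 1]))
    # Caveat: a sender who straddles the reset gets up to 2*limit - 1
    # messages out in a few seconds (here 5 between WINDOW-1 and WINDOW+3).
    burst = [0, WINDOW - 1, WINDOW, WINDOW + 1, WINDOW + 2, WINDOW + 3, WINDOW + 4]
    print(accepted(SenderLimiter(3), "u2", burst))
```

Because the window is anchored to the first message rather than sliding, the daily cap bounds each window but not every 24-hour span, so the effective ceiling to plan for is just under twice the configured limit.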
eprom
|
|
response 35 of 149:
|
Jan 6 05:36 UTC 2006 |
I agree with a week long waiting period
|
bhoward
|
|
response 36 of 149:
|
Jan 6 06:23 UTC 2006 |
Typed-in twice, and still dropping words.
"...if the message count is over the 24 message limit"
should have read:
"...if the message count is over the 24 hour message limit"
|
naftee
|
|
response 37 of 149:
|
Jan 7 05:45 UTC 2006 |
El Senor Bruce da howard.
|
bhoward
|
|
response 38 of 149:
|
Jan 8 02:33 UTC 2006 |
(somehow it seems like there ought to be a sudden snap
of castanets when he says that...)
|
mcnally
|
|
response 39 of 149:
|
Jan 8 03:20 UTC 2006 |
Or a flourish of mariachi guitar..
|
aruba
|
|
response 40 of 149:
|
Jan 8 04:11 UTC 2006 |
Ole!
|
naftee
|
|
response 41 of 149:
|
Jan 8 04:36 UTC 2006 |
everybody dance !
|
aruba
|
|
response 42 of 149:
|
Jan 8 18:57 UTC 2006 |
Comcast is now blocking mail from Grex, which means I can't remind certain
members to renew their memberships.
|
keesan
|
|
response 43 of 149:
|
Jan 8 23:38 UTC 2006 |
Are we still on the RBL list?
Can we try not letting new users send outgoing mail for the first week, and
if that does not work, then try other things?
|
bhoward
|
|
response 44 of 149:
|
Jan 9 07:09 UTC 2006 |
We could declare an emergency moratorium on mail privileges for new
users but allow existing users to keep their mail privileges until
outbound mail limits can be implemented. Any spammers with existing
accounts would either lie low or quickly be identified and locked.
This might allow us a respite to get off the blacklists and focus
on fixing mail.
|
keesan
|
|
response 45 of 149:
|
Jan 9 14:23 UTC 2006 |
Is there a new spammer this week? Comcast at least lets you know why they
bounced your mail (RBL). Would it be fair to allow unlimited outbound mail
to members but only maybe 100K per day for others? Or would spammers find
some way to sign up for 1000 new addresses?
|
ric
|
|
response 46 of 149:
|
Jan 9 17:21 UTC 2006 |
You'd be surprised at how many spam messages you could fit into 100k.
|
ric
|
|
response 47 of 149:
|
Jan 9 17:26 UTC 2006 |
Oh, one thing you'll want to remember is that people could write a spam script
in perl, and execute it from the web, so the email would be generated by the
"nobody", "apache" or "httpd" user - depending on how apache is configured
here.
Ah, I see it's "www"
|
aruba
|
|
response 48 of 149:
|
Jan 10 02:41 UTC 2006 |
How could you execute a spam script from the web?
|
cross
|
|
response 49 of 149:
|
Jan 10 04:42 UTC 2006 |
Via a CGI script. Fortunately, I think grex is configured NOT to allow
normal users to execute CGI scripts out of their personal web directories.
|