thoughts on tracking spammers and griefers

The types of services that DroneBL caters to (online real-time communities) have common problems of spamming and griefing (abusive threats toward what are usually administrators or channel owners, likely due to being banned for violations of community rules). In fact, in some cases the spam activity itself is a form of internet griefing.

On this topic, I wrote the following on the irc-security list, which I want to expand on here, because we intend to experiment with ways to deal with these problems next:

What we need to stop this undesired behaviour is extensive solidarity,
in many forms:

1) Services like DroneBL. These services can be used to stop his
spambot, by listing his IP immediately upon reports of spam.
Approximately more than 90% of known networks are using DroneBL as a
reference for banning. By adding his source IPs, this reduces his attack
vector by at least 90%.

2) Making it very clear that the IRC community will not condone networks
that harbour or condone his behaviour, or even worse, encourage as is
the current situation. In the current situation, the owner of
irc.darkscience.ws has been seen as saying that ep0ch is a friend of
his, and that he fully supports the activity. By speaking loudly to
upstream providers of this network and pursuing suspensions, this
behaviour will likely be curbed.

3) Making it very clear that the IRC community will not condone service
providers which profit from networks/servers benefiting from spam. The
IRC community has a voice with DroneBL, and other services like it, to
ensure that there are harsh penalties for service providers which
harbour spam sources or beneficiaries. 

While I do not typically believe in community lynchings of net trash, if
we really want this behaviour to stop, we must become more aggressive in
ensuring that it is in fact stopped. That said, we should be very careful
that networks being spammed by people like ep0ch are not victims
themselves before taking direct action.

But, the basic idea is, "if you spam on IRC, there will be a penalty."
Or, something like that. Thoughts? Maybe I am just rambling crackaddled
thoughts here?

A large part of the problem is that there is no system for tracking the people behind the abuse. Without such an effort, there is no way that the communities DroneBL provides services to can deal with stopping them in some sense of full solidarity.

So, we need a system to deal with griefers like the person I describe on irc-security in that post. Is DroneBL itself that system? No!

But, is such a system related to the mission of DroneBL? Yes, it is. However, such a system needs to be designed where the community can collaborate on collecting as much evidence of abuse as possible. Collection of large dossiers of abuse against IRC spammers and griefers will be helpful in taking action with abuse desks at ISPs.

But what about ISPs that do not care? Obviously, we cannot ban AT&T, but we can, for instance, pressure service providers to do the right thing. For example, a shell provider hosting services belonging to the spammer could be convinced to drop the spammer's account. In such a case, the abuser would have fewer resources to use for causing trouble.

Also, by having a service which tracks the people behind the netabuse, we can put pressure on them to do the right thing and discontinue their abusive activities.

So, the question is, if I made a service which tracked people, making them no longer anonymous, and providing the IRC community with the ability to make it clear that there will be a consequence for these abusers, would people actually use it to make the consequence effective?

What would need to be done to make such a service, and its consequence, effective? Is the IRC community willing to cooperate to make such a service effective and trustworthy? We need to make sure we are truly banning dirt; such a system could easily be used as a tool for vengeance and revenge if created with the wrong policies.

I would love to hear thoughts (in the form of lovely comments, especially). This is a tricky situation, and if we, as a community, work on making it happen, we should make sure we get it right the first time.

nenolod / Nov-14-2008 06:01:34 GMT

Comments for thoughts on tracking spammers and griefers


Vadtec said on Nov-14-2008 18:29:22 GMT :

With respect to the point about vengeance, that is the single biggest issue with such a service. I agree, there has to be some form of verification of submitted information.

As an IRC administrator and tech support rep for various things, I have once too often seen altered or forged information submitted to prove a point. Even things like screen shots cannot be trusted 100%. Anyone with Photoshop or The Gimp can cut n paste a chat session together from other screen shots. Or if they are really keen, they can play back a simulated chat session in their chat program to make it look like a real session.

This leads to needing more than just chat logs from users, or even admins. Things like server (ircd/etc) logs, or if possible, server (ircd/etc) logs + server (as in the box) connect/firewall logs, would be great.

In the grand scheme of things though, any reports about a given individual should be looked into. Demographics in this case would be excellent. And not just "Oh they were here once", but also reporting them each time it occurs. That way we can build a good pattern and maybe glean other info from it as well.

One thing that will have to be considered heavily is the posting of a person's physical contact information. Some localities have laws governing such information. So gathering it will have to be done via public mediums. And even then, the poster of such information had better be damn sure their local laws allow it.

All in all, this is a very doable endeavor. And it could potentially stick a thorn in the foot of all the kiddies out there. So I don't see why we shouldn't look into this and make some sort of prototype.

William Pitcock said on Nov-14-2008 18:36:41 GMT :

@Vadtec: The main concern isn't forgery, it's trust. If we keep things to a relatively trusted community model that we already enjoy with DroneBL reporting, then the project should work fine.

My main concern is that DroneBL is for drones, not spam. But obviously, there is a demand for spam blocking lists in the communities that DroneBL provides services to. And if such a system is separate from DroneBL, would people use it? In my opinion, chat logs are fine if we have multiple reports from multiple people, who are known to be good sources.

Steve Church said on Nov-14-2008 23:09:52 GMT :

William Pitcock said:

My main concern is that DroneBL is for drones, not spam.

*shrug* DroneBL in my mind is for net abuse. The brute force class, although not really closely related to IRC drones, stays very active. The classes for compromised router / open proxies are likewise not solely a "drone" thing (even though they are often used by drones). A spam category in the DroneBL would be fine by me -- maybe even another category for griefing.

Regardless of whether the point of view is that of an end-user or a network admin, I would think what ep0ch and others like him do are just as undesirable as DDoS drones. I mean, it's a shame to risk having to give up the spectacular perl code he could otherwise be plagiarizing contributing when he's not spamming; but somehow life will go on I suspect.

But a separate service for tracking people? How's that different from tracking compromised / abusive hosts? Do you envision that service providers would check this list for known assholes prior to approving account creation? That'd be amazing, but I'm skeptical that such a service would influence a provider into turning down a setup fee. On the other hand, do you see this helping with law enforcement when the abuse@ route fails as it often does? IANAL, but I doubt the contents of a message board would hold much weight with a judge.

I promise my intention is not to flame. I'm just brainstorming.

I'm thinking the best way to make a service such as DroneBL or the proposed DickBL effective is to make Internet providers not want to be listed, and to deal with abuse appropriately to that end. How do we do that? It would certainly help if the DroneBL service were useful for more than just IRC, tcpwrappers, and the random oddball service that 5 people on the planet use. The more useful the DroneBL services are, the more they will be used. The more they're used, the more providers will have to deal with the repercussions of having hosts listed.

An anti-spam BL service is certainly one way of doing that. Another might be... a captcha service, more user-friendly than ReCaptcha + integrated blacklisting for known spammers. Another might be... listing SQL injection attackers. Who knows? My point is this. What can we offer to which AT&T, Comcast, Google, hell even Microsoft would subscribe? That would be a service on which listing would prompt immediate attention. As-is, though, IRC is not high on most providers' list of concerns.

Vadec said on Nov-15-2008 14:32:47 GMT :

@William

I realize my post came off as seeming like fraud/fake logs are the main issue. That wasn't my intention. I merely wanted to point out the biggest possible problem that could creep up.

As you said, trust is going to overcome the issue of faked logs or reports. And that's how it should be. Unless we all want to become computer forensic experts, we can only rely on trust.

I will be posting some ideas I have later this weekend. Whether or not they turn out to be good ones remains to be seen. Just keep in mind, I tend to think in a "the worst/the best" frame of mind. I find it helps me weed out all the useless stuff and get down to what is important.

LeAnn McKee said on Dec-24-2008 20:43:28 GMT :

Yes, I'd like it heard that I have done nothing to provoke anything from being banned from IRC. What you all are doing is great, but I have been on IRC for many years now, but with this isp, only a few months and do not understand what is going on here.

tepid said on Jan-12-2009 01:00:16 GMT :

So, I'm sure none of you care, but your captchas: they suck. A simple challenge/response with some javascript munging? Well. I suppose you make up for that weakness with having nonsensical answers. What, pray tell, could "frozen water" be but "ice"?

I shouldn't have to spend 15 minutes getting my dynamic IP cleared, and certainly not for an incident last reported in OCTOBER of last year.

Katlyn said on Feb-05-2009 10:06:38 GMT :

What's wrong with their captchas? At least they're not using those horrible, ineffective image-based ones where you have to type in what you see.

Are you saying you had difficulty in working out what the answers should be? That's fairly.. worrying.

Sebastian Ramadan said on Dec-24-2009 03:10:23 GMT :

I'd like to point out that it appears irc.darkscience.ws is not affiliated with epoch. I've spoken to some on that network and they explicitly asked me to make this clear. ProwL is a reader of the irc-security group, so I'm sure he's said this all before...

(ProwL) I do /know epoch/ from IRC for the past 8 years, but he trolls and spams us just as much as you guys. He's an absolute pest.
(ProwL) We do not under any circumstances condone people spamming us, or our name, anywhere. We don't advertise as it is. :)

There are parts of the proposal, and parts of the comments below it that I agree with.

Firstly, I believe a system for netabuse would be most helpful, as the last thing an ISP system administrator wants to do is remove a list of IP addresses that were blacklisted due to abuse. I'd be happy to help out by development of implementations that would help to:
1. guarantee that logs submitted are in fact genuine.
2. identify individuals by cross-referencing and analysing logs from previous incidents.
3. collaboration and generation of reports in support of complaints destined for ISP abuse centres.

I believe the only way DroneBL is related is by principle of blacklists, and perhaps in the case that some netabuse may indeed overlap. In that case, the netabuse would probably be best on the DroneBL. Other than that, this blacklist may actually have a more sophisticated interface to identifying individuals (as well as the typical DNSBL). This blacklist may be structured entirely differently, due to the difference between drones and what we're dealing with here, human nature. It may not matter to you guys what I think, but the more separate these two agendas are, the less work we have to do in collaborating incidents before consulting ISP administrators.

nenolod, I'm all up for it. Let me know if you would like any assistance and/or ideas :)

Derp said on May-10-2010 01:28:38 GMT :

You know, he's quite easy to find.

This guy made no effort to hide his identity nor where he hangs out. You can even find an approximation of his location and who is hosting his content if you look a little.

I agree the bots are annoying.
