Lawrence Baldwin noted:

#Personally, I think the better approach to fighting proxy spam is to
#identify the spammers that are *upstream* from the proxies and then get one
#or more of them thrown in jail, not for spamming, but for violating federal
#or state computer intrusion laws. Spammers are currently using open proxies
#because they are free and anonymous, until you make them non-anonymous AND
#costly (jail) there's nothing that will stop them.

I believe this analysis is precisely correct.

#This is not as hard as it sounds...if you are an ISP you have hijacked
#proxies on your network. The RBLs can tell you which IPs are hijacked
#proxies, all you need do is capture Netflow data and examine the upstream
#IPs pummeling the hijacked proxy on its SOCKS and/or HTTP proxy port.

... or the non-standard proxy zombie port du jour. (Depending on how long
the box has been spewing, you may also notice scans/probes from good guys
attempting to determine what's up with the behavior being observed from
that host, but that's easy enough to spot and ignore when you do the
traffic analysis).

#The results of such analysis are extremely enlightening...these spammers
#have NOT moved off-shore, they are NOT using multiple levels of proxy
#chaining and obfuscation, they are spamming DIRECTLY from their web hosting
#and corporate offices in North America, and as is often the case, South
#Florida.

... and from Texas and California and New York, among others.

And if you start looking at end-to-end performance and operational issues,
it is easy to understand why spammers have NOT moved overseas when
shovelling traffic through proxy spam zombies:

-- If connecting from overseas, they have trans-pacific latencies and
   potential packet loss issues (with the reduced throughput that implies),
   and they can get that comparatively crumby throughput via expensive
   connections which are potentially subject to governmental interference,
   with any required systems work being a "remote hands" operation (with
   inconvenient time zone-related and potential language-related issues).
   Besides, some people may even block all traffic at their border from
   those overseas providers...

or

-- they can get very low latencies from multiple redundantly-connected
   geographically diverse colo providers here in the US at comparative rock
   bottom prices and with easy physical access to their systems... that is,
   they can do this as long as people DON'T bother doing as Lawrence
   suggests.

If you DO start looking at inbound netflow data associated with compromised
hosts, things become pretty clear, pretty darn quickly. And if you tie in
AOL scomps or other abuse reports, it becomes pretty trivial to even tell
*which* spammer is abusing your compromised hosts from domestic colo
providers -- you then know WHO, WHAT, WHEN, WHERE, WHY and HOW people are
abusing that host. Frost, apply candles, present to law enforcement for
processing and attention (or blackhole/filter the colo block at your
border, if you're the impatient type or are skeptical about getting law
enforcement involved).

To tell you the truth, I've been quite surprised that major broadband
providers with tens of thousands of compromised customer hosts haven't done
that already.

Regards,

Joe St Sauver (joe@oregon.uoregon.edu)
University of Oregon Computing Center
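
The inbound-flow analysis discussed in this message, sketched as an added example that is not part of the original message or of any tool its authors used. The flow tuple layout, the port set, the byte threshold for discarding probes, and all addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation addresses), not real traffic.
LISTED_PROXIES = {"192.0.2.10", "192.0.2.77"}  # customer IPs an RBL lists as hijacked proxies
PROXY_PORTS = {1080, 3128, 8080}               # SOCKS and common HTTP proxy ports (assumed set)

# (src_ip, dst_ip, dst_port, packets, bytes), as a flow collector might export them
FLOWS = [
    ("198.51.100.5", "192.0.2.10", 1080, 4200, 3_900_000),
    ("198.51.100.5", "192.0.2.77", 1080, 3900, 3_500_000),
    ("198.51.100.5", "192.0.2.10", 1080, 5100, 4_700_000),
    ("198.51.100.5", "192.0.2.77", 41234, 2000, 1_800_000),  # non-standard proxy port
    ("203.0.113.9", "192.0.2.10", 1080, 3, 180),             # one-off probe
    ("203.0.113.9", "192.0.2.77", 8080, 3, 180),             # one-off probe
    ("203.0.113.40", "192.0.2.77", 8080, 2500, 2_100_000),
    ("198.51.100.5", "192.0.2.200", 80, 900, 700_000),       # destination not listed
    ("192.0.2.10", "198.51.100.25", 25, 800, 600_000),       # outbound from the proxy
]

def upstream_sources(flows, listed, ports=PROXY_PORTS, min_bytes=10_000):
    """Rank source IPs sending sustained traffic into RBL-listed proxies.

    ports=None matches any destination port, for proxies on non-standard ports.
    Sources whose total stays under min_bytes are treated as probes and dropped.
    """
    stats = defaultdict(lambda: {"bytes": 0, "flows": 0, "proxies": set()})
    for src, dst, dport, _pkts, nbytes in flows:
        if dst not in listed or src in listed:
            continue  # only inbound traffic to a listed proxy is of interest
        if ports is not None and dport not in ports:
            continue
        entry = stats[src]
        entry["bytes"] += nbytes
        entry["flows"] += 1
        entry["proxies"].add(dst)
    ranked = [(src, e["bytes"], e["flows"], sorted(e["proxies"]))
              for src, e in stats.items() if e["bytes"] >= min_bytes]
    return sorted(ranked, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for src, nbytes, nflows, proxies in upstream_sources(FLOWS, LISTED_PROXIES):
        print(f"{src:15} {nbytes:>10} bytes {nflows:>3} flows -> {', '.join(proxies)}")
```

A source that feeds several listed proxies with large byte counts is the candidate to correlate with abuse reports; the low-volume source is dropped as a probe.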