Re: [spf-discuss] SPF, DKIM, and NIH
2009-10-21 09:01:07
Ian Eiloart wrote:
--On 16 October 2009 21:37:20 -0400 Hector Santos
<spf-discuss(_at_)winserver(_dot_)com> wrote:
http://www.winserver.com/public/antispam
So I think it's purely randomly cyclic. They really don't care what you
have, they are going to do blitz attacks not caring whether you stop
them or not.
Well, they have finite (if cheap) resources. If a compromised PC has a
list of recipients to send mail to, then why continue to send mail to a
site that is consistently rejecting the mail? Surely *some* spammers
must be smart enough to not keep hammering on a closed door.
You would think so, and I agree with you.
But based on the above web site's 3-4 years of statistics for my own
site and the same statistics gathering from selected customers, just
when you think you got them, PUFF, here they come again.
I truly believe that the big spammers, the ones that are networked,
work on a random basis or some "secret formula" scheduling.
I can see that clearly, and I think you would too with the setup:
1) Prepare the SMTP receivers
Multi-threaded, Worker Queue SMTP Receiver machine. 5 threads
of 5 processes you can concurrently spawn should be sufficient.
2) Prepare the trap
2.1) Add a system policy at the 220 response that outputs a
multiline response.
2.2) or add an EHLO IP literal compare with the connection IP;
drop if they don't match.
What you will see is a regular blast of 4-5 client IPs in a group.
You might see this through the day. You might see it go away for a
day or so or even a week. Then it comes back.
I even thought:
"Maybe if I let them through (remove the system policy and
EHLO IP trap), they will satisfy their goals and stop."
No, same thing. Go Away, Come back, Go away, come back in random fashion.
Let me see if I can get a few sets of this morning's log....
20091021 02:16:00 (01DD) Invalid EHLO [124.82.231.78] client address [219.95.72.186]
20091021 02:16:02 (020B) Invalid EHLO [124.82.231.78] client address [219.95.72.186]
20091021 02:16:02 (01C7) Invalid EHLO [124.82.231.78] client address [219.95.72.186]
These dropped due to the multiline response:
20091021 03:02:23 (00A1) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 03:02:23 (011F) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 03:02:23 (00D6) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 03:02:23 (00B6) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
I see these come in with no other activity, are they related?
20091021 04:36:56 (01A5) Invalid HELO 59.15.251.213 client address [59.15.251.213]
20091021 04:37:59 (01DC) Invalid HELO 78.26.161.33 client address [78.26.161.33]
20091021 04:38:55 (0256) Invalid EHLO ???? client address [218.145.201.108]
20091021 04:38:56 (0256) Invalid HELO ???? client address [218.145.201.108]
And so on. I have a colorized log statistics viewer making it easy to
visualize a color spectrum-like spread of attacks.
Of course, just now, looking at these morning logs I can say, "wow,
pretty good, not as bad as you've seen before. Maybe they got smarter."
Well, I would probably lean more towards them being put out of business
with the FBI's recent big spammer cases in the last year or so. I
recall maybe 4-5 months ago a group of our sysops in the support list
saying they had a major reduction of system attacks after some big
FBI case this year putting a large spammer out of business. I looked
at my logs too and saw a major slowdown myself. But then the
following week - Puff, it seemed to pick up again.
Of course, everyone's mileage will differ, but that is my experience here.
---
HLS
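The EHLO address-literal comparison from step 2.2 of the setup above, plus a count of offending clients over log lines in the format the post shows, as an added example that is not the poster's code or the product's; the function names are mine and the sample log lines are constructed with documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Address literal as in RFC 5321: "[192.0.2.1]" or "[IPv6:2001:db8::1]".
IP_LITERAL = re.compile(r"^\[(?:IPv6:)?([0-9a-fA-F.:]+)\]$")

# Matches the post's log format, e.g.
# "20091021 02:16:00 (01DD) Invalid EHLO [...] client address [...]"
LOG_LINE = re.compile(
    r"^\d{8} \d\d:\d\d:\d\d \(\w+\) Invalid (?:EHLO|HELO) (\S+) "
    r"client address \[([^\]]+)\]$")


def ehlo_literal_mismatch(helo_arg: str, client_ip: str) -> bool:
    """Step 2.2 of the post: True when the EHLO/HELO argument is an
    address literal that does not match the connecting IP (drop).
    Hostnames are not literals and return False; other checks apply."""
    m = IP_LITERAL.match(helo_arg.strip())
    if not m:
        return False
    try:
        claimed = ipaddress.ip_address(m.group(1))
        actual = ipaddress.ip_address(client_ip)
    except ValueError:
        return True  # malformed literal such as "[999.1.1.1]": mismatch
    return claimed != actual


def count_invalid_helo_clients(lines):
    """Count 'Invalid EHLO/HELO' rejects per client IP, to spot the
    'blast of 4-5 client IPs in a group' the post describes."""
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            counts[m.group(2)] += 1
    return counts


# Constructed sample in the post's layout (documentation addresses).
SAMPLE_LOG = [
    "20091021 02:16:00 (01DD) Invalid EHLO [192.0.2.10] client address [198.51.100.7]",
    "20091021 02:16:02 (020B) Invalid EHLO [192.0.2.10] client address [198.51.100.7]",
    "20091021 04:36:56 (01A5) Invalid HELO 203.0.113.5 client address [203.0.113.5]",
    "20091021 04:38:55 (0256) Invalid EHLO ???? client address [203.0.113.9]",
    "20091021 03:02:23 (00A1) EHLO: Incoming connection: [203.0.113.9]",
]
```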