
Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-21 09:01:07
Ian Eiloart wrote:

> --On 16 October 2009 21:37:20 -0400 Hector Santos <spf-discuss(_at_)winserver(_dot_)com> wrote:
>
>>        http://www.winserver.com/public/antispam
>>
>> So I think it's purely randomly cyclic.  They really don't care what you
>> have, they are going to do blitz attacks not caring whether you stop
>> them or not.
>
> Well, they have finite (if cheap) resources. If a compromised PC has a list of recipients to send mail to, then why continue to send mail to a site that is consistently rejecting the mail? Surely *some* spammers must be smart enough to not keep hammering on a closed door.


You would think so, and I agree with you.

But based on the above web site's 3-4 years of statistics for my own site, and the same statistics gathered from selected customers, just when you think you've got them, PUFF, here they come again.

I truly believe that the big spammers, the ones that are networked, work on a random basis or some "secret formula" scheduling.

I can see that clearly, and I think you would too with this setup:

1) Prepare the SMTP receivers

  Multi-threaded, Worker Queue SMTP Receiver machine. 5 threads
  of 5 processes you can concurrently spawn should be sufficient.

2) Prepare the trap

   2.1) Add a system policy at the 220 response that outputs a
        multiline response.

   2.2) or add an EHLO IP literal compare with the connection IP;
        drop if they don't match.

What you will see is a regular blast of 4-5 client IPs in a group. You might see this through the day. You might see it go away for a day or so or even a week. Then it comes back.

I even thought:

   "Maybe if I let them through (remove the system policy and
    EHLO IP trap), they will satisfy their goals and stop."

No, same thing. Go Away, Come back, Go away, come back in random fashion.

Let me see if I can get a few sets of this morning's log...

20091021 02:16:00 (01DD) Invalid EHLO [124.82.231.78] client address [219.95.72.186]
20091021 02:16:02 (020B) Invalid EHLO [124.82.231.78] client address [219.95.72.186]
20091021 02:16:02 (01C7) Invalid EHLO [124.82.231.78] client address [219.95.72.186]

These dropped due to the multiline response:

20091021 03:02:23 (00A1) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 03:02:23 (011F) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 03:02:23 (00D6) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 03:02:23 (00B6) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]

I see these come in with no other activity; are they related?

20091021 04:36:56 (01A5) Invalid HELO 59.15.251.213 client address [59.15.251.213]
20091021 04:37:59 (01DC) Invalid HELO 78.26.161.33 client address [78.26.161.33]
20091021 04:38:55 (0256) Invalid EHLO ???? client address [218.145.201.108]
20091021 04:38:56 (0256) Invalid HELO ???? client address [218.145.201.108]

And so on. I have a colorized log statistics viewer making it easy to visualize a color spectrum-like spread of attacks.

Of course, just now, looking at these morning logs I can say, "wow, pretty good, not as bad as you've seen before. Maybe they got smarter."

Well, I would probably lean more towards their having been put out of business by the FBI's recent big spammer cases in the last year or so. I recall maybe 4-5 months ago a group of our sysops on the support list saying they had a major reduction in system attacks after some big FBI case this year put a large spammer out of business. I looked at my logs too and saw a major slowdown myself. But then the following week - Puff, it seemed to pick up again.

Of course, everyone's mileage will differ, but that is my experience here.

---
HLS
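The step 2.2 trap (compare the EHLO address literal with the connection IP) and the log excerpts above, as an added example that is not from this post or from the winserver software: a Python check that classifies the EHLO/HELO argument the way those log lines do, plus a small parser that applies it to the quoted lines and groups hits per client IP per minute, which is what makes the "blast of 4-5 client IPs" pattern visible. The log-line format is inferred from the excerpts, and the sample log is constructed from them.

```python
import ipaddress
import re
from collections import Counter

# RFC 5321 address literal, e.g. "[219.95.72.186]"; a bare dotted quad without brackets is not one.
LITERAL_RE = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")

def check_ehlo(arg, client_ip):
    """Verdict: "ok" (literal == connection IP), "mismatch" (the step 2.2 drop),
    "hostname" (syntax only; policy left to the caller) or "invalid" ("????", bare IP)."""
    m = LITERAL_RE.match(arg)
    if m:
        try:
            literal = ipaddress.ip_address(m.group(1))
        except ValueError:              # octet out of range, e.g. [300.1.1.1]
            return "invalid"
        return "ok" if literal == ipaddress.ip_address(client_ip) else "mismatch"
    try:
        ipaddress.ip_address(arg)       # "59.15.251.213" without brackets, as in the log
        return "invalid"
    except ValueError:
        return "hostname" if re.fullmatch(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*", arg) else "invalid"

# Two line shapes seen in the excerpts (format inferred from them, not a documented spec).
LOG_RE = re.compile(
    r"^(?P<ts>\d{8} \d\d:\d\d:\d\d) \([0-9A-F]{4}\) (?:"
    r"Invalid (?:EHLO|HELO) (?P<arg>\S+) client address \[(?P<ip>[\d.]+)\]"
    r"|EHLO: Incoming connection: (?P<arg2>\S+) \[(?P<ip2>[\d.]+)\])$")

def parse_log(lines):
    """Yield (minute, client_ip, verdict) for every line LOG_RE understands."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            arg, ip = m.group("arg") or m.group("arg2"), m.group("ip") or m.group("ip2")
            yield m.group("ts")[:14], ip, check_ehlo(arg, ip)

def bursts(lines, threshold=3):
    """{(minute, ip): hits} for client IPs hitting >= threshold times within one minute."""
    counts = Counter((minute, ip) for minute, ip, _ in parse_log(lines))
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample, copied from the excerpts quoted in the post above.
SAMPLE_LOG = """20091021 02:16:00 (01DD) Invalid EHLO [124.82.231.78] client address [219.95.72.186]
20091021 02:16:02 (020B) Invalid EHLO [124.82.231.78] client address [219.95.72.186]
20091021 02:16:02 (01C7) Invalid EHLO [124.82.231.78] client address [219.95.72.186]
20091021 03:02:23 (00A1) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 03:02:23 (011F) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 03:02:23 (00D6) EHLO: Incoming connection: [114.143.139.8] [114.143.139.8]
20091021 04:38:55 (0256) Invalid EHLO ???? client address [218.145.201.108]""".splitlines()
```

The "Incoming connection" lines classify as "ok" because the literal matches; in the post they were dropped by the separate multiline 220 trap, not by the literal check.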


