Weblog entry #44 for simonw

Death of Greylisting - spam bots retrying
Posted by simonw on Mon 10 Apr 2006 at 05:16
Tags: none.
I've been using Postgrey with Postfix for over a year now, and it has practically got rid of the spam problem for my own email, and for work, for that year.

Alas a distressing development is that there is now a spam bot that retries.

I haven't got any technical low-down, but the bot seems to retry every 303 seconds (approximately), and does this several times. I increased the greylist initial delay to 310 seconds on one server at work; since the database there is already well populated with most email servers this shouldn't hurt much, and it increases the chances the bot will end up on the dynamic blacklist we use before it tries again. There has been a little discussion on the Postgrey mailing list for those interested.
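The timing argument above (a bot retrying every 303 seconds gets past a 300 second greylist delay on its second attempt, but a 310 second delay defers it again and buys another window for a blacklist to catch up) can be checked with a toy greylist model. This is an added example, not Postgrey's code; the retry schedules, IP address and addresses are constructed, and a genuine MTA retrying after a quarter of an hour is included to show that the longer delay costs it nothing.

```python
"""Toy model of greylisting delay versus a fixed-interval retrying bot.

Constructed example, not Postgrey's implementation. A greylister keys on the
(client IP, envelope sender, recipient) triplet and defers a never-seen
triplet until `delay` seconds have passed since its first attempt.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, recipient)


@dataclass
class Greylist:
    """Minimal greylist: remembers the first-seen time of each triplet."""
    delay: int                                   # seconds a new triplet must wait
    first_seen: Dict[Triplet, int] = field(default_factory=dict)

    def check(self, triplet: Triplet, now: int) -> str:
        """Return 'defer' or 'accept' for a delivery attempt at time `now`."""
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            return "defer"     # still inside the greylist window
        return "accept"        # triplet has waited long enough


# Constructed triplet; the IP is from the documentation range.
BOT_TRIPLET: Triplet = ("192.0.2.10", "bot@example.net", "me@example.org")


def first_accepted(schedule: List[int], delay: int,
                   triplet: Triplet = BOT_TRIPLET) -> Optional[Tuple[int, int]]:
    """Run a client's retry schedule (attempt times in seconds, first at 0)
    against a fresh greylist and return (attempt number, time) of the first
    accepted attempt, or None if every attempt in the schedule is deferred."""
    gl = Greylist(delay=delay)
    for n, t in enumerate(schedule, start=1):
        if gl.check(triplet, t) == "accept":
            return n, t
    return None


def bot_schedule(interval: int = 303, attempts: int = 4) -> List[int]:
    """The bot described in the post: retries every ~303 s, a few times."""
    return [i * interval for i in range(attempts)]


def mta_schedule() -> List[int]:
    """Constructed schedule for a well-behaved MTA: first retry after 15 min."""
    return [0, 900, 1800]


def deferrals_before_accept(schedule: List[int], delay: int) -> int:
    """How many deferred attempts the client makes before one is accepted.
    Each extra deferral is another chance for the sending IP to appear on a
    dynamic blacklist before it is let in, which is the reason for 310 s."""
    hit = first_accepted(schedule, delay)
    return len(schedule) if hit is None else hit[0] - 1


if __name__ == "__main__":
    for delay in (300, 310):
        print(f"delay={delay}s bot accepted at {first_accepted(bot_schedule(), delay)}, "
              f"after {deferrals_before_accept(bot_schedule(), delay)} deferral(s); "
              f"MTA accepted at {first_accepted(mta_schedule(), delay)}")
```

With a 300 second delay the bot's second attempt at t=303 is accepted; with 310 seconds it is deferred again and only the third attempt at t=606 gets through, while the 15 minute MTA is accepted on its second attempt either way.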

Only a trickle of such spam so far, and its distribution is very uneven, suggesting only one spammer is using this type of bot, and he is targeting big domains (or possibly a very old list of email addresses, or domains).

Guess it was only a matter of time.

I've been looking at further checks, trying to note ways in which these bots differ from genuine email servers. One idea I saw on BSD was to use passive fingerprinting to slow port 25 traffic from all Microsoft Windows clients. Although I wonder how accurate the passive fingerprinting is, and the Hotmail users might not be impressed, this seems a plausible approach.

If you have ideas on implementing this, or can get hold of one of these retrying bots so it can be analysed properly, let me know.


Comments on this Entry

Posted by Utumno (60.248.xx.xx) on Mon 10 Apr 2006 at 10:21
Are you talking about the same kind of fingerprinting that nmap uses to determine running OS ? That's quite slow and not very reliable...


Posted by Anonymous (213.164.xx.xx) on Mon 10 Apr 2006 at 13:03
That's a shame, but fair enough.
The delay it bought should have been used to set up a trust network or something, but for most people it delayed dealing with the problem.

It was nice while it lasted :)


Posted by ajt (204.193.xx.xx) on Mon 10 Apr 2006 at 13:50
I'm told that the firewall in the *BSD family is quite good at dynamic fingerprinting, and can drop the rate of all traffic to port 25 from a Windows system. I just wish I could find you a link...

--
"It's Not Magic, It's Work"
Adam


Posted by ybiC (68.96.xx.xx) on Mon 10 Apr 2006 at 14:08
This may be the link you were thinking of, Adam:

http://use.perl.org/~merlyn/journal/17094

"Oh, how sweet... Mail coming from windows boxes (all flavors) compete for my virtual 56K line. All other mail can come in the fat pipe. Already a huge difference in my load. Bwa ha ha."


Posted by ajt (204.193.xx.xx) on Mon 10 Apr 2006 at 14:32
YES! I knew Merlyn had mentioned it on use.perl, but I couldn't find it, even with Google. Sometimes a minor change in your search terms makes a huge difference.

--
"It's Not Magic, It's Work"
Adam
