Thanks! I'll be working on some scripting to maintain a good spamtrap list using yours as a starting point. The list I use now was tediously created using Excel some time ago. I just caught a batch of them using that old list:
Jul-13-07 08:47:03 193.69.160.86 <[EMAIL PROTECTED]> PB: 193.69.160.0 score: 0+150 => 150 reason:penaltytrap:[EMAIL PROTECTED]
Jul-13-07 08:47:30 124.84.115.122 <[EMAIL PROTECTED]> PB: 124.84.115.0 score: 0+150 => 150 reason:penaltytrap:[EMAIL PROTECTED]
Jul-13-07 08:47:47 220.225.96.162 <[EMAIL PROTECTED]> PB: 220.225.96.0 score: 0+150 => 150 reason:penaltytrap:[EMAIL PROTECTED]
Jul-13-07 08:48:30 218.98.7.249 <[EMAIL PROTECTED]> PB: 218.98.7.0 score: 0+150 => 150 reason:penaltytrap:[EMAIL PROTECTED]
Jul-13-07 08:48:36 218.191.18.233 <[EMAIL PROTECTED]> PB: 218.191.18.0 score: 0+150 => 150 reason:penaltytrap:[EMAIL PROTECTED]
Jul-13-07 08:53:32 216.117.149.132 <[EMAIL PROTECTED]> PB: 216.117.149.0 score: 0+150 => 150 reason:penaltytrap:[EMAIL PROTECTED]
Jul-13-07 08:54:10 221.127.10.85 <[EMAIL PROTECTED]> PB: 221.127.10.0 score: 0+150 => 150 reason:penaltytrap:[EMAIL PROTECTED]

Marrco wrote:
>> I sometimes see a flurry of attempted connections such as these from
>> the mail log:
>>
>> Jul-11-07 06:38:54 Connected: 58.224.155.140:1176 -> 192.168.0.5:25
>> -> 192.168.0.1:25
>> Jul-11-07 06:38:55 c1775 58.224.155.140 <[EMAIL PROTECTED]>
>> invalid address rejected: [EMAIL PROTECTED]
>> address rejected: [EMAIL PROTECTED]
>> address rejected: [EMAIL PROTECTED]
> [...]
>>
>> The messages come from different IP addresses and different senders,
>> but the invalid addresses are repeated. Does anyone know of a
>> way to detect a spam flurry like this in ASSP and add an additional
>> PB score to the offending sender IP addresses? And just out of
>> curiosity, does anyone know how the spammers manage to send from
>> such geographically diverse IP addresses, all to the same invalid
>> address, all within a few minutes?
>>
>> Regards,
>>
>> Dave
>
> Yes, you can do a fantastic job of detecting and blocking that kind of
> attack using ASSP spamtrap (and spamcollect) addresses.
>
> [(...cut and paste from a post I did last year...)]
>
> i'm using a lot of spamtraps (on a particular installation almost
> 50% of processed messages go to spamtraps)
>
> easy to generate, just look at the logs of your real mailserver and
> collect data about non-existent mailboxes (you'll be surprised at how
> many non-existent addresses are in spammers' lists) + add mailboxes on
> your domains that are closed (and return 55x) for more than 1 year +
> create and use on newsgroups, fake websites etc a few more addresses
> + use some unused domains
>
> just to collect spam. et voilà, you have plenty of spamtraps.
>
> i run a simple script every other week on my mail server that gives me
> a list of top spammed non-existent mailboxes. I just add them to my
> spamtraps. Really useful. [especially traps starting with aa and ab,
> many spam runs are in alphabetic order]
>
> my pb score is (ymmv):
>
> - Invalid recipient : 2
> - Spam Collect : 5
> - Spamtrap : 10
>
> in spam collect i put old email addresses that are no longer in use
> and returned a 5xx for more than 1 year
> in spam trap i put real spamtraps. Very often non-existent addresses
> are on spammer lists.
>
> this is the script i use to grep all invalid recipients from my logs,
> and sort them.
>
> Windows users need to download some GNU utils from
> http://unxutils.sourceforge.net/ (unixutils + unxupdates)
>
> mac users ? no idea, sorry... but at least win+linux are covered.
>
> I had a few problems with multiple piping and gawk under win32, so i
> had to use prog.awk to script it and use a few intermediate steps,
> maybe someone can optimize it.
>
> ----- windows version, with assp installed in c:\assp ( -f8 depends
> on your log setting) ------
>
> -) invalid.cmd - debug version
>
> rem list the logs newest first, dump them via prog.awk, keep "rejected:" lines
> dir /o-d /b \assp\logs\*aillog.txt|sed "s/\ /\\\ /g"|gawk -f prog.awk| grep -F "rejected:" > _aa
> rem field 8 is the rejected address; count duplicates, most frequent first
> cut -d" " -f8 _aa | sort | uniq -c | sort -r > _bb
> rem keep the top 35 addresses
> head -n 35 _bb > invalid.txt
>
>
> -) prog.awk
>
> BEGIN{
> }
> # print the contents of the first 14 log files named on stdin
> NR < 15 {
>     system("type \\assp\\logs\\" $0)
> }
> END{
> }
>
>
> under windows you can use blat (http://www.blat.net/) to have the list
> mailed to you. Of course you have to manually decide what addresses
> are for spamcollect, and what for spamtrap.

_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
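
Added example, not part of the original thread and not ASSP code: a POSIX shell take on the "top rejected recipients" report described above, which also counts how many different client IPs hit each address, so that an address seen in a multi-source flurry ranks above a single sender's typo. The function names `sample_log` and `trap_candidates`, the log layout, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not ASSP code. Assumed log layout (from the thread):
#   date time [conn-id] client-ip <sender> invalid address rejected: rcpt

# sample_log: constructed log lines (documentation IPs and domains).
sample_log() {
cat <<'EOF'
Jul-11-07 06:38:54 Connected: 192.0.2.10:1176 -> 192.168.0.5:25
Jul-11-07 06:38:55 c1775 192.0.2.10 <a@sender.example> invalid address rejected: aaron@example.com
Jul-11-07 06:39:10 c1776 198.51.100.7 <b@sender.example> invalid address rejected: aaron@example.com
Jul-11-07 06:39:40 c1777 203.0.113.9 <c@sender.example> invalid address rejected: Aaron@example.com
Jul-11-07 06:40:02 c1778 203.0.113.9 <c@sender.example> invalid address rejected: abby@example.com
Jul-11-07 06:40:05 c1779 203.0.113.9 <d@sender.example> invalid address rejected: abby@example.com
Jul-11-07 06:41:00 c1780 198.51.100.7 <e@sender.example> invalid address rejected: typo@example.com
EOF
}

# trap_candidates LOGFILE [MIN_IPS]
# Prints "hits distinct_ips recipient", most-hit first, keeping only
# recipients rejected from at least MIN_IPS client IPs (default 2).
trap_candidates() {
    awk -v min_ips="${2:-2}" '
    {
        ip = ""; rcpt = ""
        for (i = 1; i < NF; i++) {
            # First bare IPv4 token on the line is the client address.
            if (ip == "" && $i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = $i
            # Find "rejected:" by name; its column depends on log settings.
            if ($i == "rejected:") { rcpt = tolower($(i + 1)); break }
        }
        if (ip == "" || rcpt == "") next
        hits[rcpt]++
        if (!((rcpt, ip) in seen)) { seen[rcpt, ip] = 1; ips[rcpt]++ }
    }
    END {
        for (r in hits)
            if (ips[r] >= min_ips + 0) print hits[r], ips[r], r
    }' "$1" | LC_ALL=C sort -k1,1nr -k3,3
}

# Run against a real log when a path is given: sh script.sh maillog.txt 3
if [ $# -gt 0 ]; then trap_candidates "$@"; fi
```

The output is only a candidate list; deciding which addresses become spamtrap and which spamcollect entries remains a manual step, as the post says.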