> I sometimes see a flurry of attempted connections such as these from
> the mail log:
>
> Jul-11-07 06:38:54 Connected: 58.224.155.140:1176 -> 192.168.0.5:25 -> 192.168.0.1:25
> Jul-11-07 06:38:55 c1775 58.224.155.140 <[EMAIL PROTECTED]> invalid address rejected: [EMAIL PROTECTED]
> address rejected: [EMAIL PROTECTED]
> address rejected: [EMAIL PROTECTED]
> [...]
>
> The messages come from different IP addresses and different senders, but the
> invalid addresses are repeated. Does anyone know of a way to detect a
> spam flurry like this in ASSP and add an additional PB score to the
> offending sender IP addresses? And just out of curiosity, does anyone know
> how the spammers manage to send from such geographically diverse IP
> addresses, all to the same invalid address, all within a few minutes?
>
> Regards,
>
> Dave
Yes, you can do a fantastic job of detecting and blocking that kind of attack using ASSP spamtrap (and spamcollect) addresses.

[(...cut and paste from a post I did last year...)]

I'm using a lot of spamtraps (on a particular installation almost 50% of processed messages go to spamtraps). Easy to generate: just look at the logs of your real mailserver and collect data about non-existing mailboxes (you'll be surprised at how many non-existent addresses are in spammers' lists)
+ add mailboxes on your domains that have been closed (and return 55x) for more than 1 year
+ create and use on newsgroups, fake websites etc. a few more addresses
+ use some unused domains just to collect spam.
Et voilà, you have plenty of spamtraps.

I run a simple script every other week on my mail server that gives me a list of the top spammed non-existent mailboxes. I just add them to my spamtraps. Really useful. [Especially traps starting with aa and ab; many spam runs are in alphabetic order.]

My PB score is (ymmv):
- Invalid recipient : 2
- Spam Collect : 5
- Spamtrap : 10

In spam collect I put old email addresses that are no longer in use and have returned a 5xx for more than 1 year.
In spam trap I put real spamtraps. Very often non-existent addresses are on spammer lists.

This is the script I use to grep all invalid recipients from my logs, and sort them. Windows users need to download some GNU utils from http://unxutils.sourceforge.net/ (unixutils + unxupdates). Mac users? No idea, sorry... but at least win+linux are covered. I had a few problems with multiple piping and gawk under win32, so I had to use prog.awk to script it and use a few intermediate steps; maybe someone can optimize it.
----- windows version, with assp installed in c:\assp ( -f8 depends on your log setting) ------

-) invalid.cmd - debug version

    rem newest log files first; escape spaces in file names; prog.awk dumps the 15 newest logs
    dir /o-d /b \assp\logs\*aillog.txt|sed "s/\ /\\\ /g"|gawk -f prog.awk| grep -F "rejected:" > _aa
    rem field 8 is the rejected address (adjust -f8 to your log format); count and sort numerically
    cut -d" " -f8 _aa | sort | uniq -c | sort -rn > _bb
    rem keep the 35 most frequently rejected addresses
    head -n 35 _bb > invalid.txt

-) prog.awk

    BEGIN{ }
    # each input line is one log file name; print only the 15 newest files
    NR < 15 { system("type \\assp\\logs\\" $0) }
    END{ }

Under windows you can use blat (http://www.blat.net/) to have the list mailed to you. Of course you have to manually decide what addresses are for spamcollect, and what for spamtrap.

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
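The same idea as the posted cmd/awk pipeline, written as a portable Python script so it runs unchanged on Windows, Linux or macOS. This is an added example for this thread, not the poster's script and not part of ASSP. It assumes the rejection-line layout quoted in the question (`date time conn-id source-ip <sender> invalid address rejected: recipient`) and ignores every other line shape; the sample log embedded below is constructed for the example (the first two lines follow the question's excerpt, the remaining addresses and IPs are made up from documentation ranges). Besides the top-N list of rejected addresses (the spamtrap candidates), it goes one step further than the original script and also flags the "flurry" pattern the question asks about: one invalid recipient hit from several distinct source IPs within a few minutes.

```python
"""Summarise invalid-recipient rejections in an ASSP maillog.

Added example for this thread; not the poster's script and not ASSP code.
Assumed line layout (taken from the quoted question):
    <Mon-DD-YY> <HH:MM:SS> <conn-id> <source-ip> <sender> invalid address rejected: <recipient>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Lines 1-2 follow the question's excerpt; the other
# recipients, senders and IPs (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
# are made up for this example.
SAMPLE_LOG = """\
Jul-11-07 06:38:54 Connected: 58.224.155.140:1176 -> 192.168.0.5:25 -> 192.168.0.1:25
Jul-11-07 06:38:55 c1775 58.224.155.140 <sender1@example.net> invalid address rejected: aaron@example.com
Jul-11-07 06:39:02 c1776 198.51.100.23 <sender2@example.org> invalid address rejected: aaron@example.com
Jul-11-07 06:39:40 c1777 203.0.113.9 <sender3@example.biz> invalid address rejected: AARON@example.com
Jul-11-07 06:40:01 c1778 58.224.155.140 <sender1@example.net> invalid address rejected: abbey@example.com
Jul-11-07 08:15:10 c1790 192.0.2.7 <sender4@example.info> invalid address rejected: abbey@example.com
"""

# Only rejection lines match; "Connected:" lines fail because the IP is
# followed by ":port" rather than by the <sender> field.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<conn>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) <(?P<sender>[^>]*)> "
    r"invalid address rejected: (?P<rcpt>\S+)$"
)


def parse_rejections(log_text):
    """Return a list of (timestamp, source_ip, rejected_recipient) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # connection lines, accepted mail, etc. are not rejections
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%b-%d-%y %H:%M:%S")
        # Lower-case the recipient so AARON@ and aaron@ count as one trap candidate.
        events.append((ts, m["ip"], m["rcpt"].lower()))
    return events


def top_rejected(log_text, limit=35):
    """Most frequently rejected recipients, i.e. the spamtrap/spamcollect
    candidates. Equivalent to `cut -f8 | sort | uniq -c | sort -rn | head -n 35`."""
    counts = Counter(rcpt for _, _, rcpt in parse_rejections(log_text))
    return counts.most_common(limit)


def detect_flurries(log_text, window_seconds=300, min_ips=3):
    """Flag invalid recipients targeted from >= min_ips distinct source IPs
    inside a sliding window of window_seconds. Returns a list of
    (recipient, window_start, set_of_ips), one entry per recipient."""
    window = timedelta(seconds=window_seconds)
    by_rcpt = defaultdict(list)
    for ts, ip, rcpt in parse_rejections(log_text):
        by_rcpt[rcpt].append((ts, ip))

    flurries = []
    for rcpt, hits in by_rcpt.items():
        hits.sort()  # chronological; tuples sort by timestamp first
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                flurries.append((rcpt, hits[start][0], ips))
                break  # one report per recipient is enough for scoring
    return flurries


if __name__ == "__main__":
    for rcpt, n in top_rejected(SAMPLE_LOG):
        print(f"{n:7d} {rcpt}")
    for rcpt, when, ips in detect_flurries(SAMPLE_LOG):
        print(f"flurry: {rcpt} hit from {len(ips)} IPs starting "
              f"{when:%Y-%m-%d %H:%M:%S}: {sorted(ips)}")
```

Point the script at a real maillog by replacing `SAMPLE_LOG` with the file contents (it is read as plain text, so the Windows `dir`/`type` step is not needed). As in the original post, the output is a list for the administrator to review: which addresses become spamcollect entries and which become real spamtraps is still a manual decision, and the flurry report only identifies the source IPs that hit the same invalid recipient together so that they can be scored or investigated further.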
