On Fri, 2015-05-22 at 09:31 -0700, Gordon Messmer wrote:
> On 05/22/2015 04:01 AM, Sam Varshavchik wrote:
> > HELO is a good canary in the coalmine. Legitimate mail senders will pay
> > attention and configure their mail servers properly, so that their HELO
> > matches their DNS address.
>
> Sure, but in the context of this filter, I think that's not relevant.
>
> The baddns filter that Lindsay wrote would originally load the HELO
> string from the control file, look up the NS associated with the domain,
> and then apply rate limiting if that NS is one known to be associated
> with domain tasting.
>
> I imagine that works when spammers feed campaigns through malware, as
> HELO and MAIL FROM domains probably often match. However, in the case
> where legitimate mail servers are subverted, HELO probably won't lead
> back to such an NS record, but the domain in MAIL FROM still will. That
> seems like a better key, to me.
Here's what I've observed. Spam falls into several categories.

The overwhelming lion's share of it is "commercial" spam. The people who send this out get big blocks of IP addresses on servers in India, China, Romania, Russia, Brazil, etc. and set up spamming engines to send this stuff out by the terabyte. I assume, with regard to these sources, we're not dealing with malware but with hosting providers who don't give a rat's ass whether their customers are sending out spam or not. I've also noticed that these people keep regular hours. This kind of spam diminishes in the evenings and at night and increases during the day, so the people who do this are probably nine-to-fivers who are paid by the hour. They take weekends off and the volume of this stuff goes down on Saturdays and Sundays. Judging by all this, my guess is that most of the operations pulling the strings on this are in the US. These are all "someone's checking your credit", "refi your home loan", "four signs you're having a heart attack", "miracle pill to cure xxx", etc. - quasi legit businesses who have engaged a spam operation to get their message out. These account for perhaps 98% of the spam I'm intercepting, and I'd guess that probably 95% of these have a NS for their HELO host that's covered by a python list of about 5 server names, and these are the folks that baddns is keeping out.

The malware or system intrusion/exploit kind of spam varies from stuff like "Get an online PhD" - out-and-out scams - to phishing emails, and these are a much smaller percentage of spam. Looking at the mail logs, a lot of these are one-off spams to no more than two or three users on my server. These are difficult to block since they generally come from hacked or compromised boxes on legit servers. Some spam does come from systems where the NS for the HELO name has the same SLD.TLD as the HELO hostname itself. baddns doesn't touch these, since the NS for the names never occurs in the prohibited list.
Outside of SpamAssassin-style heuristics I can't think of any way to detect these from an analysis of IP addresses or DNS. The baddns module that I put together only deals with one type of spam, but what I'm seeing is that this is by far the bulk of what's going over the wire.

I've hacked together some utilities using shell and python scripts which do log scans of stuff that gets rate limited and give me some very nice summaries. Typical output:

Date:    First:     Last:      IP:             rl: sp: score: helo:                 dns:
May 22:  12:51:19 - 12:51:19:  66.55.151.180:  1   0   -      grrkgiftcrd.us        registrar-servers.com
May 22:  12:54:24 - 12:54:58:  66.55.151.181:  2   0   -      srvereprtnews.us      registrar-servers.com
May 22:  12:59:06 - 13:00:07:  66.55.151.182:  2   0   -      bgreprorterdocs.us    registrar-servers.com
May 22:  13:03:20 - 13:03:56:  66.55.151.183:  2   0   -      hlthreportdata.us     registrar-servers.com
May 22:  08:08:47 - 08:48:57:  74.63.250.133:  5   0   -      mxvm2.punsslog.com    name-services.com
May 22:  08:45:13 - 09:58:55:  80.79.120.157:  3   0   -      out.itselfgreen.com   name-services.com

("registrar-servers.com" and "name-services.com" are in the "bad" name servers list)

This gives the date, the time of the first and last spam from the given IP, the IP, the number of ratelimit hits, the number of SpamAssassin hits (and the SA score, if any), the HELO hostname and the NS of record for the HELO host. I can further summarize these:

IP block        IP  RL  DNS  SA  Score  Recommendation
23.254.198.0    1   1   *    0   10     BLOCK PROBABLY OK :)
66.55.151.0     4   7   *    0   280    RECOMMEND /24 BAN!!
74.63.250.0     1   5   *    0   50     RECOMMEND /24 BAN!!
80.79.120.0     2   5   *    0   100    RECOMMEND /24 BAN!!
80.82.79.0      2   8   *    0   160    RECOMMEND /24 BAN!!

This gives the number of IP's seen in a /24 block, the total number of ratelimit hits for all IPs in this block, whether the NS for the block is in the "bad name server" python list, an arbitrarily assigned score and a recommendation based on this score.
All of this has taught me a lot about the patterns on this stuff, and although I haven't managed to nuke all the spam coming on to my server, I'm probably getting about 2% of what I was before I started working on this in January. I hope this helps. If you can manage to put together a more incisive filter based on such things as the NS of the NS in a spam then I'll be delighted, and will happily share scripts and statistics which might help.

It's important to be flexible in writing these things. Commercial spammers have some pretty smart people working for them and Brad Knowles observed, when he was working on the problem for AOL, that as soon as a pattern of behavior leads to analysis that lets people effectively block their spam, they change the way they work. As soon as the cost/benefit ratio of any part of their operating paradigm goes negative, they change it, and we'll need to put the tinker-toys together on the filtering end in a different way.

Gordon, I have some questions about your observations and critiques of my script but I'll get these next week. This is a holiday weekend in the US and I'm away from home at a music festival.

--
Lindsay Haisley          | "Never expect the people who caused a problem
FMP Computer Services    |  to solve it." - Albert Einstein
512-259-1190             |
http://www.fmp.com       |

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
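The per-/24 summary Lindsay describes, as an added example (not Lindsay's baddns script and not the courier-users utilities themselves): it takes records in the shape of the per-IP output above, applies the baddns rule (NS of record for the HELO host on the "bad" list, and not under the HELO's own SLD.TLD), groups by /24 and produces the IP / RL / DNS / SA / Score / Recommendation table. Two things are assumptions: the score rule (distinct IPs times total ratelimit hits times 10) is inferred from the figures in the post rather than stated there, and the ban threshold of 50 is a placeholder. The records are constructed here; a real run would parse them from the mail log, and the SLD.TLD split ignores public-suffix cases such as co.uk.

```python
"""Per-/24 summary of rate-limited SMTP senders keyed on the HELO host's NS.

Added example, not the baddns script from the post. Records are constructed;
the score rule and ban threshold are assumptions (see comments).
"""
from collections import defaultdict
import ipaddress

# Name servers the post names as being on the "bad" list.
BAD_NS = {"registrar-servers.com", "name-services.com"}

# Assumed cut-off; the post calls its score "arbitrarily assigned".
BAN_THRESHOLD = 50

# Constructed records in the shape of the per-IP output in the post:
# (date, first, last, ip, ratelimit hits, SA hits, helo, ns of record)
RECORDS = [
    ("May 22", "12:51:19", "12:51:19", "66.55.151.180", 1, 0, "grrkgiftcrd.us", "registrar-servers.com"),
    ("May 22", "12:54:24", "12:54:58", "66.55.151.181", 2, 0, "srvereprtnews.us", "registrar-servers.com"),
    ("May 22", "12:59:06", "13:00:07", "66.55.151.182", 2, 0, "bgreprorterdocs.us", "registrar-servers.com"),
    ("May 22", "13:03:20", "13:03:56", "66.55.151.183", 2, 0, "hlthreportdata.us", "registrar-servers.com"),
    ("May 22", "08:08:47", "08:48:57", "74.63.250.133", 5, 0, "mxvm2.punsslog.com", "name-services.com"),
    ("May 22", "08:45:13", "09:58:55", "80.79.120.157", 3, 0, "out.itselfgreen.com", "name-services.com"),
    # Constructed: a sender whose NS lives under the HELO's own SLD.TLD,
    # the case the post says baddns never touches.
    ("May 22", "10:00:00", "10:00:00", "203.0.113.7", 1, 0, "mail.example.net", "ns1.example.net"),
]


def registrable_domain(hostname: str) -> str:
    """Naive SLD.TLD: the last two labels of the name (no public-suffix list)."""
    labels = hostname.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def ns_on_bad_list(ns: str) -> bool:
    """True when the NS of record belongs to one of the listed bad NS domains."""
    return registrable_domain(ns) in BAD_NS


def ns_shares_domain(helo: str, ns: str) -> bool:
    """True when the NS has the same SLD.TLD as the HELO hostname itself."""
    return registrable_domain(helo) == registrable_domain(ns)


def block_of(ip: str) -> str:
    """Network address of the /24 containing ip, e.g. '66.55.151.0'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


def summarize(records):
    """Aggregate records per /24 and attach score and recommendation."""
    blocks = defaultdict(lambda: {"ips": set(), "rl": 0, "sa": 0, "bad_ns": False})
    for _date, _first, _last, ip, rl, sa, helo, ns in records:
        b = blocks[block_of(ip)]
        b["ips"].add(ip)
        b["rl"] += rl
        b["sa"] += sa
        # baddns rule: bad NS of record, and not under the HELO's own domain.
        if ns_on_bad_list(ns) and not ns_shares_domain(helo, ns):
            b["bad_ns"] = True
    out = {}
    for block, b in blocks.items():
        n_ips = len(b["ips"])
        score = n_ips * b["rl"] * 10  # assumed rule, inferred from the post's figures
        if b["bad_ns"] and score >= BAN_THRESHOLD:
            rec = "RECOMMEND /24 BAN!!"
        elif b["bad_ns"]:
            rec = "BLOCK PROBABLY OK :)"
        else:
            rec = "OUTSIDE BADDNS SCOPE"
        out[block] = {"ips": n_ips, "rl": b["rl"], "dns": "*" if b["bad_ns"] else "-",
                      "sa": b["sa"], "score": score, "recommendation": rec}
    return out


def format_table(summary) -> str:
    """Render the summary in the column layout used in the post."""
    lines = [f"{'IP block':<16}{'IP':>3}{'RL':>4}{'DNS':>5}{'SA':>4}{'Score':>7}  Recommendation"]
    for block in sorted(summary, key=ipaddress.ip_address):
        s = summary[block]
        lines.append(f"{block:<16}{s['ips']:>3}{s['rl']:>4}{s['dns']:>5}"
                     f"{s['sa']:>4}{s['score']:>7}  {s['recommendation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(summarize(RECORDS)))
```

With the constructed records the 66.55.151.0/24 row comes out as 4 IPs, 7 ratelimit hits and a score of 280, matching the post's figure for that block, while the example.net sender is reported as outside baddns' scope because its NS shares the HELO's SLD.TLD.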