On Fri, 2015-05-22 at 09:31 -0700, Gordon Messmer wrote:
> On 05/22/2015 04:01 AM, Sam Varshavchik wrote:
> > HELO is a good canary in the coalmine. Legitimate mail senders will pay
> > attention and configure their mail servers properly, so that their HELO
> > matches their DNS address.
> 
> Sure, but in the context of this filter, I think that's not relevant.
> 
> The baddns filter that Lindsay wrote would originally load the HELO 
> string from the control file, look up the NS associated with the domain, 
> and then apply rate limiting if that NS is one known to be associated 
> with domain tasting.
> 
> I imagine that works when spammers feed campaigns through malware, as 
> HELO and MAIL FROM domains probably often match.  However, in the case 
> where legitimate mail servers are subverted, HELO probably won't lead 
> back to such an NS record, but the domain in MAIL FROM still will.  That 
> seems like a better key, to me.

Here's what I've observed.  Spam falls into several categories.  The
overwhelming lion's share of it is "commercial" spam.  The people who
send this out get big blocks of IP addresses on servers in India, China,
Romania, Russia, Brazil, etc. and set up spamming engines to send this
stuff out by the terabyte.  I assume, with regard to these sources,
we're not dealing with malware but with hosting providers who don't give
a rat's ass whether their customers are sending out spam or not.  I've
also noticed that these people keep regular hours.  This kind of spam
diminishes in the evenings and at night and increases during the day, so
the people who do this are probably nine-to-fivers who are paid by the
hour.  They take weekends off and the volume of this stuff goes down on
Saturdays and Sundays.  Judging by all this, my guess is that most of
the operations pulling the strings on this are in the US.  These are all
"someone's checking your credit", "refi your home loan", "four signs
you're having a heart attack", "miracle pill to cure xxx", etc. - quasi
legit businesses who have engaged a spam operation to get their message
out.  These account for perhaps 98% of the spam I'm intercepting, and
I'd guess that probably 95% of these have an NS for their HELO host
that's covered by a python list of about 5 server names, and these
are the folks that baddns is keeping out.

The malware or system intrusion/exploit kind of spam varies from stuff
like "Get an online PhD" - out-and-out scams - to phishing emails, and
these are a much smaller percentage of spam.  Looking at the mail logs,
a lot of these are one-off spams to no more than two or three users on
my server.  These are difficult to block since they generally come from
hacked or compromised boxes on legit servers.

Some spam does come from systems where the NS for the HELO name has the
same SLD.TLD as the HELO hostname itself.  baddns doesn't touch these,
since the NS for the names never occurs in the prohibited list.  Outside of
SpamAssassin-style heuristics I can't think of any way to detect these
from an analysis of IP addresses or DNS.

The baddns module that I put together only deals with one type of spam,
but what I'm seeing is that this is by far the bulk of what's going over
the wire.  I've hacked together some utilities using shell and python
scripts which do log scans of stuff that gets rate limited and give me
some very nice summaries.  Typical output:

Date:    First:     Last:          IP:              rl:  sp:  score: helo:                 dns:
May 22:  12:51:19 - 12:51:19:      66.55.151.180:   1    0    -      grrkgiftcrd.us        registrar-servers.com
May 22:  12:54:24 - 12:54:58:      66.55.151.181:   2    0    -      srvereprtnews.us      registrar-servers.com
May 22:  12:59:06 - 13:00:07:      66.55.151.182:   2    0    -      bgreprorterdocs.us    registrar-servers.com
May 22:  13:03:20 - 13:03:56:      66.55.151.183:   2    0    -      hlthreportdata.us     registrar-servers.com
May 22:  08:08:47 - 08:48:57:      74.63.250.133:   5    0    -      mxvm2.punsslog.com    name-services.com
May 22:  08:45:13 - 09:58:55:      80.79.120.157:   3    0    -      out.itselfgreen.com   name-services.com

("registrar-servers.com" and "name-services.com" are in the "bad" name
servers list)

This gives the date, the time of the first and last spam from the given
IP, the IP, the number of ratelimit hits, the number of SpamAssassin
hits (and the SA score, if any), the HELO hostname and the NS of record
for the HELO host.

I can further summarize these:

IP block          IP    RL    DNS   SA    Score      Recommendation
23.254.198.0      1     1     *     0     10         BLOCK PROBABLY OK :)
66.55.151.0       4     7     *     0     280        RECOMMEND /24 BAN!!
74.63.250.0       1     5     *     0     50         RECOMMEND /24 BAN!!
80.79.120.0       2     5     *     0     100        RECOMMEND /24 BAN!!
80.82.79.0        2     8     *     0     160        RECOMMEND /24 BAN!!

This gives the number of IPs seen in a /24 block, the total number of
ratelimit hits for all IPs in this block, whether the NS for the block
is in the "bad name server" python list, an arbitrarily assigned score
and a recommendation based on this score.

All of this has taught me a lot about the patterns on this stuff, and
although I haven't managed to nuke all the spam coming on to my server,
I'm probably getting about 2% of what I was before I started working on
this in January.

I hope this helps.  If you can manage to put together a more incisive
filter based on such things as the NS of the NS in a spam then I'll be
delighted, and will happily share scripts and statistics which might
help.  It's important to be flexible in writing these things.
Commercial spammers have some pretty smart people working for them and
Brad Knowles observed, when he was working on the problem for AOL, that
as soon as a pattern of behavior leads to analysis that lets people
effectively block their spam, they change the way they work.  As soon as
the cost/benefit ratio of any part of their operating paradigm goes
negative, they change it, and we'll need to put the tinker-toys together
on the filtering end in a different way.

Gordon, I have some questions about your observations and critiques of
my script but I'll get these next week.  This is a holiday weekend in
the US and I'm away from home at a music festival.

-- 
Lindsay Haisley       | "Never expect the people who caused a problem
FMP Computer Services |  to solve it."  - Albert Einstein
512-259-1190          |        
http://www.fmp.com    |
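An added example, not Lindsay's script or part of the original post: a Python sketch of the per-/24 summary described in the message, which parses records in the layout of the "Typical output" above and aggregates them by /24. The sample records are constructed from the values quoted on the page; the score formula (10 x distinct IPs x rate-limit hits, which reproduces every row of the page's /24 table) and the ban threshold of 50 are inferred assumptions, not the author's stated rules.

```python
import ipaddress
import re
from collections import defaultdict

# Name servers the email puts on its "bad" list (both appear on the page).
BAD_NS = {"registrar-servers.com", "name-services.com"}

# Constructed sample in the layout of the per-IP summary quoted above (one record per line):
# date, first, last, IP, rate-limit hits, SA hits, SA score, HELO host, NS of the HELO host.
SAMPLE = """\
May 22:  12:51:19 - 12:51:19:      66.55.151.180:   1    0    -      grrkgiftcrd.us        registrar-servers.com
May 22:  12:54:24 - 12:54:58:      66.55.151.181:   2    0    -      srvereprtnews.us      registrar-servers.com
May 22:  12:59:06 - 13:00:07:      66.55.151.182:   2    0    -      bgreprorterdocs.us    registrar-servers.com
May 22:  13:03:20 - 13:03:56:      66.55.151.183:   2    0    -      hlthreportdata.us     registrar-servers.com
May 22:  08:08:47 - 08:48:57:      74.63.250.133:   5    0    -      mxvm2.punsslog.com    name-services.com
May 22:  08:45:13 - 09:58:55:      80.79.120.157:   3    0    -      out.itselfgreen.com   name-services.com
"""

RECORD = re.compile(
    r"^(?P<date>\w+ \d+):\s+(?P<first>[\d:]+) - (?P<last>[\d:]+):\s+"
    r"(?P<ip>[\d.]+):\s+(?P<rl>\d+)\s+(?P<sa>\d+)\s+(?P<score>\S+)\s+"
    r"(?P<helo>\S+)\s+(?P<ns>\S+)\s*$"
)

def parse_records(text):
    # One dict per record; header and blank lines do not match and are skipped.
    return [m.groupdict() for m in map(RECORD.match, text.splitlines()) if m]

def registered_domain(name):
    # Crude SLD.TLD reduction (enough for the names on the page; not a public-suffix list).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def summarize_blocks(rows, bad_ns=BAD_NS, ban_threshold=50):
    blocks = defaultdict(lambda: {"ips": set(), "rl": 0, "sa": 0, "bad": False})
    for r in rows:
        net = ipaddress.ip_network(f"{r['ip']}/24", strict=False)
        b = blocks[str(net.network_address)]
        b["ips"].add(r["ip"])
        b["rl"] += int(r["rl"])
        b["sa"] += int(r["sa"])
        b["bad"] |= registered_domain(r["ns"]) in bad_ns
    out = {}
    for net, b in sorted(blocks.items()):
        # 10 x distinct IPs x RL hits reproduces every score in the page's /24 table;
        # the formula and the ban threshold (assumed 50) are inferred, not quoted.
        score = 10 * len(b["ips"]) * b["rl"]
        rec = "RECOMMEND /24 BAN" if score >= ban_threshold else "BLOCK PROBABLY OK"
        out[net] = {"ips": len(b["ips"]), "rl": b["rl"], "dns": "*" if b["bad"] else "-",
                    "sa": b["sa"], "score": score, "recommendation": rec}
    return out
```

Running `summarize_blocks(parse_records(SAMPLE))` yields the 66.55.151.0 row of the page's table (4 IPs, 7 RL hits, score 280, /24 ban); the other two blocks come out smaller because the sample holds only one record for each.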


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
