Marc Perkel wrote:
> Testing it out and so far I like it.
>
> http://tanaya.net/DynaStop/
>
> Spam often doesn't retry

I keep hearing that, and perhaps it was true at one time. But *all* my server logs, heavily verbose, yes, for the better part of a year show not only the reverse to now be true, but *massively* so.

The 'retry' may not be queue-driven as we would do it for an 'honest' balked delivery, so perhaps it is technically accurate to not call it a 'retry' in SMTP terms. But the pattern - and the 'hole' they are seeking - is the same.

Attacks come in successive waves, often predictable by time of day, spaced just far enough apart to overcome typical greylisting, and have all the earmarks of zombie farms under pseudo-dynamic update:

- They present the same harvested-but-long-since-invalid and/or lame-to-the-point-of-silliness dictionary-attack usernames: 'keilholz@', 'anastasio@', '<domain.tld>@', '<domain_oldusername>@', '<alphameric_string>@', '<presumed_common_name>@', '<reversed_harvested_name>@'.

- Their forged HELOs repeat, again and again, ELSE they HELO by IP, or as the very host they are targeting, or with their ADSL ID as a HELO.

- The originating networks and IP blocks are cycled and re-used at regular intervals. Some for *years*.

- They auto-abandon on a short delay (most just over 30 seconds), and on the second such 'jail' term if not the first.

The only things that do not repeat for long are the 'Subject:' and 'From:' headers and (apparently) the payload.

You may not class these as SMTP-compliant 'retry'. But if you think these seldom *repeat* you are either experiencing pure-dumb-BS-luck, are just not analysing your logs deeply enough, OR have cut yourself out of the data-collection and 'scouting' side of the war too soon.

I don't care what would be 'attracted' to a secondary MX, nor to a 'honeytrap' or 'tarpit'. That's like buying your ladyfriend a bra with three cups. Amusing. Once. Maybe. All I care about are the ones that target the 'real' server.

The good news is that a blocklist of 400-600 partially wildcarded 'HELO' names nails about 70-80%, and twice that gets nearly all of them - both figures now solidly verified against two or more RBLs. About 1/4 of these persist year-on-year for the 5+ years we have been watching. Within a month or so, the perps will have 'harvested' a new batch of compliant Winboxen. Same HELOs, new IP, new payload. SS,DD ==> DS,DD.

So - yes - DynaStop will nail a very high percentage of these - but I still think rDNS and DYN-RBL caches will be faster, leaner, and much more up-to-date. YMMV, as everyone's servers see at least *some* difference.

Bill

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
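The post above argues that zombie senders betray themselves by their HELO names (forged names that repeat across waves, HELO by IP literal, HELO as the targeted host itself) and that a modest list of partially wildcarded HELO patterns catches most of them. The script below is an added example, not code from the post or from Exim or DynaStop: it walks constructed Exim-style reject-log lines, classifies each session's HELO against those rules, and lists HELO names seen from more than one source IP ("same HELOs, new IP"). The hostname `mx.example.org`, the four blocklist patterns and every log line are assumptions made up for the example; a real deployment would feed it the actual mainlog and the site's own blocklist.

```python
"""Classify HELO names in Exim-style reject-log lines and spot re-used HELOs.

Added example, not code from the original post. The sample log lines, the
hostname and the blocklist patterns are all constructed for illustration.
"""
import fnmatch
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed name of the server being targeted (the 'real' MX in the post).
OUR_HOSTNAME = "mx.example.org"

# A tiny, constructed stand-in for the 400-600 partially wildcarded HELO
# patterns the post describes; fnmatch-style '*' wildcards.
HELO_BLOCKLIST = [
    "adsl-*",
    "*.dynamic.*",
    "friend",
    "localhost",
]

# Constructed sample lines in the shape of Exim main-log rejects: H=(helo) [ip]
LOG_LINES = [
    "2007-03-01 10:00:01 H=(adsl-12-34.isp.example) [192.0.2.10] F=<keilholz@example.org> rejected RCPT <anastasio@example.org>",
    "2007-03-01 10:31:12 H=(adsl-12-34.isp.example) [198.51.100.7] F=<bob@example.org> rejected RCPT <keilholz@example.org>",
    "2007-03-01 10:44:50 H=(192.0.2.22) [192.0.2.22] F=<x9q2@example.org> rejected RCPT <example.org@example.org>",
    "2007-03-01 11:02:03 H=([10.0.0.1]) [203.0.113.5] F=<abc@example.org> rejected RCPT <zlohliek@example.org>",
    "2007-03-01 11:15:41 H=(mx.example.org) [203.0.113.9] F=<admin@example.org> rejected RCPT <john@example.org>",
    "2007-03-01 11:40:08 H=(friend) [198.51.100.30] F=<news@example.org> rejected RCPT <oldname@example.org>",
    "2007-03-01 12:05:27 H=(host42.dynamic.isp.example) [198.51.100.31] F=<a1b2c3@example.org> rejected RCPT <mary@example.org>",
    "2007-03-01 12:20:00 H=(mail.partner.example) [192.0.2.100] F=<alice@partner.example> rejected RCPT <nobody@example.org>",
    "2007-03-01 12:33:19 H=(lists.example.net) [192.0.2.101] F=<owner@example.net> rejected RCPT <gone@example.org>",
    "2007-03-01 13:10:55 H=(friend) [203.0.113.77] F=<info@example.org> rejected RCPT <oldname@example.org>",
]

_HOST_RE = re.compile(r"H=\((?P<helo>[^)]+)\)\s+\[(?P<ip>[^\]]+)\]")


def parse_line(line):
    """Return (helo, ip) from a log line, or None if it carries no H= field."""
    m = _HOST_RE.search(line)
    return (m.group("helo"), m.group("ip")) if m else None


def classify_helo(helo, ip, our_hostname=OUR_HOSTNAME, blocklist=HELO_BLOCKLIST):
    """Return a short reason the HELO looks bot-like, or None if it passes."""
    bare = helo.strip("[]")
    try:
        literal = ipaddress.ip_address(bare)
    except ValueError:
        literal = None
    if literal is not None:
        # HELO by IP: either the connecting address itself or some other literal.
        return "helo-is-own-ip" if str(literal) == ip else "helo-is-ip-literal"
    if helo.lower() == our_hostname.lower():
        return "helo-is-us"  # claims to be the very host it is talking to
    for pattern in blocklist:
        if fnmatch.fnmatchcase(helo.lower(), pattern.lower()):
            return "blocklist:" + pattern
    return None


def analyse(lines):
    """Run classify_helo over each parsable line and tally the results."""
    reasons = Counter()
    total = flagged = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        total += 1
        reason = classify_helo(*parsed)
        if reason is not None:
            flagged += 1
            reasons[reason] += 1
    return {"total": total, "flagged": flagged, "reasons": reasons}


def repeat_offenders(lines):
    """HELO names seen from more than one source IP ('same HELO, new IP')."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            helo, ip = parsed
            seen[helo.lower()].add(ip)
    return {helo: sorted(ips) for helo, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    summary = analyse(LOG_LINES)
    print(f"{summary['flagged']}/{summary['total']} rejected sessions matched a HELO rule")
    for reason, n in summary["reasons"].most_common():
        print(f"  {n:3d}  {reason}")
    for helo, ips in repeat_offenders(LOG_LINES).items():
        print(f"HELO {helo!r} reused from {len(ips)} IPs: {', '.join(ips)}")
```

On the constructed sample, 8 of the 10 sessions trip a rule and two HELO names (`adsl-12-34.isp.example` and `friend`) show up from a second IP, which is the "same HELO, new IP" pattern the post describes. The `repeat_offenders` output is the useful part for maintaining the list: a HELO that keeps reappearing from fresh addresses is a candidate for a new blocklist entry, whereas a single hit from one IP is better left to rDNS or a dynamic-range RBL.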
