Yesterday while looking at my mail log file from sendmail I happened to notice that there were quite a few entries similar to this:

Jan 30 14:30:51 Beaker sendmail[14594]: o0UMUbtH014594: ip-67-205-102-148.static.privatedns.com [67.205.102.148] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 30 14:30:53 Beaker sendmail[14596]: o0UMUcb2014596: ip-67-205-102-148.static.privatedns.com [67.205.102.148] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 30 14:30:54 Beaker sendmail[14597]: o0UMUdqb014597: ip-67-205-102-148.static.privatedns.com [67.205.102.148] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

So I decided to generate a sorted list, with duplicates removed, of all of them for yesterday. To my dismay, there were 1853 unique ip's that produced the above example messages. Counting them:

# grep -c $ /tmp/ips
1853

The file starts and ends like this, so you can verify visually that I've actually got a sorted list with no dups:

12.27.246.230
12.31.165.234
12.173.58.18
24.42.47.156
24.75.75.18
24.138.217.69
24.138.231.150
24.138.242.23
24.145.81.70

clip clip -- get the whole file here: <http://eucleides.com/~paul/iplist.txt>

222.170.127.111
222.239.200.139
222.251.149.160
222.252.118.206
222.252.157.56
222.252.201.98
222.253.205.159
222.254.11.50
222.254.240.73
222.254.241.142

I use rbl's as part of my anti-spam measures. I can do this since it is my system and I don't have to answer to anyone who thinks this might produce a lot of false positives. The fact is, they don't at all. Specifically I use these 6 rbl's:

bl.spamcop.net
dnsbl.sorbs.net
no-more-funn.moensted.dk
zen.spamhaus.org
dnsbl.njabl.org
dnsbl-3.uceprotect.net

More later on their individual effectiveness.

I then process the 1853 ip's with a script that checks if they are listed in those 6 rbl's and does reverse DNS lookups. I summarize the results:

Begin Time Stamp: Sun Jan 31 19:59:18 PST 2010
 __ not listed    __ bl.spamcop.net
/   __ listed    /  __ dnsbl.sorbs.net
|  /            |  /   __ no-more-funn.moensted.dk
| |             | |  /   __ zen.spamhaus.org
0 1             | | |  /   __ dnsbl.njabl.org
                | | | |  /   __  dnsbl-3.uceprotect.net
                | | | | |  /
  Check IP      | | | | | |  Total  Reverse Lookup
12.27.246.230   0 1 0 0 0 0 -- 1 --
12.31.165.234   0 0 0 0 0 0 -- 0 --
12.173.58.18    0 1 0 1 0 0 -- 2 --
24.42.47.156    1 1 1 1 0 1 -- 5 --
24.75.75.18     0 0 0 1 0 0 -- 1 --
24.138.217.69   0 0 0 1 0 1 -- 2 --
24.138.231.150  0 0 0 1 0 1 -- 2 --
24.138.242.23   0 0 0 1 0 1 -- 2 --
24.145.81.70    0 1 0 1 0 0 -- 2 --
24.180.122.2    0 1 0 0 0 0 -- 1 -- 24-180-122-2.static.aldl.mi.charter.com.
24.223.199.116  0 1 0 1 0 0 -- 2 -- user-0cdvhrk.cable.mindspring.com.
24.242.105.202  1 1 1 1 0 0 -- 4 -- cpe-24-242-105-202.gt.res.rr.com.
41.19.255.181   0 0 0 1 0 0 -- 1 --
41.92.36.143    0 0 0 1 0 1 -- 2 --
41.130.178.37   0 1 0 1 0 1 -- 3 --
41.136.101.19   0 1 0 1 0 1 -- 3 --
41.136.128.48   0 0 0 1 0 1 -- 2 --
41.136.175.120  0 0 0 1 0 1 -- 2 --
41.138.224.17   0 0 0 1 0 1 -- 2 --
41.138.226.232  1 0 0 1 0 1 -- 3 --
41.177.23.98    0 0 0 1 0 1 -- 2 -- 98.23.177.41-discover.co.za.
41.191.104.4    0 1 0 1 0 0 -- 2 --
41.196.124.181  0 1 0 1 0 1 -- 3 -- host-41-196-124-181.static.link.com.eg.
41.196.199.234  1 0 0 1 0 1 -- 3 -- host-41-196-199-234.static.link.com.eg.
41.204.84.33    0 0 1 1 0 1 -- 3 --
41.207.124.46   0 1 1 0 0 0 -- 2 --
41.207.179.202  0 0 1 1 0 0 -- 2 --
41.210.9.34     0 1 0 1 0 1 -- 3 -- adsl934.4u.com.gh.
41.211.124.246  0 1 0 0 0 1 -- 2 --
41.221.161.130  0 1 0 1 0 1 -- 3 --

clip clip-- get the whole file here: <http://eucleides.com/~paul/rblcheck.txt>

220.139.127.112 0 1 1 1 0 1 -- 4 -- 220-139-127-112.dynamic.hinet.net.
220.139.127.154 0 1 1 1 0 1 -- 4 -- 220-139-127-154.dynamic.hinet.net.
220.139.127.181 0 1 1 1 0 1 -- 4 -- 220-139-127-181.dynamic.hinet.net.
220.243.107.172 0 0 0 0 0 0 -- 0 --
221.123.134.228 0 0 0 1 0 0 -- 1 --
221.128.160.203 0 1 0 1 0 0 -- 2 --
221.147.18.111  0 1 1 1 0 0 -- 3 --
221.163.166.55  0 1 1 0 0 0 -- 2 --
221.169.167.11  0 0 0 0 0 0 -- 0 -- 221-169-167-11.static.seed.net.tw.
222.118.23.141  0 1 1 1 0 0 -- 3 --
222.120.182.46  0 0 1 0 0 0 -- 1 --
222.162.211.17  0 0 1 1 0 0 -- 2 --
222.170.127.111 0 0 1 1 0 0 -- 2 --
222.239.200.139 0 1 1 1 0 0 -- 3 --
222.251.149.160 0 1 0 1 0 1 -- 3 --
222.252.118.206 0 1 1 1 0 1 -- 4 -- localhost.
222.252.157.56  0 1 1 1 0 1 -- 4 -- localhost.
222.252.201.98  0 1 1 1 0 1 -- 4 -- localhost.
222.253.205.159 0 1 1 1 0 1 -- 4 -- localhost.
222.254.11.50   0 0 0 1 0 1 -- 2 -- localhost.
222.254.240.73  0 1 0 1 0 1 -- 3 -- localhost.
222.254.241.142 0 1 0 1 0 1 -- 3 -- localhost.

Column totals for each RBL, in order tested.
117     bl.spamcop.net
1000    dnsbl.sorbs.net
353     no-more-funn.moensted.dk
1456    zen.spamhaus.org
15      dnsbl.njabl.org
1215    dnsbl-3.uceprotect.net
The elapsed time was 0 hrs : 5 mins : 55 secs

Observations

Checking 1853 IP's against 6 RBL's and a reverse DNS lookup, 60 requests at a time, took nearly 6 minutes of clock time.

The most effective RBL's are spamhaus, uceprotect and sorbs.

Spammers did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA often prior to sending spam, which is subsequently blocked on my system.

Most of the IP's that did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA are listed in one or more RBL's already.

Adding all of the IP's that did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA to my local blacklist is a valid strategy, even those IP's that are not listed in any of the 6 RBL's I use above.

In the above report, when there is no name corresponding to the IP, there is no valid reverse lookup. That too is a valid condition for blocking mail. That one does, however, occasionally produce false positives. I monitor that and whitelist addresses (not IP's). There are so few that this remains a manual administrative task.

At this point I do not know why spammers often do not issue MAIL/EXPN/VRFY/ETRN during connection to MTA prior to actual spamming attempts. I see this a lot from 41.nnn.nnn.nnn IP's - the source of mostly Nigerian 419's.

As a final comment, I am able to block many tld's since neither myself nor any of my users expect email from them. This allows me to build a very lengthy list of spammers to block that can be used by others with large mail systems that don't have the option to block tld's. I block most countries except .us, .ca, .uk and a few others. Normally a mail system cannot do that. So a record of those blocks is certainly mostly spammers - useful to others.

-- 
Paul Franz
425.440.9505 (O)
425.241.1618 (C)

One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say.
                -- Will Durant
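The harvest-and-check procedure the post describes, as an added example that is not Paul's own script: it pulls the unique peer IPs out of sendmail's "did not issue MAIL/EXPN/VRFY/ETRN" notices, builds the reversed-octet query names for the six zones listed above, and tallies hits per RBL. The log lines (documentation IPs) and the DNSBL answers in the test are constructed, and the resolver is injectable so the check can run offline.

```python
import re
import socket

# The six DNSBL zones the post queries, in the report's column order.
RBLS = ["bl.spamcop.net", "dnsbl.sorbs.net", "no-more-funn.moensted.dk",
        "zen.spamhaus.org", "dnsbl.njabl.org", "dnsbl-3.uceprotect.net"]

# Sendmail's notice for a peer that connected but never issued a mail command.
IDLE_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\] did not issue MAIL/EXPN/VRFY/ETRN")

# Constructed sample log (same shape as the post's lines; documentation IPs, not real peers).
SAMPLE_LOG = """\
Jan 30 14:30:51 Beaker sendmail[14594]: o0UMUbtH014594: host-a.example.invalid [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 30 14:30:53 Beaker sendmail[14596]: o0UMUcb2014596: host-a.example.invalid [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 30 14:31:02 Beaker sendmail[14601]: o0UMV2AB014601: from=<user@example.invalid>, size=1024, class=0, nrcpts=1, relay=[198.51.100.7]
Jan 30 14:31:09 Beaker sendmail[14603]: o0UMV9CD014603: host-b.example.invalid [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

def idle_ips(log_text):
    """Unique peer IPs from the notices, sorted numerically by octet (the post's deduped list)."""
    ips = {m.group(1) for m in IDLE_RE.finditer(log_text)}
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))

def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, zone appended (192.0.2.10 -> 10.2.0.192.<zone>)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(answer):
    """Any 127.0.0.0/8 answer is a listing, except zen.spamhaus.org's 127.255.255.x
    error codes (e.g. query refused from an open resolver), which must not count as a hit."""
    return answer.startswith("127.") and not answer.startswith("127.255.255.")

def rbl_check(ips, resolve=socket.gethostbyname):
    """Return {ip: [0/1 per RBL]}; `resolve` is injectable so the check can run offline."""
    report = {}
    for ip in ips:
        row = []
        for zone in RBLS:
            try:
                row.append(1 if is_listed(resolve(dnsbl_name(ip, zone))) else 0)
            except OSError:  # socket.gaierror on NXDOMAIN: not listed
                row.append(0)
        report[ip] = row
    return report

def column_totals(report):
    """Per-RBL hit counts, matching the post's 'Column totals' block."""
    return {zone: sum(row[i] for row in report.values()) for i, zone in enumerate(RBLS)}
```

The report's reverse-lookup column would come from `socket.gethostbyaddr(ip)[0]`, with an OSError meaning the IP has no valid rDNS.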
