Hi,

We've recently seen a large increase in SPAM volume, and although SA is taking care of the classification, a simple analysis of the messages shows that most have a pattern, in that everything which has a particular user's e-mail address in the subject is SPAM.

Looking at the relay IP addresses, almost all are immediately suspected to be SPAM sender domains, rather than botnets or abused relays/proxies.

Given that real mail from these sites is unlikely, I'm tempted to implement a system of blocking all traffic from these IP addresses using the following scheme:

A. Add a date/time stamped record to a database with that IP address as the key, and a spam count of 1
B. If the number of records matching that IP is now 3 or more, modify the IPTables system to drop all traffic from that IP with an ICMP Host-Prohibited message
C. Run a daily expiry process which removes all records which are more than X days old (with X starting at 10 days) and which removes the IPTables entry if the new count is less than 3.

They appear to be using a bank of outgoing mail servers which are all on different IP addresses, and although I see multiple messages from some addresses, my current volume is low enough that it is normal to see addresses only two or three times in a couple of days - 493 messages from 223 unique IP addresses.

I'd also be interested in implementing a block based on an address range check, so perhaps if more than 10 SPAM messages which scored over 10 were received from an address block, then the known or estimated range of SPAM senders in that block would be blacklisted using IPTables, with a daily review.

To illustrate this, suppose I received 3 SPAM messages from 1.2.3.4, 2 messages from 1.2.3.8, 2 messages from 1.2.3.9, and four from 1.2.3.12. Then, working firstly with a nominal class C assumption, I would calculate that the average value for the fourth octet is 8.25, the standard deviation is 3.3, and so the normal range would be 5 to 11 - as a result, I would block all of the known IP values, plus the values in the range between 5 and 11, nicely filling in the gaps in the known range. This would go into the database with a timestamped value of 3.

Given that I am happy that the false positive rate is zero based on the last week of logs, can anyone see any issues with this approach? Any suggestions on how to improve it?

Best Wishes,
Paul.

Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
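The per-IP counter with expiry (steps A to C) and the class C range estimate worked through in the post, as an added Python example that is not part of the original message: it reproduces the 8.25 / 3.3 / 5 to 11 figures and, in never_seen(), lists the addresses the gap-filling step would block without a single observed spam, which is the false-positive exposure a daily review should look at. The sample records are constructed, and the 10-day window, the threshold of 3, the "more than 10 messages per /24" trigger and the unweighted sample standard deviation rounded inwards are assumptions read from the post.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from math import ceil, floor

# Constructed sample: (days after 28 Feb 2006, relay IP) for each SA-flagged message.
_HITS = [(1, "1.2.3.4"), (1, "1.2.3.4"), (2, "1.2.3.4"), (2, "1.2.3.8"), (3, "1.2.3.8"),
         (3, "1.2.3.9"), (3, "1.2.3.9"), (-18, "1.2.3.12"), (-17, "1.2.3.12"),
         (1, "1.2.3.12"), (2, "1.2.3.12"), (3, "1.2.3.12"), (3, "1.2.3.12")]
SPAM_LOG = [(datetime(2006, 2, 28) + timedelta(days=d), ip) for d, ip in _HITS]
NOW = datetime(2006, 3, 4)  # time of the daily expiry run (assumed)

def active_blocks(records, now, threshold=3, expiry_days=10):
    """Steps A-C: count per-IP records inside the expiry window; return the IPs
    whose count is still >= threshold (those that stay in iptables)."""
    cutoff = now - timedelta(days=expiry_days)
    counts = Counter(ip for ts, ip in records if ts >= cutoff)
    return {ip for ip, n in counts.items() if n >= threshold}

def estimate_range(octets):
    """Class C heuristic from the post: mean +/- sample standard deviation of the
    distinct fourth octets (hit counts not weighted), rounded inwards."""
    octets = sorted(set(octets))
    if len(octets) < 2:
        return None
    mean, sd = statistics.mean(octets), statistics.stdev(octets)
    return ceil(mean - sd), floor(mean + sd)

def range_blocks(records, now, min_msgs=10, expiry_days=10):
    """Address-block rule: for each /24 with more than min_msgs hits in the
    window, block the observed hosts plus the estimated gap range."""
    cutoff = now - timedelta(days=expiry_days)
    hosts, msgs = defaultdict(set), Counter()
    for net, host in (ip.rsplit(".", 1) for ts, ip in records if ts >= cutoff):
        hosts[net].add(int(host))
        msgs[net] += 1
    plan = {}
    for net, seen in hosts.items():
        if msgs[net] > min_msgs:
            rng = estimate_range(seen)
            blocked = set(seen) | set(range(rng[0], rng[1] + 1) if rng else ())
            plan[net] = sorted(blocked)
    return plan

def never_seen(plan, records):
    """Hosts the plan blocks without a single spam record: the extra
    false-positive exposure that gap filling adds (review these daily)."""
    seen = {ip for _, ip in records}
    return [f"{net}.{h}" for net in sorted(plan) for h in plan[net]
            if f"{net}.{h}" not in seen]
```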

