Re: spammers getting less stupid?
> I finally got to deploying greyscanner on my mailservers, and did
> something similar: trap every recipient address with two or more digits
> in the user part (one digit could be a typo, say a '2' before the '@').
> This catches most of it.

I forget, did you previously say whitelisting with greyscanner wasn't an
option?

-- 
___ 'Write programs that do one thing and do it well. Write programs to
work together. Write programs to handle text streams, because that is a
universal interface' (Doug McIlroy) ___
Re: spammers getting less stupid?
> I see it too. I also use greyscanner to catch spammers and I see a lot
> of spam to random numbers and letters@mydomains. So I trap all hosts
> sending to addresses with numbers in them (as I don't have any legit
> accounts with numbers). This catches almost all spam.

I finally got to deploying greyscanner on my mailservers, and did
something similar: trap every recipient address with two or more digits
in the user part (one digit could be a typo, say a '2' before the '@').
This catches most of it.

> I make all the fictitious addresses into spam traps.
> Here's a bit of the output from my spamd database:
> SPAMTRAP|a3d2...@witworx.com
> SPAMTRAP|a7c85e...@witworx.com
> ...

I do the same, but it seems less relevant now. In the past, when I
published a trap address, the bots harvested it and tried to send to it,
getting themselves trapped; but now they just shoot out to
wh4t3v3rg4rb...@mydomain.org, apparently generating the user part
themselves (as opposed to harvesting real/trap addresses somewhere).

> I clean out the traps every few days with a script and back they come
> with new tries.

Yes. Recently, the 64.18.0.0 farm has been active on me.

$ spamdb | grep TRAPPED
TRAPPED|86.122.194.113|1356282022
TRAPPED|212.110.189.85|1356283885
TRAPPED|216.106.48.217|1356289572
TRAPPED|64.18.0.21|1356308593
TRAPPED|171.76.91.71|1356281598
TRAPPED|64.18.0.140|1356286482
TRAPPED|217.200.184.87|1356290678
TRAPPED|64.18.0.23|1356304740
TRAPPED|64.18.0.142|1356285089
TRAPPED|194.228.32.128|1356286433
TRAPPED|64.18.0.25|1356298962
TRAPPED|64.18.3.31|1356302574
TRAPPED|64.18.0.177|1356322196
TRAPPED|91.121.102.20|1356281598
TRAPPED|178.236.112.75|1356281598
TRAPPED|64.18.0.187|1356301851
TRAPPED|64.18.0.144|1356295832
TRAPPED|67.228.3.116|1356298119
TRAPPED|64.18.0.27|1356310158
TRAPPED|64.18.0.181|1356286964
TRAPPED|217.72.102.116|1356281598
TRAPPED|64.20.227.133|1356282002
TRAPPED|64.18.0.146|1356305342
TRAPPED|64.18.0.183|1356294508
TRAPPED|213.174.32.135|1356281598
TRAPPED|89.189.37.102|1356286482
TRAPPED|64.18.0.148|1356290415
TRAPPED|64.18.0.247|1356293785
TRAPPED|64.18.0.185|1356286052
TRAPPED|74.125.149.196|1356287445

_All_ of the 64.18.0.0 hosts are trying dd02...@stare.cz for two days
now ...

> @GOOD = (
>     qr'^[A-Za-z\.\+]+@mydomain.(com|se)$'i,
> );
> $COMPREHENSIVE = 1;

I was trying this too, until a customer made a typo, blocking his
company's smtp server.

On Nov 05 22:36:30, s...@spacehopper.org wrote:
> On 2012-11-01, Jan Stary h...@stare.cz wrote:
> > Anyway, it seems (some) spambots got less demented and actually do
> > resend, getting themselves whitelisted - thus working themselves
> > around the whole premise of greylisting.
>
> Not the whole premise... A good part of it is to just delay the mail,
> this increases the chance that spamtraps etc will have picked up the
> mail before you accept it, thus increasing the effectiveness of other
> checks (DNSBL, razor/pyzor, etc).

True. Greyscanner has helped me very much!

	Jan
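Jan's `spamdb | grep TRAPPED` listing makes the 64.18.0.0 farm obvious by eye, but only because the list is short. As an added example (not from the thread and not part of spamd or greyscanner), the following POSIX shell script summarises TRAPPED records by /16 or /24 prefix so that a sending farm stands out in a larger database. The sample records are a subset copied from Jan's listing above plus one WHITE line to show that non-TRAPPED records are ignored; the script only reads, it never modifies the spamd database.

```shell
#!/bin/sh
# Added example: summarise spamdb(8) TRAPPED records per network prefix.
# Input on stdin is spamdb output; TRAPPED records look like
#   TRAPPED|ip|expire
# Nothing is written to the spamd database.

# trapped_by_prefix [bits] [min]
#   bits: 16 (default) or 24, the prefix length to aggregate on
#   min:  only print prefixes with at least this many trapped hosts
#         (default 2, i.e. hide the one-off hosts)
# Output: "<count> <prefix>/<bits>", most populous prefix first.
trapped_by_prefix() {
    pfx_bits=${1:-16}
    pfx_min=${2:-2}
    awk -F'|' -v bits="$pfx_bits" -v min="$pfx_min" '
        $1 != "TRAPPED" { next }            # ignore WHITE/GREY/SPAMTRAP
        {
            split($2, o, ".")
            if (bits == 24) p = o[1] "." o[2] "." o[3] ".0/24"
            else            p = o[1] "." o[2] ".0.0/16"
            # count each trapped IP once, even if it appears twice
            if (!($2 in seen)) { seen[$2] = 1; count[p]++ }
        }
        END {
            for (p in count) if (count[p] >= min) print count[p], p
        }' | sort -rn -k1,1
}

# Sample input: a subset of the TRAPPED lines from Jan's listing, plus a
# WHITE record (constructed IP) that the summary must skip.
SAMPLE='TRAPPED|86.122.194.113|1356282022
TRAPPED|212.110.189.85|1356283885
TRAPPED|64.18.0.21|1356308593
TRAPPED|64.18.0.140|1356286482
TRAPPED|64.18.0.23|1356304740
TRAPPED|64.18.0.142|1356285089
TRAPPED|64.18.3.31|1356302574
TRAPPED|64.18.0.177|1356322196
TRAPPED|217.72.102.116|1356281598
TRAPPED|64.20.227.133|1356282002
TRAPPED|64.18.0.187|1356301851
WHITE|198.51.100.5|||1351517497|1351518564|1354630766|2|1'

# Stand-alone use: `spamdb | sh thisscript.sh 24` on a live system, or
# `sh thisscript.sh --demo` to run on the sample above.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | trapped_by_prefix 16
    printf '%s\n' "$SAMPLE" | trapped_by_prefix 24
fi
```

On the sample this prints `7 64.18.0.0/16` and `6 64.18.0.0/24`; whether a prefix that dense deserves an entry in a spamd.conf blacklist rather than per-host traps is a policy call, but the summary is what you would base it on.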
Re: spammers getting less stupid?
(It seems like some of my mail does not go through to misc@, perhaps some
of my ISP's outgoing mailservers are blacklisted..?)

* Peter N. M. Hansteen (pe...@bsdly.net) wrote:
> http://undeadly.org/cgi?action=articlesid=20120604050025 and references
> therein show a 'works for me' example config (although the first
> ruleset block should really be discarded in favor of the second one, a
> true brainfart if there ever was one), with some further field notes to
> be found over at my blag.

Interesting, will check that.

I automated my trapping using greyscanner to automatically catch all mail
servers sending to addresses with numbers in them. Then I don't need to
update spamdb manually. Sometimes I see mailservers attempting delivery
to both legit and non legit addresses in one connection and this will
then catch that mailserver. I.e. in greyscanner.conf (use with caution..):

@GOOD = (
    qr'^[A-Za-z\.\+]+@mydomain.(com|se)$'i,
);
$COMPREHENSIVE = 1;

The main risk I see (as I am paranoid) is that a malicious person could
use a bouncing mail to make my mailserver trap a legit mail server that I
do not yet have as whitelisted.

BR
/Joakim
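The rule Jan describes (trap any recipient whose user part has two or more digits) and Joakim's greyscanner.conf above (a @GOOD pattern of letters, dots and plus signs at his own domains, with $COMPREHENSIVE set) are the same idea. As an added example, not code from the thread and not greyscanner itself, the POSIX shell script below applies that test to spamdb-format GREY records: it flags a source IP when the envelope-to user part carries two or more digits and the address does not match the @GOOD-style pattern, and prints the `spamdb -T -a` command that would trap it, without running anything against the database. The skip for null-sender (bounce) records is an assumption added here to address Joakim's backscatter worry, not greyscanner behaviour; the sample records, IPs and HELO names are constructed.

```shell
#!/bin/sh
# Added example: emulate a "two or more digits in the user part" greytrap
# rule over spamdb(8) GREY records read from stdin, in spamdb's format:
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
# The script never touches the spamd database; it prints the
# `spamdb -T -a <ip>` commands an operator (or a cron job) could run.

# Addresses that must never cause a trap (the @GOOD idea from
# greyscanner.conf): letters, dots and plus signs only in the user part,
# at one of our own domains.  mydomain.com/.se are the thread's
# placeholders.  Written as an awk ERE, hence [.] rather than \.
GOOD_RE='^[A-Za-z.+]+@mydomain[.](com|se)$'

# Policy knob (assumption, not a greyscanner setting): 1 also traps hosts
# that send bounces (null sender) to bogus addresses.  Default 0, since a
# bounce may be backscatter from a legitimate MTA that was joe-jobbed
# with one of our domains as the sender.
TRAP_BOUNCES=${TRAP_BOUNCES:-0}

# trap_candidates: read spamdb records on stdin, print each source IP
# that should be greytrapped, once, in order of first appearance.
trap_candidates() {
    awk -F'|' -v good="$GOOD_RE" -v bounces="$TRAP_BOUNCES" '
        $1 != "GREY" { next }                  # only greylisted tuples
        {
            ip = $2; from = $4; to = $5
            # tolerate <...> around addresses; a null sender becomes ""
            sub(/^</, "", to);   sub(/>$/, "", to)
            sub(/^</, "", from); sub(/>$/, "", from)
            if (to ~ good) next                 # known-good shape, leave it
            if (from == "" && bounces != 1) next  # bounce: see TRAP_BOUNCES
            user = to; sub(/@.*$/, "", user)
            # gsub returns the number of digits removed; one digit could be
            # a typo (a stray 2 before the @), two or more is the trap rule
            n = gsub(/[0-9]/, "", user)
            if (n >= 2 && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# emit_commands: turn the candidate list into spamdb(8) trap commands.
emit_commands() {
    trap_candidates | while read -r ip; do
        printf 'spamdb -T -a %s\n' "$ip"
    done
}

# Constructed sample records (IPs from RFC 5737 ranges, made-up HELO
# names and addresses).  Line 3 is a bounce to a bogus address; line 5
# is a plausible typo with a single digit.
SAMPLE='GREY|192.0.2.10|mx.example.net|alice@example.net|bob@mydomain.com|1356282022|1356283522|1356296422|1|0
GREY|192.0.2.11|pc-11.example.net|spam@example.org|a3d2fe7@mydomain.com|1356282100|1356283600|1356296500|1|0
GREY|192.0.2.12|mail.example.com||dd02a9@mydomain.se|1356282200|1356283700|1356296600|1|0
GREY|192.0.2.11|pc-11.example.net|spam@example.org|wh4t3v3r@mydomain.se|1356282300|1356283800|1356296700|2|0
GREY|192.0.2.13|laptop.example.net|carol@example.net|bob2@mydomain.com|1356282400|1356283900|1356296800|1|0
WHITE|198.51.100.5|||1351517497|1351518564|1354630766|2|1
TRAPPED|203.0.113.7|1356308593'

# Stand-alone use: `spamdb | sh thisscript.sh` on a live system, or
# `sh thisscript.sh --demo` to run on the sample above.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | emit_commands
fi
```

On the sample only 192.0.2.11 is reported: 192.0.2.10 sent to a @GOOD-shaped address, 192.0.2.13's `bob2` has a single digit, and 192.0.2.12's bounce is skipped unless TRAP_BOUNCES=1. The customer typo Jan mentions is exactly the single-digit case; a typo with two digits would still be trapped, which is the residual risk of any such rule.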
Re: spammers getting less stupid?
On Mon, 5 Nov 2012 07:52:50 +0100, Joakim Aronius wrote:
> * Kurt Mosiejczuk (kurt-openbsd-m...@se.rit.edu) wrote:
> > Jan Stary wrote:
> > > Strangely, the only occurrence of 2.139.201.210 in the last month's
> > > maillog is just this; that's half an hour after it got WHITE. What
> > > happened at Mon Oct 29 14:49:24 CET 2012 that made it WHITE?
> > >
> > > Anyway, it seems (some) spambots got less demented and actually do
> > > resend, getting themselves whitelisted - thus working themselves
> > > around the whole premise of greylisting.
> > >
> > > Are people seeing something similar?
> >
> > I'm seeing it. I recently tweaked my greyscanner settings to pick up
> > some spammers getting through who shouldn't (they were staying just
> > under the threshold for further scrutiny). But I've still been
> > getting a couple a day, and they only just got themselves
> > whitelisted.
> >
> > So, you are not alone...
> >
> > --Kurt
>
> Hi,
>
> I see it too. I also use greyscanner to catch spammers and I see a lot
> of spam to random numbers and letters@mydomains. So I trap all hosts
> sending to addresses with numbers in them (as I don't have any legit
> accounts with numbers). This catches almost all spam.
>
> But I also see some backscatter from legit mail servers sending
> delivery failure notifications to mails where my domains were used as
> sender. This then results in me blocking these legit servers in case
> they were not already whitelisted (not good..). Strangely enough it
> seems like I also get delivery failure notifications from nodes on
> e.g. xDSL networks, not sure if it's 'real' mail servers or bot nodes;
> some of these retry delivery according to RFC. Needs looking into..
>
> /Joakim

I have had a stack of both sides of the invalid address email stuff for
some time. I make all the fictitious addresses into spam traps. That way
I punish the fools whose servers return mail whence it came not. They
just get tarpitted and I don't care as they should be refusing to accept
incoming mail which they cannot deliver.

Google generates a smaller number now than they were doing a month ago
but they are whitelisted and just end up with a 550 NSN rejection. I
suspect that the idea is to spread spam/malware by tempting whoever
accepts the mail or the returned mail but I don't have time to play with
that and they go on getting nowhere on my servers either way. If they
really start bothering me in heaps I just may have to launch a few
missiles.

Here's a bit of the output from my spamd database:

SPAMTRAP|a3d2...@witworx.com
SPAMTRAP|a7c85e...@witworx.com
SPAMTRAP|abd3...@witworx.com
SPAMTRAP|cc705...@witworx.com
SPAMTRAP|cde50...@witworx.com
SPAMTRAP|d00a6d...@witworx.com
SPAMTRAP|d3a259...@witworx.com
SPAMTRAP|dabee8...@witworx.com
SPAMTRAP|e0c94...@witworx.com
SPAMTRAP|f08b2b...@witworx.com
SPAMTRAP|f3dc87...@witworx.com
SPAMTRAP|f7ae30...@witworx.com
SPAMTRAP|fc53...@witworx.com
SPAMTRAP|ff70...@witworx.com

I clean out the traps every few days with a script and back they come
with new tries. I just wish that backscatter monkeys would get their act
into gear because the other ones would simply get nowhere except the
tarpit.

Don't lose any sleep over it.

/R/

*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server
is tarpitted. The reply-to: address is provided for those who feel
compelled to reply off list. Thank you.

Rod/

---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.
Re: spammers getting less stupid?
Rod Whitworth glis...@witworx.com writes:
> I have had a stack of both sides of the invalid address email stuff for
> some time. I make all the fictitious addresses into spam traps. That
> way I punish the fools whose servers return mail whence it came not.
> They just get tarpitted and I don't care as they should be refusing to
> accept incoming mail which they cannot deliver.

Just like Rod describes here, I get a fair amount of goodness out of some
local greytrapping, where joejob-generated bounces serve as the source of
the bogus addresses. I *do* see some of the increased spam volume
delivered too, but then it's fairly easy to feed the offending IP
addresses into the local spamd-greytrap and serve them as training to
the bayesian beast.

http://undeadly.org/cgi?action=articlesid=20120604050025 and references
therein show a 'works for me' example config (although the first ruleset
block should really be discarded in favor of the second one, a true
brainfart if there ever was one), with some further field notes to be
found over at my blag.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spammers getting less stupid?
On 2012-11-01, Jan Stary h...@stare.cz wrote:
> Anyway, it seems (some) spambots got less demented and actually do
> resend, getting themselves whitelisted - thus working themselves around
> the whole premise of greylisting.

Not the whole premise... A good part of it is to just delay the mail,
this increases the chance that spamtraps etc will have picked up the
mail before you accept it, thus increasing the effectiveness of other
checks (DNSBL, razor/pyzor, etc).
Re: spammers getting less stupid?
* Kurt Mosiejczuk (kurt-openbsd-m...@se.rit.edu) wrote:
> Jan Stary wrote:
> > Strangely, the only occurrence of 2.139.201.210 in the last month's
> > maillog is just this; that's half an hour after it got WHITE. What
> > happened at Mon Oct 29 14:49:24 CET 2012 that made it WHITE?
> >
> > Anyway, it seems (some) spambots got less demented and actually do
> > resend, getting themselves whitelisted - thus working themselves
> > around the whole premise of greylisting.
> >
> > Are people seeing something similar?
>
> I'm seeing it. I recently tweaked my greyscanner settings to pick up
> some spammers getting through who shouldn't (they were staying just
> under the threshold for further scrutiny). But I've still been getting
> a couple a day, and they only just got themselves whitelisted.
>
> So, you are not alone...
>
> --Kurt

Hi,

I see it too. I also use greyscanner to catch spammers and I see a lot of
spam to random numbers and letters@mydomains. So I trap all hosts
sending to addresses with numbers in them (as I don't have any legit
accounts with numbers). This catches almost all spam.

But I also see some backscatter from legit mail servers sending delivery
failure notifications to mails where my domains were used as sender.
This then results in me blocking these legit servers in case they were
not already whitelisted (not good..). Strangely enough it seems like I
also get delivery failure notifications from nodes on e.g. xDSL
networks, not sure if it's 'real' mail servers or bot nodes; some of
these retry delivery according to RFC. Needs looking into..

/Joakim
Re: spammers getting less stupid?
/ Kurt Mosiejczuk wrote on Thu 1.Nov'12 at 16:02:06 -0400 /
> Jan Stary wrote:
> > Strangely, the only occurrence of 2.139.201.210 in the last month's
> > maillog is just this; that's half an hour after it got WHITE. What
> > happened at Mon Oct 29 14:49:24 CET 2012 that made it WHITE?
> >
> > Anyway, it seems (some) spambots got less demented and actually do
> > resend, getting themselves whitelisted - thus working themselves
> > around the whole premise of greylisting.
> >
> > Are people seeing something similar?
>
> I'm seeing it. I recently tweaked my greyscanner settings to pick up
> some spammers getting through who shouldn't (they were staying just
> under the threshold for further scrutiny). But I've still been getting
> a couple a day, and they only just got themselves whitelisted.
>
> So, you are not alone...
>
> --Kurt

Yep, me too. It's a constant battle. I spend quite a bit of time looking
through logs for IPs to block.
Re: spammers getting less stupid?
> For instance on one mailserver I took over, I noticed that after adding
> a Spamhaus sbl-xbl check, required rDNS, and other basic stuff like
> requiring a legitimate HELO/EHLO, spam attempts dropped by perhaps a
> factor of 100. It was shocking.

When you required rDNS I bet false positives went up by a factor of
1000. Many DSL users who have an ounce of security understanding and
unhelpful ISPs will be blocked by that. Check the forums for annoyed MTA
users.

> > Anyway, it seems (some) spambots got less demented and actually do
> > resend, getting themselves whitelisted - thus working themselves
> > around the whole premise of greylisting.
>
> Lots of spammers use snowshoe hosts now, which run normal MTA software.

The first rule of spamkill club. A spammer should not know your address
The second rule of spamkill club. A spammer should not know your address

If an address gets too much spam, warn that you will kill that address
and educate. At the very least be pro-active from now on with disposable
addresses. Your users will be very happy in the end when they are
surprised by who the spam instigating culprits are, especially when they
have violated their policies. Then use spamd to cost spammers money.

Even on old highly spammed addresses I get very few spam through and
only the occasional false positive which I catch, usually due to the
quorum.to list, but it does catch some that other lists don't and more
than it false positives, so I haven't deleted it, yet. Far better than
UK2's top anti-spam level which had a lot of false positives.

-- 
___ 'Write programs that do one thing and do it well. Write programs to
work together. Write programs to handle text streams, because that is a
universal interface' (Doug McIlroy) ___
Re: spammers getting less stupid?
> For instance on one mailserver I took over, I noticed that after adding
> a Spamhaus sbl-xbl check, required rDNS, and other basic stuff like
> requiring a legitimate HELO/EHLO, spam attempts dropped by perhaps a
> factor of 100. It was shocking.

Required rDNS, so false positives went up by a factor of 1000. Many DSL
users who have an ounce of security understanding and unhelpful ISPs
will be blocked by that. Check the forums for annoyed MTA users.

> > Anyway, it seems (some) spambots got less demented and actually do
> > resend, getting themselves whitelisted - thus working themselves
> > around the whole premise of greylisting.
>
> Lots of spammers use snowshoe hosts now, which run normal MTA software.

The first rule of spamkill club. A spammer should not know your address
The second rule of spamkill club. A spammer should not know your address

If a user gets too much spam, warn that you will kill that address and
educate. At the very least be pro-active from now on with disposable
addresses. Your users will be very happy in the end when they are
surprised by who the spam instigating culprits are, especially when they
have violated their policies.

Even on old highly spammed addresses I get very few spam through and
only the occasional false positive which I catch, usually due to the
quorum.to list, but it does catch some that other lists don't and more
than it false positives, so I haven't deleted it, yet. Far better than
UK2's top anti-spam level which had a lot of false positives.

-- 
___ 'Write programs that do one thing and do it well. Write programs to
work together. Write programs to handle text streams, because that is a
universal interface' (Doug McIlroy) ___
Re: spammers getting less stupid?
On Fri, Nov 02, 2012 at 09:55:56AM +, Kevin Chadwick wrote:
> When you required rDNS I bet false positives went up by a factor of
> 1000.

No, legitimate traffic remained steady and not a single complaint was
registered. YMMV.

Back on topic, in my personal experience, spamd is more effective than
the Spamhaus zen or sbl-xbl lists by a good margin (remember not to use
both, as the former contains the latter). Also it seems that the gulf is
widening, making spamd even more valuable than before. But everyone's
traffic is different.

Nicolai
Re: spammers getting less stupid?
Jan Stary wrote:
> Strangely, the only occurrence of 2.139.201.210 in the last month's
> maillog is just this; that's half an hour after it got WHITE. What
> happened at Mon Oct 29 14:49:24 CET 2012 that made it WHITE?
>
> Anyway, it seems (some) spambots got less demented and actually do
> resend, getting themselves whitelisted - thus working themselves around
> the whole premise of greylisting.
>
> Are people seeing something similar?

I'm seeing it. I recently tweaked my greyscanner settings to pick up some
spammers getting through who shouldn't (they were staying just under the
threshold for further scrutiny). But I've still been getting a couple a
day, and they only just got themselves whitelisted.

So, you are not alone...

--Kurt
Re: spammers getting less stupid?
On Thu, 1 Nov 2012 20:49:39 +0100 Jan Stary h...@stare.cz wrote:
> After cleaning my spamdb on the first of last month, I see that there
> are 572 WHITE hosts now. Only a handful of those are legitimate (my
> mailserver is very low traffic, basically just mail for my family).
> Looking at the logs, I see that most of them got themselves whitelisted
> by actually resending within greyexp.

The number of compromised customer hosts lately has been increasing.
It's more likely that your spammers are using normal well configured
MTAs (postfix/exim/etc) on compromised servers which are going to
eventually get through the greylist.

I do agree though -- there are too many getting whitelisted lately. If
anyone has recommended greyscanner tweaks I'd love to hear them.
Re: spammers getting less stupid?
On 1 November 2012 12:49, Jan Stary h...@stare.cz wrote:
> Here is a typical host:
>
> WHITE|2.139.201.210|||1351517497|1351518564|1354630766|2|1
>
> which is 210.red-2-139-201.staticip.rima-tde.net. It tried to connect
> at Mon Oct 29 14:31:37 CET 2012, and got WHITE at Mon Oct 29 14:49:24
> CET 2012. It is obviously a spammer:
>
> Oct 29 15:19:26 biblio smtpd[26924]: b4f049e1: from=@,
> relay=210.red-2-139-201.staticip.rima-tde.net [2.139.201.210],
> stat=LocalError (530 5.0.0 Recipient rejected: 7e8a5...@stare.cz)
>
> Strangely, the only occurrence of 2.139.201.210 in the last month's
> maillog is just this; that's half an hour after it got WHITE. What
> happened at Mon Oct 29 14:49:24 CET 2012 that made it WHITE?

The spammer must have successfully passed the greylisting with spamd on
Mon Oct 29 14:49:24 CET 2012. The spamd setup requires at least two
connections to spamd, prior to the connections being permitted to the
real smtp server. This is different from the MTA-based greylisting,
where mail can be delivered as soon as the second attempt. With spamd,
at least three attempts are required for the initial delivery of mail,
since spamd cannot hand over an existing connection to the real smtp
server when the greylisting requirements are satisfied.

C.
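To make C.'s point concrete, here is an added POSIX shell script (written for this page; it is neither spamd code nor something from the thread) that models what happens to one source IP across successive connection attempts. It follows the behaviour C. describes: the first attempt creates a GREY entry and is answered by spamd with a temporary failure; a retry before the passtime is answered the same way; a retry at or after the passtime whitelists the host, but that connection was already redirected to spamd and is still answered by it; only the next attempt reaches the real MTA. The passtime, greyexp and whiteexp defaults (25 minutes, 4 hours, 36 days, spamd's -G passtime:greyexp:whiteexp = 25:4:864) are spamd's documented defaults; the attempt timestamps are constructed, and Jan's WHITE record above (block count 2, pass count 1) is the shape this model reproduces for a host that retries once after the passtime.

```shell
#!/bin/sh
# Added example: a model of spamd greylisting for a single source IP.
# Input on stdin: connection attempt times (seconds since the epoch),
# one per line, in order.  Output: one line per attempt,
#   "<time> <state after this attempt> <handled-by>"
# where handled-by is "spamd" (temporary failure returned) or "mta"
# (pf let the connection through to the real smtp server).
#
# Defaults match spamd's -G passtime:greyexp:whiteexp = 25:4:864
# (minutes:hours:hours); override via the environment to experiment.
PASSTIME=${PASSTIME:-$((25 * 60))}
GREYEXP=${GREYEXP:-$((4 * 3600))}
WHITEEXP=${WHITEEXP:-$((864 * 3600))}

greylist_timeline() {
    awk -v passtime="$PASSTIME" -v greyexp="$GREYEXP" -v whiteexp="$WHITEEXP" '
        BEGIN { state = "NONE" }
        {
            t = $1 + 0
            # expiry: a WHITE entry lapses after whiteexp; a GREY entry
            # that was never retried lapses after greyexp, so a bot that
            # comes back much later starts over
            if (state == "WHITE" && t >= white_until) state = "NONE"
            if (state == "GREY"  && t >= first + greyexp) state = "NONE"

            if (state == "NONE") {
                # first contact: GREY entry created, spamd answers 45x
                state = "GREY"; first = t; blocks = 1
                printf "%d GREY spamd\n", t
            } else if (state == "GREY") {
                blocks++
                if (t >= first + passtime) {
                    # retried late enough: whitelisted now, but this
                    # connection had already been redirected to spamd,
                    # so it is still blocked (block count 2 in spamdb)
                    state = "WHITE"; white_until = t + whiteexp
                    printf "%d WHITE spamd\n", t
                } else {
                    # retried too early: still GREY, blocked again
                    printf "%d GREY spamd\n", t
                }
            } else {
                # WHITE: pf no longer redirects, the MTA sees it
                printf "%d WHITE mta\n", t
            }
        }'
}

# attempts_to_mta: ordinal of the first attempt that reaches the MTA
# (prints nothing if none does).
attempts_to_mta() {
    greylist_timeline | awk '$3 == "mta" { print NR; exit }'
}

# Constructed demo: a well-behaved MTA that retries 30 minutes after its
# first attempt and again 30 minutes after that.
DEMO='1351517497
1351519297
1351521097'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$DEMO" | greylist_timeline
    printf 'attempts until the MTA saw it: %s\n' \
        "$(printf '%s\n' "$DEMO" | attempts_to_mta)"
fi
```

Run with `--demo` it prints GREY/spamd, WHITE/spamd, WHITE/mta and reports 3, which is the "at least three attempts" C. describes. Feeding it a bot that fires three times a minute apart shows every attempt blocked; a host that comes back after greyexp has passed gets a fresh GREY entry. That is also the greylist's weak spot in this thread: any sender that simply retries after the passtime, snowshoe MTA or patient bot, is whitelisted by the same rule.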
Re: spammers getting less stupid?
On Thu, Nov 01, 2012 at 08:49:39PM +0100, Jan Stary wrote:
> After cleaning my spamdb on the first of last month, I see that there
> are 572 WHITE hosts now. Only a handful of those are legitimate (my
> mailserver is very low traffic, basically just mail for my family).

You and I have similar usage but wildly different traffic:

$ spamdb | awk -F '|' '/^WHITE/ {print $2}'|wc -l
19

I don't think this has anything to do with spamd. You might try creating
an SPF -all record; maybe some spammers cull such domains from their
lists. I also use the Spamhaus DROP list and Team Cymru's fullbogons
list and require FCrDNS. Domains that can't be contacted, under a
certain threshold, eventually get culled from some lists, and over time
there's a dramatic benefit.

For instance on one mailserver I took over, I noticed that after adding
a Spamhaus sbl-xbl check, required rDNS, and other basic stuff like
requiring a legitimate HELO/EHLO, spam attempts dropped by perhaps a
factor of 100. It was shocking.

> Anyway, it seems (some) spambots got less demented and actually do
> resend, getting themselves whitelisted - thus working themselves around
> the whole premise of greylisting.

Lots of spammers use snowshoe hosts now, which run normal MTA software.

Nicolai