Mike Cardwell wrote:
Marc Perkel wrote:

BTW - for those who are curious, the lists are generated mostly from Exim rules. Exim has a feature that allows me to track hosts that don't use QUIT to close a connection. Thus the combination of fake MX, no QUIT, no or bad rDNS or dynamic IP, and various HELO sins is usually enough to identify spam bots. SA doesn't run on the tarbaby server because I do a 4xx error at the beginning of DATA. But it's quite the harvester of botnets and I can usually blacklist them on the very first attempt.

Regarding your technique of listing hosts that don't use QUIT. I noticed something interesting the other day, but haven't gathered any statistics yet. A lot of what appear to be zombied machines seem to close the TCP connection with my SMTP server by firing off a packet containing an RST packet rather than the expected FIN packet.

A cool idea would be an application in a similar vein to p0f, but which passively detected the SMTP client software rather than the operating system. It might then be possible to distribute signatures that identified specific zombie software, as well as real MTAs.

I'm going to have to look into that. That might be a significant indicator of spam.
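As an added illustration of the signal combination described above (repeated no-QUIT disconnects, missing rDNS, HELO sins), here is a small log scorer. It is example code, not anything from the thread or from Exim; the log lines are constructed in Exim main-log style, and the `my_name` hostname and the two-signal threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed Exim-style main-log lines (not taken from the thread). Exim writes
# "name (helo) [ip]" when reverse DNS resolved and "(helo) [ip]" when it did not;
# "unexpected disconnection" means the client dropped the session without QUIT.
SAMPLE_LOG = """\
2009-05-01 10:00:01 unexpected disconnection while reading SMTP command from (mail.example.com) [203.0.113.10]
2009-05-01 10:00:05 unexpected disconnection while reading SMTP command from (localhost) [203.0.113.10]
2009-05-01 10:00:09 SMTP connection from mx1.example.net (mx1.example.net) [198.51.100.7] closed by QUIT
2009-05-01 10:00:12 unexpected disconnection while reading SMTP command from (friend) [203.0.113.10]
2009-05-01 10:00:20 unexpected disconnection while reading SMTP command from relay.example.org (relay.example.org) [198.51.100.9]
2009-05-01 10:00:31 SMTP connection from (mail.example.com) [203.0.113.10] closed by QUIT
"""

# Optional rDNS name, then "(helo)" and "[ip]".
HOST_RE = re.compile(r"from (?:(?P<rdns>[^\s(]+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]")


def parse_connections(log_text):
    """Return per-IP counters: no_quit, quit, rdns (bool), helos (set of HELO names)."""
    hosts = defaultdict(lambda: {"no_quit": 0, "quit": 0, "rdns": False, "helos": set()})
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        h = hosts[m["ip"]]
        h["helos"].add(m["helo"])
        if m["rdns"]:
            h["rdns"] = True
        if "unexpected disconnection" in line:
            h["no_quit"] += 1
        elif "closed by QUIT" in line:
            h["quit"] += 1
    return dict(hosts)


def suspicious_hosts(hosts, my_name, min_no_quit=2):
    """Flag IPs that show at least two independent signals: repeated drops without
    QUIT, no reverse DNS, or a HELO claiming to be us or 'localhost'."""
    flagged = {}
    for ip, h in hosts.items():
        reasons = []
        if h["no_quit"] >= min_no_quit:
            reasons.append("no_quit=%d" % h["no_quit"])
        if not h["rdns"]:
            reasons.append("no_rdns")
        bad = {x for x in h["helos"] if x.lower() in (my_name.lower(), "localhost")}
        if bad:
            reasons.append("helo=" + ",".join(sorted(bad)))
        if len(reasons) >= 2:  # a single signal is not enough to list a host
            flagged[ip] = reasons
    return flagged
```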
