Autor: Alan J. Flavell Data: A: Richard Clayton CC: Exim users list Assumpte: Re: [exim] Re: Report of new spam technique
On Sun, 6 Feb 2005, Richard Clayton wrote:
> An absolutely key measurement is delivery failures. Legitimate email,
> from mailing lists etc, will mainly have valid destination addresses and
> will tend not to trip detectors at remote sites. However, virus/worm
> activity and hijacked machines sending spam will have significantly
> higher failure rates... a good rule of thumb (your volumes may vary)
> is that 100 failures over 24 hours is unacceptable
Yes, but based on what? Envelope-sender address? IP address of
offering MTA?
A couple of years back, I put a stanza in our RCPT ACL for detecting a
certain kind dictionary attack. It basically triggered if it reached
"n" invalid RCPT TO addresses in the same call, without at least "m"
valid addresses (where n and m were parameters to be chosen, e.g 5 and
2). But of course it relies on the attacker trying several addressees
per call. That kind of dictionary attack was very prevalent a couple
of years back, which prompted me to devise that action; later, it
seemed to go out of fashion.
Actually, the stanza isn't doing very much at the moment, beyond
cutting a warning in the log. At the time, I had been having the ACL
write the offending IPs to a file, and using that file as a blacklist.
But later (and after the attacks had faded away), we had an incident
where AOL had tried to send us a bunch of non-delivery reports for
faked addresses which didn't exist, all in a single call - and the
stanza had then promptly blacklisted AOL as a dictionary attacker.
Oops. So I had turned off the actual blocking, although the logging
is still operative.
But funnily enough I've been seeing fresh outbreaks of it (or
something quite like it) recently: the detection stanza triggered 50
times last week. They came in a number of fairly tight bunches, with
gaps of a couple of days between the bunches.
Anyhow, to get back to your point... I was wondering whether your
aggregation of invalid RCPT addresses was done per envelope-sender or
per MTA IP (or even something else?).
Many spammers vary their (faked) envelope-sender address, and many of
them are now also working through numerous zombies. So, although
either approach may keep out some proportion of spam, there's another
portion that can get past both criteria.
> Basically you leverage the inability of viruses (and spammers) to
> tell good addresses from bad PLUS all the fancy detectors running at
> remote sites whose results you get to feed back into your decision
> making :)