Marc Perkel wrote:
> Testing it out and so far I like it.
>
> http://tanaya.net/DynaStop/
>
>
> Spam often doesn't retry
I keep hearing that, and perhaps it was true at one time.
But *all* my server logs, heavily verbose, yes, for the better part of a year
show not only the reverse to now be true, but *massively* so.
The 'retry' may not be queue-driven as we would do it for an 'honest' balked
delivery, so perhaps it is technically accurate to not call it a 'retry' in
smtp-terms.
But the pattern - and the 'hole' they are seeking - is the same.
Attacks come in successive waves, often predictable by time-of-day, spaced just
far enough apart to overcome typical greylisting, and have all the earmarks of
zombie farms under pseudo-dynamic update:
- They present the same, harvested-but-long-since invalid and/or lame to the
point of silliness dictionary-attack usernames.
'keilholz@', 'anastasio@', '<domain.tld>@', '<domain_oldusername>@',
'<alphameric_string>@', '<presumed_common_name>@', '<reversed_harvested_name>@'
- Their forged HELO's repeat, again and again, ELSE they HELO by IP, or as the
very host they are targeting, or with their adsl ID as a HELO.
- The originating networks & IP blocks are cycled and re-used at regular
intervals. Some for *years*.
- They auto-abandon on a short delay (most just over 30 seconds), and on second
such 'jail' term if not the first.
The only thing that does not repeat for long are the 'Subject:' and 'From:'
headers and (apparently) the payload.
You may not class these as smtp-compliant 'retry'.
But if you think these seldom *repeat* you are either experiencing
pure-dumb-BS-luck, are just not analysing your logs deeply enough, OR have cut
yourself out of the data-collection and 'scouting' side of the war too soon.
I don't care what would be 'attracted' to a secondary MX, nor to a 'honeytrap'
or 'tarpit'. That's like buying your ladyfriend a bra with three cups.
Amusing. Once. Maybe.
All I care about are the ones that target the 'real' server.
The good news is that a blocklist of 400-600 partially-wildcarded 'HELO' names
nails about 70-80%, and twice that gets nearly all of them - both figures now
solidly verified against two or more RBL's. About 1/4 of these persist
year-on-year for the 5+ years we have been watching.
Within a month or so, the perps will have 'harvested' a new batch of compliant
Winboxen. Same HELO's, new IP, new payload. SS,DD ==> DS,DD.
So - yes - DynaStop will nail a very high percentage of these - but I still
think rDNS and DYN-RBL caches will be faster, leaner, and much more up-to-date.
YMMV, as everyone's servers see at least *some* difference.
Bill
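As an added illustration of the HELO earmarks listed in the post above (this is not Bill's or Marc's code, nor DynaStop's), here is a small Python classifier that runs over constructed log lines: it flags a HELO given as a bare IP, a HELO that names the very host being targeted, and matches against a partially-wildcarded HELO blocklist, then tallies how often each flagged HELO repeats and from which IPs. The log layout, blocklist patterns, hostnames and addresses are all assumptions (documentation ranges and .invalid names), not observed data.

```python
import ipaddress
import re
from fnmatch import fnmatch

# Constructed, partially-wildcarded HELO blocklist (placeholder patterns, not real data).
HELO_BLOCKLIST = ["adsl-*", "*.dyn.example-isp.invalid", "*-pool.example.invalid"]

# Constructed SMTP log lines in an assumed "timestamp client-ip helo=<name>" layout.
SAMPLE_LOG = """\
2024-03-01T02:10:05 203.0.113.5 helo=adsl-203-0-113-5.example.invalid
2024-03-01T02:10:41 203.0.113.5 helo=adsl-203-0-113-5.example.invalid
2024-03-01T02:11:02 198.51.100.7 helo=mx.example.org
2024-03-01T02:11:30 198.51.100.9 helo=[198.51.100.9]
2024-03-01T02:12:00 192.0.2.44 helo=host44.dyn.example-isp.invalid
2024-03-01T02:12:15 192.0.2.10 helo=mail.partner.example
2024-03-01T02:13:00 203.0.113.5 helo=adsl-203-0-113-5.example.invalid
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+helo=(?P<helo>\S+)$")

def classify_helo(helo, target_hosts, blocklist=HELO_BLOCKLIST):
    """Return the earmark a HELO matches, or None if it looks ordinary."""
    h = helo.strip().lower()
    try:
        ipaddress.ip_address(h.strip("[]"))  # HELO by bare or bracketed IP literal
        return "helo-by-ip"
    except ValueError:
        pass
    if h in {t.lower() for t in target_hosts}:  # HELO as the very host being targeted
        return "helo-as-target"
    for pat in blocklist:
        if fnmatch(h, pat):  # shell-style wildcard match against the blocklist
            return "blocklist:" + pat
    return None

def scan_log(text, target_hosts):
    """Tally flagged HELOs: {helo: {"reason": str, "count": int, "ips": set}}."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_helo(m["helo"], target_hosts)
        if reason is None:
            continue
        entry = hits.setdefault(m["helo"].lower(), {"reason": reason, "count": 0, "ips": set()})
        entry["count"] += 1
        entry["ips"].add(m["ip"])
    return hits
```

Running `scan_log(SAMPLE_LOG, ["mx.example.org"])` on the constructed lines flags four HELOs and leaves the ordinary one untouched; the repeat counts are what make the "same HELO, new IP" pattern visible when the input is a real day's log.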