Re: [exim] DynaStop - I like it!

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] DynaStop - I like it!
Marc Perkel wrote:
> Testing it out and so far I like it.
>
> http://tanaya.net/DynaStop/
>
>
> Spam often doesn't retry


I keep hearing that, and perhaps it was true at one time.

But *all* my server logs, heavily verbose, yes, for the better part of a year
show not only the reverse to now be true, but *massively* so.

The 'retry' may not be queue-driven as we would do it for an 'honest' balked
delivery, so perhaps it is technically accurate to not call it a 'retry' in
smtp-terms.

But the pattern - and the 'hole' they are seeking - is the same.

Attacks come in successive waves, often predictable by time-of-day, spaced just
far enough apart to overcome typical greylisting, and have all the earmarks of
zombie farms under pseudo-dynamic update:

- They present the same, harvested-but-long-since invalid and/or lame to the
point of silliness dictionary-attack usernames.

'keilholz@', 'anastasio@', '<domain.tld>@', '<domain_oldusername>@',
'<alphameric_string>@', '<presumed_common_name>@', '<reversed_harvested_name>@'

- Their forged HELOs repeat, again and again, ELSE they HELO by IP, or as the
very host they are targeting, or with their adsl ID as a HELO.

- The originating networks & IP blocks are cycled and re-used at regular
intervals. Some for *years*.

- They auto-abandon on a short delay (most just over 30 seconds), and on second
such 'jail' term if not the first.

The only things that do not repeat for long are the 'Subject:' and 'From:'
headers and (apparently) the payload.

You may not class these as smtp-compliant 'retry'.

But if you think these seldom *repeat* you are either experiencing
pure-dumb-BS-luck, are just not analysing your logs deeply enough, OR have cut
yourself out of the data-collection and 'scouting' side of the war too soon.

I don't care what would be 'attracted' to a secondary MX, nor to a 'honeytrap'
or 'tarpit'. That's like buying your ladyfriend a bra with three cups.
Amusing. Once. Maybe.

All I care about are the ones that target the 'real' server.

The good news is that a blocklist of 400-600 partially-wildcarded 'HELO' names
nails about 70-80%, and twice that gets nearly all of them - both figures now
solidly verified against two or more RBLs. About 1/4 of these persist
year-on-year for the 5+ years we have been watching.

Within a month or so, the perps will have 'harvested' a new batch of compliant
Winboxen. Same HELO's, new IP, new payload. SS,DD ==> DS,DD.

So - yes - DynaStop will nail a very high percentage of these - but I still
think rDNS and DYN-RBL caches will be faster, leaner, and much more up-to-date.

YMMV, as everyone's servers see at least *some* difference.

Bill
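The two mechanisms Bill describes above, a partially-wildcarded HELO blocklist plus rejecting HELO-by-IP and HELO-as-our-own-host, and the log analysis that shows the same source coming back in waves hours apart and dropping the connection just past a deliberate delay, as an added example. This is not code from the original post, from Exim or from DynaStop; the record format, the blocklist entries, the host names and addresses, and the thresholds (three attempts, a 30-second delay) are assumptions constructed for illustration.

```python
"""HELO-pattern screening and repeat-wave detection over constructed SMTP
session records. Added example; not code from the original post or from
Exim or DynaStop. Record format, blocklist entries and thresholds are all
assumptions made for illustration."""
import fnmatch
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed, partially-wildcarded HELO blocklist in the spirit of the
# 400-600 entry list the post describes (entries are hypothetical).
HELO_BLOCKLIST = [
    "adsl-*.example-telco.com",
    "*.dynamic.example-isp.net",
    "*-dsl-*",
    "friend",
    "localhost",
]
# Our own MX names and addresses (hypothetical); a client that HELOs as us is lying.
OUR_NAMES = {"mx.example.org", "mail.example.org"}
OUR_ADDRS = {"192.0.2.25"}


def classify_helo(helo, blocklist=HELO_BLOCKLIST):
    """Return a rejection reason for a HELO string, or None if it passes.

    Checks, in order: HELO is a bare or bracketed IP literal, HELO claims
    to be this server, HELO matches a wildcard entry in the blocklist.
    """
    h = helo.strip().lower()
    literal = h[1:-1] if h.startswith("[") and h.endswith("]") else h
    try:
        ipaddress.ip_address(literal)
        return "helo-is-our-host" if literal in OUR_ADDRS else "helo-is-ip"
    except ValueError:
        pass
    if h in OUR_NAMES:
        return "helo-is-our-host"
    for pattern in blocklist:
        if fnmatch.fnmatchcase(h, pattern.lower()):
            return "helo-blocklist:" + pattern
    return None


# Constructed session records, one connection per line. 'outcome=dropped'
# means the client hung up during a deliberate delay of 'held' seconds.
SESSIONS = """\
2024-03-01T02:10:04 198.51.100.7 helo=adsl-7.example-telco.com rcpt=keilholz@example.org outcome=dropped held=31
2024-03-01T06:12:09 198.51.100.7 helo=adsl-7.example-telco.com rcpt=anastasio@example.org outcome=dropped held=30
2024-03-01T10:14:00 198.51.100.7 helo=adsl-7.example-telco.com rcpt=keilholz@example.org outcome=dropped held=32
2024-03-01T03:00:00 198.51.100.44 helo=[198.51.100.44] rcpt=example.org@example.org outcome=dropped held=33
2024-03-01T09:00:00 203.0.113.9 helo=mx.example.org rcpt=bob@example.org outcome=dropped held=31
2024-03-01T12:00:00 192.0.2.77 helo=smtp.partner.example.com rcpt=alice@example.org outcome=deferred held=3
2024-03-01T12:20:00 192.0.2.77 helo=smtp.partner.example.com rcpt=alice@example.org outcome=accepted held=4
"""


def parse_session(line):
    """Parse one constructed record into a dict of timestamp, ip and key=value fields."""
    stamp, ip, *kv = line.split()
    rec = {"time": datetime.fromisoformat(stamp), "ip": ip}
    for item in kv:
        key, _, value = item.partition("=")
        rec[key] = value
    rec["held"] = int(rec.get("held", 0))
    return rec


def find_waves(log_text, min_attempts=3, abandon_after=30):
    """Group sessions by (ip, helo) and return the sources that came back at
    least min_attempts times and bailed out during the delay every time.

    Such a source is a 'repeat' in the post's sense even though it never
    issues a queue-driven SMTP retry: same HELO, same IP, same lame
    recipients, abandoned just past the delay, hours apart.
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_session(line)
            by_source[(rec["ip"], rec["helo"])].append(rec)
    waves = {}
    for key, recs in by_source.items():
        recs.sort(key=lambda r: r["time"])
        bailed = all(r["outcome"] == "dropped" and r["held"] >= abandon_after for r in recs)
        if len(recs) >= min_attempts and bailed:
            gaps = [(b["time"] - a["time"]).total_seconds() / 3600 for a, b in zip(recs, recs[1:])]
            waves[key] = {
                "attempts": len(recs),
                "recipients": sorted({r["rcpt"] for r in recs}),
                "hours_between": [round(g, 2) for g in gaps],
                "helo_verdict": classify_helo(key[1]),
            }
    return waves


if __name__ == "__main__":
    for (ip, helo), info in find_waves(SESSIONS).items():
        print(ip, helo, info)
    for h in ("[198.51.100.44]", "mx.example.org", "smtp.partner.example.com"):
        print(h, "->", classify_helo(h))
```

On the constructed records the only source flagged as a wave is 198.51.100.7: three visits roughly four hours apart, every one abandoned 30-32 seconds into the delay, cycling the same two harvested usernames, and its HELO already trips the wildcard list. The partner host that deferred and then came back twenty minutes later with a real retry is left alone, which is the distinction the post draws between an honest balked delivery and a zombie farm probing for a hole.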