Author: Marc Perkel Date: To: W B Hacker CC: exim users Subject: Re: [exim] No QUIT is spambot indicator
W B Hacker wrote:
> Marc Perkel wrote:
>
>> Not that it is by itself but when combined with other conditions it is
>> very effective. My theory is that after the message is sent by the virus
>> sending the quit just takes more time and bandwidth so the spambot just
>> leaves the connection open on the server side.
>>
>> But - almost all of the connections that time out are spambots. So you
>> can combine this with a number of other sins and have a very effective
>> means of identifying spambots.
>>
>>
>>
>
> Maybe.
>
> Possible circular logic here. You may have *caused* them to time-out.

I'm not looking at all timeouts. I'm narrowing it down with a lot of
conditions.

> To the extent you have already ID'ed a possible 'bot and sent a 'deny' or
> 'defer' to it, many of them lack the mechanism to understand or action SMTP-time
> rejections.
>
> Their coder didn't provide for the situation encountered. Simpler and cheaper
> for him to fire, forget, move on, not worry about what the victim had to say.
>
> If instead they sit on the connection it may be out of pure confusion.
>
> Most zombot masters want to hit as many targets in a day as they can do, so pay
> more attention to not getting stuck than to RFC handshake compliance.
>
> As little as a 3 second delay before sending your deny/defer/{whatever} sees
> most such drop off here.
>
> Bill
>
>
This is turning into a major advancement for me. Once I apply some
conditions to prevent detecting notquits I cause, the result is 99.9%
spam. That isn't good enough by itself, but if I combine that with some
other sins that aren't good enough by themselves, the combination is good
enough.
For example, my fake MX detection is 99.9% and this notquit is 99.9%, so
you combine them and you get 99.9999%, and that's good enough.
Basically, most all good email servers are polite and do the quit. Most
all spam bot servers don't want to expend the time and bandwidth to be
polite, and that can be used in combination with other indicators to
catch spam.
The new 4.68 Exim is a major advancement with the notquit ACL and the
noupdate feature on the ratelimit.
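As an added illustration (not Marc's configuration and not from the Exim distribution), the fragment below shows one way the 4.68 notquit ACL and the ratelimit noupdate option discussed in the thread can be wired together: only sessions the client itself closed without QUIT are counted per host, and that count is used as one indicator alongside another check rather than on its own. It assumes a hypothetical ACL variable $acl_m_othersin set to 1 by some earlier test in the session (standing in for Marc's fake-MX check, which the message does not detail) and the ACL names acl_check_notquit and acl_check_rcpt, which are arbitrary.

```exim
# Main section: run an ACL whenever an SMTP session ends without QUIT
# (acl_smtp_notquit is new in Exim 4.68).
acl_smtp_notquit = acl_check_notquit
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_notquit:
  # Count only sessions where the peer dropped the connection itself.
  # Timeouts and sessions Exim ended with "drop" are excluded, since those
  # may have been provoked by our own deny/defer (Bill's point above).
  warn  condition   = ${if eq{$smtp_notquit_reason}{connection-lost}}
        # A limit of 0 means the condition is always "over limit", which is
        # harmless under warn; the point is the side effect: with strict,
        # the per_conn counter keyed on this host is bumped once per session.
        ratelimit   = 0 / 24h / per_conn / strict / notquit-$sender_host_address
        log_message = no-QUIT disconnect from $sender_host_address, \
                      rate $sender_rate in $sender_rate_period
  accept

acl_check_rcpt:
  accept  authenticated = *

  # Combine the no-QUIT history with another indicator before rejecting.
  # noupdate reads the counter without incrementing it; incrementing happens
  # only in the notquit ACL. $acl_m_othersin is hypothetical: assume an
  # earlier ACL set it to 1 when some other "sin" was observed.
  deny    message     = Too many connections dropped without QUIT
          condition   = ${if eq{$acl_m_othersin}{1}}
          ratelimit   = 3 / 24h / per_conn / noupdate / notquit-$sender_host_address

  accept
```

The two ratelimit lines must use the same key (here notquit-$sender_host_address) and the same per_conn mode, otherwise they refer to different counters in the hints database.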