Re: [exim] Backscatter

Author: W B Hacker
Date:  
To: exim-users
Subject: Re: [exim] Backscatter
Ted Cooper wrote:
> On 05/06/10 14:44, W B Hacker wrote:
>> I'm no fan of Marc's ways of 'tasting' or playing with spam to
>> inflate stats instead of simply blocking it - but he is by no means
>> alone in raising the bar to unwanted sender callouts.
>
> He's the only one causing me issues. Everyone else just rejects the
> message and gets on with life. He's also not checking for spam - just
> assuming everything is spam. I'll occasionally have a complaint from
> someone unable to send to someone they could email last week, but
> they're easy enough to handle locally.
>
>> Curious as to which ISP would have paid any attention to his
>> 'service' in the first place?
>
> It's People Telecom in Australia for this particular client. I'm working
> very hard on getting them to drop the feedback loop in question and am
> considering talking to the postmaster of the recipient domain to get
> them to switch to a different filtering provider.


You can tell them in all honesty that folks too far away to drill their
collective ass for brains have started to Locally Blacklist them.

>
>> Local rules will either block or 'sanitize' (as above) the same folks
>> they list *when misbehaving* ELSE NOT, hide fewer 'false positives'.
>> All w/o need of calling a Remote BL or being concerned if it is
>> available, responding rapidly, or accurate.
>
> The main reason I added ips.backscatterer.org to my bounce checking is
> because of several joe job spam runs.
>
> Each of the hosts sending the bounce messages was passing every rDNS,
> HELO, and DNSBL. They were mostly eastern bloc servers which accepted
> all emails to any address and then bounced them. The bounce messages did
> not always include the content but instead just the rejection message so
> content filters couldn't even pick them up. The spam runs were always
> done overnight for my timezone so I could not act on them until it was
> all over.


Ah - OK. 'nuther reason I don't see those is that I have over the course of many
years accumulated in excess of 1200 of the world's most careless ISPs into a
Local Blacklist. Several orders of magnitude less ambitious than Marc and his
bogus MTA honeytraps etc. But these cover a large percentage of the WinBot
indifferent.

Most of Brazil, much of China, a good deal of Taiwan, Korea, and the
Philippines, Pakistan, Burma, Bangladesh - and a very large number of the
carriers and ISPs of the former East bloc are in there.

Nothing arbitrary about it. Each of the 'inmates' has supported the sending of
spam or backscatter to one or more of our users at least once.

And one is all you get from a sysadmin with Irish Alzheimer's.

>
> Even after the runs, none of these servers were listed on any major or
> minor list, except backscatterer.


Odds are I have 'em. Can send you the file off-list if you like. ELSE grep it
against a list of those you had the joe-job from and see if they are in there.

It hasn't been cleaned in years and years so will have both dups and a few that
have mended their ways. wanadoo.<tld> for example has one of their countries let
out of that jail in the last year or so.

I also impose a few strategic 'delay' calls - most are shorter than 15 seconds,
but a smelly arrival can hit about six of those, a clean one none at all.

Comparable effectiveness to greylisting, of which I have tried several and given
them up as not worth the resources.

Here's another thing to look for:

See if any of the violators had a hostname or HELO or MAIL FROM that used one of
these prefixes - all of which rarely come from a polite server:

{ssl:page:ns:hosted1:serv1:set1:lyris:nagios:seek}

...or your own hostname, one test serving multiple needs here...

AFAIK, the only non-spammer that has ever sent traffic to us with 'ssl' as a prefix
is Heiko S [1]. YMMV bigtime on this one.


> As a result, I now use it in "safe" mode
> on servers and it has worked amazingly well. It has stopped a number of
> bounce attacks and callout attacks since. The ONLY headache I've had
> with it has been the stupid blacklisting and notifications.
>
> From your post, I believe that your experience with bounce messages
> greatly differs to mine.


ACK. The items above, plus modified source code in hosts.c that doesn't alter the
functionality, but provides more useful log entries.

Of the lot, it is largely my REGEXP-block LBL file that makes the difference.

Sort of a catch-all, as it is lsearched or wildlsearched by MANY ACLs, so an
entry might be used to match any of several tests or just one.

> Everyone seems to get their own flavour of spam
> and attacks which makes having a catchall view on particular method
> quite difficult.
>


ACK. As I started with - no single right answer.

That said - I have had an R&D server up for over a year that has no SA, and with
about 1500 fewer lines in the configure file. It gets about one spam every day
or two vs one every 2 or 3 days for the production box using SA.

Most of those would be blocked if I can get my arms around a 'resource cheap'
test to detect 'PowerMTA'.

Even so, already 'good enough' to justify dropping SA and perhaps adding a
second WinCrobe/phish scanner to augment ClamAV.

Cheers,

Bill


[1] I can't ask him why he uses an 'ssl' prefix, of course, as he blocks me for
not allowing a callout, and I block him for using 'ssl.' Catch 22...

;-)
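For readers who want to see how the pieces Bill describes fit together in an Exim configuration (one local blacklist file consulted by several ACLs, a short delay on smelly arrivals, and the HELO-prefix test from his list), here is an added example; it is not Bill's configure file or hosts.c change. It assumes the blacklist lives at /etc/exim/local_blacklist, with one entry per line, and that the delay lengths and log/reject wording are the reader's own choice.

```exim
# Added example, not the poster's configuration. Assumed path for the local
# blacklist; read with wildlsearch, so a line may be a plain host name, a
# pattern such as *.carrier.invalid, or a ^regex$ line. The same file is
# consulted twice below: once by sending-host name, once by sender domain.
LBL_FILE = /etc/exim/local_blacklist

acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_helo:
  # Prefixes the poster reports seeing mostly from impolite servers.
  # Delay first so the noisy sender pays the time cost, then refuse.
  deny    condition   = ${if match{${lc:$sender_helo_name}}\
                          {\N^(ssl|page|ns|hosted1|serv1|set1|lyris|nagios|seek)\.\N}}
          delay       = 10s
          log_message = LBL: HELO prefix $sender_helo_name from $sender_host_address
          message     = HELO $sender_helo_name not accepted here

  # A remote host has no business greeting us with our own name.
  deny    condition   = ${if eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}}
          log_message = LBL: forged HELO $sender_helo_name from $sender_host_address
          message     = HELO is our own hostname

  accept

acl_check_rcpt:
  # First use of the shared file: a host-list lookup without a net- prefix
  # is keyed on the sending host's (reverse-resolved) name.
  deny    hosts       = wildlsearch;LBL_FILE
          delay       = 15s
          log_message = LBL: host $sender_host_name [$sender_host_address]
          message     = Your host is locally blacklisted

  # Second use of the same file: a domain-list lookup keyed on the
  # envelope sender's domain, so one entry can serve both tests.
  deny    sender_domains = wildlsearch;LBL_FILE
          delay       = 15s
          log_message = LBL: sender domain $sender_address_domain
          message     = Sender domain is locally blacklisted

  accept
```

Clean arrivals never hit a delay; a matching one may hit two before being refused, which is the cost-shifting Bill describes. The log_message lines are what give the mainlog an LBL: tag to grep for.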