Mailing List Archive: SpamAssassin: users

Experimental - use my server for your high fake MX record


marc at perkel

May 7, 2008, 8:50 AM

Post #1 of 32
Experimental - use my server for your high fake MX record

Looking for a few volunteers who want to reduce their spambot spam and
at the same time help me track spambots for my black list. This is free
and mutual benefit. I (junkemailfilter.com) want to be your highest
numbered fake MX record. Here's how you would configure your domain:

mail.yourdomain.com MX 10
tarbaby.junkemailfilter.com MX 20

I will never actually receive your email. The recipient will always get a
451 error just after the DATA command. So if your servers are down you
won't lose anything. A 451 error is an "I'm not ready, come back later"
error.

This will help you reduce your spambot spam generally by half. Many
spambots try the highest numbered MX records first and never try again. So
these attempts just go away. Your system load drops, your spam is
reduced, SpamAssassin doesn't have to work as hard. And some spammers
will actually blacklist you because when they see a junkemailfilter.com
host in the MX they don't even try, because they know that it will only
reduce their spambot army to even attempt to send a spam.

I have developed an extremely accurate way of detecting spambots and
getting them listed on the first attempt to send spam. It involves
detecting a combination of several sins; if they hit this
combination, and most do, it's a virus-infected spambot. Without going
into great detail, one of the unique things I look for is hosts not
closing the connection with QUIT but rather allowing the connection to
time out after receiving the 451 error. When you combine that it's the
highest MX, no QUIT, and several other tests on HELO and other things, I
can get these hosts blacklisted, which blocks their spam for everyone who
uses my blacklists. And - unless you are huge - you can use my
blacklists for free.

Here's what an SMTP session to my tarbaby server looks like.

telnet tarbaby.junkemailfilter.com 25
Trying 65.49.42.79...
Connected to tarbaby.junkemailfilter.com.
Escape character is '^]'.
220 tarbaby.junkemailfilter.com ESMTP Exim 4.68 Wed, 07 May 2008
08:20:24 -0700
helo mydomain.com
250 tarbaby.junkemailfilter.com Hello vps8.ctyme.com [65.49.42.18]
mail from:<>
250 OK
rcpt to:xxx[at]ccc.com
250 Accepted
data
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com

So - if you are interested all you have to do is set your highest
numbered MX to tarbaby.junkemailfilter.com. If you want to know more
about my lists you can read about them here.

http://wiki.junkemailfilter.com/index.php/Main_Page

This is experimental. I'm looking to see what kind of useful data I can
derive from this, to see how well it works and if I'll continue it. Send
me a private email if you have any questions.


mouss at netoyen

May 7, 2008, 9:17 AM

Post #2 of 32
Re: Experimental - use my server for your high fake MX record

Marc Perkel wrote:
> Looking for a few volunteers who want to reduce their spambot spam and
> at the same time help me track spambots for my black list. This is
> free and mutual benefit. I (junkemailfilter.com) want to be your
> highest numbered fake MX record. Here's how you would configure your
> domain:
>
> mail.yourdomain.com MX 10
> tarbaby.junkemailfilter.com MX 20
>
> I will never actually receive your email. The recipient will always get
> a 451 error just after the DATA command. So if your servers are down
> you won't lose anything. A 451 error is an "I'm not ready, come back
> later" error.

what if he comes back later to the same MX, again and again (AFAIK, this
is the case with qmail)? mail will be lost.

>
> This will help you reduce your spambot spam generally by half. Many
> spambots try the highest numbered MX records first and never try again.
> So these attempts just go away. Your system load drops, your spam is
> reduced, SpamAssassin doesn't have to work as hard. And some spammers
> will actually blacklist you because when they see a
> junkemailfilter.com host in the MX they don't even try, because they
> know that it will only reduce their spambot army to even attempt to
> send a spam.

do you have any evidence for this? or more generally, do spammers really
check the MX name for such patterns?

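A worked illustration of the claim in Marc's post ("if your servers are down you won't lose anything") and of the question mouss raises about a sender that keeps going back to the same MX. This is added example code, not part of the thread and not the behaviour of any MTA named in it: the zone, the per-host outcomes and the three sender strategies are constructed for the illustration, and the "pinned" sender is a hypothetical behaviour used to show the failure mode, not a statement about qmail or any other product.

```python
# Added example: how an RFC 5321 sender is expected to walk a domain's MX set,
# and why a 451 from the highest-preference host is harmless to such a sender
# but fatal to one that keeps retrying that single host. Hosts, preferences
# and outcomes are constructed for the example, not captured from real traffic.
import random
from typing import Callable, Dict, List, Tuple

# Simulated SMTP result per host; in real life this comes from the dialogue.
OUTCOMES: Dict[str, str] = {
    "mail.yourdomain.com": "250",          # the real MX, accepts
    "tarbaby.junkemailfilter.com": "451",  # the fake high MX, defers at DATA
}

def order_mx(records: List[Tuple[int, str]], rng=random) -> List[str]:
    """Lowest preference value first; hosts of equal preference are shuffled
    (RFC 5321 section 5.1)."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        group = by_pref[pref][:]
        rng.shuffle(group)
        ordered += group
    return ordered

def attempt(hosts: List[str], outcome: Callable[[str], str]) -> str:
    """One delivery attempt over the ordered hosts: 2xx delivers, 5xx bounces,
    4xx means move on to the next host. If every host defers, the message
    stays in the queue for a later attempt; a 4xx alone never causes a bounce."""
    for host in hosts:
        code = outcome(host)
        if code.startswith("2"):
            return f"delivered via {host}"
        if code.startswith("5"):
            return f"bounced by {host}"
    return "deferred, retry later"

def compliant_sender(records, outcome, rng=random) -> str:
    """The normal MTA: every attempt walks the whole MX list in order."""
    return attempt(order_mx(records, rng), outcome)

def pinned_sender(records, outcome, retries: int = 3) -> str:
    """Hypothetical sender that locks onto one host (here the highest
    preference) and retries only it. This is the failure mode mouss asks
    about: the message is never offered to the real MX and eventually expires."""
    host = order_mx(records, random.Random(0))[-1]
    for _ in range(retries):
        if outcome(host).startswith("2"):
            return f"delivered via {host}"
    return f"expired after {retries} tries at {host}"

def bot_sender(records, outcome) -> str:
    """The spambot pattern from the post: try the highest MX once, then give up."""
    host = order_mx(records, random.Random(0))[-1]
    return f"delivered via {host}" if outcome(host).startswith("2") else "gave up"

# Constructed zone matching the layout in the post.
ZONE = [(10, "mail.yourdomain.com"), (20, "tarbaby.junkemailfilter.com")]

def primary_down(host: str) -> str:
    """Outcome function for the case the post calls out: the real MX is unreachable."""
    return "421" if host == "mail.yourdomain.com" else OUTCOMES[host]

if __name__ == "__main__":
    print(compliant_sender(ZONE, OUTCOMES.get))   # delivered via mail.yourdomain.com
    print(compliant_sender(ZONE, primary_down))   # deferred, retry later
    print(pinned_sender(ZONE, OUTCOMES.get))      # expired after 3 tries at tarbaby...
    print(bot_sender(ZONE, OUTCOMES.get))         # gave up
```

The compliant sender is unaffected by the fake MX in both the normal and the primary-down case, which is what makes the scheme safe for it; the pinned sender loses the message without the real MX ever seeing it, which is the cost if any real sender behaves that way.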

dave.list at pixelhammer

May 7, 2008, 9:23 AM

Post #3 of 32
Re: Experimental - use my server for your high fake MX record

Marc Perkel wrote:
> Looking for a few volunteers who want to reduce their spambot spam and
> at the same time help me track spambots for my black list. This is free
> and mutual benefit. I (junkemailfilter.com) want to be your highest
> numbered fake MX record. Here's how you would configure your domain:

A generous offer and an admirable effort. But if you think I or my
clients are going to route mail to your servers you are mistaken. Even
if I knew you personally, I don't think ethics or common sense would
allow me to do so.

DAve



--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


gagel at cnc

May 7, 2008, 10:17 AM

Post #4 of 32
Re: Experimental - use my server for your high fake MX record

----- Original Message -----
>Marc Perkel wrote:
>> Looking for a few volunteers who want to reduce their spambot spam and
>> at the same time help me track spambots for my black list. This is free
>> and mutual benefit. I (junkemailfilter.com) want to be your highest
>> numbered fake MX record. Here's how you would configure your domain:
>
>A generous offer and an admirable effort. But if you think I or my
>clients are going to route mail to your servers you are mistaken. Even
>if I knew you personally, I don't think ethics or common sense would
>allow me to do so.
>
>DAve

Personally I use the Honeypot Project. I recommend it. See
http://www.projecthoneypot.org for info.

------------------------------------------
Kevin W. Gagel
Postmaster for
College of New Caledonia
(250) 562-2131 loc. 5448
postmaster[at]cnc.bc.ca
http://www.cnc.bc.ca
Anti-Spam info at:
http://avas.cnc.bc.ca




rramsdell at livedatagroup

May 7, 2008, 11:32 AM

Post #5 of 32
Re: Experimental - use my server for your high fake MX record

DAve wrote:
> Marc Perkel wrote:
>> Looking for a few volunteers who want to reduce their spambot spam
>> and at the same time help me track spambots for my black list. This
>> is free and mutual benefit. I (junkemailfilter.com) want to be your
>> highest numbered fake MX record. Here's how you would configure your
>> domain:
>
> A generous offer and an admirable effort. But if you think I or my
> clients are going to route mail to your servers you are mistaken. Even
> if I knew you personally, I don't think ethics or common sense would
> allow me to do so.
>
> DAve
Not taking a position on this, but isn't outsourcing spam filtering
normal? Although I would think one would think carefully about
outsourcing their e-mail filtering, I don't think common sense or ethics
have a whole lot to do with it.


dave.list at pixelhammer

May 7, 2008, 11:57 AM

Post #6 of 32
Re: Experimental - use my server for your high fake MX record

Randy Ramsdell wrote:
> DAve wrote:
>> Marc Perkel wrote:
>>> Looking for a few volunteers who want to reduce their spambot spam
>>> and at the same time help me track spambots for my black list. This
>>> is free and mutual benefit. I (junkemailfilter.com) want to be your
>>> highest numbered fake MX record. Here's how you would configure your
>>> domain:
>>
>> A generous offer and an admirable effort. But if you think I or my
>> clients are going to route mail to your servers you are mistaken. Even
>> if I knew you personally, I don't think ethics or common sense would
>> allow me to do so.
>>
>> DAve
> Not taking a position on this, but isn't outsourcing spam filtering
> normal? Although I would think one would think carefully about
> outsourcing their e-mail filtering, I don't think common sense or ethics
> have a whole lot to do with it.

If I have no control over junkmailfilter.com's mail servers someone will
need to take responsibility for any mail that arrives there, since I
cannot control what junkmailfilter.com might do or not do with the
connections that arrive there.

If we were to outsource our mail handling we would need to inform each
and every client, some contracts would need to be changed, some clients
who maintain their own DNS would need to make adjustments. It would also
be one more variable in the mix when someone says "where is my mail?"

I cannot blindly start announcing a MX for a server/network I do not
control or have a contract with.

Your business practices may vary ;^)

DAve



--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


marc at perkel

May 7, 2008, 2:11 PM

Post #7 of 32
Re: Experimental - use my server for your high fake MX record

Randy Ramsdell wrote:
> DAve wrote:
>> Marc Perkel wrote:
>>> Looking for a few volunteers who want to reduce their spambot spam
>>> and at the same time help me track spambots for my black list. This
>>> is free and mutual benefit. I (junkemailfilter.com) want to be your
>>> highest numbered fake MX record. Here's how you would configure your
>>> domain:
>>
>> A generous offer and an admirable effort. But if you think I or my
>> clients are going to route mail to your servers you are mistaken.
>> Even if I knew you personally, I don't think ethics or common sense
>> would allow me to do so.
>>
>> DAve
> Not taking a position on this, but isn't outsourcing spam filtering
> normal? Although I would think one would think carefully about
> outsourcing their e-mail filtering, I don't think common sense or
> ethics have a whole lot to do with it.
>

Thanks Randy,

I am in the outsourced spam filtering business so this all seems natural
to me. And I look at it as win/win. I get useful data, the person
letting me use their high numbered MX record gets some spam reduction.
I'm not interested in the content of the message or anything other than
catching the IP addresses of virus infected spam bots. That's all I want
to do.


rramsdell at livedatagroup

May 7, 2008, 2:21 PM

Post #8 of 32
Re: Experimental - use my server for your high fake MX record

Marc Perkel wrote:
>
>
> Randy Ramsdell wrote:
>> DAve wrote:
>>> Marc Perkel wrote:
>>>> Looking for a few volunteers who want to reduce their spambot spam
>>>> and at the same time help me track spambots for my black list. This
>>>> is free and mutual benefit. I (junkemailfilter.com) want to be your
>>>> highest numbered fake MX record. Here's how you would configure
>>>> your domain:
>>>
>>> A generous offer and an admirable effort. But if you think I or my
>>> clients are going to route mail to your servers you are mistaken.
>>> Even if I knew you personally, I don't think ethics or common sense
>>> would allow me to do so.
>>>
>>> DAve
>> Not taking a position on this, but isn't outsourcing spam filtering
>> normal? Although I would think one would think carefully about
>> outsourcing their e-mail filtering, I don't think common sense or
>> ethics have a whole lot to do with it.
>>
>
> Thanks Randy,
>
> I am in the outsourced spam filtering business so this all seems
> natural to me. And I look at it as win/win. I get useful data, the
> person letting me use their high numbered MX record gets some spam
> reduction. I'm not interested in the content of the message or
> anything other than catching the IP addresses of virus infected spam
> bots. That's all I want to do.
>
I think Sender Score does something similar, but I am not very familiar
with how they obtain stats. I recall something about an ISP, etc.,
providing log data and then using the data to rate domains. Comcast
started using them. Personally, I wasn't impressed with the data they
had for certain domains, especially our own, and I see a need to improve
that actually.

As DAve pointed out, getting someone to redirect corporate e-mail to you
for testing may not be something people could or would do. As a paid
vendor for someone with appropriate agreements, it becomes more reasonable.


aawolfe at gmail

May 7, 2008, 2:35 PM

Post #9 of 32
Re: Experimental - use my server for your high fake MX record

On Wed, May 7, 2008 at 5:11 PM, Marc Perkel <marc[at]perkel.com> wrote:

>
>
> Randy Ramsdell wrote:
>
> > DAve wrote:
> >
> > > Marc Perkel wrote:
> > >
> > > > Looking for a few volunteers who want to reduce their spambot spam
> > > > and at the same time help me track spambots for my black list. This is free
> > > > and mutual benefit. I (junkemailfilter.com) want to be your highest
> > > > numbered fake MX record. Here's how you would configure your domain:
> > > >
> > >
> > > A generous offer and an admirable effort. But if you think I or my
> > > clients are going to route mail to your servers you are mistaken. Even if I
> > > knew you personally, I don't think ethics or common sense would allow me to
> > > do so.
> > >
> > > DAve
> > >
> > Not taking a position on this, but isn't outsourcing spam filtering
> > normal? Although I would think one would think carefully about
> > outsourcing their e-mail filtering, I don't think common sense or ethics have
> > a whole lot to do with it.
> >
> >
> Thanks Randy,
>
> I am in the outsourced spam filtering business so this all seems natural
> to me. And I look at it as win/win. I get useful data, the person letting me
> use their high numbered MX record gets some spam reduction. I'm not
> interested in the content of the message or anything other than catching the
> IP addresses of virus infected spam bots. That's all I want to do.
>
>
If you just want IPs, maybe instead of running an SMTP service that 450s,
you would want to use a packet filter like iptables instead. You could get
the IPs simply by what packets you saw come in to port 25, and no one would
have to worry you were stealing their mail.

-Aaron


jhardin at impsec

May 7, 2008, 2:44 PM

Post #10 of 32
Re: Experimental - use my server for your high fake MX record

On Wed, 7 May 2008, Aaron Wolfe wrote:

> If you just want IPs, maybe instead of running an SMTP service that
> 450s, you would want to use a packet filter like iptables instead. You
> could get the IPs simply by what packets you saw come in to port 25 and
> noone would have to worry you were stealing their mail.

(1) Mark is trying to collect data on how the remote MTA behaves when
presented with a 451 tmpfail result. A firewall rule can't do that.

(2) If someone doesn't trust him when he says "I won't accept or read your
mail", why will they trust him if he says "I have it firewalled off"?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin[at]impsec.org FALaholic #11174 pgpk -a jhardin[at]impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
adware architecture incorporating spyware, profiling, competitor
suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
Tomorrow: the 63rd anniversary of VE day


aawolfe at gmail

May 7, 2008, 3:37 PM

Post #11 of 32
Re: Experimental - use my server for your high fake MX record

On Wed, May 7, 2008 at 5:44 PM, John Hardin <jhardin[at]impsec.org> wrote:

> On Wed, 7 May 2008, Aaron Wolfe wrote:
>
> If you just want IPs, maybe instead of running an SMTP service that 450s,
> > you would want to use a packet filter like iptables instead. You could get
> > the IPs simply by what packets you saw come in to port 25 and noone would
> > have to worry you were stealing their mail.
> >
>
> (1) Mark is trying to collect data on how the remote MTA behaves when
> presented with a 451 tmpfail result. A firewall rule can't do that.
>

From his message: "I'm not interested in the content of the message or
anything other than catching the IP addresses of virus infected spam bots.
That's all I want to do."


>
> (2) If someone doesn't trust him when he says "I won't accept or read your
> mail", why will they trust him if he says "I have it firewalled off"?
>

Because you can very easily check for yourself to see that this is true.

-Aaron




jhardin at impsec

May 7, 2008, 3:53 PM

Post #12 of 32
Re: Experimental - use my server for your high fake MX record

On Wed, 7 May 2008, Aaron Wolfe wrote:

> On Wed, May 7, 2008 at 5:44 PM, John Hardin <jhardin[at]impsec.org> wrote:
>
>> (1) Mark is trying to collect data on how the remote MTA behaves when
>> presented with a 451 tmpfail result. A firewall rule can't do that.
>
> From his message: "I'm not interested in the content of the message or
> anything other than catching the IP addresses of virus infected spam bots.
> That's all I want to do."

Yeah, I worded that a little poorly. He determines whether that IP is a
spambot (and thus of interest) by how it responds to the 451. Just
collecting the IP addresses of all MTAs that contact the high MX is
not useful as that, by itself, is legitimate behavior.

>> (2) If someone doesn't trust him when he says "I won't accept or read your
>> mail", why will they trust him if he says "I have it firewalled off"?
>
> Because you can very easily check for yourself to see that this is true.

You can verify the 451-before-DATA behavior as well. All that tells you is
whether or not he's blatantly dishonest.

Mark, perhaps a better approach would be to write a small daemon that
listens on port 25 and does the minimal SMTP-451 chat and TCP analysis,
and then reports the IPs of spambots to you via some auditable channel,
perhaps a simple cleartext HTTP request to a CGI script at your website.
That way anyone who wants to participate can set up a collection point
under their control, and all you get is the results of the TCP analysis.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin[at]impsec.org FALaholic #11174 pgpk -a jhardin[at]impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
End users want eye candy and the "ooo's and aaaahhh's" experience
when reading mail. To them email isn't a tool, but an entertainment
form. -- Steve Lake
-----------------------------------------------------------------------
Tomorrow: the 63rd anniversary of VE day

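The tarbaby exchange Marc shows in the first post and the small self-hosted daemon John sketches above, as one added example that is not code from the thread, from junkemailfilter.com or from any participant. It models the server side as a state machine: every message ends in a 451 at DATA, the HELO argument is checked, and the one behavioural signal recorded is whether the client said QUIT before the connection went away. The hostname tarbaby.example.net, the particular HELO heuristics, the two-sin threshold and the transcripts are this example's assumptions (the post names no specific HELO tests); the report function emits only the peer IP and the evidence, which is the content-free, auditable channel John describes.

```python
# Added example (not the list operator's code): a minimal "tarbaby" SMTP state
# machine. It never accepts mail (451 at DATA), records the client's observable
# "sins" and reports nothing but the peer IP and a verdict. Hostname, HELO
# heuristics and the scoring threshold are assumptions made for this example.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import json
import re

OUR_NAME = "tarbaby.example.net"   # assumed name of the fake high-preference MX
DEFER = "451 DEFER - Try a lower numbered MX record"

def helo_sins(helo: str, peer_ip: str) -> List[str]:
    """Cheap checks on the HELO/EHLO argument (illustrative, not Marc's list)."""
    sins: List[str] = []
    if not helo:
        sins.append("helo-empty")
    elif helo.lower() == OUR_NAME:
        sins.append("helo-is-our-name")           # client claims to be the server
    elif re.fullmatch(r"\[?\d{1,3}(\.\d{1,3}){3}\]?", helo):
        if not helo.startswith("["):
            sins.append("helo-bare-ip")           # RFC 5321 wants an address literal in []
        if helo.strip("[]") != peer_ip:
            sins.append("helo-ip-mismatch")
    elif "." not in helo:
        sins.append("helo-not-fqdn")
    return sins

@dataclass
class Session:
    peer_ip: str
    helo: Optional[str] = None
    got_451: bool = False
    sent_quit: bool = False
    sins: List[str] = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Answer one client command. The only possible fate of a message is 451."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            self.sins += helo_sins(self.helo, self.peer_ip)
            return f"250 {OUR_NAME} Hello {self.helo} [{self.peer_ip}]"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            return "250 Accepted"
        if verb == "DATA":
            self.got_451 = True
            return DEFER
        if verb == "QUIT":
            self.sent_quit = True
            return f"221 {OUR_NAME} closing connection"
        if verb in ("RSET", "NOOP"):
            return "250 OK"
        return "502 Command not implemented"

    def close(self, timed_out: bool) -> None:
        """Called when the TCP connection ends; a read timeout with no QUIT
        after the 451 is the signal the post singles out."""
        if self.got_451 and not self.sent_quit and timed_out:
            self.sins.append("no-quit-after-451")

def classify(s: Session) -> str:
    """Combine 'no QUIT' with at least one other sin before calling it a bot;
    the two-sin threshold is this example's choice."""
    if "no-quit-after-451" in s.sins and len(s.sins) >= 2:
        return "spambot"
    return "suspicious" if s.sins else "legit"

def run_transcript(peer_ip: str, lines: List[str], timed_out: bool) -> Tuple[Session, List[str]]:
    """Drive one session from a recorded client transcript (offline testing)."""
    s = Session(peer_ip)
    replies = [s.handle(line) for line in lines]
    s.close(timed_out)
    return s, replies

def report(s: Session) -> str:
    """The auditable report: peer IP and evidence only, no envelope or content."""
    return json.dumps({"ip": s.peer_ip, "verdict": classify(s), "sins": s.sins}, sort_keys=True)

# Constructed transcripts (not captured traffic). The bot greets with our own
# name and lets the connection time out; the MTA says QUIT after the 451.
BOT = ["HELO tarbaby.example.net", "MAIL FROM:<>", "RCPT TO:<xxx@ccc.com>", "DATA"]
MTA = ["EHLO mx1.example.org", "MAIL FROM:<bob@example.org>", "RCPT TO:<xxx@ccc.com>", "DATA", "QUIT"]

if __name__ == "__main__":
    for ip, lines, timed_out in (("198.51.100.23", BOT, True), ("203.0.113.5", MTA, False)):
        sess, replies = run_transcript(ip, lines, timed_out)
        print(replies[-1], "->", report(sess))
```

Wrapping Session in a socket accept loop with a per-connection read timeout is what turns this into the daemon John describes; the timeout expiring is where `close(timed_out=True)` comes from. Note that a real MTA which lands on the high MX, gets its 451 and says QUIT is classified "legit": merely having contacted the fake MX proves nothing, which is why a firewall log of source IPs is not a substitute.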

dave.list at pixelhammer

May 7, 2008, 7:56 PM

Post #13 of 32
Re: Experimental - use my server for your high fake MX record

John Hardin wrote:
> On Wed, 7 May 2008, Aaron Wolfe wrote:
>
>> On Wed, May 7, 2008 at 5:44 PM, John Hardin <jhardin[at]impsec.org> wrote:
>>
>>> (1) Mark is trying to collect data on how the remote MTA behaves when
>>> presented with a 451 tmpfail result. A firewall rule can't do that.
>>
>> From his message: "I'm not interested in the content of the message or
>> anything other than catching the IP addresses of virus infected spam
>> bots.
>> That's all I want to do."
>
> Yeah, I worded that a little poorly. He determines whether that IP is a
> spambot (and thus of interest) by how it responds to the 451. Just
> collecting the IP addresses of all MTAs that contact the high MX is not
> useful as that, by itself, is legitimate behavior.
>
>>> (2) If someone doesn't trust him when he says "I won't accept or read
>>> your
>>> mail", why will they trust him if he says "I have it firewalled off"?
>>
>> Because you can very easily check for yourself to see that this is true.
>
> You can verify the 451-before-DATA behavior as well. All that tells you
> is whether or not he's blatantly dishonest.
>
> Mark, perhaps a better approach would be to write a small daemon that
> listens on port 25 and does the minimal SMTP-451 chat and TCP analysis,
> and then reports the IPs of spambots to you via some auditable channel,
> parhaps a simple cleartext HTTP request to a CGI script at your website.
> That way anyone who wants to participate can set up a collection point
> under their control, and all you get is the results of the TCP analysis.
>

That would be absolutely possible even in my corporate environment. I
may even be able to dig up a server to do so with in the next month.

DAve


--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


jm at jmason

May 8, 2008, 1:33 AM

Post #14 of 32
Re: Experimental - use my server for your high fake MX record

Kevin W. Gagel writes:
> ----- Original Message -----
> >Marc Perkel wrote:
> >> Looking for a few volunteers who want to reduce their spambot spam and
> >> at the same time help me track spambots for my black list. This is free
> >> and mutual benefit. I (junkemailfilter.com) want to be your highest
> >> numbered fake MX record. Here's how you would configure your domain:
> >
> >A generous offer and an admirable effort. But if you think I or my
> >clients are going to route mail to your servers you are mistaken. Even
> >if I knew you personally, I don't think ethics or common sense would
> >allow me to do so.
> >
> >DAve
>
> Personally I use the honeypot project. I recomend it. See:
> http://www.projecthoneypot.org
> For info.

btw, if you have spare spamtrap *domains* -- not just /etc/aliases
forwards -- we'd love to get a couple pointed at the SpamAssassin
spamtraps...

--j.


ram at netcore

May 8, 2008, 5:44 AM

Post #15 of 32 (381 views)
Re: Experimental - use my server for your high fake MX record

On Wed, 2008-05-07 at 08:50 -0700, Marc Perkel wrote:
> Looking for a few volunteers who want to reduce their spambot spam and
> at the same time help me track spambots for my black list. This is free
> and mutual benefit. I (junkemailfilter.com) want to be your highest
> numbered fake MX record. Here's how you would configure your domain:
>
> mail.yourdomain.com MX 10
> tarbaby.junkemailfilter.com MX 20
>
> I will never actually receive your email. The recipient all always get a
> 451 error just after the DATA command. So if your servers are down you
> won't lose anything. A 451 error is a "I'm not ready, come back later"
> error.
>
> This will help you reduce your spambot spam generally by half.

...

I use fake MX as well. But even if my lower MXes are perfectly
available, I have seen quite a lot of legitimate traffic coming on my
fake MX and getting turned down with a tempfail.

So if you are populating blacklists based on this data, better be
careful. (I'm sure you would have seen that yourself.)

Anyway I think moving an MX record to a third party with no business
contact would not be possible for anyone.

Thanks
Ram


ram at netcore

May 8, 2008, 5:49 AM

Post #16 of 32 (381 views)
Re: Experimental - use my server for your high fake MX record

On Thu, 2008-05-08 at 09:33 +0100, Justin Mason wrote:
> Kevin W. Gagel writes:
> > ----- Original Message -----
> > >Marc Perkel wrote:
> > >> Looking for a few volunteers who want to reduce their spambot spam and
> > >> at the same time help me track spambots for my black list. This is free
> > >> and mutual benefit. I (junkemailfilter.com) want to be your highest
> > >> numbered fake MX record. Here's how you would configure your domain:
> > >
> > >A generous offer and an admirable effort. But if you think I or my
> > >clients are going to route mail to your servers you are mistaken. Even
> > >if I knew you personally, I don't think ethics or common sense would
> > >allow me to do so.
> > >
> > >DAve
> >
> > Personally I use the honeypot project. I recomend it. See:
> > http://www.projecthoneypot.org
> > For info.
>
> btw, if you have spare spamtrap *domains* -- not just /etc/aliases
> forwards -- we'd love to get a couple pointed at the SpamAssassin
> spamtraps...
>

What should the MX'es be pointed to ?

Also what are tricks of getting mails on your spamtrap ?




> --j.


marc at perkel

May 8, 2008, 8:49 AM

Post #17 of 32 (378 views)
Re: Experimental - use my server for your high fake MX record

ram wrote:
> On Wed, 2008-05-07 at 08:50 -0700, Marc Perkel wrote:
>
>> Looking for a few volunteers who want to reduce their spambot spam and
>> at the same time help me track spambots for my black list. This is free
>> and mutual benefit. I (junkemailfilter.com) want to be your highest
>> numbered fake MX record. Here's how you would configure your domain:
>>
>> mail.yourdomain.com MX 10
>> tarbaby.junkemailfilter.com MX 20
>>
>> I will never actually receive your email. The recipient all always get a
>> 451 error just after the DATA command. So if your servers are down you
>> won't lose anything. A 451 error is a "I'm not ready, come back later"
>> error.
>>
>> This will help you reduce your spambot spam generally by half.
>>
>
> ...
>
> I use fake MX as well. But even if my lower MXes are perfectly
> available, I have seen quite a lot of legitimate traffic coming on my
> fake MX and getting turned down with a tempfail.
>
> So if you are populating blacklists based on this data, better be
> careful. (I'm sure you would have seen that yourself.)
>
> Anyway I think moving an MX record to a third party with no business
> contact would not be possible for anyone.
>
> Thanks
> Ram
>
>
>

Hi Ram,

Being a high numbered MX in itself doesn't get you listed on this new
server I set up. It's just a prequalifier of what I want to look at. In
order to get listed they also have to fail to send a QUIT after the 451
error and they have to commit some other significant sins. I'm looking
at a number of things in the HELO, the sender, the recipient, rDNS, etc.
What I'm doing isn't going to catch as high a percentage as I would
if I were the official spam filtering host for the domain because I'm
not running all my tests on it. I'm cutting them off before the data is
sent. I'm not even seeing the message headers.

However, I do think that I'll catch a lot of what I'm looking for and
that's virus infected spambots. That's the only thing I'm targeting here
and I think I can distinguish them well enough that I can catch almost all
the spambot traffic with no false positives on legit email. I'm hoping
for 50% accuracy of catching spambots on the first attempt.

To participate all you have to do is set your highest numbered MX to
point to:

tarbaby.junkemailfilter.com

Several people have asked me how I'm doing this and can they have my
code to do it themselves. My situation is unique enough that it just
won't work very easily any place else and it's definitely not clean
enough for just anyone to install. But I'll try to describe it here.

First to do what I'm doing you have to be using EXIM. If you aren't
running exim then you just can't do it. In fact, with all due respect, I
can't see how anyone can do spam filtering and not use exim as their MTA.

Exim has a feature where you can execute code based on how the
connection is closed. It has a NOTQUIT ACL and you can look at whether the
connection timed out and a number of other things that caused the
connection to close without issuing a QUIT. Before the 451 error I store
information in variables that I can retrieve in the NOTQUIT ACL and
based on that information I can send messages to another server that
accumulates information from all my servers. This server is basically
running stats on a one minute cycle to determine what data goes into my
various white/black/yellow lists and that feeds my 4 rbldnsd servers
which are updated every minute.

Blacklist data is stored for 5 days and then it expires. Every 6 hours
the oldest log file is deleted, everything is moved down a slot and a
new log file is created. Thus if someone fixes the virus they will
eventually be cleaned off the list. Users also have a web form where
they can get themselves removed if there is a false positive.

The list isn't perfect but it is my goal to have no false positives.
Unlike some lists who think that some sloppy admins "deserve to be
blacklisted" my attitude is if the listing is wrong it's my fault and I
want to fix it. And unlike many other blacklisting services I focus
more on my white listing and yellow listing and use that information to
reduce the chance of false positives in my blacklists.

I also see the value of being as cooperative as possible with others because
although I'm good at coming up with new ideas, others are better at
taking the ideas and doing it right. So many times I'll put an idea out
there and someone else will do it better and I get to run their better
version.

I am of the opinion that 100% of spambot spam can be stopped because I'm
doing it. I want to try to expand on that and get data from other sources
and see if I can't help others make some progress too.

Hope this is helpful.
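For the people who asked for the code: what follows is an added illustration, not Marc's configuration (which he says he has not published), of how the mechanism he describes maps onto Exim 4.69 or later, the first release with a not-QUIT ACL. Values are stashed in connection-scoped ACL variables before the tempfail, DATA is refused with 451 before any content is read, and the not-QUIT ACL writes one log line for the sessions that got the 451 and then ended without a QUIT. The domain list, the variable and ACL names, the 451 wording and the log-line format are assumptions for this example; forwarding the log lines to a central stats host is left to a separate log shipper.

```exim
# Main section: which ACLs run at each SMTP stage.
# The domain list is an assumption; list the domains you are a fake MX for.
domainlist fake_mx_domains = yourdomain.example : otherdomain.example

# Needed so $sender_host_name (rDNS) is populated for the log line.
host_lookup = *

acl_smtp_helo    = acl_tarbaby_helo
acl_smtp_mail    = acl_tarbaby_mail
acl_smtp_rcpt    = acl_tarbaby_rcpt
# predata runs when DATA arrives, before any message content is read
acl_smtp_predata = acl_tarbaby_predata
# notquit runs when the session ends any way other than a QUIT command
acl_smtp_notquit = acl_tarbaby_notquit

# A client that goes silent after the 451 hits this timeout and lands in
# the not-QUIT ACL with reason "command-timeout".
smtp_receive_timeout = 2m

begin acl

# Connection-scoped variables ($acl_c_*) live until the TCP session ends,
# so values stored here are still readable in the not-QUIT ACL.
acl_tarbaby_helo:
  warn   set acl_c_helo = $sender_helo_name
  accept

acl_tarbaby_mail:
  warn   set acl_c_from = $sender_address
  accept

acl_tarbaby_rcpt:
  # Last RCPT wins; accumulate if you need all of them.
  warn   set acl_c_rcpt = $local_part@$domain
  accept domains = +fake_mx_domains
  deny   message = 550 relay not permitted

acl_tarbaby_predata:
  # Every client is turned away here, so no header or body is ever read.
  # A proper MTA answers with QUIT and retries a lower MX; a spambot
  # typically drops the connection or just hangs.
  # Uncomment "delay" to make the bot hold the socket open longer, the
  # idea floated later in the thread.
  defer
    set acl_c_got451 = 1
#   delay   = 20s
    message = 451 4.7.1 Not ready, come back later (try a lower-numbered MX)

acl_tarbaby_notquit:
  # $smtp_notquit_reason is e.g. "connection-lost" or "command-timeout".
  # Only sessions that actually received the 451 are interesting; a
  # separate log shipper forwards these lines to the stats host.
  warn
    condition = ${if eq{$acl_c_got451}{1}}
    logwrite  = TARBABY no-QUIT ip=$sender_host_address \
                rdns=$sender_host_name helo=$acl_c_helo \
                from=$acl_c_from rcpt=$acl_c_rcpt \
                reason=$smtp_notquit_reason
  accept
```

Two things to keep in mind when adapting this: Exim treats `#` as a comment only at the start of a line, so the notes above are on their own lines rather than trailing the options they describe, and a client that sends QUIT before DATA never sets acl_c_got451, so it produces no log line at all, which is the behaviour the thread relies on to keep legitimate MTAs off the list.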


jhardin at impsec

May 8, 2008, 9:11 AM

Post #18 of 32 (379 views)
Re: Experimental - use my server for your high fake MX record

On Thu, 8 May 2008, Marc Perkel wrote:

> To participate all you have to do is set your highest numbered MX to
> point to:
>
> tarbaby.junkemailfilter.com
>
> Several people have asked me how I'm doing this and can they have my
> code to do it themselves. My situation is unique enough that it just
> won't work very easilly any place else and it's definitely not clean
> enough for just anyone to install.

You should make an effort to clean it up so that others *can* install it
as a standalone daemon, as I suggested. Why? How long will it be before
the spambots explicitly refuse to contact your honeypot if it is listed as
an MX for the domain they're attacking?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin[at]impsec.org FALaholic #11174 pgpk -a jhardin[at]impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The real opiate of the masses isn't religion; it's the belief that
somewhere there is a benefit that can be delivered without a
corresponding cost. -- Tom of "Radio Free NJ"
-----------------------------------------------------------------------
Today: the 63rd anniversary of VE day


marc at perkel

May 8, 2008, 9:26 AM

Post #19 of 32 (378 views)
Re: Experimental - use my server for your high fake MX record

John Hardin wrote:
> On Thu, 8 May 2008, Marc Perkel wrote:
>
>> To participate all you have to do is set your highest numbered MX to
>> point to:
>>
>> tarbaby.junkemailfilter.com
>>
>> Several people have asked me how I'm doing this and can they have my
>> code to do it themselves. My situation is unique enough that it just
>> won't work very easilly any place else and it's definitely not clean
>> enough for just anyone to install.
>
> You should make an effort to clean it up so that others *can* install
> it as a standalone daemon, as I suggested. Why? How long will it be
> before the spambots explicitly refuse to contact your honeypot if it
> is listed as an MX for the domain they're attacking?
>

Good point. I suppose that if this grows I can point to my traps using
other hostnames. I can also set up traps on virtual servers under OpenVZ
so spammers won't know what IP ranges to avoid.


KPARRIS at ed

May 8, 2008, 10:00 AM

Post #20 of 32 (379 views)
Re: Experimental - use my server for your high fake MX record

Well now, if a spambot actually does start recognizing and avoiding his system, doesn't that mean he wins and the spammer loses?


>>> John Hardin <jhardin[at]impsec.org> 05/08/08 12:11 PM >>>
On Thu, 8 May 2008, Marc Perkel wrote:

> To participate all you have to do is set your highest numbered MX to
> point to:
>
> tarbaby.junkemailfilter.com
>
> Several people have asked me how I'm doing this and can they have my
> code to do it themselves. My situation is unique enough that it just
> won't work very easilly any place else and it's definitely not clean
> enough for just anyone to install.

You should make an effort to clean it up so that others *can* install it as a standalone daemon, as I suggested. Why? How long will it be before the spambots explicitly refuse to contact your honeypot if it is listed as an MX for the domain they're attacking?


marc at perkel

May 8, 2008, 10:07 AM

Post #21 of 32 (378 views)
Re: Experimental - use my server for your high fake MX record

Kevin Parris wrote:
> Well now, if a spambot actually does start recognizing and avoiding his system, doesn't that mean he wins and the spammer loses?
>
>
I would say YES!
>
>
> You should make an effort to clean it up so that others *can* install it as a standalone daemon, as I suggested. Why? How long will it be before the spambots explicitly refuse to contact your honeypot if it is listed as an MX for the domain they're attacking?
>
>
>
>

I don't see that happening. If the spammers were that sharp they would
send QUIT and close the connection properly and defeat the method
rather than defeating just me. But it would cost them some bandwidth and
speed to do that. Especially if I added some delays before doing the
rejection which would cause the spammer to have to keep the connection
open longer which they aren't going to do.

I'm going to think about the delay thing. You inspired possibly another
good idea.


mslucas at taos-it

May 8, 2008, 11:07 AM

Post #22 of 32 (378 views)
RE: Experimental - use my server for your high fake MX record

Or,....

The spammers will find his host and not use the highest MX record. Or just remove his host from all the results.

My best solution would be:
Marc,

- Clean up the code

- Write a manual howto install so every admin can install it

- Write an extra bit of code which will send you all the information WITHOUT the information below.

- Everybody who wants it can use your great software and we all win*

I have contracts with my customers that I will not use their email for other business than to deliver it to its destination. Some of my customers will get into problems if other people know their contacts.
So I can give you all information about an email message without

- The from

- The to

- The body
But with all the IP addresses and with the QUIT after 451 status.


* we all know you wouldn't use it as a selling point to spammers or do something else with it but can/will you write that into a contract with all other admins. And pay a large sum of money if some data is "found" on the internet.
And do we want that type of "silly" contracts.
No we want to stop spam and not kill every other spamkiller (application or person)

met vriendelijke groet,

Maurice Lucas

TAOS-IT
............................................................................
Paulus Buijsstraat 191
2613 HR Delft
www.taos-it.nl<http://www.taos-it.nl/>
KvK Haaglanden nr. 27254410

From: Marc Perkel [mailto:marc[at]perkel.com]
Sent: donderdag 8 mei 2008 19:07
To: Kevin Parris
Cc: users[at]spamassassin.apache.org
Subject: Re: Experimental - use my server for your high fake MX record
Kevin Parris wrote:

> Well now, if a spambot actually does start recognizing and avoiding his system, doesn't that mean he wins and the spammer loses?

I would say YES!

> You should make an effort to clean it up so that others *can* install it as a standalone daemon, as I suggested. Why? How long will it be before the spambots explicitly refuse to contact your honeypot if it is listed as an MX for the domain they're attacking?

I don't see that happening. If the spammers were that sharp they would send QUIT and close the connection properly and defeat the method rather than defeating just me. But it would cost them some bandwidth and speed to do that. Especially if I added some delays before doing the rejection which would cause the spammer to have to keep the connection open longer which they aren't going to do.

I'm going to think about the delay thing. You inspired possibly another good idea.


jrhett at netconsonance

May 21, 2008, 11:53 AM

Post #23 of 32 (269 views)
Re: Experimental - use my server for your high fake MX record

On May 7, 2008, at 9:17 AM, mouss wrote:
> what if he comes back later to the same MX, again and again (AFAIK,
> this is the case with qmail)? mail will be lost.

<snarky comment>
Good. Time for qmail to die ;-)
</snarky comment>

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness


mouss at netoyen

May 21, 2008, 1:44 PM

Post #24 of 32 (268 views)
Re: Experimental - use my server for your high fake MX record

Jo Rhett wrote:
>
> On May 7, 2008, at 9:17 AM, mouss wrote:
>> what if he comes back later to the same MX, again and again (AFAIK,
>> this is the case with qmail)? mail will be lost.
>
> <snarky comment>
> Good. Time for qmail to die ;-)
> </snarky comment>
>

start by updating the RFCs.


marc at perkel

May 21, 2008, 2:43 PM

Post #25 of 32 (266 views)
Re: Experimental - use my server for your high fake MX record

mouss wrote:
> Jo Rhett wrote:
>>
>> On May 7, 2008, at 9:17 AM, mouss wrote:
>>> what if he comes back later to the same MX, again and again (AFAIK,
>>> this is the case with qmail)? mail will be lost.
>>
>> <snarky comment>
>> Good. Time for qmail to die ;-)
>> </snarky comment>
>>
>
> start by updating the RFCs.
>

Qmail only has a problem with lowest numbered MX getting a 4xx. It works
fine with the highest numbered MX with 4xx.
