Spam Filter ISP Support Forum


Dummy SMTP - Opinions required - New feature?

ImInAfrica (Groupie) - posted 08 December 2007 at 5:14pm:
Hi all,
We've been experimenting with a dummy SMTP server.
A dummy SMTP server is software which accepts SMTP connections but never completes the communication. Ours drops the connection after the DATA command.

Basically, I set up an MX 99 record on some of our domains (same server as SF, different IP address) and started running the program. Within minutes I started getting connections on it, so much so that within 24 hours we've had over 4000 connections (all verified as spam) to just 8 domains. That's an average of 500 messages per domain.

The software we have is somewhat buggy, probably slow, and isn't as resource-considerate as SF.

I'd like to know what the people around here think about this as a spam 'fighting' technique, and maybe Roberto can release a stripped-down version of SF purely for dummy SMTP connections?

Regards
Amir
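Added example, not Amir's program and not SpamFilter code: a minimal dummy SMTP server in Python that behaves as the post describes. It accepts any HELO/MAIL/RCPT, and the moment the client sends DATA it records the peer IP and closes the socket without answering 354, so no message body is ever transferred. A compliant MTA sees a dropped connection, not a reply code, and will retry or move to the next MX; a spam bot typically does not. The trap hostname and the listening port are assumptions, and the scripted session in `run_session` is constructed so the logic can be exercised offline.

```python
import socketserver

# Added example of a dummy SMTP "sink" (not the software from the original post).
# It talks just enough SMTP to reach DATA, records the sender IP, then hangs up
# before any body bytes are sent. Hostname and port below are assumptions.

TRAP_HOST = "mx99.example.invalid"          # assumed trap hostname (what MX 99 would point at)
BANNER = f"220 {TRAP_HOST} ESMTP"


class SmtpSink:
    """Per-connection SMTP state machine.

    handle(line) returns (reply_or_None, keep_open). A None reply together with
    keep_open=False means "close the socket without answering".
    """

    def __init__(self, peer_ip, harvested):
        self.peer_ip = peer_ip
        self.harvested = harvested      # shared dict: ip -> number of DATA attempts seen

    def handle(self, line):
        text = line.strip()
        verb = text.split(None, 1)[0].upper() if text else ""
        if verb in ("HELO", "EHLO"):
            return f"250 {TRAP_HOST}", True
        if verb == "MAIL":
            return "250 2.1.0 OK", True
        if verb == "RCPT":
            return "250 2.1.5 OK", True             # any recipient, any domain: we never deliver
        if verb == "DATA":
            # The client has shown intent to deliver a message: log it and drop the
            # connection now, so the body (the expensive part) is never transferred.
            self.harvested[self.peer_ip] = self.harvested.get(self.peer_ip, 0) + 1
            return None, False
        if verb == "QUIT":
            return "221 2.0.0 Bye", False
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 OK", True
        return "502 5.5.2 Command not implemented", True


def run_session(peer_ip, client_lines, harvested):
    """Drive SmtpSink with a scripted client, offline.

    Returns (replies, index of the client line at which the connection was
    closed, or None if the client ran out of lines first).
    """
    sink = SmtpSink(peer_ip, harvested)
    replies = [BANNER]
    for idx, line in enumerate(client_lines):
        reply, keep_open = sink.handle(line)
        if reply is not None:
            replies.append(reply)
        if not keep_open:
            return replies, idx
    return replies, None


class SinkHandler(socketserver.StreamRequestHandler):
    """Network wrapper: one SmtpSink per TCP connection."""

    def handle(self):
        sink = SmtpSink(self.client_address[0], self.server.harvested)
        self.wfile.write((BANNER + "\r\n").encode("ascii"))
        for raw in self.rfile:                       # one CRLF-terminated command per line
            reply, keep_open = sink.handle(raw.decode("latin-1"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode("ascii"))
            if not keep_open:
                break                                # returning from handle() closes the socket


class SinkServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, SinkHandler)
        self.harvested = {}                          # ip -> hits, dump this to your blacklist file


if __name__ == "__main__":
    # Constructed offline session, then listen for real connections.
    seen = {}
    replies, closed_at = run_session(
        "203.0.113.7",
        ["EHLO bot.example", "MAIL FROM:<x@example.org>",
         "RCPT TO:<anyone@yourdomain.example>", "DATA", "Subject: buy now"],
        seen)
    print(replies, "closed at client line", closed_at, "harvested:", seen)
    srv = SinkServer(("0.0.0.0", 2525))   # assumed: unprivileged port for testing; production would be :25
    print("sink listening on", srv.server_address)
    srv.serve_forever()
```

Because the connection is dropped rather than answered with a 4xx or 5xx, the sink never has to decide whether the mail was spam, and it costs the trap only the envelope bytes per attempt. Check your own sending MTAs against it before publishing the MX record: if any of them treats a dropped connection as a permanent failure, that is the bug to fix first.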
LogSat (Admin Group) - posted 08 December 2007 at 5:53pm:
Amir,

You could configure another SpamFilter with a keyword filter containing a wildcard or just one letter (with the ::NULL option so that emails are not processed and just dropped), so that all incoming emails are spam. The IP would be reported to the SFDB, and would thus contribute in assigning it a negative rank (one single report is not enough to mark it as blacklisted, but it may help). You could also add a honeypot email with a wildcard (ex. *@mydomain.com) so that all attempts would cause the IP to fall in the honeypot and you could build yourself a list of IPs to locally blacklist.

Licensing-wise, if you install the second instance of SpamFilter on the same server running your primary SpamFilter, you will be within the licensing terms, as we only require a license for the server where you install SpamFilter. You can run as many instances as you wish on it (by "server" in a virtual (VMWARE..) environment, we then mean a virtual guest server).
We require
Roberto Franceschetti, LogSat Software, Spam Filter ISP
dcook (Senior Member) - posted 11 December 2007 at 11:31am:
OK, this may be a dumb question ... If one configures the honeypot as described, how would you get a list of the IPs captured? Are they in a file, or do I have to get them from the log?
 
Thanks!
Dwight
www.vividmix.com
jerbo128 (Senior Member) - posted 11 December 2007 at 11:54am:
Dcook-

The IPs are saved to a text file that you specify in SpamFilter.

I set up my dummy instance so that almost all filters are not running, such as MAPS, SURBL, Bayes, etc., to save resources. I added a * to allowed domains and to the honeypot email address list. So essentially, it is acting like an open relay (by accepting mail for all domains), but since it never completes the transaction it is not a security risk.

I was amazed at how fast spammers started sending mail. Nothing like harvesting spammer IPs.
 
Roberto -
 
Do you see a benefit either way to using the keyword filter as you described above versus using the honeypot like I am doing? If one is using the keyword filter, will a *::null:honeypot setup work?
 
Jeremy
LogSat (Admin Group) - posted 11 December 2007 at 10:02pm:
Jeremy,

The issue we see is a potential waste of bandwidth. If you have a * in the Allowed Domains, SpamFilter will accept *all* emails and will behave as an open relay. While it's true that the "null" option will cause all emails to be sent to la-la land, to the remote sender the email will appear as having been sent successfully. But this also means that the sender is actually sending the entire content of the email, and will continue to send multiple emails, as to them they are all being delivered. But if you have bandwidth to spare, it's not an issue (actually, you're doing the world a favor as spammers think you're a good open relay when in fact, no emails are being delivered....!)
WebGuyz (Senior Member) - posted 12 December 2007 at 12:49am:
Roberto,
 
What if you're adding all the IPs to the blacklist of the machine you're using for the spam trap? Eventually, as more and more IPs are harvested and added to that local SF copy, less and less traffic will get through, as the entire email will no longer be sent. Or am I missing something in this scenario?
http://www.webguyz.net
dcook (Senior Member) - posted 12 December 2007 at 10:28am:
In my setup the IPs are not being saved to a file, although the file is specified. Is there an ini variable I must set?

I have been parsing the logs to get the IPs; it's an effort.
 
 
Dwight
www.vividmix.com
dcook (Senior Member) - posted 12 December 2007 at 10:31am:
I just set the BL_HoneypotBlockedIPsFileName variable in the filters.ini. I'll give that a whirl.
Dwight
www.vividmix.com
ImInAfrica (Groupie) - posted 12 December 2007 at 5:21pm:
Roberto,
Your suggestion to use SF as it is at the moment is good; however, a few problems may come up.
We've discovered that some list servers actually send 'good' emails to the high-number MX record (I think this is by design but am not 100% sure).

If we run this with your suggestion then the email is lost to 'la-la land', whereas with my original suggestion the dummy SMTP actually drops the connection a couple of seconds after the DATA command is issued. In other words, the SMTP conversation is never completed.
The bottom-line effect is:
- Spammers don't care, as they don't monitor the conversation.
- Real SMTP servers will try to resend, and will eventually give up on this MX record and try another. At least they should.

We are only testing this on 8 of our domains out of over 500.
It's working really nicely so far. Of course we don't have any of the functionality of SF which we've become so used to, like the connection lists, blacklisting of the IPs, etc.

By the way, we don't have any allowed/disallowed lists. We accept ALL connections, and drop them after the DATA command.
 
Amir
dcook (Senior Member) - posted 12 December 2007 at 5:29pm:
I am testing a SpamFilter running WITHOUT any MX records. The spammers found it in minutes. Also I have placed a wildcard in the honeypot field, allowed domains and recipients.

I am using the IPs collected from the honeypot to populate the BL_IPs on the production SpamFilter, and locally on the honeypot SF to kill future connections quickly.
 
Any comments appreciated.  Still testing here.
Dwight
www.vividmix.com
WebGuyz (Senior Member) - posted 12 December 2007 at 6:50pm:
dcook,
 
 Do you have an A record named mail for each of these domains? How do they (spammers) know which IP to send mail to without an MX record?
http://www.webguyz.net
jerbo128 (Senior Member) - posted 12 December 2007 at 9:45pm:
I added 10 domains to my dummy SMTP. Now, 24 hours later, I have 30,000 IPs in my honeypot list.
I feel like I am taking candy from a baby.  Those stupid idiots  :-)
 
I love it
 
Jeremy
 
 
WebGuyz (Senior Member) - posted 12 December 2007 at 10:10pm:
jerbo128 wrote:
> I added 10 domains to my dummy SMTP. Now, 24 hours later, I have 30,000 IPs in my honeypot list.
> I feel like I am taking candy from a baby. Those stupid idiots :-)
 
How can you be sure that they are all spammers' IPs?

Do the RFCs specify that all servers look for the lowest MX record first and keep incrementing if they can't find them? I keep thinking there has to be a gotcha in doing this. Sounds too simple ;-)

Anyone out there able to definitively say that valid mail traffic always tries the lowest MX record and then the next highest?
 
Thanks!
http://www.webguyz.net
jerbo128 (Senior Member) - posted 12 December 2007 at 11:04pm:
I believe you are looking for RFC 2821:
"Multiple MX records contain a preference indication that MUST be used
   in sorting (see below).  Lower numbers are more preferred than higher
   ones.  If there are multiple destinations with the same preference
   and there is no clear reason to favor one (e.g., by recognition of an
   easily-reached address), then the sender-SMTP MUST randomize them to
   spread the load across multiple mail exchangers for a specific
   organization."
 
So I read that the lower number must be tried first, working up the list. Anyone else?

As for knowing that they are all spammers... I have been keeping a very close eye on them for any false IPs. So far, none.
 
Jeremy


LogSat (Admin Group) - posted 12 December 2007 at 11:13pm:
jerbo128 is absolutely correct. RFC 2821 does not *suggest* that lower-preference MX records *should* be used. It is instead very clear and *requires* that the lowest MX records be used first (if they are online...). Any application that does not follow this rule is in violation of the RFCs. If there's a list server that doesn't follow the standard, it has a bug :-) and it should be reported.
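Added example (not from the thread or from SpamFilter) of what the RFC 2821 rule quoted above means for a sending MTA, and of why the MX 99 trap is only safe while a lower-preference host is reachable. The MX set is constructed; the `reachable` callback stands in for the TCP connect a real sender would attempt, so the whole thing runs without DNS or network.

```python
import random
from collections import namedtuple

# Added example of RFC 2821 section 5 MX ordering. Host names are constructed;
# nothing here queries DNS or opens sockets.

MX = namedtuple("MX", "preference host")

TRAP_PREFERENCE = 99   # the MX value used for the dummy SMTP in the thread

MX_RECORDS = [                                   # constructed MX set for one domain
    MX(10, "mx1.example.invalid"),
    MX(10, "mx2.example.invalid"),
    MX(TRAP_PREFERENCE, "mx99.example.invalid"), # the dummy SMTP / trap
]


def delivery_order(records, rng=random):
    """Order MX hosts as RFC 2821 requires: ascending preference, and hosts that
    share a preference shuffled so load is spread between them."""
    by_pref = {}
    for rec in records:
        by_pref.setdefault(rec.preference, []).append(rec.host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)                        # MUST randomize equal preferences
        ordered.extend(hosts)
    return ordered


def deliver(records, reachable, rng=random):
    """Simulate a compliant sender: try hosts in order and return the first one
    that accepts the connection, or None (the sender queues and retries later)."""
    for host in delivery_order(records, rng):
        if reachable(host):
            return host
    return None


def trap_receives_mail(records, reachable, rng=random):
    """True when a compliant sender ends up at the MX 99 host, which can only
    happen if every lower-preference host was unreachable at that moment."""
    chosen = deliver(records, reachable, rng)
    trap_hosts = {r.host for r in records if r.preference == TRAP_PREFERENCE}
    return chosen in trap_hosts


if __name__ == "__main__":
    all_up = lambda host: True
    primaries_down = lambda host: host.startswith("mx99")
    print("order:", delivery_order(MX_RECORDS))
    print("normal day, trap gets mail:", trap_receives_mail(MX_RECORDS, all_up))
    print("both MX 10 down, trap gets mail:", trap_receives_mail(MX_RECORDS, primaries_down))
```

The second print is the case Desperado raises later in the thread: the rule guarantees the trap is tried last, not that it is never tried. Spam bots that ignore the ordering (or walk every A record) are what the trap is counting on; a legitimate sender that reaches the trap is a sign your primaries were unreachable from that sender's network.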
Desperado (Senior Member) - posted 13 December 2007 at 1:29pm:
OK guys ... I joined the bandwagon and set up a test with allowed domains "*" and HoneyPotEmails as "*". 10 min after adding an MX record I had a list of 150 IPs. I am seeing the additions in the SFDB. My only worry is that if valid mail violates the RFC, the SFDB may become polluted. Also, and this is VERY IMPORTANT, this will only work well if there is no chance that all the lower-numbered MX servers are down at the same time. If this happens then external mail servers should send to the "trap" server. Many mail servers (mine included) cache the last server used for outbound mail, and this could cause false additions to the IP blacklist and the SFDB if the primary servers are busy.
 
THOUGHTS?
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

dcook (Senior Member) - posted 13 December 2007 at 2:34pm:
Dan,
You may want to try the setup with no MX records pointing to the honeypot spamfilter.  I did and still get email.
 
Dwight
www.vividmix.com
WebGuyz (Senior Member) - posted 13 December 2007 at 5:11pm:
dcook wrote:
> Dan,
> You may want to try the setup with no MX records pointing to the honeypot spamfilter. I did and still get email.

Still trying to understand how that can be. If you had a domain name acme.com and put it on the spam trap, how would a spammer know to send email to user xxx@acme.com at your IP address?
 
Thanks!
http://www.webguyz.net
Stupid (Senior Member) - posted 13 December 2007 at 5:16pm:
Is it possible for you guys to share the list of the IPs?
jerbo128 (Senior Member) - posted 13 December 2007 at 5:28pm:
Stupid: I can share my list.

email me - jerbo128 - hotmail
 
 
WebGuyz: I have found that spammers will try to send to almost every host that they can find: www, mail, ns0, etc.

In the 2nd 24 hours of running this, I have collected another 40K IPs.
 
Jeremy


WebGuyz (Senior Member) - posted 13 December 2007 at 5:36pm:
jerbo128 wrote:
> WebGuyz: I have found that spammers will try to send to almost every host that they can find: www, mail, ns0, etc.
> In the 2nd 24 hours of running this, I have collected another 40K IPs.
> Jeremy

Aha, so they are just trying all the A records.

I would be interested in your list, but since I'm doing per-domain filtering and have close to 400 domains, even if I did script it that would be 160 million new entries in my DB.

Roberto,

We really need some way to share common blacklists for those doing SFE with per-domain filtering. This idea looks good; however, the duplication of all that data in SFE really stinks.
 
http://www.webguyz.net
dcook (Senior Member) - posted 13 December 2007 at 5:41pm:
No MX records: that's the whole point to me. Spammers are constantly fishing. If you take an unused IP and use that to install your SpamFilter with NO MX records, the spammers will scan or probe your network and start sending email to the IP. I had 150 emails sent to my install in 30 minutes.
 
I believe that no good email should go to an IP without an MX record!! So to me it's a great lure.
Dwight
www.vividmix.com
WebGuyz (Senior Member) - posted 13 December 2007 at 5:58pm:
dcook wrote:
> I believe that no good email should go to an IP without an MX record!! So to me it's a great lure.

I agree. Maybe I can script something for my firewall and add all these spammer IPs on port 25 there. Unless, of course, Roberto finds a way to share common blacklists in SFE, and then I won't have to. LOL
http://www.webguyz.net
Desperado (Senior Member) - posted 14 December 2007 at 12:10pm:
My 2 cents AGAIN. The SFDB is sort of sharing blacklists, depending on how aggressive your settings are. Also, one of us could set up a DNSBL with IP security on access, but when I did that it became too much work to maintain accurately and ended up worse than SORBS. So ... I have no answer, except that I am willing to host a "registered user only" DNSBL if someone else wants to maintain it.
dcook (Senior Member) - posted 14 December 2007 at 12:20pm:
I also went through the process of setting up a local DNSRBL, but it was a handful. I understand your concern about the task of managing it.

I also am concerned about pollution of the SpamFilter SFDB shared list. We all need to be careful with our configurations and experiments. Like you, Dan, we host many clients with different kinds of businesses. I walk a bleeding edge of keeping the filters catching most of the spam but still allowing good email through. It's hard to walk the line.
Dwight
www.vividmix.com
jerbo128 (Senior Member) - posted 14 December 2007 at 12:28pm:
I too would be happy to host a copy of a dnsbl zone.  But I do not have the time to manage it either.  Seems to be the running word of the day!
 
Jeremy
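Added example of what "hosting a DNSBL zone" from a harvested list amounts to mechanically; it is not code from the thread or from any of the DNSBLs mentioned. A DNSBL is just a DNS zone where the owner name is the client IP with its octets reversed, and an A record (conventionally 127.0.0.2) means "listed". The zone name, listed addresses and the use of a wildcard label for a whole /24 are assumptions; the offline lookup mirrors what a resolver would do against the generated zone.

```python
import ipaddress
import socket

# Added example of the DNSBL zone mechanics (constructed zone name and data).
# Restricting who may query the zone ("registered users only") is done on the
# DNS server itself, e.g. an allow-query ACL, not in the zone data.

ZONE = "bl.example.invalid"      # assumed zone name
LISTED = "127.0.0.2"             # conventional "this IP is listed" answer


def dnsbl_name(ip, zone=ZONE):
    """Query name for an IP: octets reversed, zone appended.
    203.0.113.7 -> 7.113.0.203.bl.example.invalid"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def build_zone(entries, zone=ZONE):
    """Map /32 and /24 entries to owner-name -> A record answer.
    A /24 becomes one wildcard owner (*.c.b.a.zone) instead of 256 records."""
    records = {}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 32:
            records[dnsbl_name(net.network_address, zone)] = LISTED
        elif net.prefixlen == 24:
            o = str(net.network_address).split(".")
            records["*." + ".".join(reversed(o[:3])) + "." + zone] = LISTED
        else:
            raise ValueError(f"{entry}: this example only handles /32 and /24")
    return records


def zone_file(records, zone=ZONE, ttl=300):
    """Render BIND-style zone text (SOA/NS omitted; they depend on your server)."""
    lines = [f"$ORIGIN {zone}.", f"$TTL {ttl}"]
    for name in sorted(records):
        owner = name[: -(len(zone) + 1)]          # strip the trailing ".zone"
        lines.append(f"{owner}\tIN\tA\t{records[name]}")
    return "\n".join(lines)


def is_listed_offline(ip, records, zone=ZONE):
    """Resolver simulation: exact owner match, then the /24 wildcard."""
    name = dnsbl_name(ip, zone)
    if name in records:
        return True
    wildcard = "*." + name.split(".", 1)[1]
    return wildcard in records


def is_listed_live(ip, zone=ZONE):
    """Real lookup against whichever DNS serves the zone; NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(dnsbl_name(ip, zone)) == LISTED
    except socket.gaierror:
        return False


if __name__ == "__main__":
    recs = build_zone(["203.0.113.7", "198.51.100.0/24"])   # constructed harvested entries
    print(zone_file(recs))
    for probe in ("203.0.113.7", "198.51.100.200", "192.0.2.1"):
        print(probe, "->", is_listed_offline(probe, recs))
```

The maintenance burden Desperado and dcook describe lives in the input to `build_zone`, not in the DNS part: deciding when an address comes off the list, and keeping your own and your customers' mail hosts out of it. Anything that reads the honeypot file and regenerates the zone needs an exclusion list and an expiry, or the zone only ever grows.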
LogSat (Admin Group) - posted 15 December 2007 at 9:52am:
We're following this thread to see if we're needed, but so far everyone is doing great in experimenting :-)
As a side-note, the SFDB is very resilient to false positives. We only blacklist IPs if we receive multiple reports about an IP, all made from different SpamFilter installations. If some of you incorrectly report an IP due to an incorrect honeypot entry, this practically will not influence the SFDB, as it's just a single report.

Now, if many of you make the same mistake by reporting the same IP that is being blocked by a honeypot entry, then since all of you received the same emails from that IP within a few minutes, chances are that the email is indeed spam, as you all received it. If it's a newsletter or an email notification with a large scope (for example the Microsoft Update security notifications), the IP addresses of these legitimate senders should already be listed in a whitelist of approved senders we use within the SFDB, so the risk of causing false positives should be very low.
WebGuyz (Senior Member) - posted 15 December 2007 at 10:41am:
Desperado wrote:
> ... Also, and this is VERY IMPORTANT, this will only work well if there is no chance that all the lower-numbered MX servers are down at the same time. If this happens then external mail servers should send to the "trap" server. ...
> THOUGHTS?

This worried me as well. I'm going to implement a spamtrap and will write an ASP script to ping my 2 valid SFEs (both MX 10) once a minute, and if both are down then shut down the spamtrap SF service. It would cause havoc to have valid traffic start hitting the spamtrap.
http://www.webguyz.net
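Added example of the watchdog WebGuyz describes, written in Python rather than ASP and not taken from his setup. It probes each primary MX for an SMTP 220 banner instead of pinging it, because a host that answers ICMP while its mail service is down still makes senders fall through to the trap. When fewer than `min_alive` primaries answer, it stops the trap's service; when they come back, it starts it again. The host names, the Windows service name and the use of `sc.exe` to control it are assumptions.

```python
import socket
import subprocess
import time

# Added example: once-a-minute watchdog for an MX 99 spam trap (constructed
# hosts and service name). Decision logic is separated from the probe and the
# service control so it can be tested without a network.

PRIMARY_MX = ["mx1.example.invalid", "mx2.example.invalid"]   # assumed: the two MX 10 hosts
TRAP_SERVICE = "SpamFilterTrap"                                # assumed Windows service name
CHECK_INTERVAL = 60                                            # seconds between checks


def smtp_reachable(host, port=25, timeout=5.0):
    """True if host completes a TCP handshake on port 25 and greets with 220."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(512).decode("latin-1", "replace")
            return banner.startswith("220")
    except OSError:                     # refused, timed out, unresolvable
        return False


def alive_count(hosts, probe=smtp_reachable):
    return sum(1 for h in hosts if probe(h))


def decide(hosts, trap_running, probe=smtp_reachable, min_alive=1):
    """'stop' when too few primaries answer and the trap is up,
    'start' when enough answer and the trap is down, otherwise None."""
    healthy = alive_count(hosts, probe) >= min_alive
    if trap_running and not healthy:
        return "stop"
    if healthy and not trap_running:
        return "start"
    return None


def windows_service_control(action, service=TRAP_SERVICE):
    """Apply a decision with sc.exe (Windows). Returns True on success.
    Swap this for systemctl, a firewall rule, or a DNS change on other platforms."""
    result = subprocess.run(["sc", action, service], capture_output=True, text=True)
    return result.returncode == 0


def watchdog(hosts=PRIMARY_MX, probe=smtp_reachable,
             control=windows_service_control, trap_running=True):
    """Poll, act, sleep, forever. trap_running tracks the last action taken."""
    while True:
        action = decide(hosts, trap_running, probe)
        if action is not None and control(action):
            trap_running = (action == "start")
            print(time.strftime("%Y-%m-%d %H:%M:%S"), "trap service:", action)
        time.sleep(CHECK_INTERVAL)


if __name__ == "__main__":
    watchdog()
```

Two caveats the script cannot remove: it measures reachability from the trap host, not from the remote sender whose MTA may be unable to reach your primaries for its own reasons; and the check runs once a minute, so a sender whose attempt lands inside that window can still be trapped. Treat harvested IPs from any minute in which the primaries were down as suspect rather than blacklisting them automatically.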
WebGuyz (Senior Member) - posted 15 December 2007 at 11:15am:
jerbo128 wrote:
> I too would be happy to host a copy of a dnsbl zone. But I do not have the time to manage it either. Seems to be the running word of the day!
> Jeremy

I'm thinking a shared RBL would skew the SFDB. I like the idea of a large number of us SFE users who have a lot of email traffic/spam implementing this and feeding it back to the SFDB. That way you could harvest the IPs for use locally, but also have a more robust SFDB, because every one of us would only be harvesting IPs destined for our domains.

Roberto, maybe you could consider this as a future option in SFE, where you have a spamtrap filter choice in SFE using a unique IP (different than valid traffic) which we could use to set up our DNS records with a high MX value. It would save me the trouble of having to write a script to ping my SFEs to see if they were up. LOL


http://www.webguyz.net
dcook (Senior Member) - posted 26 December 2007 at 9:15am:
I wanted to touch base and see how the dummy SMTP with MX value of 99 fared over the Christmas holiday. This looks very promising and I'd like to keep us talking.

We tried publishing the MX record of our dummy SMTP as MX 99 on a few domains that get the most spam. I determined our spam by domain ranking with an SQL query on the quarantine. The number of single-IP blacklist entries really grew over the holiday. I am sorting the list by IP and converting some of the entries to a whole class C if warranted, but it is a heap of addresses.
 
How are your tests running?
Dwight
www.vividmix.com
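Added example, not dcook's script, of the consolidation step he describes: read the one-IP-per-line honeypot file, group hits by /24, and list the whole network only when enough distinct hosts in it were caught, otherwise keep the single IPs. The sample file contents are constructed; the threshold and the "never list these" set are assumptions to tune per site (your own MX addresses and any known bulk sender that might be caught during a primary outage belong in the exclusion set).

```python
import ipaddress

# Added example for turning a honeypot IP list into local blacklist entries,
# collapsing a /24 only when it is "warranted". File contents, threshold and
# exclusions below are constructed/assumed.

SAMPLE_HONEYPOT_FILE = """\
# constructed sample of the one-IP-per-line honeypot file
203.0.113.5
203.0.113.7
203.0.113.7
203.0.113.12
203.0.113.19
203.0.113.23
203.0.113.41
203.0.113.77
203.0.113.90
198.51.100.14
198.51.100.200
192.0.2.33
not-an-ip
"""

NEVER_LIST = {ipaddress.IPv4Address("192.0.2.33")}   # assumed: e.g. your own MX or a known legitimate sender
THRESHOLD = 8                                          # assumed: distinct hosts before a /24 is listed whole


def parse_ip_file(text):
    """Return the set of distinct IPv4 addresses, skipping comments and junk."""
    ips = set()
    for line in text.splitlines():
        stripped = line.strip()
        token = stripped.split()[0] if stripped else ""
        if not token or token.startswith("#"):
            continue
        try:
            ips.add(ipaddress.IPv4Address(token))
        except ValueError:                   # leave malformed lines alone
            continue
    return ips


def consolidate(ips, threshold=THRESHOLD, never_list=NEVER_LIST):
    """Group by /24; emit the network when >= threshold distinct hosts were
    seen in it, else the individual hosts. Returns sorted entry strings."""
    per_net = {}
    for ip in ips:
        if ip in never_list:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_net.setdefault(net, set()).add(ip)
    entries = []
    for net, hosts in sorted(per_net.items()):
        if len(hosts) >= threshold:
            entries.append(str(net))
        else:
            entries.extend(str(h) for h in sorted(hosts))
    return entries


def blacklist_entries(text, **kw):
    """Convenience: file text in, blacklist entries out."""
    return consolidate(parse_ip_file(text), **kw)


if __name__ == "__main__":
    for entry in blacklist_entries(SAMPLE_HONEYPOT_FILE):
        print(entry)
```

With the constructed file, 203.0.113.0/24 has eight distinct hosts and is emitted as one network, the two 198.51.100.x hosts stay individual, and 192.0.2.33 is dropped by the exclusion set. A /24 entry blocks neighbours that never sent you anything, which is why the threshold exists; keep the raw per-IP file as the record and regenerate the consolidated list from it rather than editing the consolidated list by hand.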