Spam Filter ISP Support Forum

Dummy SMTP - Opinions required - New feature?


ImInAfrica, posted 12 December 2007 at 5:21pm
Roberto,
Your suggestion to use SF as it is at the moment is good, however a few problems may come up.
We've discovered that some list servers actually send 'good' emails to the high number MX record (I think this is by design but am not 100% sure).

If we run this with your suggestion then the email is lost, to 'la la land', whereas with my original suggestion, the dummy SMTP actually drops the connection a couple of seconds after the DATA command is issued. In other words, the SMTP conversation is never completed.
The bottom line effect is:
- Spammers don't care, as they don't monitor the conversation.
- Real SMTP servers will try to resend, and will eventually give up this MX record and try another. At least they should.

We are only testing this on 8 of our domains out of over 500.
It's working really nicely so far. Of course we don't have any of the functionality of SF which we've become so used to, like the connection lists, blacklisting of the IPs etc.

By the way, we don't have any allowed/disallowed lists. We accept ALL connections, and drop them after the DATA command.
 
Amir

dcook, posted 12 December 2007 at 10:31am
I just set the BL_HoneypotBlockedIPsFileName variable in the filters.ini -- I'll give that a whirl.
Dwight
www.vividmix.com

dcook, posted 12 December 2007 at 10:28am
In my setup the IP's are not being saved to a file although the file is specified.  Is there an ini variable I must set? 
 
I have been parsing the logs to get the IP's -- it's an effort.
 
 
Dwight
www.vividmix.com

WebGuyz, posted 12 December 2007 at 12:49am
Roberto,

What if you're adding all the IPs to the blacklist of the machine you're using for the spam trap? Eventually, as more and more IPs are harvested and added to that local SF copy, less and less traffic will get thru as the entire will no longer be sent. Or am I missing something in this scenario?
http://www.webguyz.net

LogSat, posted 11 December 2007 at 10:02pm
Jeremy,

The issue we see is a potential waste of bandwidth. If you have a * in the Allowed Domains, SpamFilter will accept *all* emails and will behave as an open relay. While it's true that the "null" option will cause all emails to be sent to la-la land, to the remote sender the email will appear as having been sent successfully. But this also means that the sender is actually sending the entire content of the email, and will continue to send multiple emails, as to them they are all being delivered. But if you have bandwidth to spare, it's not an issue (actually, you're doing the world a favor as spammers think you're a good open relay when in fact, no emails are being delivered....!)
Roberto Franceschetti

LogSat Software

Spam Filter ISP

jerbo128, posted 11 December 2007 at 11:54am

Dcook-

The IPs are saved to a text file that you specify in SpamFilter.

I set up my dummy instance so that almost all filters are not running, such as maps, surbl, bayes, etc., to save resources.  I added a * to allowed domains and to the honeypot email address list.  So essentially, it is acting like an open relay (by accepting mail for all domains) but since it never completes the transaction - it is not a security risk.
 
I was amazed at how fast spammers started sending mail.  Nothing like harvesting spammer ips.
 
Roberto -
 
Do you see a benefit either way to using keyword filter as you described above versus using the honeypot like I am doing?  If one is using the keyword filter - will a  *::null:honeypot setup work?
 
Jeremy

dcook, posted 11 December 2007 at 11:31am
OK, this may be a dumb question ... If one configures the honeypot as described, how would you get a list of the IPs captured? Are they in a file or do I have to get them from the log?
 
Thanks!
Dwight
www.vividmix.com

LogSat, posted 08 December 2007 at 5:53pm
Amir,

You could configure another SpamFilter with a keyword filter containing a wildcard or just one letter (with the ::NULL option so that emails are not processed and just dropped), so that all incoming emails are spam. The IP would be reported to the SFDB, and would thus contribute in assigning it a negative rank (one single report is not enough to mark it as blacklisted, but it may help). You could also add a honeypot email with a wildcard (ex. *@mydomain.com) so that all attempts would cause the IP to fall in the honeypot and you could build yourself a list of IPs to locally blacklist.

Licensing-wise, if you install the second instance of SpamFilter on the same server running your primary SpamFilter, you will be within the licensing terms, as we only require a license for the server where you install SpamFilter. You can run as many instances as you wish on it (by "server" in a virtual (VMWARE..) environment, we then mean a virtual guest server).
We require
Roberto Franceschetti

LogSat Software

Spam Filter ISP

ImInAfrica, posted 08 December 2007 at 5:14pm
Hi all,
We've been experimenting with a dummy SMTP server.
A dummy SMTP server is software which accepts SMTP connections, but never completes the communication. Ours drops the connection after the DATA command.

Basically, I set up an MX 99 on some of our domains (same server as SF, different IP address), and started running the program. Within minutes I started getting connections on it. So much so that within 24 hours we've had over 4000 connections (all verified as spam) to just 8 domains. That's an average of 500 messages per domain.

The software we have is somewhat buggy, probably slow, and isn't as resource considerate as SF.

I'd like to know what the people around here think about this as a spam 'fighting' technique, and maybe Roberto can release a stripped down version of SF purely for dummy smtp connections?

Regards
Amir
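
The dummy SMTP behaviour discussed in this thread (accept every connection, answer the envelope commands, then drop the connection after DATA without replying, keeping the peer IP for a local blacklist), as an added Python example that is not the poster's software and not part of SpamFilter ISP. The host names, `DROP_DELAY`, the `seen` list and the `sample_session` client are assumptions made for the example.

```python
import socket, socketserver, threading, time
DROP_DELAY = 0.2  # assumption: the post says "a couple of seconds"; shortened for the demo
seen = []         # (client_ip, envelope lines) for every session dropped at DATA

class DummySMTPHandler(socketserver.StreamRequestHandler):
    timeout = 30  # idle clients must not pin a thread forever

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        envelope = []
        self.reply("220 dummy.example ESMTP")
        try:
            for raw in self.rfile:
                line = raw.decode("ascii", "replace").strip()
                verb = line.upper()
                if verb.startswith(("HELO", "EHLO")):
                    self.reply("250 dummy.example")
                elif verb.startswith(("MAIL FROM:", "RCPT TO:")):
                    envelope.append(line)
                    self.reply("250 OK")
                elif verb == "QUIT":
                    self.reply("221 Bye")
                    return
                elif verb == "DATA":  # no 354 reply: record the peer, pause, drop
                    seen.append((self.client_address[0], tuple(envelope)))
                    time.sleep(DROP_DELAY)
                    return
                else:
                    self.reply("502 Command not implemented")
        except OSError:
            pass  # timeout or reset: nothing was going to be delivered anyway

def start_server(host="127.0.0.1", port=0):
    """Serve in a background thread; port 0 lets the OS pick a free port."""
    srv = socketserver.ThreadingTCPServer((host, port), DummySMTPHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def sample_session(port):
    """Constructed client: sends an envelope plus DATA, returns the reply codes."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s, s.makefile("rb") as f:
        codes = [f.readline()[:3].decode()]  # greeting
        for cmd in ("HELO sender.example", "MAIL FROM:<a@sender.example>",
                    "RCPT TO:<b@trap.example>", "DATA"):
            s.sendall(cmd.encode() + b"\r\n")
            codes.append(f.readline()[:3].decode())
        return codes  # a trailing "" means the server closed without answering DATA
```

Because the message body is never requested, a legitimate sender sees a failed session and retries against another MX record, while the listener spends no bandwidth on message content.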