>Saturday, August 17, 2002 you wrote:
>LC> Dictionary spammers will typically open on SMTP session and then
>LC> send one msgs to 25 to 50 [EMAIL PROTECTED]
>
>     There must be some program they are trying to get around by
>     limiting the recipients like this.

Most MTAs have a param to limit max RCPT TO per SMTP session.  I figure the 
spammers were hitting this too often, the ENTIRE session was being 
discarded by the recipient, so dropping to 25 "got under the radar" enough.

IMGate, as installed by me (not available in the config I give out for 
free), now includes capabilities to detect dictionary attacks, to blacklist 
the spamming ip's, and to reduce the errors per SMTP session to one, so 
after one error, IMGate immediately hangs up on the abuser, rather than 
passively returning a 5xx and expecting the sender to hang up.

>   This is definitely new to me.
>      Used to they'd just hit you with 1,000 or 2,000 rctp to's if
>      you'd let them but now they hit with 25 or so and quit.

yep, they've gotten more clever, but this particular advance wasn't rocket 
science.  I figure most spammers are as dumb as they are mean.  There was a 
Louisiana spammer in an article last week complaining that one year he made 
$12M spamming (hmm, if Darth Spammer calls on me, I'm going over to the 
Dark Side) but now he's down to $10K / week.

>      Plus the other thing they are doing is going right through the
>      secondary MX servers.

I always tell IMGate users to take IMail out of their MX records, since 
spammers hit all MX records, no matter what the MX preference value.

We are also seeing spammers scanning networks for SMTP service on port 25 
and spamming that.  So IMGate people need to block access to port 25 of 
their imail server.  They can use pop-before-smtp and send outbound through 
IMGate.

>LC> The next phase of IMGate will be to take the war from the SMTP
>LC> application level down to the tcp/ip protocol level where IMGate
>LC> will automatically
>
>     That's where it needs to be.

It's already there. Remember Dusty "ZZ Topper" Carden who used to help out 
here a lot a couple of years ago?  He runs 5 FreeBSD IMGates and every one 
has ipfilter running with a list of 500+ blocked ip's.  Other IMGate users 
are also adding packet filtering to their boxes.

btw, I just installed an IMGate in Ohio last Thursday in front of a 
sendmail mailbox server.   To show you how nightmarish abuse has become, a 
few numbers from its first day of operation:

Here is a partial list of the msg rejects per sending ip:

14748 24.232.148.6   <<<<<  fibertel.com.ar, we know you well
  6584 202.106.101.26
  6584 202.106.101.26
  2272 218.145.227.94
   841 64.86.155.135
   804 206.222.1.5
   798 203.154.95.135
   676 202.134.0.198
   653 64.27.167.226
   613 216.247.70.245
   516 64.251.23.133
   486 24.202.135.96
   462 168.234.193.154
   451 4.37.106.187
   415 200.69.220.189
   408 167.206.112.85
   388 209.25.238.162
   380 66.33.48.49
   318 67.36.239.193
   303 66.180.247.22
   300 151.197.50.222
   293 203.177.73.229
   285 200.72.23.50
   283 66.180.247.21
   282 66.134.56.234
   276 216.144.69.91
   276 168.103.197.139
   275 217.10.215.134

.. etc, etc, for 100's of lines

For these totals:

Grand Totals
------------
messages

    96534   received
    27735   delivered
        0   forwarded
      475   deferred  (4592  deferrals)
     2646   bounced
   115630   rejected  <<<<<<<<<<<<<!!!!!!!!

The categories of rejects break down like this:

       2 RBL dialups.relays.osirusoft.com
       6 RBL orbs.dorkslayers.com
      10 ACL from_senders_bogus
      13 SMTP invalid [EMAIL PROTECTED]
      44 RBL sbl.spamhaus.org
      49 SMTP invalid [EMAIL PROTECTED]
      75 RBL korea.services.net
      77 Other (ip's blacklisted for pipelining)
      85 RBL rbl-plus.mail-abuse.org
      90 ACL unauthorized relay
      99 ACL mta_clients_relay
     140 SMTP unauthorized pipelining
     218 RBL dynablock.wirehub.net
     286 ACL mta_clients_dict  blacked for dictionary attacks
     326 ACL body checks  mostly KLEZ
     399 SMTP Bad HELO   $domain, localhost, localhost.localdomain
     451 RBL proxies.relays.monkeys.com
     535 ACL from_senders_nxdomain
     755 DNS timeout for MTA PTR hostname (forged @sender.domain)
    1189 ACL to_recipients_dead  sending to dead accounts
    1489 ACL mta_clients_hel  exceeded Hard Error Limit in one session
    1575 ACL header checks
    2256 RBL relays.ordb.org
    2637 RBL relays.osirusoft.com
    2859 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
    3220 ACL from_senders_black
    3703 RBL blackholes.wirehub.net
    3845 ACL mta_clients_slet
    5016 ACL mta_clients_dead
    5301 DNS no A/MX for @sender.domain
    5567 ACL mta_clients_rbl
    6153 RBL bl.spamcop.net
    9685 ACL from_senders_clueless
   24253 ACL mta_clients_bogus
   26244 ACL from_senders_slet

I won't take the time/space to explain all those categories, just take it 
on board that anti-abuse battles are fought on an all-azimuth, multi-front 
war.

Arnold IMGatenegger sadistically likes to take them out in as many ways as 
possible.  :))

Len

__________________________________________________________________
www.menandmice.com/DNS-training : DNS Training
BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
IMGate.MEIway.com  : Build free, hi-perf, anti-abuse mail gateways
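The two mechanisms Len describes above (a per-session hard error limit that hangs up after one 5xx instead of waiting for the sender to give up, and blacklisting an IP after it probes too many nonexistent users) can be illustrated over a handful of log lines. The script below is an added example for readers of this thread; it is not IMGate code and not Len's. It assumes a hypothetical one-line-per-RCPT log format (`sess=... client=... rcpt=... result=...`) and uses constructed sample lines and thresholds chosen for the demonstration; real MTAs log differently and the thresholds would need tuning.

```python
"""Per-IP reject tally, hard-error-limit simulation and dictionary-attack
detection over constructed SMTP recipient log lines (example only)."""
import re
from collections import Counter

# Constructed sample log: hypothetical format, not IMGate's or any real MTA's.
# One line per RCPT TO attempt: session id, connecting client ip, recipient, reply.
SAMPLE_LOG = """\
sess=101 client=192.0.2.10 rcpt=aaron@example.net result=550_unknown_user
sess=101 client=192.0.2.10 rcpt=abby@example.net result=550_unknown_user
sess=101 client=192.0.2.10 rcpt=adam@example.net result=550_unknown_user
sess=101 client=192.0.2.10 rcpt=alan@example.net result=550_unknown_user
sess=102 client=192.0.2.10 rcpt=amy@example.net result=550_unknown_user
sess=102 client=192.0.2.10 rcpt=bob@example.net result=250_ok
sess=102 client=192.0.2.10 rcpt=beth@example.net result=550_unknown_user
sess=103 client=198.51.100.7 rcpt=bob@example.net result=250_ok
sess=103 client=198.51.100.7 rcpt=carol@example.net result=250_ok
sess=104 client=198.51.100.7 rcpt=bobb@example.net result=550_unknown_user
sess=104 client=198.51.100.7 rcpt=carol@example.net result=250_ok
sess=105 client=203.0.113.9 rcpt=dave@example.net result=550_unknown_user
sess=105 client=203.0.113.9 rcpt=dan@example.net result=550_unknown_user
sess=105 client=203.0.113.9 rcpt=carol@example.net result=250_ok
"""

LINE_RE = re.compile(r"sess=(\S+) client=(\S+) rcpt=(\S+) result=(\S+)")


def parse_log(text):
    """Return a list of (session, client_ip, recipient, result) tuples,
    skipping malformed lines instead of aborting the whole report."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def rejects_per_ip(records):
    """Count 5xx recipient rejects per sending IP (the per-IP list in the mail)."""
    return Counter(ip for _, ip, _, result in records if result.startswith("5"))


def apply_hard_error_limit(records, limit=1):
    """Simulate a per-session Hard Error Limit: once a session has drawn
    `limit` 5xx replies the server hangs up, so the rest of that session's
    RCPT TOs are never answered. Returns {session: (answered, dropped)}."""
    errors, answered, dropped = Counter(), Counter(), Counter()
    order = list(dict.fromkeys(sess for sess, *_ in records))  # first-seen order
    for sess, _, _, result in records:
        if errors[sess] >= limit:
            dropped[sess] += 1        # connection already closed
            continue
        answered[sess] += 1
        if result.startswith("5"):
            errors[sess] += 1
    return {s: (answered[s], dropped[s]) for s in order}


def dictionary_attackers(records, min_unknown=3, min_ratio=0.75):
    """Flag IPs whose RCPT TOs are mostly unknown users across all sessions.
    Thresholds are assumptions for the demo; a legit sender with a typo or
    two stays well under them."""
    total, unknown = Counter(), Counter()
    for _, ip, _, result in records:
        total[ip] += 1
        if result == "550_unknown_user":
            unknown[ip] += 1
    return {ip for ip in total
            if unknown[ip] >= min_unknown and unknown[ip] / total[ip] >= min_ratio}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rejects per ip:")
    for ip, n in rejects_per_ip(recs).most_common():
        print(f"{n:6d} {ip}")
    print("hard error limit=1:", apply_hard_error_limit(recs, limit=1))
    print("dictionary attackers:", dictionary_attackers(recs))
```

With the sample lines, 192.0.2.10 draws six rejects, is flagged as a dictionary attacker, and with a limit of one its first session is cut off after a single RCPT TO; the session that mixes one typo with valid recipients is neither cut short beyond the first error nor blacklisted.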


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
