Tim Meadowcroft wrote:
On Friday 25 Feb 2005 13:35, Bryan Scott wrote:
I had thought about a similar thing, but in my more earnest programming
days ended up temporarily blacklisting those who error out five or more
times in a row. Those who show up on the temporary blacklist 20 or so
times within a given time frame were blacklisted longer. That seemed to
thwart the attacks pretty well, without permanently denying legitimate
but temporarily infected mail servers.
But if you don't want to be black-listed as rfc-ignorant (and/or you're being joe-jobbed) then you have to be a little more polite when the sender is <> (i.e. for bounces), and I found a lot of spammers automatically send as <> (and using one of those things to mangle outgoing addresses so you can reject false bounces won't do much good - the rfc-ignorant crowd just try to send you an email from <> and add you to the blacklist if you don't accept it, which in turn seems more than a little ignorant).
Now I simply reply with different DENY messages depending on if $sender eq "" or not, but that's why I was suggesting the mod to check_badrcptto so I'd hard deny anyone who quoted certain "known only to spammers" addresses.
-- Tim
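The policy Bryan and Tim describe above, written out as an added example (this is not code from the thread or from qpsmtpd): a client that errors out five times in a row gets a short block, a client that collects twenty short blocks within a window gets a long one, and a blocked client that presents the null sender <> gets a temporary 4xx instead of a hard 5xx so a genuine bounce is retried rather than lost. The block lengths, the window size and the response texts are assumed values.

```python
"""Escalating temporary blacklist for misbehaving SMTP clients.

Added example, not code from the mailing-list thread or from qpsmtpd.
Thresholds, block lengths and response texts are assumptions chosen to
match the numbers quoted in the thread.
"""
from collections import deque

# Policy knobs (assumed values).
CONSECUTIVE_ERRORS = 5        # errors in a row before a short block
SHORT_BLOCK = 600             # seconds
REPEAT_LIMIT = 20             # short blocks within WINDOW -> long block
WINDOW = 24 * 3600            # seconds
LONG_BLOCK = 7 * 24 * 3600    # seconds


class ClientState:
    """Per-IP bookkeeping."""

    def __init__(self):
        self.consecutive_errors = 0
        self.short_blocks = deque()   # timestamps of short blocks issued
        self.blocked_until = 0.0


class Reputation:
    """Tracks per-IP failure streaks and escalates blocks."""

    def __init__(self):
        self.clients = {}

    def _state(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def is_blocked(self, ip, now):
        return self._state(ip).blocked_until > now

    def record(self, ip, ok, now):
        """Record one transaction outcome for `ip` at time `now`.

        Returns the block duration issued by this call, or 0 if none.
        """
        st = self._state(ip)
        if ok:
            st.consecutive_errors = 0      # any success ends the streak
            return 0
        st.consecutive_errors += 1
        if st.consecutive_errors < CONSECUTIVE_ERRORS:
            return 0
        # Streak reached: issue a short block and restart the streak count.
        st.consecutive_errors = 0
        st.short_blocks.append(now)
        # Forget short blocks that fell out of the window.
        while st.short_blocks and now - st.short_blocks[0] > WINDOW:
            st.short_blocks.popleft()
        if len(st.short_blocks) >= REPEAT_LIMIT:
            st.blocked_until = now + LONG_BLOCK
            return LONG_BLOCK
        st.blocked_until = now + SHORT_BLOCK
        return SHORT_BLOCK


def decide(rep, ip, sender, now):
    """Return the SMTP response for a MAIL FROM from `ip`.

    A blocked client sending from <> (a bounce) gets a temporary 4xx so a
    legitimate bounce is retried later; anything else gets a hard 5xx.
    """
    if not rep.is_blocked(ip, now):
        return "250 OK"
    if sender == "":
        return "450 temporarily refused, try again later"
    return "550 too many errors from your host"


if __name__ == "__main__":
    rep = Reputation()
    for _ in range(CONSECUTIVE_ERRORS):
        rep.record("192.0.2.10", False, 0)        # constructed sample IP
    print(decide(rep, "192.0.2.10", "", 10))      # 450 ...
    print(decide(rep, "192.0.2.10", "a@b", 10))   # 550 ...
```

The streak counter resets on any successful transaction, so a busy but healthy relay that occasionally trips a recipient check never reaches the short block; only an unbroken run of errors does.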
"known only to spammers", I think that's their policy-scanning dictionary, designed to not ever be real users but close to real sounding in order to slip under the human radar if we ever read logs. Joey Mabrey was their favorite@ a couple of months ago. kathey@ is still popular. Today I got To: <[EMAIL PROTECTED] from a /24 block a dozen times. From a dozen different IPs in the same block, that has to be a wanker crew.
I think they're looking for open relays, policy-scanning by clues in the bounce, disguising a relay attempt as a bounce, encapsulating commands to trojans inside the long to@ and from@, and talking trash always.
For the same reason that soundex and metaphone didn't do too well whitelisting search terms for htdig, they should blacklist fairly well--if a spammer can't get a date in a whorehouse he's less than 40% human. That's a wrong assumption because the most common honest typos are hitting the adjacent key, and reversing two characters, which are going to fool soundex/metaphone. I'd therefore like a non-phonetic percentage of correct spelling check to catch those false positives phonetic checking would cause for honest misspellings (adjacent key, or two chars in reversed order).
For now what I've done is written some new log filtering scripts for a human filter. I can't imagine how a dozen different MTA IPs can legitimately all be relaying to [EMAIL PROTECTED]. I think I'll either put her in badrcptto or accept to [EMAIL PROTECTED]
-Bob
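The non-phonetic check Bob asks for, as an added example (not code from the thread or from qpsmtpd): an edit distance in which an adjacent-key substitution or a transposition of two neighbouring characters costs one step and any other substitution costs two, so an unknown recipient within one step of a real user is logged as an honest typo instead of being counted as a dictionary probe. The user list, the bad-recipient list and the keyboard layout are constructed for illustration.

```python
"""Classify an unknown RCPT TO local-part as an honest typo or a probe.

Added example, not code from the mailing-list thread or from qpsmtpd.
The valid-user list, the probe list and the (US QWERTY, rows only)
keyboard layout are constructed assumptions.
"""

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _adjacent(a, b):
    """True if a and b are horizontal neighbours on a QWERTY row."""
    for row in KEYBOARD_ROWS:
        if a in row and b in row and abs(row.index(a) - row.index(b)) == 1:
            return True
    return False


def typo_distance(s, t):
    """Optimal-string-alignment distance with typo-aware costs.

    Insert/delete cost 1, an adjacent-key substitution costs 1, an
    adjacent transposition costs 1, any other substitution costs 2.
    """
    s, t = s.lower(), t.lower()
    m, n = len(s), len(t)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            if s[i - 1] == t[j - 1]:
                sub = 0
            elif _adjacent(s[i - 1], t[j - 1]):
                sub = 1
            else:
                sub = 2
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + sub)    # substitute
            # Two neighbouring characters swapped.
            if i > 1 and j > 1 and s[i - 1] == t[j - 2] and s[i - 2] == t[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def classify(local_part, valid_users, bad_rcpts, max_typo=1):
    """Return (verdict, nearest_valid_user_or_None).

    verdict is one of "accept", "probe", "typo" or "unknown"; only the
    last two should feed an error counter, and "typo" arguably should not.
    """
    lp = local_part.lower()
    if lp in valid_users:
        return "accept", lp
    if lp in bad_rcpts:
        return "probe", None
    best = min(valid_users, key=lambda u: typo_distance(lp, u))
    if typo_distance(lp, best) <= max_typo:
        return "typo", best
    return "unknown", None


if __name__ == "__main__":
    users = {"bob", "alice", "carol"}          # constructed user list
    probes = {"kathey", "joeymabrey"}           # constructed probe list
    for rcpt in ["bob", "bpb", "obb", "bobb", "kathey", "zzzz"]:
        print(rcpt, classify(rcpt, users, probes))
```

With the default threshold of one step a hit on the neighbouring key, a swapped pair or one dropped or doubled letter is forgiven, while a substitution across the keyboard or a name that resembles nobody stays "unknown" and can be counted towards a block.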