Re: [CentOS] Spam, fail2ban and centos

2012-05-09 Thread Les Mikesell
On Wed, May 9, 2012 at 11:07 AM, Bob Hoffman  wrote:
>
> I am starting to see a real pattern to all this.
>
> I would love to see someone do a case study on spam attacks. Their
> system seems well honed to scale up with your defenses until they
> finally have to 'appear' on their real computers like the ovh.net
> servers, and many more hosts,

I think you are over-analyzing.  The senders are distributed and shift
around whether you do anything defensive or not, and if you have ever
accepted an address, even years ago with a system like qmail that
accepted without checking anything, then tried to bounce bad
addresses, those addresses will be on some lists that are re-tried
forever no matter how many times you reject them now.   I haven't
watched this for a while but I used to be surprised that even though
the senders were spread over hundreds of IPs, the overall rate seemed
to be centrally controlled and in what would look like a dictionary
attack the list seemed to be sorted, at least in big chunks, across
the senders.

-- 
   Les Mikesell
 lesmikes...@gmail.com
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Spam, fail2ban and centos

2012-05-10 Thread Scott Silva
on 5/9/2012 9:59 AM Les Mikesell spake the following:
> On Wed, May 9, 2012 at 11:07 AM, Bob Hoffman  wrote:
>>
>> I am starting to see a real pattern to all this.
>>
>> I would love to see someone do a case study on spam attacks. Their
>> system seems well honed to scale up with your defenses until they
>> finally have to 'appear' on their real computers like the ovh.net
>> servers, and many more hosts,
> 
> I think you are over-analyzing.  The senders are distributed and shift
> around whether you do anything defensive or not, and if you have ever
> accepted an address, even years ago with a system like qmail that
> accepted without checking anything, then tried to bounce bad
> addresses, those addresses will be on some lists that are re-tried
> forever no matter how many times you reject them now.   I haven't
> watched this for a while but I used to be surprised that even though
> the senders were spread over hundreds of IPs, the overall rate seemed
> to be centrally controlled and in what would look like a dictionary
> attack the list seemed to be sorted, at least in big chunks, across
> the senders.
> 
I would turn that address into a spamtrap and use it to reject on your other
servers...




Re: [CentOS] Spam, fail2ban and centos

2012-05-10 Thread Les Mikesell
On Thu, May 10, 2012 at 10:52 AM, Scott Silva  wrote:
>>
>> I think you are over-analyzing.  The senders are distributed and shift
>> around whether you do anything defensive or not, and if you have ever
>> accepted an address, even years ago with a system like qmail that
>> accepted without checking anything, then tried to bounce bad
>> addresses, those addresses will be on some lists that are re-tried
>> forever no matter how many times you reject them now.   I haven't
>> watched this for a while but I used to be surprised that even though
>> the senders were spread over hundreds of IPs, the overall rate seemed
>> to be centrally controlled and in what would look like a dictionary
>> attack the list seemed to be sorted, at least in big chunks, across
>> the senders.
>>
> I would turn that address into a spamtrap and use it to reject on your other
> servers...

It wasn't 'an address'.  It was a dictionary attack to thousands of
user names that don't exist at a few domains.   Years ago I had used
an SME server with its stock qmail setup to receive for those domains
- up to the point where accepting/bouncing rejections became
impractical.  But by then the addresses must have gotten on some
'known good' spam list because they had been accepted at least once,
and from then on there was a steady stream of about 50k/day delivery
attempts.  For unrelated business reasons we no longer use those
domains but it went on for years and for all I know the list is still
being used.  After I switched to receiving with sendmail with all the
real users in virtusertable the rate wasn't a problem - rejects happen
very quickly with only a dbm lookup and a default reject rule.

-- 
   Les Mikesell
 lesmikes...@gmail.com
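The setup Les describes above, all real users listed in virtusertable and a default reject for everything else at the domain, can be emulated to show why a dictionary attack costs almost nothing once addresses are refused at RCPT time. The block below is an added illustration for this thread, not sendmail's code and not anything Les posted; the domain, user names and map entries are constructed, and the key order it tries is a simplified version of sendmail's virtusertable lookup.

```python
"""Added illustration (not sendmail's own code): emulate the RCPT-time lookup
a sendmail virtusertable gives when every real mailbox is listed explicitly
and a catch-all "@domain" entry rejects everything else, so a dictionary
attack against thousands of non-existent names is refused before DATA."""

from typing import Dict, Optional, Tuple

# Constructed virtusertable in the text format that makemap(8) reads.
# "error:..." on the right-hand side is sendmail's reject syntax; the
# "@example.org" line is the default reject rule for any address not listed above it.
VIRTUSERTABLE = """\
# real users at example.org (assumed names)
les@example.org          les
postmaster@example.org   root
# everything else at the domain is refused at RCPT time
@example.org             error:nouser No such user here
"""


def parse_virtusertable(text: str) -> Dict[str, str]:
    """Turn the text map into a dict, mirroring what the .db lookup returns."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, rhs = line.split(None, 1)
        table[key.lower()] = rhs.strip()
    return table


def lookup(table: Dict[str, str], rcpt: str) -> Tuple[Optional[bool], str]:
    """Return (accept, detail) for one RCPT TO address.

    Simplified version of sendmail's key order: user+detail@domain,
    user+*@domain, user@domain, then the @domain catch-all. None means the
    domain is not in the map at all, so sendmail would fall through to its
    other local-delivery rules instead."""
    user, _, domain = rcpt.strip("<>").lower().partition("@")
    base, _, detail = user.partition("+")
    keys = []
    if detail:
        keys += [f"{user}@{domain}", f"{base}+*@{domain}"]
    keys += [f"{base}@{domain}", f"@{domain}"]
    for key in keys:
        rhs = table.get(key)
        if rhs is None:
            continue
        if rhs.startswith("error:"):
            return False, rhs[len("error:"):]
        return True, rhs
    return None, "domain not in virtusertable"


def triage(table: Dict[str, str], rcpts) -> Dict[str, int]:
    """Count how a batch of RCPT attempts is dispositioned; with a dictionary
    attack almost everything lands in 'reject' after one hash lookup."""
    counts = {"accept": 0, "reject": 0, "passthrough": 0}
    for rcpt in rcpts:
        accept, _ = lookup(table, rcpt)
        bucket = "accept" if accept else "passthrough" if accept is None else "reject"
        counts[bucket] += 1
    return counts


if __name__ == "__main__":
    t = parse_virtusertable(VIRTUSERTABLE)
    # Constructed dictionary-attack sample: a few guessed names plus one real user.
    guesses = [f"{n}@example.org" for n in ("aaron", "abby", "adam", "admin", "les")]
    print(triage(t, guesses))
```

On a real CentOS box the equivalent is the text file under /etc/mail compiled with makemap and enabled through the virtusertable feature in sendmail.mc; the point of the emulation is that each guessed name costs one map lookup and a 550 at RCPT, with no bounce generated and no queue entry created.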


Re: [CentOS] Spam, fail2ban and centos

2012-05-10 Thread Scott Silva
on 5/10/2012 9:47 AM Les Mikesell spake the following:
> On Thu, May 10, 2012 at 10:52 AM, Scott Silva  wrote:
>>>
>>> I think you are over-analyzing.  The senders are distributed and shift
>>> around whether you do anything defensive or not, and if you have ever
>>> accepted an address, even years ago with a system like qmail that
>>> accepted without checking anything, then tried to bounce bad
>>> addresses, those addresses will be on some lists that are re-tried
>>> forever no matter how many times you reject them now.   I haven't
>>> watched this for a while but I used to be surprised that even though
>>> the senders were spread over hundreds of IPs, the overall rate seemed
>>> to be centrally controlled and in what would look like a dictionary
>>> attack the list seemed to be sorted, at least in big chunks, across
>>> the senders.
>>>
>> I would turn that address into a spamtrap and use it to reject on your other
>> servers...
> 
> It wasn't 'an address'.  It was a dictionary attack to thousands of
> user names that don't exist at a few domains.   Years ago I had used
> an SME server with its stock qmail setup to receive for those domains
> - up to the point where accepting/bouncing rejections became
> impractical.  But by then the addresses must have gotten on some
> 'known good' spam list because they had been accepted at least once,
> and from then on there was a steady stream of about 50k/day delivery
> attempts.  For unrelated business reasons we no longer use those
> domains but it went on for years and for all I know the list is still
> being used.  After I switched to receiving with sendmail with all the
> real users in virtusertable the rate wasn't a problem - rejects happen
> very quickly with only a dbm lookup and a default reject rule.
> 
But still... If you know those addresses are never legitimate anymore, they
are perfect to port to a spamtrap, and use for local blocking of those 
senders...


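Scott's suggestion, using addresses that can never be legitimate again as a spamtrap and feeding the hits into local blocking, comes down to mining the reject log for relays that probe those addresses. The block below is an added example written for this thread, not code from either poster; the trap addresses, IPs and sendmail log lines are constructed, and the "distinct traps hit" threshold is an assumed policy, chosen so one stray hit on a single address does not block a host.

```python
"""Added example, not from the thread: mine sendmail reject lines for hits on
addresses that are known never to be legitimate (a spamtrap list) and rank the
relay IPs that probe them, which is the input a local block list or a fail2ban
jail would act on. Log lines, addresses and IPs below are constructed."""

import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Addresses that no longer have (or never had) a real mailbox: hits on these
# can only come from old spam lists, so they act as the spamtrap.
TRAPS: Set[str] = {"oldsales@example.org", "webmaster@example.org", "info@example.org"}

# Constructed log lines in the shape sendmail uses for a RCPT-time reject.
SAMPLE_LOG = """\
May 10 09:47:01 mx sendmail[4711]: q4AEl101004711: ruleset=check_rcpt, arg1=<oldsales@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <oldsales@example.org>... User unknown
May 10 09:47:02 mx sendmail[4712]: q4AEl202004712: ruleset=check_rcpt, arg1=<webmaster@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <webmaster@example.org>... User unknown
May 10 09:47:03 mx sendmail[4713]: q4AEl303004713: ruleset=check_rcpt, arg1=<info@example.org>, relay=spam.example.net [192.0.2.10], reject=550 5.1.1 <info@example.org>... User unknown
May 10 09:47:04 mx sendmail[4714]: q4AEl404004714: ruleset=check_rcpt, arg1=<info@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <info@example.org>... User unknown
May 10 09:47:05 mx sendmail[4715]: q4AEl505004715: ruleset=check_rcpt, arg1=<lse@example.org>, relay=[203.0.113.5], reject=550 5.1.1 <lse@example.org>... User unknown
"""

# relay= may carry a resolved hostname before the bracketed IP, or just the IP.
REJECT_RE = re.compile(
    r"relay=(?:\S+ )?\[(?P<ip>[0-9.]+)\].*?reject=550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)


def trap_hits(lines: Iterable[str], traps: Set[str]) -> Dict[str, Set[str]]:
    """Map relay IP -> set of distinct trap addresses it tried to deliver to.
    A typo of a real user (like 'lse') is an unknown user but not a trap,
    so it is not counted; only never-legitimate addresses count."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        rcpt = m.group("rcpt").lower()
        if rcpt in traps:
            hits[m.group("ip")].add(rcpt)
    return dict(hits)


def block_candidates(hits: Dict[str, Set[str]], min_distinct: int = 2) -> List[str]:
    """IPs that probed at least min_distinct trap addresses, most active first.
    Requiring several distinct traps avoids blocking a host on one stray hit."""
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [ip for ip, addrs in ranked if len(addrs) >= min_distinct]


if __name__ == "__main__":
    h = trap_hits(SAMPLE_LOG.splitlines(), TRAPS)
    print(block_candidates(h))
```

The output list is what you would hand to the blocking layer on the other servers, whether that is an access map entry, a firewall rule, or a fail2ban action; keeping the trap list separate from "unknown user" in general matters, because a mistyped real address is a correspondent, not a spam source.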