Re: Spam harvesting using Fake Authentication
On Sun, 18 Aug 2013, Len Conrad wrote:

>> Came up with a cool trick that seems to be working well after running for several months.
>
> I do the same by harvesting the IPs that fail SMTP AUTH a number of times, and then if more than a number of IPs in a ClassC, I block the entire ClassC.
>
> I do the same with postscreen/pregreet IPs and ClassC.

Have you considered TCP Tarpitting instead of just blocking them? Blocking them doesn't actually *punish* them. Getting their MTAs *stuck* for hours or days does.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The Constitution is a written instrument. As such its meaning does not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
5 days until the 1934th anniversary of the destruction of Pompeii
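The harvesting procedure Len describes (count SMTP AUTH failures and postscreen PREGREETs per client IP, then escalate to blocking the whole /24 once enough of its hosts offend), as an added Python example that is not code from anyone in this thread. The log lines are constructed in Postfix smtpd/postscreen format with RFC 5737 documentation addresses, and the thresholds and the cidr map path are assumptions, not Len's actual settings.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not real traffic): 203.0.113.0/24 holds three
# repeat offenders, 198.51.100.9 is a lone repeat offender, 192.0.2.3
# failed only once and must not be listed.
SAMPLE_LOG = """\
Aug 18 02:11:03 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug 18 02:11:09 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug 18 02:11:15 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Aug 18 02:14:40 mx postfix/smtpd[2107]: warning: unknown[203.0.113.6]: SASL LOGIN authentication failed: authentication failure
Aug 18 02:14:46 mx postfix/smtpd[2107]: warning: unknown[203.0.113.6]: SASL LOGIN authentication failed: authentication failure
Aug 18 02:14:52 mx postfix/smtpd[2107]: warning: unknown[203.0.113.6]: SASL LOGIN authentication failed: authentication failure
Aug 18 02:20:01 mx postfix/postscreen[2050]: PREGREET 11 after 0.15 from [203.0.113.77]:51234: EHLO example.invalid
Aug 18 02:20:31 mx postfix/postscreen[2050]: PREGREET 11 after 0.14 from [203.0.113.77]:51240: EHLO example.invalid
Aug 18 02:21:02 mx postfix/postscreen[2050]: PREGREET 11 after 0.16 from [203.0.113.77]:51251: EHLO example.invalid
Aug 18 03:02:11 mx postfix/smtpd[2133]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Aug 18 03:02:17 mx postfix/smtpd[2133]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Aug 18 03:02:23 mx postfix/smtpd[2133]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Aug 18 03:30:00 mx postfix/smtpd[2140]: warning: unknown[192.0.2.3]: SASL LOGIN authentication failed: authentication failure
"""

AUTH_FAIL = re.compile(r"warning: \S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed")
PREGREET = re.compile(r"postscreen\[\d+\]: PREGREET \d+ after [\d.]+ from \[(\d+\.\d+\.\d+\.\d+)\]")

def repeat_offenders(log_text, per_ip_threshold=3):
    """Count SMTP AUTH failures and postscreen PREGREETs per client IP and
    return the set of IPs that reached the threshold (threshold is assumed)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line) or PREGREET.search(line)
        if m:
            hits[m.group(1)] += 1
    return {ip for ip, n in hits.items() if n >= per_ip_threshold}

def escalate_to_slash24(ips, per_net_threshold=3):
    """Group offenders by /24 ("class C"). A network with at least
    per_net_threshold distinct offenders is blocked whole; the rest stay
    single-host entries. Returns (networks, single_ips), both sorted."""
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ip_network(f"{ip}/24", strict=False)].add(ip_address(ip))
    nets, singles = [], []
    for net, members in by_net.items():
        if len(members) >= per_net_threshold:
            nets.append(net)
        else:
            singles.extend(members)
    return sorted(nets), sorted(singles)

def cidr_table(nets, singles):
    """Render the result as a Postfix cidr_table(5) map, e.g. for
    check_client_access cidr:/etc/postfix/authfail.cidr (path is an example)."""
    lines = [f"{net} REJECT repeated SMTP AUTH failures from this /24" for net in nets]
    lines += [f"{ip}/32 REJECT repeated SMTP AUTH failures" for ip in singles]
    return lines
```

Feed it the real mail log instead of SAMPLE_LOG and write the returned lines to the cidr map, then postmap is not needed for cidr tables; a postfix reload picks the file up.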
Tarpitting (was Re: Spam harvesting using Fake Authentication)
On Mon, 19 Aug 2013 07:31:33 -0700 (PDT)
John Hardin jhar...@impsec.org wrote:

> Have you considered TCP Tarpitting instead of just blocking them? Blocking them doesn't actually *punish* them. Getting their MTAs *stuck* for hours or days does.

IMO, tarpitting is useless. When you have hundreds, thousands or more compromised zombie computers at your disposal, you're not even going to notice tarpitting.

Spammers can also use custom software with short timeouts to move on quickly if they think they're being tarpitted.

Regards,

David.
Re: Tarpitting (was Re: Spam harvesting using Fake Authentication)
On Mon, 19 Aug 2013, David F. Skoll wrote:

> On Mon, 19 Aug 2013 07:31:33 -0700 (PDT)
> John Hardin jhar...@impsec.org wrote:
>
>> Have you considered TCP Tarpitting instead of just blocking them? Blocking them doesn't actually *punish* them. Getting their MTAs *stuck* for hours or days does.
>
> IMO, tarpitting is useless. When you have hundreds, thousands or more compromised zombie computers at your disposal, you're not even going to notice tarpitting.

How likely is a repeat offender to be a zombie?

It seems to me that greylisting and TCP tarpitting catch both sides of the problem. Greylisting blocks junk from the single-attempt zombies, and TCP tarpitting will catch the ones who are persistent offenders.

> Spammers can also use custom software with short timeouts to move on quickly if they think they're being tarpitted.

We can't solve the problem completely with this, so it's not worth the effort to *reduce* the problem?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The Constitution is a written instrument. As such its meaning does not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
5 days until the 1934th anniversary of the destruction of Pompeii
Re: Tarpitting (was Re: Spam harvesting using Fake Authentication)
On Mon, 19 Aug 2013 07:52:15 -0700 (PDT)
John Hardin jhar...@impsec.org wrote:

>>> Have you considered TCP Tarpitting instead of just blocking them? Blocking them doesn't actually *punish* them. Getting their MTAs *stuck* for hours or days does.
>
>> IMO, tarpitting is useless. When you have hundreds, thousands or more compromised zombie computers at your disposal, you're not even going to notice tarpitting.
>
> How likely is a repeat offender to be a zombie?

Very. It'll be the same offender, but most likely a different zombie.

> It seems to me that greylisting and TCP tarpitting catch both sides of the problem. Greylisting blocks junk from the single-attempt zombies, and TCP tarpitting will catch the ones who are persistent offenders.

In my opinion, greylisting is worth the tradeoff because it actually works; I have data to back that up. I do not have data to show that tarpitting does any good and my gut feeling is that it doesn't.

> We can't solve the problem completely with this, so it's not worth the effort to *reduce* the problem?

Again in my opinion, tarpitting doesn't even reduce the problem measurably. Do you have data to show that tarpitting is actually effective?

Regards,

David.
Re: Spam harvesting using Fake Authentication
On 8/19/2013 7:31 AM, John Hardin wrote:

> On Sun, 18 Aug 2013, Len Conrad wrote:
>
>>> Came up with a cool trick that seems to be working well after running for several months.
>>
>> I do the same by harvesting the IPs that fail SMTP AUTH a number of times, and then if more than a number of IPs in a ClassC, I block the entire ClassC.
>>
>> I do the same with postscreen/pregreet IPs and ClassC.
>
> Have you considered TCP Tarpitting instead of just blocking them? Blocking them doesn't actually *punish* them. Getting their MTAs *stuck* for hours or days does.

I doubt their MTAs stay stuck for long. But I do take in their whole message. And I don't let them know they are blocked, so I'm just wasting their bandwidth. But it's added about 1/4 of a million IPs to my blacklist.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: Tarpitting (was Re: Spam harvesting using Fake Authentication)
> It seems to me that greylisting and TCP tarpitting catch both sides of the problem. Greylisting blocks junk from the single-attempt zombies, and TCP tarpitting will catch the ones who are persistent offenders.

Maybe, probably not. Modern MTAs, even the ones that are not spambots, can run hundreds or thousands of connections in parallel. I very much doubt that you can tarpit enough of them to matter.
Re: Tarpitting (was Re: Spam harvesting using Fake Authentication)
On Mon, 19 Aug 2013, David F. Skoll wrote:

> On Mon, 19 Aug 2013 07:52:15 -0700 (PDT)
> John Hardin jhar...@impsec.org wrote:
>
>>>> Have you considered TCP Tarpitting instead of just blocking them? Blocking them doesn't actually *punish* them. Getting their MTAs *stuck* for hours or days does.
>>
>>> IMO, tarpitting is useless. When you have hundreds, thousands or more compromised zombie computers at your disposal, you're not even going to notice tarpitting.
>>
>> How likely is a repeat offender to be a zombie?
>
> Very. It'll be the same offender, but most likely a different zombie.

Forgive me, my question was unclear. By repeat offender I meant IP address.

>> It seems to me that greylisting and TCP tarpitting catch both sides of the problem. Greylisting blocks junk from the single-attempt zombies, and TCP tarpitting will catch the ones who are persistent offenders.
>
> In my opinion, greylisting is worth the tradeoff because it actually works; I have data to back that up. I do not have data to show that tarpitting does any good and my gut feeling is that it doesn't.
>
>> We can't solve the problem completely with this, so it's not worth the effort to *reduce* the problem?
>
> Again in my opinion, tarpitting doesn't even reduce the problem measurably. Do you have data to show that tarpitting is actually effective?

No data, only anecdotes. I only run services for three domains with a couple of users each; I don't really have a good source of any statistically-meaningful data and I haven't run any kind of formal analysis of what little I do have. I'm also somewhat conservative on when an IP gets added to the SMTP tarpit list.

In addition, tarpitting is at least partly intended to help *others*, by getting the attacker stuck before it moves on to the next target.

FWIW I also do it for PHP scans and it seems somewhat effective there. It's *very* effective for MSSQL scanners.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #4: If your shooting stance is good, you're probably not moving fast enough nor using cover correctly.
---
5 days until the 1934th anniversary of the destruction of Pompeii
Re: Tarpitting (was Re: Spam harvesting using Fake Authentication)
On Mon, 19 Aug 2013 08:36:14 -0700 (PDT)
John Hardin jhar...@impsec.org wrote:

[...]

> In addition, tarpitting is at least partly intended to help *others*, by getting the attacker stuck before it moves on to the next target.

OK; I guess it's just a difference in mindset. I approach the problem with the following assumptions:

1) I assume that no matter how much computing power I have, the attacker has at least an order of magnitude more.

2) I assume that no matter how much bandwidth I have, the attacker has at least an order of magnitude more.

These assumptions are not always true (probably not even usually true), but they're certainly true for the worst offenders who send the bulk of spam. They also keep me humble and prevent me from having a false sense of security.

> FWIW I also do it for PHP scans and it seems somewhat effective there. It's *very* effective for MSSQL scanners.

How do you measure the effectiveness?

Regards,

David.
X-Spam headers omission for trusted IPs
Hello,

Is there any setting in spamassassin to make it NOT add the X-Spam headers for mails which are originating from trusted IPs (listed in trusted_networks)?

Thanks!
Re: Tarpitting (was Re: Spam harvesting using Fake Authentication)
On Mon, 19 Aug 2013, David F. Skoll wrote:

> On Mon, 19 Aug 2013 08:36:14 -0700 (PDT)
> John Hardin jhar...@impsec.org wrote:
>
> [...]
>
>> In addition, tarpitting is at least partly intended to help *others*, by getting the attacker stuck before it moves on to the next target.
>
> OK; I guess it's just a difference in mindset. I approach the problem with the following assumptions:
>
> 1) I assume that no matter how much computing power I have, the attacker has at least an order of magnitude more.
>
> 2) I assume that no matter how much bandwidth I have, the attacker has at least an order of magnitude more.
>
> These assumptions are not always true (probably not even usually true), but they're certainly true for the worst offenders who send the bulk of spam. They also keep me humble and prevent me from having a false sense of security.

That's reasonable.

>> FWIW I also do it for PHP scans and it seems somewhat effective there. It's *very* effective for MSSQL scanners.
>
> How do you measure the effectiveness?

Not formally, just by the number that get stuck. Those (mssql) at least I can notify a responsible party with some hope of it getting fixed. There's also a lot of MS RDP and 5900/tcp traffic stuck recently (and this is only one server).

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
North Korea: the only country in the world where people would risk execution to flee to communist China.
-- Ride Fast
---
5 days until the 1934th anniversary of the destruction of Pompeii
Re: X-Spam headers omission for trusted IPs
On Mon, 19 Aug 2013, Catalin Constantin wrote:

> Hello,
>
> Is there any setting in spamassassin to make it NOT add the X-Spam headers for mails which are originating from trusted IPs (listed in trusted_networks)?

Bear in mind, trusted_networks is trusted to not forge Received: headers, not trusted to not send spam. Spam can be received from networks in trusted_networks.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
North Korea: the only country in the world where people would risk execution to flee to communist China.
-- Ride Fast
---
5 days until the 1934th anniversary of the destruction of Pompeii
RE: sa-learn and exchange integration
Hi all,

I just registered to be able to post this. I have a working solution for learning with sa-learn messages placed into special folders by Exchange 2013 users. This works for me as I have a small number of users (this is a family server) but might be adapted to a more corporate infrastructure without having to create login files for each user.

As you may know, public folders cannot be accessed through IMAP anymore under Exchange 2013. (I haven't been able to, and the literature says I shouldn't be able to, but if someone managed, please tell me.) However, all mail from each root folder for each user can be downloaded to the SpamAssassin mail gateway using offlinebackup.

The idea is to create a root folder in the mailbox of each user in your organisation called, say, 'Learn As Spam'. I did this manually, but you can probably do a bulk add for a large organisation using the info in this link: http://careexchange.in/create-a-custom-root-folder-in-all-the-mailboxes-bulk-in-exchange-2010/

Next, set up offlineimap to download the contents of that folder only for all users and store it in '/SpamLearn/' on your mail gateway.
Again, I do this manually, but I suspect people can use the script I give in post 15 of this thread http://www.howtoforge.com/forums/showthread.php?t=60708page=2 to create a file containing the list of email addresses of valid users of your Exchange organisation, and then write a script to cycle through the list of those emails, logging in to the email accounts using the mail admin credentials (note that you need to have given access to all mailboxes with the mail admin credentials using this link http://social.technet.microsoft.com/Forums/exchange/en-US/a88dfbd3-8461-4848-90a8-003044805de0/grant-full-access-to-all-mailboxes-in-particular-domain . I haven't tested this automated way, but if admin has IMAP access it should work).

Once you have the emails all stored in a folder of your mail gateway, I then use this script to learn all mails and delete the learnt mails. Credits for the script go to Freddie Witherden. mail.domain.com is my mail server running Exchange and gateway.domain.com is my mail gateway server running SpamAssassin.

    #!/bin/sh
    [ -x /usr/bin/sa-learn ] || exit 0

    # Sync IMAP folder; activate this only if offlineimap is not started on boot
    #offlineimap -o

    # For every existing user folder in SpamLearn, process both Maildir
    # subfolders ("cur" and "new"). The folder name contains spaces, so
    # every path is quoted.
    for i in /SpamLearn/*; do
      for sub in cur new; do
        dir="$i/Learn As Spam/$sub"
        [ -d "$dir" ] || continue
        cd "$dir" || continue
        # Get the mails to train spamassassin
        for f in *; do
          [ -e "$f" ] || continue
          # Start by removing the headers generated by Exchange and co
          sed -i '/^Received: from mail.domain.com/,/^Received: by gateway.domain.com/{d}' "$f"
          sed -i '/Received:/,$!d' "$f"
          sed -i '/^X-MS-Exchange-Organization-Network-Message-Id/,/^X-MS-Exchange-Organization-AuthAs/{d}' "$f"
          sed -i '/^X-domain-MailScanner-Information/,/^X-domain-MailScanner-From/{d}' "$f"
          # Debian-exim does not have read access to the mails, so we pipe them
          # to sa-learn running as the "mail" user
          cat "$f" | su - -s /bin/bash mail -c "sa-learn --spam" | grep -v "Learned tokens from"
          # Move files to the Spam dir
          #mv "$f" ../../.Junk/cur/
          # Or just delete it
          rm -f "$f"
        done
      done
    done

    # Print completed
    # echo 'SpamAssassin Learn Completed.'
    exit 0

Note that I use a lot of seds to remove all headers added by transferring
Re: RP_MATCHES_RCVD letting in SPAM
So, I have this in my /etc/mail/spamassassin/local.cf:

score RP_MATCHES_RCVD 0

Yet, even after restart of spamd, mail comes thru with a -2.8.

What should I look at? I know other stuff is read as I changed trusted and local network IPs and had a typo in one. lint called me out on it.

joe a.
Re: RP_MATCHES_RCVD letting in SPAM
On Mon, 19 Aug 2013, Joe Acquisto-j4 wrote:

> So, I have this in my /etc/mail/spamassassin/local.cf:
>
> score RP_MATCHES_RCVD 0
>
> Yet, even after restart of spamd, mail comes thru with a -2.8.

I assume you mean by that, RP_MATCHES_RCVD is still hitting and scoring points?

> What should I look at?

Silly question: are you using Amavis?

Are you sure that spamd is using that configuration file?

> I know other stuff is read as I changed trusted and local network IPs and had a typo in one. lint called me out on it.

The command-line SA environment is not necessarily the same environment as the daemon uses.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Windows Genuine Advantage (WGA) means that now you use your computer at the sufferance of Microsoft Corporation. They can kill it remotely without your consent at any time for any reason; it also shuts down in sympathy when the servers at Microsoft crash.
---
5 days until the 1934th anniversary of the destruction of Pompeii
Re: RP_MATCHES_RCVD letting in SPAM
On 8/19/2013 at 6:54 PM, John Hardin jhar...@impsec.org wrote:

> On Mon, 19 Aug 2013, Joe Acquisto-j4 wrote:
>
>> So, I have this in my /etc/mail/spamassassin/local.cf:
>>
>> score RP_MATCHES_RCVD 0
>>
>> Yet, even after restart of spamd, mail comes thru with a -2.8.
>
> I assume you mean by that, RP_MATCHES_RCVD is still hitting and scoring points?

You assume correctly, Sir.

>> What should I look at?
>
> Silly question: are you using Amavis?

No. ISP is, tho.

> Are you sure that spamd is using that configuration file?

I thought so, as I put in the PW_IS_BAD_TLD rule someone on list provided, but now I see it is scoring 3.0, while I have it set to 4.0 in the config I think it is using. Has PW_IS_BAD_TLD been incorporated into the base rule set?

I guess I need to dig in and refresh myself on where the config file to use is defined.

joe a.

>> I know other stuff is read as I changed trusted and local network IPs and had a typo in one. lint called me out on it.
>
> The command-line SA environment is not necessarily the same environment as the daemon uses.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> Windows Genuine Advantage (WGA) means that now you use your computer at the sufferance of Microsoft Corporation. They can kill it remotely without your consent at any time for any reason; it also shuts down in sympathy when the servers at Microsoft crash.
> ---
> 5 days until the 1934th anniversary of the destruction of Pompeii