Experimental - use my server for your high fake MX record

2008-05-07 Thread Marc Perkel
Looking for a few volunteers who want to reduce their spambot spam and 
at the same time help me track spambots for my black list. This is free 
and mutual benefit. I (junkemailfilter.com) want to be your highest 
numbered fake MX record. Here's how you would configure your domain:


mail.yourdomain.com MX 10
tarbaby.junkemailfilter.com MX 20

I will never actually receive your email. The recipient will always get a 
451 error just after the DATA command. So if your servers are down you 
won't lose anything. A 451 error is a "I'm not ready, come back later" 
error.


This will help you reduce your spambot spam generally by half. Many 
spambots try the highest number MX records first and never try again. So 
these attempts just go away. Your system load drops, your spam is 
reduced, spamassassin doesn't have to work as hard. And some spammers 
will actually blacklist you because when they see a junkemailfilter.com 
host in the MX they don't even try because they know that it will only 
reduce their spambot army to even attempt to send a spam.


I have developed an extremely accurate way of detecting spambots and 
getting them listed on the first attempt to send spam. It involves 
detecting a combination of several sins that if they hit this 
combination, and most do, it's a virus infected spambot. Without going 
into great detail one of the unique things I look for is hosts not 
closing the connection with quit but rather allowing the connection to 
time out after receiving the 451 error. When you combine that it's the 
highest MX, no QUIT, and several other tests on HELO and other things I 
can get these hosts blacklisted which blocks their spam for everyone who 
uses my blacklists. And - unless you are huge - you can use my 
blacklists for free.


Here's what an SMTP session to my tarbaby server looks like.

telnet tarbaby.junkemailfilter.com 25
Trying 65.49.42.79...
Connected to tarbaby.junkemailfilter.com.
Escape character is '^]'.
220 tarbaby.junkemailfilter.com ESMTP Exim 4.68 Wed, 07 May 2008 08:20:24 -0700

helo mydomain.com
250 tarbaby.junkemailfilter.com Hello vps8.ctyme.com [65.49.42.18]
mail from:<>
250 OK
rcpt to:[EMAIL PROTECTED]
250 Accepted
data
451 DEFER - Try a lower numbered MX record - http://www.junkemailfilter.com

So - if you are interested all you have to do is set your highest 
numbered MX to tarbaby.junkemailfilter.com. If you want to know more 
about my lists you can read about them here.


http://wiki.junkemailfilter.com/index.php/Main_Page

This is experimental. I'm looking to see what kind of useful data I can 
derive from this to see how well it works and if I'll continue it. Send 
me a private email if you have any questions.




Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread mouss

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam and 
at the same time help me track spambots for my black list. This is 
free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure your 
domain:


mail.yourdomain.com MX 10
tarbaby.junkemailfilter.com MX 20

I will never actually receive your email. The recipient will always get 
a 451 error just after the DATA command. So if your servers are down 
you won't lose anything. A 451 error is a "I'm not ready, come back 
later" error.


What if he comes back later to the same MX, again and again (AFAIK, this 
is the case with qmail)? Mail will be lost.




This will help you reduce your spambot spam generally by half. Many 
spambots try the highest number MX records first and never try again. 
So these attempts just go away. Your system load drops, your spam is 
reduced, spamassassin doesn't have to work as hard. And some spammers 
will actually blacklist you because when they see a 
junkemailfilter.com host in the MX they don't even try because they 
know that it will only reduce their spambot army to even attempt to 
send a spam.


Do you have any evidence for this? Or more generally, do spammers really 
check the MX name for such patterns?


I have developed an extremely accurate way of detecting spambots and 
getting them listed on the first attempt to send spam. It involves 
detecting a combination of several sins that if they hit this 
combination, and most do, it's a virus infected spambot. Without going 
into great detail one of the unique things I look for is hosts not 
closing the connection with quit but rather allowing the connection to 
time out after receiving the 451 error. When you combine that it's the 
highest MX, no QUIT, and several other tests on HELO and other things 
I can get these hosts blacklisted which blocks their spam for everyone 
who uses my blacklists. And - unless you are huge - you can use my 
blacklists for free.


Here's what an SMTP session to my tarbaby server looks like.

telnet tarbaby.junkemailfilter.com 25
Trying 65.49.42.79...
Connected to tarbaby.junkemailfilter.com.
Escape character is '^]'.
220 tarbaby.junkemailfilter.com ESMTP Exim 4.68 Wed, 07 May 2008 08:20:24 -0700

helo mydomain.com
250 tarbaby.junkemailfilter.com Hello vps8.ctyme.com [65.49.42.18]
mail from:<>
250 OK
rcpt to:[EMAIL PROTECTED]
250 Accepted
data
451 DEFER - Try a lower numbered MX record - 
http://www.junkemailfilter.com


So - if you are interested all you have to do is set your highest 
numbered MX to tarbaby.junkemailfilter.com. If you want to know more 
about my lists you can read about them here.


http://wiki.junkemailfilter.com/index.php/Main_Page

This is experimental. I'm looking to see what kind of useful data I 
can derive from this to see how well it works and if I'll continue it. 
Send me a private email if you have any questions.






Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread DAve

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam and 
at the same time help me track spambots for my black list. This is free 
and mutual benefit. I (junkemailfilter.com) want to be your highest 
numbered fake MX record. Here's how you would configure your domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. Even 
if I knew you personally, I don't think ethics or common sense would 
allow me to do so.


DAve



--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Kevin W. Gagel
- Original Message -
>Marc Perkel wrote:
>> Looking for a few volunteers who want to reduce their spambot spam and 
>> at the same time help me track spambots for my black list. This is free 
>> and mutual benefit. I (junkemailfilter.com) want to be your highest 
>> numbered fake MX record. Here's how you would configure your domain:
>
>A generous offer and an admirable effort. But if you think I or my 
>clients are going to route mail to your servers you are mistaken. Even 
>if I knew you personally, I don't think ethics or common sense would 
>allow me to do so.
>
>DAve

Personally I use the honeypot project. I recommend it. See
http://www.projecthoneypot.org
for info.

--
Kevin W. Gagel 
Postmaster for
College of New Caledonia
(250) 562-2131 loc. 5448
[EMAIL PROTECTED]
http://www.cnc.bc.ca
Anti-Spam info at:
http://avas.cnc.bc.ca


---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://gateway.cnc.bc.ca
---


Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Randy Ramsdell

DAve wrote:

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam 
and at the same time help me track spambots for my black list. This 
is free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure your 
domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. Even 
if I knew you personally, I don't think ethics or common sense would 
allow me to do so.


DAve
Not taking a position on this, but isn't outsourcing spam filtering 
normal? Although I would think one would consider carefully before 
outsourcing their e-mail filtering, I don't think common sense or ethics 
have a whole lot to do with it.

Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread DAve

Randy Ramsdell wrote:

DAve wrote:

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam 
and at the same time help me track spambots for my black list. This 
is free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure your 
domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. Even 
if I knew you personally, I don't think ethics or common sense would 
allow me to do so.


DAve
Not taking a position on this, but isn't outsourcing spam filtering 
normal? Although I would think one would consider carefully before 
outsourcing their e-mail filtering, I don't think common sense or ethics 
have a whole lot to do with it.


If I have no control over junkmailfilter.com's mail servers someone will 
need to take responsibility for any mail that arrives there, since I 
cannot control what junkmailfilter.com might do or not do with the 
connections that arrive there.


If we were to outsource our mail handling we would need to inform each 
and every client, some contracts would need to be changed, some clients 
who maintain their own DNS would need to make adjustments. It would also 
be one more variable in the mix when someone says "where is my mail?"


I cannot blindly start announcing a MX for a server/network I do not 
control or have a contract with.


Your business practices may vary ;^)

DAve




Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Marc Perkel



Randy Ramsdell wrote:

DAve wrote:

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam 
and at the same time help me track spambots for my black list. This 
is free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure your 
domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. 
Even if I knew you personally, I don't think ethics or common sense 
would allow me to do so.


DAve
Not taking a position on this, but isn't outsourcing spam filtering 
normal? Although I would think one would consider carefully before 
outsourcing their e-mail filtering, I don't think common sense or 
ethics have a whole lot to do with it.




Thanks Randy,

I am in the outsourced spam filtering business so this all seems natural 
to me. And I look at it as win/win. I get useful data, the person 
letting me use their high numbered MX record gets some spam reduction. 
I'm not interested in the content of the message or anything other than 
catching the IP addresses of virus infected spam bots. That's all I want 
to do.





Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Randy Ramsdell

Marc Perkel wrote:



Randy Ramsdell wrote:

DAve wrote:

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam 
and at the same time help me track spambots for my black list. This 
is free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure 
your domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. 
Even if I knew you personally, I don't think ethics or common sense 
would allow me to do so.


DAve
Not taking a position on this, but isn't outsourcing spam filtering 
normal? Although I would think one would consider carefully before 
outsourcing their e-mail filtering, I don't think common sense or 
ethics have a whole lot to do with it.




Thanks Randy,

I am in the outsourced spam filtering business so this all seems 
natural to me. And I look at it as win/win. I get useful data, the 
person letting me use their high numbered MX record gets some spam 
reduction. I'm not interested in the content of the message or 
anything other than catching the IP addresses of virus infected spam 
bots. That's all I want to do.


I think Sender Score does something similar, but I am not very familiar 
with how they obtain stats. I recall something about an ISP, etc. 
providing log data and then using the data to rate domains. Comcast 
started using them. Personally, I wasn't impressed with the data they 
had for certain domains, especially our own, and I see a need to improve 
that actually.


As DAve pointed out, getting someone to redirect corporate e-mail to you 
for testing may not be something people could or would do. As a paid 
vendor for someone with appropriate agreements, it becomes more reasonable.







Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Aaron Wolfe
On Wed, May 7, 2008 at 5:11 PM, Marc Perkel <[EMAIL PROTECTED]> wrote:

>
>
> Randy Ramsdell wrote:
>
> > DAve wrote:
> >
> > > Marc Perkel wrote:
> > >
> > > > Looking for a few volunteers who want to reduce their spambot spam
> > > > and at the same time help me track spambots for my black list. This is 
> > > > free
> > > > and mutual benefit. I (junkemailfilter.com) want to be your highest
> > > > numbered fake MX record. Here's how you would configure your domain:
> > > >
> > >
> > > A generous offer and an admirable effort. But if you think I or my
> > > clients are going to route mail to your servers you are mistaken. Even if 
> > > I
> > > knew you personally, I don't think ethics or common sense would allow me 
> > > to
> > > do so.
> > >
> > > DAve
> > >
> > Not taking a position on this, but isn't outsourcing spam filtering
> > normal? Although I would think one would consider carefully before
> > outsourcing their e-mail filtering, I don't think common sense or ethics have
> > a whole lot to do with it.
> >
> >
> Thanks Randy,
>
> I am in the outsourced spam filtering business so this all seems natural
> to me. And I look at it as win/win. I get useful data, the person letting me
> use their high numbered MX record gets some spam reduction. I'm not
> interested in the content of the message or anything other than catching the
> IP addresses of virus infected spam bots. That's all I want to do.
>
>
If you just want IPs, maybe instead of running an SMTP service that 450s,
you would want to use a packet filter like iptables instead.  You could get
the IPs simply by what packets you saw come in to port 25 and no one would
have to worry you were stealing their mail.

-Aaron


Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread John Hardin

On Wed, 7 May 2008, Aaron Wolfe wrote:

If you just want IPs, maybe instead of running an SMTP service that 
450s, you would want to use a packet filter like iptables instead.  You 
could get the IPs simply by what packets you saw come in to port 25 and 
no one would have to worry you were stealing their mail.


(1) Marc is trying to collect data on how the remote MTA behaves when 
presented with a 451 tmpfail result. A firewall rule can't do that.


(2) If someone doesn't trust him when he says "I won't accept or read your 
mail", why will they trust him if he says "I have it firewalled off"?


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
  adware architecture incorporating spyware, profiling, competitor
  suppression and delivery confirmation (U.S. Patent #20070157227)
---
 Tomorrow: the 63rd anniversary of VE day


Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Aaron Wolfe
On Wed, May 7, 2008 at 5:44 PM, John Hardin <[EMAIL PROTECTED]> wrote:

> On Wed, 7 May 2008, Aaron Wolfe wrote:
>
>  If you just want IPs, maybe instead of running an SMTP service that 450s,
> > you would want to use a packet filter like iptables instead.  You could get
> > the IPs simply by what packets you saw come in to port 25 and no one would
> > have to worry you were stealing their mail.
> >
>
> (1) Marc is trying to collect data on how the remote MTA behaves when
> presented with a 451 tmpfail result. A firewall rule can't do that.
>

From his message: "I'm not interested in the content of the message or
anything other than catching the IP addresses of virus infected spam bots.
That's all I want to do."


>
> (2) If someone doesn't trust him when he says "I won't accept or read your
> mail", why will they trust him if he says "I have it firewalled off"?
>

Because you can very easily check for yourself to see that this is true.

-Aaron




Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread John Hardin

On Wed, 7 May 2008, Aaron Wolfe wrote:


On Wed, May 7, 2008 at 5:44 PM, John Hardin <[EMAIL PROTECTED]> wrote:


(1) Marc is trying to collect data on how the remote MTA behaves when
presented with a 451 tmpfail result. A firewall rule can't do that.


From his message: "I'm not interested in the content of the message or
anything other than catching the IP addresses of virus infected spam bots.
That's all I want to do."


Yeah, I worded that a little poorly. He determines whether that IP is a 
spambot (and thus of interest) by how it responds to the 451. Just 
collecting the IP addresses of all MTAs that contact the high MX is 
not useful as that, by itself, is legitimate behavior.



(2) If someone doesn't trust him when he says "I won't accept or read your
mail", why will they trust him if he says "I have it firewalled off"?


Because you can very easily check for yourself to see that this is true.


You can verify the 451-before-DATA behavior as well. All that tells you is 
whether or not he's blatantly dishonest.


Marc, perhaps a better approach would be to write a small daemon that 
listens on port 25 and does the minimal SMTP-451 chat and TCP analysis, 
and then reports the IPs of spambots to you via some auditable channel, 
perhaps a simple cleartext HTTP request to a CGI script at your website. 
That way anyone who wants to participate can set up a collection point 
under their control, and all you get is the results of the TCP analysis.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  End users want eye candy and the "ooo's and hhh's" experience
  when reading mail. To them email isn't a tool, but an entertainment
  form. -- Steve Lake
---
 Tomorrow: the 63rd anniversary of VE day
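As an added example, not code from Marc Perkel, junkemailfilter.com or anyone in this thread: the small daemon John Hardin describes, in Python, stripped of the reporting step. It does exactly the SMTP chat shown in the tarbaby transcript earlier in the thread (accept HELO, MAIL FROM and RCPT TO, answer DATA with 451), records how each session ended, and applies the one signal the original post spells out: a client that takes the 451 and then neither says QUIT nor closes, letting the connection time out. It also plays both sides on localhost, once as a well-behaved MTA and once as a bot that goes silent. The hostnames, the one-second idle timeout and the reply wording are constructed for the demo; the HELO checks the original post alludes to are not reproduced, because the thread does not describe them, and simply reaching the high MX is not treated as a signal, since as noted above that alone is legitimate behaviour.

```python
import socket
import socketserver
import threading

# Constructed for the demo: hostname, banner and reply wording are assumptions,
# modelled on the transcript quoted in the thread.
HOSTNAME = b"tarbaby.example"
BANNER = b"220 " + HOSTNAME + b" ESMTP fake high-MX demo\r\n"
TEMPFAIL = b"451 DEFER - Try a lower numbered MX record\r\n"


class TarbabyHandler(socketserver.StreamRequestHandler):
    # Idle timeout on the client socket, in seconds. A real deployment would
    # wait minutes; one second keeps the demo quick.
    timeout = 1.0

    def handle(self):
        rec = {"peer": self.client_address[0], "helo": None,
               "reached_data": False, "quit": False, "ended": "closed"}
        self.wfile.write(BANNER)
        try:
            while True:
                line = self.rfile.readline()
                if not line:                  # client closed without QUIT
                    break
                words = line.split()
                verb = words[0].upper() if words else b""
                if verb in (b"HELO", b"EHLO"):
                    helo = words[1] if len(words) > 1 else b""
                    rec["helo"] = helo.decode("ascii", "replace")
                    self.wfile.write(b"250 " + HOSTNAME + b" Hello\r\n")
                elif verb == b"MAIL":
                    self.wfile.write(b"250 OK\r\n")
                elif verb == b"RCPT":
                    self.wfile.write(b"250 Accepted\r\n")
                elif verb == b"DATA":
                    # Never take the body: tempfail so a real MTA falls back to
                    # a lower-numbered MX, then watch what the client does next.
                    rec["reached_data"] = True
                    self.wfile.write(TEMPFAIL)
                elif verb == b"QUIT":
                    rec["quit"] = True
                    rec["ended"] = "quit"
                    self.wfile.write(b"221 " + HOSTNAME + b" closing connection\r\n")
                    break
                elif verb in (b"RSET", b"NOOP"):
                    self.wfile.write(b"250 OK\r\n")
                else:
                    self.wfile.write(b"500 Unrecognised command\r\n")
        except socket.timeout:
            rec["ended"] = "timeout"          # client went silent after the 451
        except OSError:
            rec["ended"] = "reset"
        with self.server.lock:
            self.server.sessions.append(rec)


class TarbabyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr):
        super().__init__(addr, TarbabyHandler)
        self.sessions = []                    # one record per finished session
        self.lock = threading.Lock()


def classify(rec):
    """The one signal the post spells out: reached DATA, took the 451, then
    let the connection time out instead of saying QUIT. Anything else is
    only described, not accused; merely hitting the high MX is legitimate."""
    if rec["quit"]:
        return "polite"
    if rec["reached_data"] and rec["ended"] == "timeout":
        return "no-quit-timeout"
    return "no-quit-" + rec["ended"]


def send_one(port, helo, polite):
    """Talk to the tarbaby like the transcript in the thread, either as a
    well-behaved MTA (QUIT after the 451) or as a bot that just goes quiet.
    Returns the reply to DATA."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=10)
    rd = sock.makefile("rb")

    def cmd(c):
        sock.sendall(c + b"\r\n")
        return rd.readline()

    rd.readline()                             # 220 banner
    cmd(b"HELO " + helo.encode("ascii"))
    cmd(b"MAIL FROM:<>")
    cmd(b"RCPT TO:<postmaster@yourdomain.example>")   # constructed recipient
    data_reply = cmd(b"DATA")
    if polite:
        cmd(b"QUIT")
    else:
        rd.readline()                         # say nothing; wait for the server to give up
    sock.close()
    return data_reply.decode("ascii", "replace").strip()


def demo():
    """Run the tarbaby on a loopback port, drive one polite and one silent
    client through it, and return {helo: (reply code to DATA, verdict)}."""
    server = TarbabyServer(("127.0.0.1", 0))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    replies = {}
    try:
        replies["mta.example"] = send_one(port, "mta.example", polite=True)
        replies["bot.example"] = send_one(port, "bot.example", polite=False)
    finally:
        server.shutdown()
        server.server_close()                 # joins handler threads, so sessions is complete
    verdicts = {rec["helo"]: classify(rec) for rec in server.sessions}
    return {helo: (replies[helo][:3], verdicts[helo]) for helo in replies}


if __name__ == "__main__":
    for helo, (code, verdict) in demo().items():
        print(f"{helo}: DATA -> {code}, session {verdict}")
```

The only thing this classifies on is behaviour after the 451; the record keeps the HELO argument and peer address so that whatever extra tests a deployment settles on can be layered on afterwards, and the verdicts are what John Hardin's design would ship off to a collection endpoint under the participant's control.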


Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread DAve

John Hardin wrote:

On Wed, 7 May 2008, Aaron Wolfe wrote:


On Wed, May 7, 2008 at 5:44 PM, John Hardin <[EMAIL PROTECTED]> wrote:


(1) Marc is trying to collect data on how the remote MTA behaves when
presented with a 451 tmpfail result. A firewall rule can't do that.


From his message: "I'm not interested in the content of the message or
anything other than catching the IP addresses of virus infected spam 
bots.

That's all I want to do."


Yeah, I worded that a little poorly. He determines whether that IP is a 
spambot (and thus of interest) by how it responds to the 451. Just 
collecting the IP addresses of all MTAs that contact the high MX is not 
useful as that, by itself, is legitimate behavior.


(2) If someone doesn't trust him when he says "I won't accept or read 
your

mail", why will they trust him if he says "I have it firewalled off"?


Because you can very easily check for yourself to see that this is true.


You can verify the 451-before-DATA behavior as well. All that tells you 
is whether or not he's blatantly dishonest.


Marc, perhaps a better approach would be to write a small daemon that 
listens on port 25 and does the minimal SMTP-451 chat and TCP analysis, 
and then reports the IPs of spambots to you via some auditable channel, 
perhaps a simple cleartext HTTP request to a CGI script at your website. 
That way anyone who wants to participate can set up a collection point 
under their control, and all you get is the results of the TCP analysis.




That would be absolutely possible even in my corporate environment. I 
may even be able to dig up a server to do so with in the next month.


DAve




Re: Experimental - use my server for your high fake MX record

2008-05-08 Thread Justin Mason

Kevin W. Gagel writes:
> - Original Message -
> >Marc Perkel wrote:
> >> Looking for a few volunteers who want to reduce their spambot spam and 
> >> at the same time help me track spambots for my black list. This is free 
> >> and mutual benefit. I (junkemailfilter.com) want to be your highest 
> >> numbered fake MX record. Here's how you would configure your domain:
> >
> >A generous offer and an admirable effort. But if you think I or my 
> >clients are going to route mail to your servers you are mistaken. Even 
> >if I knew you personally, I don't think ethics or common sense would 
> >allow me to do so.
> >
> >DAve
> 
> Personally I use the honeypot project. I recommend it. See
> http://www.projecthoneypot.org
> for info.

btw, if you have spare spamtrap *domains* -- not just /etc/aliases
forwards -- we'd love to get a couple pointed at the SpamAssassin
spamtraps...

--j.


Re: Experimental - use my server for your high fake MX record

2008-05-08 Thread ram
On Wed, 2008-05-07 at 08:50 -0700, Marc Perkel wrote:
> Looking for a few volunteers who want to reduce their spambot spam and 
> at the same time help me track spambots for my black list. This is free 
> and mutual benefit. I (junkemailfilter.com) want to be your highest 
> numbered fake MX record. Here's how you would configure your domain:
> 
> mail.yourdomain.com MX 10
> tarbaby.junkemailfilter.com MX 20
> 
> I will never actually receive your email. The recipient all always get a 
> 451 error just after the DATA command. So if your servers are down you 
> won't lose anything. A 451 error is a "I'm not ready, come back later" 
> error.
> 
> This will help you reduce your spambot spam generally by half. 

...

I use fake MX as well. But even if my lower MXes are perfectly
available, I have seen quite a lot of legitimate traffic coming on my
fake MX and getting turned down with a tempfail. 

  So if you are populating blacklists based on this data, better be
careful. (I'm sure you would have seen that yourself.) 

Anyway I think moving an MX record to a third party with no business
contact would not be possible for anyone.

Thanks
Ram







Re: Experimental - use my server for your high fake MX record

2008-05-08 Thread ram

On Thu, 2008-05-08 at 09:33 +0100, Justin Mason wrote:
> Kevin W. Gagel writes:
> > - Original Message -
> > >Marc Perkel wrote:
> > >> Looking for a few volunteers who want to reduce their spambot spam and 
> > >> at the same time help me track spambots for my black list. This is free 
> > >> and mutual benefit. I (junkemailfilter.com) want to be your highest 
> > >> numbered fake MX record. Here's how you would configure your domain:
> > >
> > >A generous offer and an admirable effort. But if you think I or my 
> > >clients are going to route mail to your servers you are mistaken. Even 
> > >if I knew you personally, I don't think ethics or common sense would 
> > >allow me to do so.
> > >
> > >DAve
> > 
> > Personally I use the honeypot project. I recommend it. See:
> > http://www.projecthoneypot.org
> > For info.
> 
> btw, if you have spare spamtrap *domains* -- not just /etc/aliases
> forwards -- we'd love to get a couple pointed at the SpamAssassin
> spamtraps...
> 

What should the MXes be pointed to? 

Also, what are the tricks for getting mail onto your spamtrap? 




> --j.



Re: Experimental - use my server for your high fake MX record

2008-05-08 Thread Marc Perkel



ram wrote:
> On Wed, 2008-05-07 at 08:50 -0700, Marc Perkel wrote:
> > Looking for a few volunteers who want to reduce their spambot spam and 
> > at the same time help me track spambots for my black list. This is free 
> > and mutual benefit. I (junkemailfilter.com) want to be your highest 
> > numbered fake MX record. Here's how you would configure your domain:
> > 
> > mail.yourdomain.com MX 10
> > tarbaby.junkemailfilter.com MX 20
> > 
> > I will never actually receive your email. The recipient will always get a 
> > 451 error just after the DATA command. So if your servers are down you 
> > won't lose anything. A 451 error is a "I'm not ready, come back later" 
> > error.
> > 
> > This will help you reduce your spambot spam generally by half. 
> 
> ...
> 
> I use fake MX as well. But even if my lower MXes are perfectly
> available, I have seen quite a lot of legitimate traffic coming to my
> fake MX and getting turned down with a tempfail. 
> 
> So if you are populating blacklists based on this data, better be
> careful. (I'm sure you would have seen that yourself.) 
> 
> Anyway I think moving an MX record to a third party with no business
> contact would not be possible for anyone.
> 
> Thanks
> Ram

Hi Ram,

Being a high numbered MX in itself doesn't get you listed on this new 
server I set up. It's just a prequalifier of what I want to look at. In 
order to get listed they also have to fail to send a QUIT after the 451 
error and they have to commit some other significant sins. I'm looking 
at a number of things in the helo, the sender, the recipient, rDNS, etc. 
What I'm doing isn't going to catch as high of a percentage as I would 
if I were the official spam filtering host for the domain because I'm 
not running all my tests on it. I'm cutting them off before the data is 
sent. I'm not even seeing the message headers.


However, I do think that I'll catch a lot of what I'm looking for and 
that's virus infected spambots. That's the only thing I'm targeting here 
and I think I can distinguish them well enough that I can catch most all 
the spambot traffic with no false positives on legit email. I'm hoping 
for 50% accuracy of catching spambots on the first attempt.


To participate all you have to do is set your highest numbered MX to 
point to:


tarbaby.junkemailfilter.com

Several people have asked me how I'm doing this and can they have my 
code to do it themselves. My situation is unique enough that it just 
won't work very easily any place else and it's definitely not clean 
enough for just anyone to install. But I'll try to describe it here.


First to do what I'm doing you have to be using EXIM. If you aren't 
running exim then you just can't do it. In fact, with all due respect, I 
can't see how anyone can do spam filtering and not use exim as their MTA.


Exim has a feature where you can execute code based on how the 
connection is closed. It has a NOTQUIT acl and you can look at whether the 
connection timed out and a number of other things that caused the 
connection to close without issuing a quit. Before the 451 error I store 
information in variables that I can retrieve in the notquit acl and 
based on that information I can send messages to another server that 
accumulates information from all my servers. This server is basically 
running stats on a one minute cycle to determine what data goes into my 
various white/black/yellow lists and that feeds my 4 rbldnsd servers 
which are updated every minute.


Blacklist data is stored for 5 days and then it expires. Every 6 hours 
the oldest log file is deleted, everything is moved down a slot and a 
new log file is created. Thus if someone fixes the virus they will 
eventually be cleaned off the list. Users also have a web form where 
they can get themselves removed if there is a false positive.


The list isn't perfect but it is my goal to have no false positives. 
Unlike some lists who think that some sloppy admins "deserve to be 
blacklisted" my attitude is if the listing is wrong it's my fault and I 
want to fix it. And unlike many other blacklisting services I focus 
more on my white listing and yellow listing and use that information to 
reduce the chance of false positives in my blacklists.


I also see the value of being as cooperative with others as possible because 
although I'm good at coming up with new ideas, others are better at 
taking the ideas and doing it right. So many times I'll put an idea out 
there and someone else will do it better and I get to run their better 
version.


I am of the opinion that 100% of spambot spam can be stopped because I'm 
doing it. I want to try to expand on that and get data from other sources 
and see if I can't help others make some progress too.


Hope this is helpful.
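The mechanism Marc sketches above (tempfail right after DATA, notice when the client never sends QUIT, require further signals before listing, and age listings out over five days in six-hour slots) as a stand-alone Python model. This is an added example, not the Exim ACL or rbldnsd setup he describes: the host name tarbaby.example, the client addresses and the SMTP dialogues are constructed, the HELO and rDNS checks stand in for the unspecified "other sins", and the central collector is left out, so the verdict is decided per session.

```python
"""Stand-alone model of the thread's 'tarbaby' decoy MX and its aging list.

Added example, not the author's Exim/rbldnsd code. tarbaby.example, the
client IPs and the SMTP dialogues are constructed; the HELO and rDNS checks
are illustrative stand-ins for the "other sins" the author does not spell out.
"""
from collections import deque
import re

# Assumption: HELO/EHLO should carry a dotted hostname or an address literal.
HELO_OK = re.compile(
    r"^(\[\d{1,3}(\.\d{1,3}){3}\]|[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)$")


class TarbabySession:
    """One SMTP conversation with the decoy; it never accepts a message."""

    def __init__(self, client_ip, has_rdns):
        self.client_ip = client_ip
        self.has_rdns = has_rdns      # rDNS lookup result supplied by caller
        self.helo = None
        self.sender = None
        self.rcpts = []
        self.saw_data = False
        self.saw_quit = False

    def handle(self, line):
        """Answer one client command line with an SMTP reply string."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return "250 tarbaby.example\r\n"
        if cmd == "MAIL":
            self.sender = arg
            return "250 OK\r\n"
        if cmd == "RCPT":
            self.rcpts.append(arg)
            return "250 OK\r\n"
        if cmd == "DATA":
            self.saw_data = True
            # Always a temporary failure: a real MTA retries a lower MX,
            # so no mail is lost even though the decoy never takes any.
            return "451 Try again later\r\n"
        if cmd == "QUIT":
            self.saw_quit = True
            return "221 tarbaby.example closing\r\n"
        return "500 Command not recognised\r\n"

    def signals(self):
        """Independent signals beyond merely hitting the highest MX."""
        found = []
        if self.saw_data and not self.saw_quit:
            found.append("no_quit_after_451")   # the NOTQUIT / timeout case
        if not self.helo or not HELO_OK.match(self.helo):
            found.append("bad_helo")
        if not self.has_rdns:
            found.append("no_rdns")
        return found

    def is_spambot(self):
        """Skipped QUIT plus at least one more signal; a legitimate sender
        that merely lands on the decoy and retries elsewhere is never listed."""
        s = self.signals()
        return "no_quit_after_451" in s and len(s) >= 2


def simulate(lines, client_ip="192.0.2.10", has_rdns=False):
    """Run constructed client lines through a session. A client whose last
    line is QUIT closed cleanly; one without QUIT is the idle-timeout case."""
    sess = TarbabySession(client_ip, has_rdns)
    return sess, [sess.handle(line) for line in lines]


class RotatingBlacklist:
    """20 six-hour slots = 5 days; each rotation drops the oldest slot."""
    SLOTS = 20

    def __init__(self):
        self.slots = deque([set() for _ in range(self.SLOTS)],
                           maxlen=self.SLOTS)

    def add(self, ip):
        self.slots[0].add(ip)           # newest slot; re-adding refreshes

    def rotate(self):
        self.slots.appendleft(set())    # maxlen evicts the oldest slot

    def listed(self, ip):
        return any(ip in slot for slot in self.slots)

    def delist(self, ip):
        """Manual removal, the web-form path for a false positive."""
        for slot in self.slots:
            slot.discard(ip)
```

Ram's caveat earlier in the thread is what the two-signal rule in `is_spambot()` addresses: a legitimate sender that lands on the decoy gets the 451, says QUIT, retries a lower MX and is never listed; only no QUIT after the 451 combined with a further defect counts. `rotate()` is the six-hourly log shuffle, so a host that gets cleaned ages out after 20 rotations, and `delist()` is the web-form removal.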



Re: Experimental - use my server for your high fake MX record

2008-05-08 Thread John Hardin

On Thu, 8 May 2008, Marc Perkel wrote:

> To participate all you have to do is set your highest numbered MX to 
> point to:
> 
> tarbaby.junkemailfilter.com
> 
> Several people have asked me how I'm doing this and can they have my 
> code to do it themselves. My situation is unique enough that it just 
> won't work very easily any place else and it's definitely not clean 
> enough for just anyone to install.

You should make an effort to clean it up so that others *can* install it 
as a standalone daemon, as I suggested. Why? How long will it be before 
the spambots explicitly refuse to contact your honeypot if it is listed as 
an MX for the domain they're attacking?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The real opiate of the masses isn't religion; it's the belief that
  somewhere there is a benefit that can be delivered without a
  corresponding cost.   -- Tom of "Radio Free NJ"
---
 Today: the 63rd anniversary of VE day


Re: Experimental - use my server for your high fake MX record

2008-05-08 Thread Marc Perkel



John Hardin wrote:
> On Thu, 8 May 2008, Marc Perkel wrote:
> 
> > To participate all you have to do is set your highest numbered MX to 
> > point to:
> > 
> > tarbaby.junkemailfilter.com
> > 
> > Several people have asked me how I'm doing this and can they have my 
> > code to do it themselves. My situation is unique enough that it just 
> > won't work very easily any place else and it's definitely not clean 
> > enough for just anyone to install.
> 
> You should make an effort to clean it up so that others *can* install 
> it as a standalone daemon, as I suggested. Why? How long will it be 
> before the spambots explicitly refuse to contact your honeypot if it 
> is listed as an MX for the domain they're attacking?

Good point. I suppose that if this grows I can point to my traps using 
other hostnames. I can also set up traps on virtual servers under OpenVZ 
so spammers won't know what IP ranges to avoid.





Re: Experimental - use my server for your high fake MX record

2008-05-08 Thread Kevin Parris
Well now, if a spambot actually does start recognizing and avoiding his system, 
doesn't that mean he wins and the spammer loses?


>>> John Hardin <[EMAIL PROTECTED]> 05/08/08 12:11 PM >>>
On Thu, 8 May 2008, Marc Perkel wrote:

> To participate all you have to do is set your highest numbered MX to 
> point to:
>
> tarbaby.junkemailfilter.com
>
> Several people have asked me how I'm doing this and can they have my 
> code to do it themselves. My situation is unique enough that it just 
> won't work very easilly any place else and it's definitely not clean 
> enough for just anyone to install.

You should make an effort to clean it up so that others *can* install it as a 
standalone daemon, as I suggested. Why? How long will it be before the spambots 
explicitly refuse to contact your honeypot if it is listed as an MX for the 
domain they're attacking?





Re: Experimental - use my server for your high fake MX record

2008-05-08 Thread Marc Perkel



Kevin Parris wrote:
> Well now, if a spambot actually does start recognizing and avoiding his system, 
> doesn't that mean he wins and the spammer loses?

I would say YES!

> > You should make an effort to clean it up so that others *can* install it as a 
> > standalone daemon, as I suggested. Why? How long will it be before the spambots 
> > explicitly refuse to contact your honeypot if it is listed as an MX for the 
> > domain they're attacking?

I don't see that happening. If the spammers were that sharp they would 
send quit and close the connection properly and defeat the method 
rather than defeating just me. But it would cost them some bandwidth and 
speed to do that. Especially if I added some delays before doing the 
rejection, which would cause the spammer to have to keep the connection 
open longer, which they aren't going to do.


I'm going to think about the delay thing. You inspired possibly another 
good idea.




RE: Experimental - use my server for your high fake MX record

2008-05-08 Thread Maurice Lucas
Or,

The spammers will find his host and not use the highest MX record. Or just 
remove his host from all the results.

My best solution would be:
Marc,

-  Clean up the code

-  Write a manual howto install so every admin can install it

-  Write an extra bit of code which will send you all the information 
WITHOUT the information below.

-  Everybody who wants it can use your great software and we all win*

I have contracts with my customers that I will not use their email for other 
business than to deliver it to its destination. Some of my customers will get 
into problems if other people know their contacts.
So I can give you all information about an email message without:

-  The from

-  The to

-  The body
But with all the IP addresses and with the QUIT after 451 status.


* we all know you wouldn't use it as a selling point to spammers or do 
something else with it, but can/will you write that into a contract with all 
other admins, and pay a large sum of money if some data is "found" on the 
internet?
And do we want that type of "silly" contract?
No, we want to stop spam and not kill every other spamkiller (application or 
person).

met vriendelijke groet,

Maurice Lucas

TAOS-IT

Paulus Buijsstraat 191
2613 HR  Delft
www.taos-it.nl<http://www.taos-it.nl/>
KvK Haaglanden nr. 27254410

From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: donderdag 8 mei 2008 19:07
To: Kevin Parris
Cc: users@spamassassin.apache.org
Subject: Re: Experimental - use my server for your high fake MX record



Kevin Parris wrote:
> Well now, if a spambot actually does start recognizing and avoiding his system, 
> doesn't that mean he wins and the spammer loses?

I would say YES!

> You should make an effort to clean it up so that others *can* install it as a 
> standalone daemon, as I suggested. Why? How long will it be before the spambots 
> explicitly refuse to contact your honeypot if it is listed as an MX for the 
> domain they're attacking?

I don't see that happening. If the spammers were that sharp they would send 
quit and close the connection properly and defeat the method rather than 
defeating just me. But it would cost them some bandwidth and speed to do that. 
Especially if I added some delays before doing the rejection which would cause 
the spammer to have to keep the connection open longer which they aren't going 
to do.

I'm going to think about the delay thing. You inspired possibly another good 
idea.


Re: Experimental - use my server for your high fake MX record

2008-05-21 Thread Jo Rhett


On May 7, 2008, at 9:17 AM, mouss wrote:
> what if he comes back later to the same MX, again and again (AFAIK,  
> this is the case with qmail)? mail will be lost.

Good.  Time for qmail to die ;-)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Experimental - use my server for your high fake MX record

2008-05-21 Thread mouss

Jo Rhett wrote:
> On May 7, 2008, at 9:17 AM, mouss wrote:
> > what if he comes back later to the same MX, again and again (AFAIK, 
> > this is the case with qmail)? mail will be lost.
> 
> Good.  Time for qmail to die ;-)

start by updating the RFCs.







Re: Experimental - use my server for your high fake MX record

2008-05-21 Thread Marc Perkel



mouss wrote:
> Jo Rhett wrote:
> > On May 7, 2008, at 9:17 AM, mouss wrote:
> > > what if he comes back later to the same MX, again and again (AFAIK, 
> > > this is the case with qmail)? mail will be lost.
> > 
> > Good.  Time for qmail to die ;-)
> 
> start by updating the RFCs.

Qmail only has a problem with lowest numbered MX getting a 4xx. It works 
fine with the highest numbered MX with 4xx.


Re: Experimental - use my server for your high fake MX record

2008-05-21 Thread mouss

Marc Perkel wrote:
> mouss wrote:
> > Jo Rhett wrote:
> > > On May 7, 2008, at 9:17 AM, mouss wrote:
> > > > what if he comes back later to the same MX, again and again (AFAIK, 
> > > > this is the case with qmail)? mail will be lost.
> > > 
> > > Good.  Time for qmail to die ;-)
> > 
> > start by updating the RFCs.
> 
> Qmail only has a problem with lowest numbered MX getting a 4xx. It 
> works fine with the highest numbered MX with 4xx.

do you have a pointer for this?

AFAIK, it "sticks" on 4xx independently of the priority.




Re: Experimental - use my server for your high fake MX record

2008-05-21 Thread Jo Rhett


On May 21, 2008, at 1:44 PM, mouss wrote:
> > Good.  Time for qmail to die ;-)
> 
> start by updating the RFCs.

The RFCs are, and have always been clear on how MX records are  
supposed to be used.

Are you just a nonsense machine?  The SA list's personal eliza run  
through the borker?


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: Experimental - use my server for your high fake MX record

2008-05-21 Thread Marc Perkel



Jo Rhett wrote:
> On May 7, 2008, at 9:17 AM, mouss wrote:
> > what if he comes back later to the same MX, again and again (AFAIK, 
> > this is the case with qmail)? mail will be lost.
> 
> Good.  Time for qmail to die ;-)

Agreed. Qmail should die!



Re: Experimental - use my server for your high fake MX record

2008-05-22 Thread mouss

Jo Rhett wrote:
> On May 21, 2008, at 1:44 PM, mouss wrote:
> > > Good.  Time for qmail to die ;-)
> > 
> > start by updating the RFCs.
> 
> The RFCs are, and have always been clear on how MX records are 
> supposed to be used.

Different people interpret when a "delivery attempt succeeds" differently.

[Insults removed]





Re: Experimental - use my server for your high fake MX record

2008-05-22 Thread Robin Bowes

Marc Perkel wrote:
> Jo Rhett wrote:
> > On May 7, 2008, at 9:17 AM, mouss wrote:
> > > what if he comes back later to the same MX, again and again (AFAIK, 
> > > this is the case with qmail)? mail will be lost.
> > 
> > Good.  Time for qmail to die ;-)
> 
> Agreed. Qmail should die!

Why?

R.



Re: Experimental - use my server for your high fake MX record

2008-05-23 Thread Robin Bowes

Marc Perkel wrote:
> First to do what I'm doing you have to be using EXIM. If you aren't 
> running exim then you just can't do it. In fact, with all due respect, I 
> can't see how anyone can do spam filtering and not use exim as their MTA.

qpsmtpd is another viable alternative.

> Exim has a feature where you can execute code based on how the 
> connection is closed. It has a NOTQUIT acl and you can look at whether the 
> connection timed out and a number of other things that caused the 
> connection to close without issuing a quit. Before the 451 error I store 
> information in variables that I can retrieve in the notquit acl and 
> based on that information I can send messages to another server that 
> accumulates information from all my servers.

qpsmtpd has hooks that are called at various stages of the SMTP 
transaction. I believe it has one that fires on connection close.

You can write plugins that are invoked by specific hooks and do pretty 
much whatever you want (they're just perl scripts).

R.



Re: Experimental - use my server for your high fake MX record

2008-05-24 Thread Michelle Konzack
Am 2008-05-23 11:18:57, schrieb Robin Bowes:
> Marc Perkel wrote:
> 
> >First to do what I'm doing you have to be using EXIM. If you aren't 
> >running exim then you just can't do it. In fact, with all due respect, I 
> >can't see how anyone can do spam filtering and not use exim as their MTA.
> 
> qpsmtpd is another viable alternative.

I use "courier-mta" and have "spamassassin" and "clamav-ng" integrated.

Do I miss something?

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)

