Re: [sa-list] Re: detecting brute-force spams

2005-02-08 Thread Dan Mahoney, System Admin
On Tue, 8 Feb 2005, Dennis Davis wrote:
While I like the idea of using an RBL for these types of things, since in 
theory it would save a lot of load if these emails never even hit 
spamassassin...my custom rule mentality was more or less for *submitting* 
to that RBL.

This is outside the scope of normal sa-stuff since essentially you need to 
track hits per-domain, which could possibly be for more than one user, so 
the standard DBs (a la Bayes) have permissions issues.

I could probably come up with some kind of insane client-server logging 
protocol that looks at the x-envelope-to and the receiving hosts. 
Essentially we're looking for a senderbase-style DB versus domain/hits per 
domain.

-Dan

--
"That just erased my whole stereotype that british men are smart..."
-SK, April 6, 2K, about 3PM
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


Re: detecting brute-force spams

2005-02-08 Thread Dennis Davis
On Tue, 8 Feb 2005, Rich Puhek wrote:

> From: Rich Puhek <[EMAIL PROTECTED]>
> To: "Dan Mahoney, System Admin" <[EMAIL PROTECTED]>
> Cc: users@spamassassin.apache.org
> Date: Tue, 08 Feb 2005 10:29:57 -0600
> Subject: Re: detecting brute-force spams
> 
> Dan Mahoney, System Admin wrote:
> > Hey all,
> > 
> > I host about 500 domains, and every once in a while I see something where a
> > domain gets hammered for a bunch of non-existent users (in my setup, this
> > results in all the emails going to the same place).
> > 
> > Is there a custom rule that can be kicked in to detect multiple recipients
> > of the same email?
> > 
> (snip)
> 
> I haven't tried the custom rule approach, but I've found increasing success
> with non SA methods.

Yes, it's well worth looking at other methods.  For example:

http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html

I don't use the above, but have set up something similar using exim.
Sites I catch running dictionary attacks are restricted to a single
connection to my mail servers.  And are subject to progressively
larger delays for every bad address they attempt to use.  It does my
heart good to see log lines similar to:

2005-02-07 19:45:03 H=(smtp.com) [217.158.171.56] I=[138.38.32.23]:25 
F=<[EMAIL PROTECTED]> temporarily rejected RCPT 
<[EMAIL PROTECTED]>: 217.158.171.56 bad recipients 20, delay 30720

You'd think they'd notice the looong delays between RCPT TO commands
being temporarily rejected.

...

> I did switch one of the MX machines to postfix recently. Postfix includes the
> ability to verify addresses prior to accepting mail, so dictionary attacks can
> be identified right away. That really cuts down on the quantity of mail
> sitting in the queue.

You can do much the same with exim, depending on how you configure it.  
That's how I managed to implement the automatic tarpit described above.

The OpenBSD operating system even comes with its own tarpitting daemon.
It's called spamd, which can cause some confusion.  From the man page:

spamd is a fake sendmail(8)-like daemon which rejects false mail.  If the
pf(4) packet filter is configured to redirect port 25 (SMTP) to this daemon,
it will attempt to waste the time and resources of the spam sender.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101


Re: detecting brute-force spams

2005-02-08 Thread Rich Puhek
Dan Mahoney, System Admin wrote:
> Hey all,
> I host about 500 domains, and every once in a while I see something 
> where a domain gets hammered for a bunch of non-existent users (in my 
> setup, this results in all the emails going to the same place).
> 
> Is there a custom rule that can be kicked in to detect multiple 
> recipients of the same email?

(snip)
I haven't tried the custom rule approach, but I've found increasing 
success with non-SA methods. First, I've got a couple of spamtrap 
addresses that feed into a script which parses the email, adding the 
first non local relay into a local RBL (actually into a MySQL DB from 
which the RBL is automatically built), which is used with spamassassin. 
It's a bit risky, since there's no human review prior to adding the 
mail, but I've been careful about what emails become spamtraps.

I wanted to whip up a script to scan the logs and find the biggest 
offending IPs or IP ranges. In my application, however, I have a central 
mail hub, with multiple SMTP relays handling external mail (and AV 
scanning). The external relays were running amavisd-new with dual 
sendmail. Since the external relays accept for everyone in the local 
domains, the dictionary attacks were a big deal (or a nice feature, since 
the sending machine didn't gain any information about my user base). 
Given the volume, it wasn't a trivial task to match the log files on the 
machines (the mail hub logs that I'm seeing connections to unknown users 
-- I could use BAD_RCPT_THROTTLE, but all the connections come from my 
MX servers... D'oh!).

I did switch one of the MX machines to postfix recently. Postfix 
includes the ability to verify addresses prior to accepting mail, so 
dictionary attacks can be identified right away. That really cuts down 
on the quantity of mail sitting in the queue.

Now it's simple to scan the mail log on the MX server for user unknown 
messages that I can relate to a spam source. Pipe to awk, pipe to sort, 
pipe to uniq -c, pipe to sort again, pipe to head, and I have a top ten 
list of offenders to double-check and possibly add to a blacklist.

My next step will be to migrate the other MX server to postfix. Right 
now, it accepts mail for non-existent users, passes them to the mailhub, 
the hub generates a bounce, and the bounce either sits on the sendmail 
MX server, or gets rejected by the postfix server.

--Rich
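As an added example (not code from Rich's or Dan's setups), here is the awk/sort/uniq -c/sort/head pipeline Rich describes, written as shell functions over a constructed sample of standard Postfix smtpd "User unknown" reject lines, plus the per-target-domain count Dan's per-domain tracking idea calls for and a distinct-recipients-per-source view that separates a dictionary attack from a sender retrying one stale address. All IPs and addresses are RFC 5737 / example.* test values constructed for the sample.

```shell
#!/bin/sh
# Constructed sample of Postfix smtpd log lines (RFC 5737 test addresses); not from any real log.
sample_log() {
cat <<'EOF'
Feb  8 10:29:57 mx1 postfix/smtpd[4021]: connect from unknown[192.0.2.10]
Feb  8 10:29:58 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<aaron@example.org> proto=ESMTP helo=<mail>
Feb  8 10:29:59 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <abby@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<abby@example.org> proto=ESMTP helo=<mail>
Feb  8 10:30:00 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <adam@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<adam@example.org> proto=ESMTP helo=<mail>
Feb  8 10:30:01 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <alan@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<alan@example.org> proto=ESMTP helo=<mail>
Feb  8 10:31:10 mx1 postfix/smtpd[4022]: NOQUEUE: reject: RCPT from relay.example.net[198.51.100.7]: 550 <oldaccount@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<oldaccount@example.com> proto=ESMTP helo=<relay.example.net>
Feb  8 10:35:10 mx1 postfix/smtpd[4022]: NOQUEUE: reject: RCPT from relay.example.net[198.51.100.7]: 550 <oldaccount@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<oldaccount@example.com> proto=ESMTP helo=<relay.example.net>
Feb  8 10:36:00 mx1 postfix/smtpd[4024]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 <victim@example.net>: Relay access denied; from=<x@example.com> to=<victim@example.net> proto=SMTP helo=<x>
Feb  8 10:37:00 mx1 postfix/smtpd[4025]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<nobody@example.org> proto=ESMTP helo=<x>
EOF
}

# Reduce every "User unknown" reject to "client-ip recipient"; all other log lines are dropped.
unknown_rcpts() {
    grep 'Recipient address rejected: User unknown' |
    sed -nE 's/.*RCPT from [^[]*\[([0-9.]+)\]: [45][0-9]{2} <([^>]*)>.*/\1 \2/p'
}

# Rich's top-N list: source IPs ranked by number of unknown-recipient rejects.
top_offenders() {
    unknown_rcpts | awk '{print $1}' | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Per-target-domain view (Dan's per-domain hit tracking): unknown-recipient rejects by domain.
hits_per_domain() {
    unknown_rcpts | awk '{sub(/.*@/, "", $2); print $2}' | sort | uniq -c | sort -rn
}

# Dictionary-attack signature: count *distinct* unknown recipients per source IP, so a
# legitimate sender retrying one stale address is not flagged; report IPs at/above threshold.
dictionary_suspects() {
    unknown_rcpts | sort -u |
    awk -v thr="${1:-3}" '{c[$1]++} END {for (ip in c) if (c[ip] >= thr) print c[ip], ip}' | sort -rn
}

# Stand-alone run against the constructed sample: top three sources.
sample_log | top_offenders 3
```

Point the functions at the real log with `grep smtpd /var/log/maillog | top_offenders`; the 554 "Relay access denied" line in the sample is deliberately excluded, since relay probes are a different problem from recipient harvesting.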


Re: detecting brute-force spams

2005-02-07 Thread Loren Wilton
> Is there a custom rule that can be kicked in to detect multiple recipients
> of the same email?

# The list archive replaced part of this regex with "[EMAIL PROTECTED]"; the
# "?[^@]+" local-part match before the second \@ is a reconstruction of that token.
header   LW_MULT_RECIP3 ToCc =~ /(?:"[^"]{0,31}")?\@([^\s,]+)(?:(?:"[^"]{0,31}")?[^@]+\@\1){2}/
describe LW_MULT_RECIP3 Three or more recipients in same domain
score    LW_MULT_RECIP3 1

I have a set of those with increasing numbers of recipients and increasing
scores.  (But remember that all of the scores for the smaller matches will
add to the total score.)  Generally in my case if I see 8 recipients at the
same ISP, it is guaranteed spam.  That may not be the case for everyone.

Change the very last number in braces ({2} in this case) to change the
number of required recipients.  Remember that this is one less than the
number of recipients that must hit.

Loren