On Mon, 21 Aug 2006, Loren Wilton wrote:

> From: Loren Wilton <[EMAIL PROTECTED]>
> Resent-From:  [EMAIL PROTECTED]
> To: SpamAssassin Users List <users@spamassassin.apache.org>
> Resent-To:  [EMAIL PROTECTED]
> Date: Mon, 21 Aug 2006 01:09:37 -0700
> Resent-Date:  Mon, 21 Aug 2006 09:11:20 +0100 (BST)
> Subject: Enumerating the robots?
> X-Spam-Score: -2.0 (--)
> 
> It was mentioned that several people are getting hammered
> by world-wide robot attacks.  I see from the little spam I
> get that there is a new spam sending tool for robots that is
> running a stock spam.  I suspect the traffic is a combination of
> distributing the new spam tool and sending out the new spam.
>
> With all this traffic from robots, lots of people here must be
> getting quite a lot of information in their logs about connections
> from robots.  I wonder if there would be value in a central
> database that attempts to enumerate the robots?


I reject a lot of connections using simple HELO tests etc.
For example:

2006-08-22 14:47:33 H=(138.38.32.20) [85.95.65.33] I=[138.38.32.20]:25 
F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: Imposters are persona 
non grata.

In this case the connecting IP [85.95.65.33] announced itself as the
IP address [138.38.32.20] of the server to which it was connecting.
The envelope sender <[EMAIL PROTECTED]>
almost certainly means this was an attempt to send a phishing scam.

Other tricks used include connecting IPs announcing themselves as
one of the email domains handled by the server to which they're
connecting:

2006-08-22 15:00:08 H=(bath.ac.uk) [201.217.19.209] I=[138.38.32.20]:25 
F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: Charlatan, how can you 
be bath.ac.uk ?

And there seems to be a lot of machines out there that think they're
called "friend".

I'm more than happy to reject stuff using such simple tests[1].  But
placing the connecting IPs in a database is a different matter.  You
might wish to set standards for inclusion.  My "kill 'em all, let
God decide" attitude might not be acceptable to some.

[1] Many such hosts may well be in some of the RBLs I use.  I don't
    know.  These cheap tests are run before examining any of the RBLs
    I use.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]               Phone: +44 1225 386101
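As an added illustration, not the author's Exim configuration (the message shows only the resulting log lines), here is a Python sketch of the three cheap HELO tests described above: a HELO that is the receiving server's own IP address, a HELO that is one of the server's own mail domains, and the bare name "friend". It parses constructed Exim-style reject lines modelled on the two quoted and re-derives the verdict for each connection. 138.38.32.20, bath.ac.uk and the two rejected peer addresses are taken from the message; example.org, the remaining IPs and all sender addresses are constructed placeholders.

```python
"""Cheap HELO plausibility checks, modelled on the Exim reject lines above.

Added example; the local identities below are constructed, not the author's.
"""
import ipaddress
import re
from typing import Optional

# Identities of the receiving MTA.  138.38.32.20 and bath.ac.uk appear in the
# quoted log lines; example.org is a constructed placeholder.
LOCAL_IPS = {ipaddress.ip_address("138.38.32.20")}
LOCAL_DOMAINS = {"bath.ac.uk", "example.org"}

# Connection fields of an Exim reject line:  H=[hostname ](helo) [peer] I=[local]:port
_EXIM_CONN = re.compile(
    r"H=(?:(?P<host>\S+) )?\((?P<helo>[^)]*)\) \[(?P<peer>[^\]]+)\] "
    r"I=\[(?P<local>[^\]]+)\]:(?P<port>\d+)"
)


def parse_exim_connection(line: str) -> Optional[dict]:
    """Extract HELO, peer IP, local IP and port from an Exim log line, or None."""
    m = _EXIM_CONN.search(line)
    if not m:
        return None
    return {
        "helo": m["helo"],
        "peer": ipaddress.ip_address(m["peer"]),
        "local": ipaddress.ip_address(m["local"]),
        "port": int(m["port"]),
    }


def helo_as_ip(helo: str):
    """Return the address an address-literal HELO names, or None if it is a name."""
    literal = helo.strip()
    if literal.startswith("[") and literal.endswith("]"):
        literal = literal[1:-1]
        if literal.lower().startswith("ipv6:"):   # RFC 5321 form [IPv6:...]
            literal = literal[5:]
    try:
        return ipaddress.ip_address(literal)
    except ValueError:
        return None


def check_helo(helo: str, peer, local_ips=LOCAL_IPS, local_domains=LOCAL_DOMAINS):
    """Return a rejection reason, or None when the HELO passes these cheap tests."""
    peer = ipaddress.ip_address(str(peer))
    # Our own hosts (and loopback) may legitimately announce our name or address.
    if peer in local_ips or peer.is_loopback:
        return None
    name = helo.strip().lower().rstrip(".")
    as_ip = helo_as_ip(helo)
    if as_ip is not None and as_ip in local_ips:
        return "imposter: HELO is this server's own IP address"
    # Exact match only: a host calling itself sub.bath.ac.uk is not judged here.
    if name in local_domains:
        return "charlatan: HELO claims one of our own mail domains"
    if name == "friend":
        return "bogus: HELO name 'friend'"
    return None


def classify_log(lines, local_ips=LOCAL_IPS, local_domains=LOCAL_DOMAINS):
    """Return (peer, helo, reason) for every line that carries connection fields."""
    results = []
    for line in lines:
        conn = parse_exim_connection(line)
        if conn is None:
            continue
        reason = check_helo(conn["helo"], conn["peer"], local_ips, local_domains)
        results.append((str(conn["peer"]), conn["helo"], reason))
    return results


# Constructed sample log, modelled on the two reject lines quoted in the message.
SAMPLE_LOG = [
    "2006-08-22 14:47:33 H=(138.38.32.20) [85.95.65.33] I=[138.38.32.20]:25 "
    "F=<sender@example.net> rejected RCPT <user@bath.ac.uk>: Imposters are persona non grata.",
    "2006-08-22 15:00:08 H=(bath.ac.uk) [201.217.19.209] I=[138.38.32.20]:25 "
    "F=<sender@example.net> rejected RCPT <user@bath.ac.uk>: Charlatan, how can you be bath.ac.uk ?",
    "2006-08-22 15:03:41 H=(friend) [198.51.100.7] I=[138.38.32.20]:25 "
    "F=<x@example.net> rejected RCPT <user@bath.ac.uk>: bogus HELO",
    "2006-08-22 15:05:12 H=mx.example.com (mx.example.com) [192.0.2.10] I=[138.38.32.20]:25 "
    "F=<ok@example.com> rejected RCPT <nobody@bath.ac.uk>: unknown user",
]

if __name__ == "__main__":
    for peer, helo, reason in classify_log(SAMPLE_LOG):
        print(f"{peer:16} HELO={helo!r:20} -> {reason or 'pass'}")
```

The exemption for the server's own addresses and loopback is the one check worth adding before deploying such a rule: a local submission client or a backup MX that genuinely is bath.ac.uk would otherwise trip the "charlatan" test. As the footnote says, these tests are cheap enough to run before any RBL lookup, and a connection they reject never costs a DNS query.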
