On Mon, 21 Aug 2006, Loren Wilton wrote:

> From: Loren Wilton <[EMAIL PROTECTED]>
> Resent-From: [EMAIL PROTECTED]
> To: SpamAssassin Users List <users@spamassassin.apache.org>
> Resent-To: [EMAIL PROTECTED]
> Date: Mon, 21 Aug 2006 01:09:37 -0700
> Resent-Date: Mon, 21 Aug 2006 09:11:20 +0100 (BST)
> Subject: Enumerating the robots?
> X-Spam-Score: -2.0 (--)
>
> It was mentioned that several people are getting hammered
> by world-wide robot attacks. I see from the little spam I
> get that there is a new spam sending tool for robots that is
> running a stock spam. I suspect the traffic is a combination of
> distributing the new spam tool and sending out the new spam.
>
> With all this traffic from robots, lots of people here must be
> getting quite a lot of information in their logs about connections
> from robots. I wonder if there would be value in a central
> database that attempts to enumerate the robots?
I reject a lot of connections using simple HELO tests etc. For example:

2006-08-22 14:47:33 H=(138.38.32.20) [85.95.65.33] I=[138.38.32.20]:25 F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: Imposters are persona non grata.

In this case the connecting IP [85.95.65.33] announced itself as the IP address [138.38.32.20] of the server to which it was connecting. The envelope sender <[EMAIL PROTECTED]> almost certainly means this was an attempt to send a phishing scam.

Other tricks used include connecting IPs announcing themselves as one of the email domains handled by the server to which they're connecting:

2006-08-22 15:00:08 H=(bath.ac.uk) [201.217.19.209] I=[138.38.32.20]:25 F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: Charlatan, how can you be bath.ac.uk ?

And there seem to be a lot of machines out there that think they're called "friend".

I'm more than happy to reject stuff using such simple tests[1]. But placing the connecting IPs in a database is a different matter. You might wish to set standards for inclusion. My "kill 'em all, let God decide" attitude might not be acceptable to some.

[1] Many such hosts may well be in some of the RBLs I use. I don't know. These cheap tests are run before examining any of the RBLs I use.

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
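The three HELO tests Dennis describes (a peer claiming to be the server's own IP address, a peer claiming to be one of the server's own mail domains, and the junk name "friend"), as an added example that is not part of the original thread and is not his Exim configuration. It assumes a receiving MTA with interface address 138.38.32.20 handling mail for bath.ac.uk (the values visible in his quoted log lines), and it parses log lines in the same `H=(helo) [peer] I=[interface]:port` shape so the tests can be re-run over a log file. The sample lines are constructed; the envelope addresses in the original were redacted, so placeholders are used here.

```python
import ipaddress
import re
from typing import Optional

# Constructed configuration for the receiving MTA. The address and domain are
# the ones visible in the quoted log lines; they are not a real policy.
LOCAL_IPS = {ipaddress.ip_address("138.38.32.20")}
LOCAL_DOMAINS = {"bath.ac.uk"}
# HELO names that are never a legitimate hostname. "friend" is the one the
# message mentions; extend this set from your own logs.
BOGUS_HELO_NAMES = {"friend"}

# Exim-style reject line: "H=[hostname ](helo) [peer-ip] I=[interface-ip]:port".
# The hostname before the parenthesised HELO is absent when the peer has no
# reverse DNS, which is the case in the quoted examples.
_EXIM_RE = re.compile(
    r"H=(?:(?P<host>\S+) )?\((?P<helo>[^)]*)\) \[(?P<peer>[^\]]+)\] "
    r"I=\[(?P<iface>[^\]]+)\]:(?P<port>\d+)"
)


def check_helo(helo: str, peer_ip: str,
               local_ips=LOCAL_IPS, local_domains=LOCAL_DOMAINS) -> Optional[str]:
    """Apply the cheap HELO tests and return a rejection reason, or None.

    Tests, in order:
      1. HELO is one of *our* IP addresses (bare, or as an RFC 5321 address
         literal in square brackets).
      2. HELO is one of the e-mail domains we handle.
      3. HELO is a known junk name such as "friend".
    A HELO that is the peer's own address literal is legal and passes here.
    """
    local_ips = {ipaddress.ip_address(str(ip)) for ip in local_ips}
    name = helo.strip().lower()
    literal = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    try:
        helo_ip = ipaddress.ip_address(literal)
    except ValueError:
        helo_ip = None

    if helo_ip is not None:
        if helo_ip in local_ips:
            return "Imposters are persona non grata."
        # Any other address literal, including the peer's own, is left to later checks.
        return None
    if name in local_domains:
        return f"Charlatan, how can you be {name} ?"
    if name in BOGUS_HELO_NAMES:
        return f"Bogus HELO name: {name}"  # wording is ours, not from the message
    return None


def parse_exim_line(line: str) -> Optional[dict]:
    """Extract host/helo/peer/iface/port from an Exim-style log line, or None."""
    m = _EXIM_RE.search(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Re-run the HELO tests over log lines; returns (peer, helo, reason) per hit."""
    hits = []
    for line in lines:
        rec = parse_exim_line(line)
        if rec is None:
            continue
        reason = check_helo(rec["helo"], rec["peer"])
        if reason:
            hits.append((rec["peer"], rec["helo"], reason))
    return hits


# Constructed sample lines in the shape of the Exim reject lines quoted in the
# message. Envelope addresses are placeholders (the originals were redacted).
SAMPLE_LOG = [
    "2006-08-22 14:47:33 H=(138.38.32.20) [85.95.65.33] I=[138.38.32.20]:25 "
    "F=<noreply@example.net> rejected RCPT <user@bath.ac.uk>: Imposters are persona non grata.",
    "2006-08-22 15:00:08 H=(bath.ac.uk) [201.217.19.209] I=[138.38.32.20]:25 "
    "F=<info@example.net> rejected RCPT <user@bath.ac.uk>: Charlatan, how can you be bath.ac.uk ?",
    "2006-08-22 15:03:11 H=(friend) [198.51.100.7] I=[138.38.32.20]:25 "
    "F=<offer@example.net> rejected RCPT <user@bath.ac.uk>: Bogus HELO name: friend",
    # A peer with working reverse DNS and a sane HELO; the reject-line shape is
    # reused only so the same parser applies (a real accepted message logs differently).
    "2006-08-22 15:05:42 H=mail.example.com (mail.example.com) [203.0.113.5] I=[138.38.32.20]:25 "
    "F=<alice@example.com> rejected RCPT <nobody@bath.ac.uk>: Unknown user",
]

if __name__ == "__main__":
    for peer, helo, reason in scan_log(SAMPLE_LOG):
        print(f"{peer} HELO {helo!r}: {reason}")
```

The checks cost no DNS lookup, which is why they belong in front of any RBL query as the footnote describes. The one deliberate gap is that a HELO giving the peer's own address literal is allowed through: RFC 5321 permits it, so rejecting it would hit legitimate hosts without reverse DNS as well as robots.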