Kenneth Porter wrote:
> On Tuesday, September 11, 2007 12:30 PM -0700 Marc Perkel <[EMAIL PROTECTED]> wrote:
>
>> The details are a little too complex for this forum but the new trick is
>> mostly based on the fact that spam bots generally don't issue the QUIT
>> command and when combined with other factors allows me to catch spam bots
>> on the first try.
>
> At last we get some technical details. Please post the methodology on a web page for review. For example, how do you know you don't get a QUIT command?


OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information.

I'm using Exim and Exim has a new feature in their latest 4.6.8 version where they added a "notquit" acl. The notquit is executed if the connection terminates without a quit.

I have a very complex configuration and I'm not going to be able to go into all the details of how this works. But in addition to being able to detect the notquit condition I can also monitor a dozen other behaviors that mostly only spammers do. Another one for example is hitting my fake high MX records when I have 4 lower MX records available. In both these conditions there are a number of sanity checks to reduce false positives, but when I combine all these conditionals, that feeds my "hostkarma" database which stores 3 days of reporting data. Every 5 minutes I run a Pascal program I wrote that generates the zone files for my 5 name servers, which I reload to update the data with the new zone information.

That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

One of the cool things about it is the speed at which I can detect these. I don't have to wait for multiple attempts, which takes a long time. I can have them blacklisted in the same 5 minute cycle from the first time they hit me. And fast is good.

I've eliminated bot spam entirely. About the only spam I get is from yahoo and hotmail that SA doesn't catch.
