Aaron Wolfe wrote:
On Thu, Feb 21, 2008 at 11:47 PM, Marc Perkel <[EMAIL PROTECTED]> wrote:
 Steve Radich wrote:
 > Sorry; apparently I was unclear.
 >
 > MX records I'm saying as follows:
 >       100 - Real
 >       200 - Real perhaps, as many "real" as you want
 >       300 - Bogus - one that blocks port 25 with tcp reset for example
 >       400 - accept port, logs ip -> blacklist (not to be scored
 > aggressively at all) with a 421/retry.
 >
 > If a whole bunch of places are seeing the same smtp server hitting this
 > 400 level MX then I'm saying that seems like a useful thing to be
 > included in a blacklist using a low score in sa.
 >
 > The point was to offer the 400 level mx as a free service to log the ips
 > quickly for those that don't want to set up the server themselves.
 >
 > In theory the 400 level MX wouldn't be used by "real" smtp very often,
 > hence it's likely a spammer and therefore the IP could be auto
 > blacklisted.  Realize I'm NOT proposing we block on this, just score
 > based on this list.
 >
 > Steve Radich - http://www.aspdeveloper.net /
 > http://www.virtualserverfaq.com
 > BitShop, Inc. - Development, Training, Hosting, Troubleshooting -
 > http://www.bitshop.com
 >
 >

 I'm actually doing something like that. What I do is track hits on the
 highest MX that has not hit the lowest numbered MX, then because I use
 Exim I can track which IP addresses don't send the QUIT command to close

I am thinking about playing around with the same type of thing here..
Is this any different from looking for "lost connection after DATA" or
"lost connection after RCPT" errors in a postfix server's logs?  Not
sure why you can detect this because you run Exim specifically.   Or
am I missing something?
Exim has ACLs that let you do things when the QUIT is received or not received. Exim probably has 100x the commands that Postfix does and you can do a lot of tricky stuff in Exim that no other MTA has.
 the connection. This combination creates a highly reliable blacklist and
 I'm currently tracking about 1.1 million virus infected spambots that
 have tried to spam me in the last 4 days.

 It's my hostkarma list.



Sounds interesting.. do you block based on this list or just use it
for scoring in SA or something like that?  What is the false positive
rate?


Yes, I do block based on this list. There are some false positives but it's rare. I have a way for people to remove themselves from the list. There are other criteria that we blacklist on as well that makes for a few FP. But it's extremely low. I've put a lot of effort into getting it right.
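The two signals discussed in this thread, a sender that only ever hits the high-numbered "trap" MX and never the primary one, and a sender that drops the connection after RCPT or DATA instead of finishing the session, can both be pulled out of ordinary Postfix smtpd logs. The script below is an added example, not code from anyone in this thread or from hostkarma; it uses constructed Postfix-style log lines and assumes hypothetical MX hostnames `mx1` (the lowest-numbered, real MX) and `mx4` (the high-numbered trap MX). It produces per-IP counts and reasons suitable for feeding a low-weight score into SpamAssassin rather than a hard block.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd format (not from the thread).
# Host field: mx1 = primary MX, mx4 = high-numbered trap MX (hypothetical names).
SAMPLE_LOG = """\
Feb 22 01:02:03 mx4 postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Feb 22 01:02:04 mx4 postfix/smtpd[1234]: lost connection after RCPT from unknown[192.0.2.10]
Feb 22 01:02:05 mx1 postfix/smtpd[1235]: connect from mail.example.net[198.51.100.5]
Feb 22 01:02:06 mx1 postfix/smtpd[1235]: disconnect from mail.example.net[198.51.100.5]
Feb 22 01:03:07 mx4 postfix/smtpd[1236]: connect from unknown[192.0.2.10]
Feb 22 01:03:08 mx4 postfix/smtpd[1236]: lost connection after DATA from unknown[192.0.2.10]
Feb 22 01:04:09 mx1 postfix/smtpd[1237]: connect from relay.example.org[203.0.113.7]
Feb 22 01:04:10 mx1 postfix/smtpd[1237]: lost connection after DATA from relay.example.org[203.0.113.7]
Feb 22 01:05:11 mx1 postfix/smtpd[1238]: connect from relay.example.org[203.0.113.7]
Feb 22 01:05:12 mx1 postfix/smtpd[1238]: disconnect from relay.example.org[203.0.113.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/smtpd\[\d+\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"from \S*\[(?P<ip>[\d.]+)\]")


def parse_events(log_text):
    """Yield (host, ip, kind) for connect / lost-connection / clean-disconnect lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        ip_m = IP_RE.search(msg)
        if not ip_m:
            continue
        if msg.startswith("connect from"):
            kind = "connect"
        elif msg.startswith("lost connection after"):
            kind = "lost"  # client dropped mid-session (after RCPT, DATA, ...)
        elif msg.startswith("disconnect from"):
            kind = "clean"  # session ended normally
        else:
            continue
        yield m.group("host"), ip_m.group("ip"), kind


def score_ips(log_text, primary_mx="mx1", trap_mx="mx4", min_hits=2):
    """Summarise behaviour per client IP and attach reasons worth scoring on.

    Reasons are evidence for a low-weight score, not a verdict:
      drops_connection: at least min_hits sessions lost, none ended cleanly
      trap_mx_only:     seen on the trap MX but never on the primary MX
    """
    stats = defaultdict(lambda: {"lost": 0, "clean": 0, "hosts": set()})
    for host, ip, kind in parse_events(log_text):
        stats[ip]["hosts"].add(host)
        if kind in ("lost", "clean"):
            stats[ip][kind] += 1

    result = {}
    for ip, s in stats.items():
        reasons = []
        if s["lost"] >= min_hits and s["clean"] == 0:
            reasons.append("drops_connection")
        if trap_mx in s["hosts"] and primary_mx not in s["hosts"]:
            reasons.append("trap_mx_only")
        result[ip] = {"lost": s["lost"], "clean": s["clean"],
                      "hosts": sorted(s["hosts"]), "reasons": reasons}
    return result


if __name__ == "__main__":
    for ip, info in sorted(score_ips(SAMPLE_LOG).items()):
        print(ip, info)
```

The `min_hits` threshold and the requirement of zero clean disconnects are what keep a legitimate relay with one flaky session (203.0.113.7 above) out of the suspect set; in production you would aggregate the counts across all your MX hosts before scoring, and expire entries so a cleaned-up host drops off the list.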
