ram wrote:
On Wed, 2008-05-07 at 08:50 -0700, Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam and at the same time help me track spambots for my black list. This is free and mutual benefit. I (junkemailfilter.com) want to be your highest numbered fake MX record. Here's how you would configure your domain:

mail.yourdomain.com MX 10
tarbaby.junkemailfilter.com MX 20

I will never actually receive your email. The recipient will always get a 451 error just after the DATA command. So if your servers are down you won't lose anything. A 451 error is a "I'm not ready, come back later" error.

This will help you reduce your spambot spam generally by half.

...

I use fake MX as well. But even if my lower MXes are perfectly
available, I have seen quite a lot of legitimate traffic coming in on my
fake MX and getting turned down with a tempfail.
  So if you are populating blacklists based on this data, better be
careful. (I'm sure you would have seen that yourself.)
Anyway, I think moving an MX record to a third party with no business
contact would not be possible for anyone.

Thanks
Ram



Hi Ram,

Being a high numbered MX in itself doesn't get you listed on this new server I set up. It's just a prequalifier of what I want to look at. In order to get listed they also have to fail to send a QUIT after the 451 error and they have to commit some other significant sins. I'm looking at a number of things in the helo, the sender, the recipient, rDNS, etc. What I'm doing isn't going to catch as high of a percentage as I would if I were the official spam filtering host for the domain because I'm not running all my tests on it. I'm cutting them off before the data is sent. I'm not even seeing the message headers.

However, I do think that I'll catch a lot of what I'm looking for and that's virus infected spambots. That's the only thing I'm targeting here and I think I can distinguish them well enough that I can catch most all the spambot traffic with no false positives on legit email. I'm hoping for 50% accuracy of catching spambots on the first attempt.

To participate all you have to do is set your highest numbered MX to point to:

tarbaby.junkemailfilter.com

Several people have asked me how I'm doing this and can they have my code to do it themselves. My situation is unique enough that it just won't work very easily any place else and it's definitely not clean enough for just anyone to install. But I'll try to describe it here.

First to do what I'm doing you have to be using EXIM. If you aren't running exim then you just can't do it. In fact, with all due respect, I can't see how anyone can do spam filtering and not use exim as their MTA.

Exim has a feature where you can execute code based on how the connection is closed. It has a NOTQUIT ACL and you can look at whether the connection timed out and a number of other things that caused the connection to close without issuing a QUIT. Before the 451 error I store information in variables that I can retrieve in the notquit ACL and based on that information I can send messages to another server that accumulates information from all my servers. This server is basically running stats on a one minute cycle to determine what data goes into my various white/black/yellow lists and that feeds my 4 rbldnsd servers which are updated every minute.

Blacklist data is stored for 5 days and then it expires. Every 6 hours the oldest log file is deleted and everything is moved down a slot and a new log file created. Thus if someone fixed the virus then they will eventually be cleaned off the list. Users also have a web form where they can get themselves removed if there is a false positive.

The list isn't perfect but it is my goal to have no false positives. Unlike some lists who think that some sloppy admins "deserve to be blacklisted" my attitude is if the listing is wrong it's my fault and I want to fix it. And unlike many other blacklisting services I focus more on my white listing and yellow listing and use that information to reduce the chance of false positives in my blacklists.

I also see the value of being as cooperative with others because although I'm good at coming up with new ideas, others are better at taking the ideas and doing it right. So many times I'll put an idea out there and someone else will do it better and I get to run their better version.

I am of the opinion that 100% of spambot spam can be stopped because I'm doing it. I want to try to expand on that and get data from other sources and see if I can't help others make some progress too.

Hope this is helpful.
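As an added illustration that is not part of the thread and not Marc's code: a small Python model of the decision flow described above, fed with session records of the kind an Exim NOTQUIT ACL could have collected (HELO, sender, recipient, rDNS, whether the 451 after DATA was followed by a QUIT, and Exim's $smtp_notquit_reason). The prequalifier (no QUIT after the 451) is from the post; the specific "other sins" checked (bare-IP HELO, HELO claiming the tarbaby's own name, missing rDNS, sender domain forged to match the recipient's) are assumed heuristics chosen for the example, not the list's real rules, and the hostname and session records are constructed. It also models the 20-slot rotation (5 days in 6-hour slots) and the web-form removal, and shows why a legitimate host that merely drops the connection after a tempfail, as Ram describes, is not listed on that evidence alone.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import List, Optional

OUR_HOSTNAME = "tarbaby.example.net"   # constructed placeholder for the fake MX's own name
SLOTS = 20                             # 5 days expressed as 6-hour slots, as in the post


@dataclass
class Session:
    """One SMTP session as seen by the fake MX (fields are assumptions for this example)."""
    ip: str
    helo: str
    mail_from: str
    rcpt_to: str
    rdns: Optional[str]          # None when the client has no reverse DNS
    got_451_after_data: bool     # server deferred with 451 right after DATA
    sent_quit: bool              # client issued QUIT after the 451
    notquit_reason: str          # Exim's $smtp_notquit_reason, e.g. "connection-lost"


def is_ip_literal(helo: str) -> bool:
    """True when the HELO argument is a bare IP address, with or without brackets."""
    try:
        ipaddress.ip_address(helo.strip("[]"))
        return True
    except ValueError:
        return False


def sins(s: Session) -> List[str]:
    """List the problems observed in a session. Failing to QUIT after the 451 is the
    prequalifier from the post: without it nothing else is even looked at."""
    if not (s.got_451_after_data and not s.sent_quit):
        return []
    found = ["no-quit:" + s.notquit_reason]
    # Assumed heuristics standing in for the post's "other significant sins".
    if is_ip_literal(s.helo):
        found.append("helo-ip-literal")
    if s.helo.lower() == OUR_HOSTNAME:
        found.append("helo-is-our-name")
    if s.rdns is None:
        found.append("no-rdns")
    sender_dom = s.mail_from.rpartition("@")[2].lower()
    rcpt_dom = s.rcpt_to.rpartition("@")[2].lower()
    if sender_dom and sender_dom == rcpt_dom:
        found.append("sender-forged-as-local")
    return found


def should_blacklist(s: Session, min_extra: int = 1) -> bool:
    """List only when the no-QUIT prequalifier is met AND at least min_extra other
    sins are present; a bare tempfail-and-drop is not enough (Ram's concern)."""
    return len(sins(s)) >= 1 + min_extra


class RotatingBlacklist:
    """Fixed number of slots; rotate() every 6 hours drops the oldest slot so an
    entry ages out after SLOTS rotations (5 days) unless it is re-added."""

    def __init__(self, slots: int = SLOTS):
        self.slots = deque([set() for _ in range(slots)], maxlen=slots)

    def add(self, ip: str) -> None:
        self.slots[-1].add(ip)          # newest slot

    def rotate(self) -> None:
        self.slots.append(set())        # maxlen discards the oldest slot

    def listed(self, ip: str) -> bool:
        return any(ip in slot for slot in self.slots)

    def remove(self, ip: str) -> None:
        for slot in self.slots:         # the web-form "remove me" path
            slot.discard(ip)


# Constructed session records for the demo.
BOT = Session("192.0.2.10", "[192.0.2.10]", "bob@example.com", "alice@example.com",
              None, True, False, "connection-lost")
LEGIT_DROP = Session("198.51.100.5", "mail.good.example", "bob@good.example",
                     "alice@example.com", "mail.good.example", True, False, "connection-lost")
LEGIT_QUIT = Session("198.51.100.6", "mx.sender.example", "bob@sender.example",
                     "alice@example.com", "mx.sender.example", True, True, "")

if __name__ == "__main__":
    bl = RotatingBlacklist()
    for sess in (BOT, LEGIT_DROP, LEGIT_QUIT):
        verdict = should_blacklist(sess)
        print(sess.ip, sins(sess), "-> listed" if verdict else "-> not listed")
        if verdict:
            bl.add(sess.ip)
    for _ in range(SLOTS):
        bl.rotate()
    print("after 5 days:", bl.listed(BOT.ip))
```

The rotation is modelled with a bounded deque so that the "delete the oldest file, shift everything down a slot, open a new one" step is a single append; re-adding an IP on each new sighting keeps an active bot listed while a cleaned host falls off after 20 rotations.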
