spamassassin-users mailing list archives

From Marc Perkel <m...@perkel.com>
Subject Re: Experimental - use my server for your high fake MX record
Date Thu, 08 May 2008 15:49:38 GMT


ram wrote:
> On Wed, 2008-05-07 at 08:50 -0700, Marc Perkel wrote:
>   
>> Looking for a few volunteers who want to reduce their spambot spam and 
>> at the same time help me track spambots for my black list. This is free 
>> and mutual benefit. I (junkemailfilter.com) want to be your highest 
>> numbered fake MX record. Here's how you would configure your domain:
>>
>> mail.yourdomain.com MX 10
>> tarbaby.junkemailfilter.com MX 20
>>
>> I will never actually receive your email. The sender will always get a 
>> 451 error just after the DATA command. So if your servers are down you 
>> won't lose anything. A 451 error is an "I'm not ready, come back later" 
>> error.
>>
>> This will help you reduce your spambot spam generally by half. 
>>     
>
> ...
>
> I use fake MX as well. But even if my lower MXes are perfectly
> available, I have seen quite a lot of legitimate traffic coming on my
> fake MX and getting turned down with a tempfail. 
>
>   So if you are populating blacklists based on this data, better be
> careful. (I'm sure you would have seen that yourself.) 
>
> Anyway, I think moving an MX record to a third party with no business
> contact would not be possible for anyone.
>
> Thanks
> Ram
>
>
>   

Hi Ram,

Being a high numbered MX in itself doesn't get you listed on this new 
server I set up. It's just a prequalifier of what I want to look at. In 
order to get listed they also have to fail to send a QUIT after the 451 
error and they have to commit some other significant sins. I'm looking 
at a number of things in the helo, the sender, the recipient, rDNS, etc. 
What I'm doing isn't going to catch as high of a percentage as I would 
if I were the official spam filtering host for the domain because I'm 
not running all my tests on it. I'm cutting them off before the data is 
sent. I'm not even seeing the message headers.

However, I do think that I'll catch a lot of what I'm looking for and 
that's virus infected spambots. That's the only thing I'm targeting here 
and I think I can distinguish them well enough that I can catch most all 
the spambot traffic with no false positives on legit email. I'm hoping 
for 50% accuracy of catching spambots on the first attempt.

To participate all you have to do is set your highest numbered MX to 
point to:

tarbaby.junkemailfilter.com

Several people have asked me how I'm doing this and whether they can have my 
code to do it themselves. My situation is unique enough that it just 
won't work very easily any place else and it's definitely not clean 
enough for just anyone to install. But I'll try to describe it here.

First to do what I'm doing you have to be using EXIM. If you aren't 
running exim then you just can't do it. In fact, with all due respect, I 
can't see how anyone can do spam filtering and not use exim as their MTA.

Exim has a feature where you can execute code based on how the 
connection is closed. It has a NOTQUIT ACL and you can look at whether the 
connection timed out and a number of other things that caused the 
connection to close without issuing a QUIT. Before the 451 error I store 
information in variables that I can retrieve in the notquit ACL and 
based on that information I can send messages to another server that 
accumulates information from all my servers. This server is basically 
running stats on a one minute cycle to determine what data goes into my 
various white/black/yellow lists and that feeds my 4 rbldnsd servers 
which are updated every minute.

Blacklist data is stored for 5 days and then it expires. Every 6 hours 
the oldest log file is deleted and everything is moved down a slot and a 
new log file created. Thus if someone fixes the virus then they will 
eventually be cleaned off the list. Users also have a web form where 
they can get themselves removed if there is a false positive.

The list isn't perfect but it is my goal to have no false positives. 
Unlike some lists who think that some sloppy admins "deserve to be 
blacklisted", my attitude is if the listing is wrong it's my fault and I 
want to fix it. And unlike many other blacklisting services I focus 
more on my white listing and yellow listing and use that information to 
reduce the chance of false positives in my blacklists.

I also see the value of being cooperative with others because 
although I'm good at coming up with new ideas, others are better at 
taking the ideas and doing it right. So many times I'll put an idea out 
there and someone else will do it better and I get to run their better 
version.

I am of the opinion that 100% of spambot spam can be stopped because I'm 
doing it. I want to try to expand on that and get data from other sources 
and see if I can't help others make some progress too.

Hope this is helpful.
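The Exim mechanism described in the message above, written out as an added configuration sketch for readers who want to see the moving parts; this is not Marc's own (unpublished) code. It assumes the pre-DATA ACL is where the 451 is issued, that numbered connection variables (acl_c0..acl_c3) carry state into the not-QUIT ACL, and that a separate stats process reads the log lines instead of Marc's server-to-server hand-off; the HELO and rDNS checks are illustrative "sins", not his actual rules.

```exim
# Main section: hook the two ACLs the tarbaby MX relies on.
acl_smtp_predata = acl_tarbaby_predata
acl_smtp_notquit = acl_tarbaby_notquit

begin acl

acl_tarbaby_predata:
  # Record what this client told us. acl_c* variables persist for the
  # whole connection, so the not-QUIT ACL can read them back later.
  warn
    set acl_c0 = 451
    set acl_c1 = $sender_helo_name
    set acl_c2 = $sender_address

  # Note whether the client has working reverse DNS (assumed heuristic).
  warn
    verify = reverse_host_lookup
    set acl_c3 = yes
  warn
    condition = ${if eq{$acl_c3}{}}
    set acl_c3 = no

  # Never accept message data on the fake MX: always temp-fail here, so a
  # real sender simply retries its lower-numbered MX later.
  defer
    message = 451 Temporary failure, please try again later
    log_message = tarbaby 451 to $sender_host_address

acl_tarbaby_notquit:
  # Sessions that never reached our 451 are not of interest.
  accept
    condition = ${if eq{$acl_c0}{}}

  # Drops caused by Exim itself do not count against the client.
  accept
    condition = ${if match{$smtp_notquit_reason}{^(acl-drop|synchronization-error)$}}

  # Got the 451, vanished without QUIT, and committed another sin
  # (bare-IP HELO or no rDNS): emit one line for the stats collector.
  warn
    condition = ${if or{{match{$acl_c1}{\N^\[?\d+\.\d+\.\d+\.\d+\]?$\N}} \
                        {eq{$acl_c3}{no}}}}
    logwrite = tarbaby candidate $sender_host_address helo=$acl_c1 \
               rdns=$acl_c3 from=<$acl_c2> reason=$smtp_notquit_reason

  accept
```

A candidate line alone should not feed a blacklist directly; it is the prequalifier the message describes, to be aggregated across servers and aged out (5 days in Marc's setup) before any listing decision.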

