Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2006/08/21 10:09:37 UTC

Enumerating the robots?

It was mentioned that several people are getting hammered by world-wide 
robot attacks.  I see from the little spam I get that there is a new spam 
sending tool for robots that is running a stock spam.  I suspect the traffic 
is a combination of distributing the new spam tool and sending out the new 
spam.

With all this traffic from robots, lots of people here must be getting quite 
a lot of information in their logs about connections from robots.  I wonder 
if there would be value in a central database that attempts to enumerate 
the robots?

Most of them are probably on dynamic ip.  But if the sending IP and 
attempted connect time could be logged at many sites and combined, there 
would be fairly conclusive evidence that a given IP had been sending spam at 
a particular time.  Perhaps that could be submitted to at least some of the 
more responsible service providers, and they could do something to track it 
back to a customer and send them an email that their machine is infected. 
(Or possibly be even more proactive, I suppose.)

The database might also be usable in front door spam blocking.  Most people 
probably shouldn't be accepting direct connections from dynamic ips on 
someone else's network, especially if that ip has a recent history of 
sending spam (say in the last 6 hours or so).  It might be possible to make 
a server that could provide yes/no answers on whether the IP has sent spam 
in the last minute/hour/6 hours/day or so.

I'd think that such a database could be built almost automatically.  For 
instance, if you log the IPs of connection attempts that you reject for 
various problems, you could just harvest those IPs once an hour or so to 
some central site, no human judgement calls required.  If the mail is 
accepted and gets a high SA score, and you can still determine the sending 
IP, then that might be automatically harvested also.

Thoughts?  Does something like this have any value?

        Loren
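
The time-windowed yes/no lookup and the hourly harvest sketched in the post, written out as an added example; this is not code from the thread or from SpamAssassin. The record layout, the `SightingStore` class and its method names, the `min_sites` corroboration threshold and the two hypothetical reporting sites are assumptions, and the sightings are constructed with documentation-range addresses.

```python
"""Added example (not from the thread or any SpamAssassin code): a toy
reputation store fed by sightings each site harvests from its own reject log.
Record layout, class and method names, and the min_sites threshold are
assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The query windows the post suggests: minute / hour / 6 hours / day.
WINDOWS = {
    "minute": timedelta(minutes=1),
    "hour": timedelta(hours=1),
    "6h": timedelta(hours=6),
    "day": timedelta(days=1),
}


class SightingStore:
    def __init__(self):
        # ip -> list of (timestamp, reporting site, reason)
        self._sightings = defaultdict(list)

    def harvest(self, site, records):
        """Take one site's batch of (ip, iso_timestamp, reason) tuples, the
        kind of thing a cron job would push up once an hour. Returns the
        number of sightings stored. Naive timestamps are treated as UTC."""
        stored = 0
        for ip, ts, reason in records:
            when = datetime.fromisoformat(ts)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            self._sightings[ip].append((when, site, reason))
            stored += 1
        return stored

    def seen_within(self, ip, window, now, min_sites=1):
        """Yes/no: was `ip` reported inside the last `window`, by at least
        `min_sites` distinct sites? Requiring corroboration keeps one site's
        over-eager rejection rule from listing an address on its own."""
        cutoff = now - WINDOWS[window]
        sites = {site for when, site, _ in self._sightings.get(ip, ())
                 if cutoff <= when <= now}
        return len(sites) >= min_sites

    def report(self, ip, now, min_sites=1):
        """All windows at once, e.g. for a front-door MTA check."""
        return {w: self.seen_within(ip, w, now, min_sites) for w in WINDOWS}


# Constructed sightings from two hypothetical sites (documentation-range IPs).
NOW = datetime(2006, 8, 21, 10, 0, tzinfo=timezone.utc)
SITE_A = [
    ("192.0.2.7", "2006-08-21T09:58:00+00:00", "helo_is_our_ip"),
    ("198.51.100.4", "2006-08-21T04:30:00+00:00", "sa_score_high"),
]
SITE_B = [
    ("192.0.2.7", "2006-08-21T09:20:00+00:00", "rbl_listed"),
]


def build_demo_store():
    store = SightingStore()
    store.harvest("site-a.example", SITE_A)
    store.harvest("site-b.example", SITE_B)
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for ip in ("192.0.2.7", "198.51.100.4", "203.0.113.1"):
        print(ip, s.report(ip, NOW), "corroborated:",
              s.seen_within(ip, "hour", NOW, min_sites=2))
```

The `min_sites` argument is the one design choice worth a second look: with it at 1 the store inherits every contributing site's rejection policy, however aggressive; raising it means an address is only answered "yes" once independent sites have seen it within the window, which is what turns a pile of local logs into the "fairly conclusive evidence" the post is after.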


Re: Enumerating the robots?

Posted by DAve <da...@pixelhammer.com>.
jdow wrote:
> From: "DAve" <da...@pixelhammer.com>
> 
>> Loren Wilton wrote:
>>> It was mentioned that several people are getting hammered by 
>>> world-wide robot attacks.  I see from the little spam I get that 
>>> there is a new spam sending tool for robots that is running a stock 
>>> spam.  I suspect the traffic is a combination of distributing the new 
>>> spam tool and sending out the new spam.
>>>
>>> With all this traffic from robots, lots of people here must be 
>>> getting quite a lot of information in their logs about connections 
>>> from robots.  I wonder if there would be value in a central database 
>>> that attempts to enumerate the robots?
>>>
>>> Most of them are probably on dynamic ip.  But if the sending IP and 
>>> attempted connect time could be logged at many sites and combined, 
>>> there would be fairly conclusive evidence that a given IP had been 
>>> sending spam at a particular time.  Perhaps that could be submitted 
>>> to at least some of the more responsible service providers, and they 
>>> could do something to track it back to a customer and send them an 
>>> email that their machine is infected. (Or possibly be even more 
>>> proactive, I suppose.)
>>>
>>> The database might also be usable in front door spam blocking.  Most 
>>> people probably shouldn't be accepting direct connections from 
>>> dynamic ips on someone else's network, especially if that ip has a 
>>> recent history of sending spam (say in the last 6 hours or so).  It 
>>> might be possible to make a server that could provide yes/no answers 
>>> on whether the IP has sent spam in the last minute/hour/6 hours/day 
>>> or so.
>>>
>>> I'd think that such a database could be built almost automatically.  
>>> For instance, if you log the IPs of connection attempts that you 
>>> reject for various problems, you could just harvest those IPs once an 
>>> hour or so to some central site, no human judgement calls required.  
>>> If the mail is accepted and gets a high SA score, and you can still 
>>> determine the sending IP, then that might be automatically harvested 
>>> also.
>>>
>>> Thoughts?  Does something like this have any value?
>>>
>>>        Loren
>>
>> Something like http://dhsield.org, but limited to email instead of all 
>> ports?
> 
> Don't know. (Not going to click on THAT link. It looks like it might
> lead to a typo squatter potentially with malware. {^_-}) But I suspect
> the answer is yes.
> 
> {^_^}
> 
> 

Hmmm, dsheild, dhsield, dshield, six of one half dozen of the other ;^)

DAve

-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

Re: Enumerating the robots?

Posted by jdow <jd...@earthlink.net>.
From: "DAve" <da...@pixelhammer.com>

> Loren Wilton wrote:
>> It was mentioned that several people are getting hammered by world-wide 
>> robot attacks.  I see from the little spam I get that there is a new 
>> spam sending tool for robots that is running a stock spam.  I suspect 
>> the traffic is a combination of distributing the new spam tool and 
>> sending out the new spam.
>> 
>> With all this traffic from robots, lots of people here must be getting 
>> quite a lot of information in their logs about connections from robots.  
>> I wonder if there would be value in a central database that attempts to 
>> enumerate the robots?
>> 
>> Most of them are probably on dynamic ip.  But if the sending IP and 
>> attempted connect time could be logged at many sites and combined, there 
>> would be fairly conclusive evidence that a given IP had been sending 
>> spam at a particular time.  Perhaps that could be submitted to at least 
>> some of the more responsible service providers, and they could do 
>> something to track it back to a customer and send them an email that 
>> their machine is infected. (Or possibly be even more proactive, I suppose.)
>> 
>> The database might also be usable in front door spam blocking.  Most 
>> people probably shouldn't be accepting direct connections from dynamic 
>> ips on someone else's network, especially if that ip has a recent 
>> history of sending spam (say in the last 6 hours or so).  It might be 
>> possible to make a server that could provide yes/no answers on whether 
>> the IP has sent spam in the last minute/hour/6 hours/day or so.
>> 
>> I'd think that such a database could be built almost automatically.  For 
>> instance, if you log the IPs of connection attempts that you reject for 
>> various problems, you could just harvest those IPs once an hour or so to 
>> some central site, no human judgement calls required.  If the mail is 
>> accepted and gets a high SA score, and you can still determine the 
>> sending IP, then that might be automatically harvested also.
>> 
>> Thoughts?  Does something like this have any value?
>> 
>>        Loren
> 
> Something like http://dhsield.org, but limited to email instead of all 
> ports?

Don't know. (Not going to click on THAT link. It looks like it might
lead to a typo squatter potentially with malware. {^_-}) But I suspect
the answer is yes.

{^_^}

Re: Enumerating the robots?

Posted by DAve <da...@pixelhammer.com>.
Loren Wilton wrote:
> It was mentioned that several people are getting hammered by world-wide 
> robot attacks.  I see from the little spam I get that there is a new 
> spam sending tool for robots that is running a stock spam.  I suspect 
> the traffic is a combination of distributing the new spam tool and 
> sending out the new spam.
> 
> With all this traffic from robots, lots of people here must be getting 
> quite a lot of information in their logs about connections from robots.  
> I wonder if there would be value in a central database that attempts to 
> enumerate the robots?
> 
> Most of them are probably on dynamic ip.  But if the sending IP and 
> attempted connect time could be logged at many sites and combined, there 
> would be fairly conclusive evidence that a given IP had been sending 
> spam at a particular time.  Perhaps that could be submitted to at least 
> some of the more responsible service providers, and they could do 
> something to track it back to a customer and send them an email that 
> their machine is infected. (Or possibly be even more proactive, I suppose.)
> 
> The database might also be usable in front door spam blocking.  Most 
> people probably shouldn't be accepting direct connections from dynamic 
> ips on someone else's network, especially if that ip has a recent 
> history of sending spam (say in the last 6 hours or so).  It might be 
> possible to make a server that could provide yes/no answers on whether 
> the IP has sent spam in the last minute/hour/6 hours/day or so.
> 
> I'd think that such a database could be built almost automatically.  For 
> instance, if you log the IPs of connection attempts that you reject for 
> various problems, you could just harvest those IPs once an hour or so to 
> some central site, no human judgement calls required.  If the mail is 
> accepted and gets a high SA score, and you can still determine the 
> sending IP, then that might be automatically harvested also.
> 
> Thoughts?  Does something like this have any value?
> 
>        Loren

Something like http://dhsield.org, but limited to email instead of all 
ports?

DAve


-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

Re: Enumerating the robots?

Posted by mouss <us...@free.fr>.
Loren Wilton wrote:
> It was mentioned that several people are getting hammered by 
> world-wide robot attacks.  I see from the little spam I get that there 
> is a new spam sending tool for robots that is running a stock spam.  I 
> suspect the traffic is a combination of distributing the new spam tool 
> and sending out the new spam.
>
> With all this traffic from robots, lots of people here must be getting 
> quite a lot of information in their logs about connections from 
> robots.  I wonder if there would be value in a central database that 
> attempts to enumerate the robots?

why central? a distributed db is more effective. yes, we'd need a way to 
give trust points to different people, but I find it safer than trusting 
a few secret self-designed groups, be that a "good" group. and it can be 
more dynamic (and it can implement a "natural behaviour" of people).

Re: Enumerating the robots?

Posted by Dennis Davis <D....@bath.ac.uk>.
On Mon, 21 Aug 2006, Loren Wilton wrote:

> From: Loren Wilton <lw...@earthlink.net>
> Resent-From:  D.H.Davis@bath.ac.uk
> To: SpamAssassin Users List <us...@spamassassin.apache.org>
> Resent-To:  ccsdhd@bahamontes.bath.ac.uk
> Date: Mon, 21 Aug 2006 01:09:37 -0700
> Resent-Date:  Mon, 21 Aug 2006 09:11:20 +0100 (BST)
> Subject: Enumerating the robots?
> X-Spam-Score: -2.0 (--)
> 
> It was mentioned that several people are getting hammered
> by world-wide robot attacks.  I see from the little spam I
> get that there is a new spam sending tool for robots that is
> running a stock spam.  I suspect the traffic is a combination of
> distributing the new spam tool and sending out the new spam.
>
> With all this traffic from robots, lots of people here must be
> getting quite a lot of information in their logs about connections
> from robots.  I wonder if there would be value in a central
> database that attempts to enumerate the robots?


I reject a lot of connections using simple HELO tests etc.
For example:

2006-08-22 14:47:33 H=(138.38.32.20) [85.95.65.33] I=[138.38.32.20]:25 F=<cu...@bankofscotland.co.uk> rejected RCPT <XX...@bath.ac.uk>: Imposters are persona non grata.

In this case the connecting IP [85.95.65.33] announced itself as the
IP address [138.38.32.20] of the server to which it was connecting.
The envelope sender <cu...@bankofscotland.co.uk>
almost certainly means this was an attempt to send a phishing scam.

Other tricks used include connecting IPs announcing themselves as
one of the email domains handled by the server to which they're
connecting:

2006-08-22 15:00:08 H=(bath.ac.uk) [201.217.19.209] I=[138.38.32.20]:25 F=<gi...@hotmail.com> rejected RCPT <XX...@bath.ac.uk>: Charlatan, how can you be bath.ac.uk ?

And there seems to be a lot of machines out there that think they're
called "friend".

I'm more than happy to reject stuff using such simple tests[1].  But
placing the connecting IPs in a database is a different matter.  You
might wish to set standards for inclusion.  My "kill 'em all, let
God decide" attitude might not be acceptable to some.

[1] Many such hosts may well be in some of the RBLs I use.  I don't
    know.  These cheap tests are run before examining any of the RBLs
    I use.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@bath.ac.uk               Phone: +44 1225 386101
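
The three cheap HELO tests Dennis describes (a peer announcing itself as our own IP, as one of our domains, or as "friend"), run over log lines in the same `H=(helo) [ip] I=[local_ip]:port` shape his post shows. This is an added example, not code from the thread or from Exim; the regex, the verdict names, the server address 192.0.2.25, the domain example.org and the sample lines are all constructed for it.

```python
"""Added example (not from the thread or from Exim): the cheap HELO checks
described above, applied to log lines in the shape quoted in the post.
Regex, verdict names, our IP/domain and the sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# H=[rdns ](helo) [peer_ip] ... I=[local_ip]:port
HOST_RE = re.compile(
    r"H=(?:(?P<rdns>[^\s(]+)\s)?\((?P<helo>[^)]*)\)\s\[(?P<ip>[^\]]+)\]"
    r".*?I=\[(?P<local_ip>[^\]]+)\]:(?P<port>\d+)"
)


@dataclass
class Connection:
    helo: str
    ip: str             # the peer that actually connected
    local_ip: str       # our interface it connected to
    rdns: Optional[str]  # reverse DNS name, when the MTA logged one


def parse_exim_line(line: str) -> Optional[Connection]:
    """Pull the HELO name, peer IP and local IP out of one log line."""
    m = HOST_RE.search(line)
    if not m:
        return None
    return Connection(helo=m["helo"], ip=m["ip"],
                      local_ip=m["local_ip"], rdns=m["rdns"])


def helo_verdict(conn: Connection, our_ips, our_domains) -> Optional[str]:
    """Return a reason string when the HELO name is a claim the peer cannot
    honestly make, or None when the cheap tests pass."""
    helo = conn.helo.strip().lower().strip("[]")  # accept address literals too
    if helo == conn.local_ip or helo in our_ips:
        return "helo_claims_our_ip"
    if helo in our_domains:
        return "helo_claims_our_domain"
    if helo == "friend":
        return "helo_generic_name"
    return None


def scan(lines, our_ips, our_domains) -> List[Tuple[str, str]]:
    """(peer ip, verdict) for every flagged line; clean lines are skipped."""
    flagged = []
    for line in lines:
        conn = parse_exim_line(line)
        if conn is None:
            continue
        verdict = helo_verdict(conn, our_ips, our_domains)
        if verdict:
            flagged.append((conn.ip, verdict))
    return flagged


# Constructed configuration and sample lines (documentation-range addresses).
OUR_IPS = {"192.0.2.25"}
OUR_DOMAINS = {"example.org"}
SAMPLE_LINES = [
    "2006-08-22 14:47:33 H=(192.0.2.25) [203.0.113.33] I=[192.0.2.25]:25 "
    "F=<spoof@bank.example> rejected RCPT <user@example.org>: Imposters are persona non grata.",
    "2006-08-22 15:00:08 H=(example.org) [203.0.113.209] I=[192.0.2.25]:25 "
    "F=<someone@hotmail.example> rejected RCPT <user@example.org>: Charlatan, how can you be example.org ?",
    "2006-08-22 15:02:11 H=(friend) [203.0.113.77] I=[192.0.2.25]:25 "
    "F=<x@y.example> rejected RCPT <user@example.org>: generic HELO",
    "2006-08-22 15:05:42 H=mail.partner.example (mail.partner.example) [198.51.100.10] I=[192.0.2.25]:25 "
    "F=<a@partner.example> rejected RCPT <nobody@example.org>: Unknown user",
]

if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LINES, OUR_IPS, OUR_DOMAINS):
        print(ip, why)
```

The fourth sample line is rejected for an unrelated reason (unknown user) and comes from a peer with a consistent name, so `scan` leaves it out; that is the distinction the post draws between "I reject it" and "it belongs in a shared database", since only the first three verdicts say anything about the peer itself.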

Re: Enumerating the robots?

Posted by John Andersen <js...@pen.homeip.net>.
On Monday 21 August 2006 00:09, Loren Wilton wrote:
> The database might also be usable in front door spam blocking.  Most people
> probably shouldn't be accepting direct connections from dynamic ips on
> someone else's network, especially if that ip has a recent history of
> sending spam (say in the last 6 hours or so).  It might be possible to make
> a server that could provide yes/no answers on whether the IP has sent spam
> in the last minute/hour/6 hours/day or so.
>
> I'd think that such a database could be built almost automatically.  For
> instance, if you log the IPs of connection attempts that you reject for
> various problems, you could just harvest those IPs once an hour or so to
> some central site, no human judgement calls required.  If the mail is
> accepted and gets a high SA score, and you can still determine the sending
> IP, then that might be automatically harvested also.

It sounds a lot more reasonable than arbitrarily blocking all dynamic IPs.
(Group punishment seems to be politically incorrect everywhere except among
mail nazis.)

It would be cool if it could be set up like Razor where it was easy to 
report.  (Come to think of it, you could do it thru Razor by just contriving 
a mail containing ONLY the DNS, and reporting that to Razor.)

Side Note:
Dynamic IPs are not all that dynamic any more with the increasing penetration
of broadband.  I've had the same IP for over a year now on some of my cable 
modems.  Even if I shell out for a static, I can't buy the reverse as my ISP
does not offer that, so I get tagged as a dynamic IP and can't send to
some people.  I have to forward a lot of it thru my unreliable ISP's
overworked mail server. 

-- 
_____________________________________
John Andersen