Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2007/08/28 16:53:28 UTC

An interesting way to detect spambots

I'm doing some interesting experimenting and discovered an interesting 
way to detect spam bots. It appears that spam bots cache DNS far longer 
than ordinary. And that is detectable.

As you know I use several fake high numbered MX records to fool spam 
bots into hitting the back door and going away. What most people don't 
yet know is that isn't all I do. I actually harvest the spam, return a 
fake reject 550 before the final quit (an Exim feature) and forward the 
spam off to several blacklists for harvesting, including my own blacklist.

What I'm trying now is changing the high fake MX IP addresses to a 
different group of fake IP addresses. My TTL is 5 hours and under normal 
conditions mail servers shouldn't be hitting the fake MX at all, but what 
I'm seeing is that even after the fake IPs are replaced with a new set 
that spam bots continue to hit the old fake IP addresses, even several 
days later.

I'm thinking that by using shifting IP patterns that one could harvest 
spam bot IP addresses directly into blacklists with very high confidence 
that good email servers would never go to expired fake high MX records. 
I'm doing it on my blacklist which has grown to about 300,000 entries, 
and I only keep 3 days of data.

Who finds this concept interesting?


Re: An interesting way to detect spambots

Posted by Marc Perkel <ma...@perkel.com>.
continued ....

It appears that spam bots do their own DNS caching. That reduces DNS 
calls and lets them send more spam over the same low bandwidth 
connection. You might have noticed that if you change the MX record for a 
domain that the old IP is still hit with spam sometimes weeks later. I 
think once a spam bot looks up an IP that it uses the same one until the 
infected computer is rebooted.

The point here is that only spammers would be attempting to send spam to 
expired high numbered MX records when low numbered MX records are working. 
If many traps like this were set up we could very quickly detect 
millions of spam bots.

I'm watching my system work now and it catches a new one every 2 seconds 
even after 3 days since I changed the IP addresses of my fake MX records.
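The detection rule described in the two posts above (a source that still delivers to a fake high-numbered MX address after that address has been rotated out and its 5-hour TTL has lapsed is treated as a spambot, and entries are kept for three days), written up as an added Python example that is not code from the thread or from Marc's system. The addresses, rotation times and log lines are constructed for the example; the log format is an assumed "timestamp source destination" line.

```python
from datetime import datetime, timedelta

# All addresses, times and log lines below are constructed for this example.
DNS_TTL = timedelta(hours=5)        # TTL of the fake MX records in the thread
RETENTION = timedelta(days=3)       # the thread keeps three days of blacklist data

# Retired fake high-numbered MX addresses and the moment each was swapped out.
# Two rotation rounds are shown, matching the idea of shifting IP patterns.
RETIRED_FAKE_MX = {
    "192.0.2.10": datetime(2007, 8, 25, 12, 0),
    "192.0.2.11": datetime(2007, 8, 22, 12, 0),
}

# Constructed connection log: "<ISO timestamp> <source IP> <destination IP>".
SAMPLE_LOG = [
    "2007-08-25T13:00:00 203.0.113.5 192.0.2.10",     # 1 h after swap: inside TTL grace
    "2007-08-24T09:00:00 203.0.113.6 192.0.2.11",     # expired hit, but older than 3 days
    "2007-08-27T03:00:00 203.0.113.7 192.0.2.11",     # expired fake MX: stale bot cache
    "2007-08-28T10:00:00 203.0.113.7 192.0.2.10",     # same bot, still using old IPs
    "2007-08-28T11:00:00 203.0.113.8 198.51.100.20",  # live MX: normal mail, ignored
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def is_expired_hit(dst_ip, when):
    """True when dst_ip is a retired fake MX and its TTL had already run out at
    `when`. A resolver honouring the TTL would have refreshed by then, so only a
    sender with its own stale DNS cache keeps delivering to this address."""
    retired_at = RETIRED_FAKE_MX.get(dst_ip)
    return retired_at is not None and when > retired_at + DNS_TTL

def harvest(log_lines, now):
    """Return {source IP: last expired hit} for hits inside the retention window,
    the raw material for the blacklist described in the thread."""
    caught = {}
    for line in log_lines:
        ts, src, dst = line.split()
        when = parse_ts(ts)
        if now - when > RETENTION:      # drop data older than three days
            continue
        if is_expired_hit(dst, when):
            caught[src] = max(when, caught.get(src, when))
    return caught

if __name__ == "__main__":
    for src, seen in harvest(SAMPLE_LOG, parse_ts("2007-08-28T12:00:00")).items():
        print(f"{src} last hit an expired fake MX at {seen:%Y-%m-%d %H:%M}")
```

Only 203.0.113.7 is listed: the hit inside the TTL grace period and the one older than the retention window are both discarded.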

Re: R: An interesting way to detect spambots

Posted by Jim Maul <jm...@elih.org>.
John D. Hardin wrote:
> On Tue, 28 Aug 2007, Giampaolo Tomassoni wrote:
> 
>>> -----Original message-----
>>> From: jm@jmason.org [mailto:jm@jmason.org]
>>>
>>> Marc Perkel writes:
>>>> Who finds this concept interesting?
>>> SPAM-L.  This is OT for this list.
>> Right, Justin, but I see that threads about general anti-spam
>> techniques are tolerated in this list.
> 
> For a lot of people that toleration is wearing thin.
> 

Especially after Marc's website... wow.


Re: R: An interesting way to detect spambots

Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 28 Aug 2007, Giampaolo Tomassoni wrote:

> > -----Original message-----
> > From: jm@jmason.org [mailto:jm@jmason.org]
> > 
> > Marc Perkel writes:
> > > Who finds this concept interesting?
> > 
> > SPAM-L.  This is OT for this list.
> 
> Right, Justin, but I see that threads about general anti-spam
> techniques are tolerated in this list.

For a lot of people that toleration is wearing thin.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Taking my gun away because I *might* shoot someone is like cutting
  my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                  -- Peter Venetoklis
-----------------------------------------------------------------------
 Today: Exercise Your Rights day


R: An interesting way to detect spambots

Posted by Giampaolo Tomassoni <g....@libero.it>.
> -----Original message-----
> From: jm@jmason.org [mailto:jm@jmason.org]
> 
> 
> Marc Perkel writes:
> > Who finds this concept interesting?
> 
> SPAM-L.  This is OT for this list.

Right, Justin, but I see that threads about general anti-spam techniques are
tolerated in this list. After all, these talks may be interesting to most of
us. 

Giampaolo


> 
> --j.