Posted to users@spamassassin.apache.org by Raul Dias <ra...@dias.com.br> on 2007/01/27 04:04:12 UTC

Poor man's high MX spam Trap

Hi,

This is what I did to flag spam that goes to the Highest MX server
without having a secondary MX.

First you need a different valid IP address for your SMTP, let's say
20.43.15.256. ;) 

Add this IP as an alias to your network interface.
# /sbin/ip address add 20.43.15.256/24 brd + dev eth0 label eth0:mx2

Give the IP address a valid hostname and register it as MX.
....
@	IN	MX	10000	mx2.domain.
mx2	IN	A	20.43.15.256
...
Not forgetting the reverse:
---
256	IN	PTR	mx2.domain.
---
And pumping the serials.

Now add a custom header in the SMTP to find which IP address was used.
In the case of sendmail this will do in a mc file:
-----------
dnl Custom Headers

LOCAL_CONFIG
HX-Name-Your-Header-Here: ${if_addr}
--------

At this point you will have a fake high MX and the messages will be
flagged by the ip used on the connection.

Now write your rule:
-----
header          MX_TRAP     X-Name-Your-Header-Here =~ /20\.43\.15\.256/
describe        MX_TRAP     Message sent to the MX trap
score           MX_TRAP     4
-----

Of course, adjust the score accordingly.  After much testing, I never got a
HAM in the high MX.

In case you want to monitor what is being flagged, if you use procmail,
you can try:
------------
# High MX trap
:0 c
* ^X-Name-Your-Header-Here: 20\.43\.15\.256
/path/to/somewhere/mx2.mbox
-----------

This will create a copy of every hit in the high MX even if not using SA
to catch it yet.  So you may decide on how to proceed after checking it
out with some MUA, like mutt.

This is not the most elegant solution.  As this accomplished what I
needed I stopped here.  A better solution would be to write a plugin
that could check the high MX IP via Net::DNS for example (something like
WrongMX does).  However, after taking all the non-SA steps, the hand-made
rule is faster.



-Raul Dias
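As an added illustration (not code from the post or from SpamAssassin), the two halves of the scheme above in one Python script: deriving the "trap" address from a domain's MX records the way a Net::DNS-based plugin would (the highest preference number is the last-resort MX), and scoring a message by the custom header the MTA stamps with the receiving address. The header name is the post's placeholder, the MX/A data and the messages are constructed with TEST-NET-1 addresses, and the `resolve` callable stands in for a real A lookup. The edge case handled beyond the post: a domain with a single preference value has no distinct last-resort MX, so no address is treated as a trap.

```python
# Added example, not part of the original post: classify a message by the
# MX address it was received on, and derive that address from MX records.
import ipaddress
from email import message_from_string

# Placeholder header name from the post; choose your own in production.
TRAP_HEADER = "X-Name-Your-Header-Here"


def highest_mx_ips(mx_records, resolve):
    """Return the IP addresses of the MX host(s) with the largest preference
    number, i.e. the last-resort MX.  mx_records is an iterable of
    (preference, hostname); resolve maps a hostname to a list of IP strings
    (a stand-in for the A lookup a Net::DNS plugin would do).
    If every MX shares one preference there is no distinct last-resort host,
    so nothing is returned rather than flagging the real MX."""
    records = list(mx_records)
    if len({pref for pref, _ in records}) < 2:
        return set()
    worst = max(pref for pref, _ in records)
    ips = set()
    for pref, host in records:
        if pref == worst:
            ips.update(ipaddress.ip_address(a) for a in resolve(host))
    return ips


def mx_trap_score(raw_message, trap_ips, score=4.0):
    """Mirror of the post's MX_TRAP rule: award `score` when the MTA-added
    header names one of the trap addresses; 0.0 when the header is missing
    or does not hold a parseable IP address."""
    msg = message_from_string(raw_message)
    value = msg.get(TRAP_HEADER)
    if value is None:
        return 0.0
    try:
        seen = ipaddress.ip_address(value.strip())
    except ValueError:
        return 0.0
    return score if seen in trap_ips else 0.0


# Constructed zone data (documentation addresses, not real hosts).
ZONE_MX = [(10, "mx1.example.net"), (10000, "mx2.example.net")]
ZONE_A = {"mx1.example.net": ["192.0.2.10"], "mx2.example.net": ["192.0.2.20"]}

TRAP_IPS = highest_mx_ips(ZONE_MX, lambda host: ZONE_A.get(host, []))

# Constructed sample messages: one via the trap MX, one via the real MX,
# one with no header at all (e.g. locally injected mail).
MSG_TRAP = "X-Name-Your-Header-Here: 192.0.2.20\nSubject: hi\n\nbody\n"
MSG_NORMAL = "X-Name-Your-Header-Here: 192.0.2.10\nSubject: hi\n\nbody\n"
MSG_NOHDR = "Subject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, m in (("trap", MSG_TRAP), ("normal", MSG_NORMAL), ("nohdr", MSG_NOHDR)):
        print(name, mx_trap_score(m, TRAP_IPS))
```

Swap `resolve` for a real resolver call and the MX list for a live query and the same two functions give you the dynamic version of the rule; the static SA rule in the post remains the cheaper choice when the trap address never changes.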


Re: Poor man's high MX spam Trap

Posted by Peter Russell <pe...@enitech.com.au>.

John D. Hardin wrote:
> On Mon, 29 Jan 2007, John Rudd wrote:
> 
>> John D. Hardin wrote:
>>> Or if you *really* want to be cruel, point it to a box where an SMTP 
>>> tarpit is running...
>> Wouldn't that cause legit mail to go to the tarpit?
> 
> If you were lax in setting this up, possibly. You'd want to have a few 
> *real* backup MX hosts in line before your very-low-priority tarpit.
> 
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   Liberals love sex ed because it teaches kids to be safe around their
>   sex organs. Conservatives love gun education because it teaches kids
>   to be safe around guns. However, both believe that the other's
>   education goals lead to dangers too terrible to contemplate.
> -----------------------------------------------------------------------
>  3 days until The 4th anniversary of the loss of STS-107 Columbia
> 
> 


We have 2 MX hosts and the second has 98% spam, but it's all very high 
scoring spam and easy to stop. Does it make more sense to have something 
like:

mx1 10 non.answering.host
mx2 20 answering host
mx3 30 answering host
mx4 40 non.answering.host

Do spammers look for a specifically weighted MX, e.g. always weight 20, 
or do they look for the lowest weighted?


Re: Poor man's high MX spam Trap

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 29 Jan 2007, John Rudd wrote:

> John D. Hardin wrote:
> > 
> > Or if you *really* want to be cruel, point it to a box where an SMTP 
> > tarpit is running...
> 
> Wouldn't that cause legit mail to go to the tarpit?

If you were lax in setting this up, possibly. You'd want to have a few 
*real* backup MX hosts in line before your very-low-priority tarpit.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
-----------------------------------------------------------------------
 3 days until The 4th anniversary of the loss of STS-107 Columbia


Re: Poor man's high MX spam Trap

Posted by John Rudd <jr...@ucsc.edu>.
John D. Hardin wrote:
> Marc Perkel wrote:
>> Michael Scheidell wrote:
>>> Raul Dias wrote:
>>>> On Sun, 2007-01-28 at 22:26 -0500, Michael Scheidell wrote:
>>>>
>>>>> Better yet, just block port 25 TO that ip address and spammers will not
>>>>> even get the chance t send you spam.  They just try for the highest mx
>>>>> and give up.
>>>> fake.domain have no ip address
>>>   
>>> Watch out for www.rfc-ignorant.org... if 'no ip address', you could 
>>> get your domain blacklisted.
>> You might want to point your bogus MX to a real IP with port 25 closed.
> 
> Or if you *really* want to be cruel, point it to a box where an SMTP 
> tarpit is running...
> 

Wouldn't that cause legit mail to go to the tarpit?

Re: Poor man's high MX spam Trap

Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 29 Jan 2007, Marc Perkel wrote:

> John D. Hardin wrote:
> >
> > Or if you *really* want to be cruel, point it to a box where an SMTP 
> > tarpit is running...
> 
> The tarpit would work except for braindead Qmail servers which
> would never try other MX records if the lowest MX responds at all.
> There's a lot of things you can't do with the lowest MX because
> Qmail isn't RFC compatible.

...hence the "cruel".

If enough people did this maybe qmail would become RFC-compliant. >:)



Re: Poor man's high MX spam Trap

Posted by Marc Perkel <ma...@perkel.com>.

John D. Hardin wrote:
> Marc Perkel wrote:
>   
>> Michael Scheidell wrote:
>>     
>>> Raul Dias wrote:
>>>       
>>>> On Sun, 2007-01-28 at 22:26 -0500, Michael Scheidell wrote:
>>>>
>>>>         
>>>>> Better yet, just block port 25 TO that ip address and spammers will not
>>>>> even get the chance t send you spam.  They just try for the highest mx
>>>>> and give up.
>>>>>           
>>>> fake.domain have no ip address
>>>>         
>>>   
>>> Watch out for www.rfc-ignorant.org... if 'no ip address', you could 
>>> get your domain blacklisted.
>>>       
>> You might want to point your bogus MX to a real IP with port 25 closed.
>>     
>
> Or if you *really* want to be cruel, point it to a box where an SMTP 
> tarpit is running...
>
>
>   

The tarpit would work except for braindead Qmail servers which would 
never try other MX records if the lowest MX responds at all. There's a 
lot of things you can't do with the lowest MX because Qmail isn't RFC 
compatible.


Re: Poor man's high MX spam Trap

Posted by "John D. Hardin" <jh...@impsec.org>.
Marc Perkel wrote:
> Michael Scheidell wrote:
>> Raul Dias wrote:
>>> On Sun, 2007-01-28 at 22:26 -0500, Michael Scheidell wrote:
>>>
>>>> Better yet, just block port 25 TO that ip address and spammers will not
>>>> even get the chance t send you spam.  They just try for the highest mx
>>>> and give up.
>>>
>>> fake.domain have no ip address
>>   
>> Watch out for www.rfc-ignorant.org... if 'no ip address', you could 
>> get your domain blacklisted.
>
> You might want to point your bogus MX to a real IP with port 25 closed.

Or if you *really* want to be cruel, point it to a box where an SMTP 
tarpit is running...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Men by their constitutions are naturally divided in to two parties:
  1. Those who fear and distrust the people and wish to draw all
  powers from them into the hands of the higher classes. 2. Those who
  identify themselves with the people, have confidence in them,
  cherish and consider them as the most honest and safe, although not
  the most wise, depository of the public interests.
					          -- Thomas Jefferson
-----------------------------------------------------------------------
 3 days until The 4th anniversary of the loss of STS-107 Columbia


Re: Poor man's high MX spam Trap

Posted by Richard Frovarp <Ri...@sendit.nodak.edu>.
Marc Perkel wrote:
>
>
> Michael Scheidell wrote:
>> Raul Dias wrote:
>>> On Sun, 2007-01-28 at 22:26 -0500, Michael Scheidell wrote:
>>>
>>>   
>>>> Better yet, just block port 25 TO that ip address and spammers will not
>>>> even get the chance t send you spam.  They just try for the highest mx
>>>> and give up.
>>>>     
>>>
>>> Because some of them will try a lower MX then.
>>>
>>> Right now, I am experiencing this:
>>>
>>> @ MX 1 fake.domain
>>> @ MX 10 real.domain
>>> @ MX 100 mx2.domain
>>> @ MX 1000 fake.domain
>>>
>>> fake.domain have no ip address
>>>   
>> Watch out for www.rfc-ignorant.org... if 'no ip address', you could 
>> get your domain blacklisted.
>>
>>
> You might want to point your bogus MX to a real IP with port 25 closed.
>

Or if you have a virtual server with extra horsepower, put a selective 
firewall in and let your local SMTPs through. Give them a fast lane for 
those times when the normally available MXs are a bit over loaded.

Re: Poor man's high MX spam Trap

Posted by Marc Perkel <ma...@perkel.com>.

Michael Scheidell wrote:
> Raul Dias wrote:
>> On Sun, 2007-01-28 at 22:26 -0500, Michael Scheidell wrote:
>>
>>   
>>> Better yet, just block port 25 TO that ip address and spammers will not
>>> even get the chance t send you spam.  They just try for the highest mx
>>> and give up.
>>>     
>>
>> Because some of them will try a lower MX then.
>>
>> Right now, I am experiencing this:
>>
>> @ MX 1 fake.domain
>> @ MX 10 real.domain
>> @ MX 100 mx2.domain
>> @ MX 1000 fake.domain
>>
>> fake.domain have no ip address
>>   
> Watch out for www.rfc-ignorant.org... if 'no ip address', you could 
> get your domain blacklisted.
>
>
You might want to point your bogus MX to a real IP with port 25 closed.


Re: Poor man's high MX spam Trap

Posted by Michael Scheidell <sc...@secnap.net>.
Raul Dias wrote:
> On Sun, 2007-01-28 at 22:26 -0500, Michael Scheidell wrote:
>
>   
>> Better yet, just block port 25 TO that ip address and spammers will not
>> even get the chance t send you spam.  They just try for the highest mx
>> and give up.
>>     
>
> Because some of them will try a lower MX then.
>
> Right now, I am experiencing this:
>
> @ MX 1 fake.domain
> @ MX 10 real.domain
> @ MX 100 mx2.domain
> @ MX 1000 fake.domain
>
> fake.domain have no ip address
>   
Watch out for www.rfc-ignorant.org... if 'no ip address', you could get
your domain blacklisted.

> mx2.domain is the fake mx that points to real.domain.
>
> Good results so far.
>
> -Raul Dias
>
>   


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell@secnap.net  / 1+561-999-5000, x 1131



----------------------------------------------------------------- 
This email has been scanned and certified safe by SpammerTrap(tm) 
For Information please see http://www.spammertrap.com 
----------------------------------------------------------------- 


RE: Poor man's high MX spam Trap

Posted by Raul Dias <ra...@dias.com.br>.
On Sun, 2007-01-28 at 22:26 -0500, Michael Scheidell wrote:

> Better yet, just block port 25 TO that ip address and spammers will not
> even get the chance t send you spam.  They just try for the highest mx
> and give up.

Because some of them will try a lower MX then.

Right now, I am experiencing this:

@ MX 1 fake.domain
@ MX 10 real.domain
@ MX 100 mx2.domain
@ MX 1000 fake.domain

fake.domain have no ip address
mx2.domain is the fake mx that points to real.domain.

Good results so far.

-Raul Dias


RE: Poor man's high MX spam Trap

Posted by Michael Scheidell <sc...@secnap.net>.
 

> -----Original Message-----
> From: Raul Dias [mailto:raul@dias.com.br] 
> Sent: Friday, January 26, 2007 10:04 PM
> To: users@spamassassin.apache.org
> Subject: Poor man's high MX spam Trap
> 
> Hi,
> 
> This is what I did to flag spam that goes to the Highest MX 
> server without having a secondary MX.
> 
> First you need a different valid IP address for you SMTP, 
> lets say 20.43.15.256. ;)

Better yet, just block port 25 TO that ip address and spammers will not
even get the chance t send you spam.  They just try for the highest mx
and give up.




RE: Poor man's high MX spam Trap

Posted by Raul Dias <ra...@dias.com.br>.
On Sat, 2007-01-27 at 08:01 -0500, Dan Barker wrote:
> I don't understand the use of an invalid IP address. Additionally, my
> version of the "ip" command requires syntactically correct dotted decimal ip
> numbers (Well, who'd a thunk it - it DOES accept the .256 octet. Of course,
> it goes in as .0)

Substitute that for an aliased IP address on your server that can be reached from
the outside.

-Raul Dias


Re: Poor man's high MX spam Trap

Posted by Yves Goergen <no...@unclassified.de>.
On 27.01.2007 14:01 CE(S)T, Dan Barker wrote:
> I don't understand the use of an invalid IP address.

Wasn't that just a funny example? Use "1.2.3.4" instead if you feel
better then. :) Though it could be that 1.2.3.4 must resolve to your
machine then, I'm not sure.

-- 
Yves Goergen "LonelyPixel" <no...@unclassified.de>
Visit my web laboratory at http://beta.unclassified.de

RE: Poor man's high MX spam Trap

Posted by Dan Barker <db...@visioncomm.net>.
I don't understand the use of an invalid IP address. Additionally, my
version of the "ip" command requires syntactically correct dotted decimal ip
numbers (Well, who'd a thunk it - it DOES accept the .256 octet. Of course,
it goes in as .0)

Dan

# ip address add 20.43.15.256/24 brd + dev eth0 label eth0:mx2
# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:4c:90:05:8d brd ff:ff:ff:ff:ff:ff
    inet 74.254.46.138/27 brd 74.254.46.159 scope global eth0
    inet 20.43.15.0/24 brd 20.43.15.255 scope global eth0:mx2th1
# ip addr del 20.43.15.0 dev eth0
#
