Posted to users@spamassassin.apache.org by Magnus Holmgren <ho...@lysator.liu.se> on 2005/11/17 19:04:06 UTC
OT: Spammers' reactions to rejection
Spammers need to clean their address lists once in a while, lest they
end up with a very low proportion of valid addresses, right?
Question: Is there any knowledge as to how spammers deal with different
kinds of failure? Does it matter if I reject the RCPT command or the
MAIL command, or even drop the connection right away (e.g. if the remote
host is found in SBL)? Does it matter if the remote host is a zombie or
owned (not pwn3d) by the spammer?
Most spammers don't treat temporary failures specially, so you might
suspect that they wouldn't care much about exactly what went wrong --
just whether their message was accepted or not. Nevertheless, I
currently do all rejection before DATA at RCPT, none upon connection,
HELO or MAIL. At least it's the only way not to hinder the food for the
spamtraps (except having all spamtraps in a separate domain with a
separate MX).
What do you say?
--
Magnus Holmgren
Re: OT: Spammers' reactions to rejection
Posted by Kai Schaetzl <ma...@conactive.com>.
Magnus Holmgren wrote on Thu, 17 Nov 2005 19:04:06 +0100:
> Spammers need to clean their address lists once in a while, lest they
> end up with a very low proportion of valid addresses, right?
They do not care at all, at least not those which make up the majority
of spam. They don't even care that they can't deliver a single mail for
years to whole domains. I have a customer who got joe-jobbed about two
years ago (= spam mail that was sent with his domain as sender). The
influx of bounces from these was so high we had to take the domain not
only off the mail but also off DNS (by moving his DNS records right away to
the registry, which is possible in Germany). When I checked a year later we
were still getting something like 50.000 bounces a day, so I deactivated
him again. I just tried again and have already received nearly 10.000
delivery attempts (spam, not bounces this time) during the last hours. As
Matt says, all of that are dictionary attacks. That domain was pointing to
127.0.0.1 for two years, nevertheless they spam at it in incredible
masses.
What makes me wonder the most is why there are a few domains which so
heavily attract spammers for years and in such big numbers. This domain
doesn't have anything special about it and is not widely known. If other
domains only got ten per cent of that spam they would already be
more or less useless.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: OT: Spammers' reactions to rejection
Posted by jdow <jd...@earthlink.net>.
From: "Kelson" <ke...@speed.net>
> Magnus Holmgren wrote:
>> Question: Is there any knowledge as to how spammers deal with different
>> kinds of failure? Does it matter if I reject the RCPT command or the
>> MAIL command, or even drop the connection right away
>
> I'm sure it depends on the spammer, but a while back I started looking
> at the logs for "User unknown" rejections, and found a number of
> accounts that had been dead for *years* were still getting hammered with
> incoming mail. I turned them back on, unsubscribed from everything for
> a few months to weed out any legitimate mailing lists that the old users
> might have subscribed to, and eventually turned them into spam traps to
> collect training data for Bayes, Razor, etc.
>
> So at least some spammers ignore rejections entirely.
I like your style, Kelson.
{^_-}
Re: OT: Spammers' reactions to rejection
Posted by Matt Kettler <mk...@comcast.net>.
At 04:09 PM 11/18/2005, Vivek Khera wrote:
>On Nov 17, 2005, at 2:05 PM, Kelson wrote:
>
>>incoming mail. I turned them back on, unsubscribed from everything
>>for a few months to weed out any legitimate mailing lists that the
>>old users might have subscribed to, and eventually turned them into
>>spam
>
>I would vote that these "legitimate mailing list" are not so
>legitimate if they can't clean up bounces after several years of
>getting them.
True, but the difference between legit and "not so legit" is largely
irrelevant.
You can't train the "not so legit" commercial emails as spam or blacklist
the domain without having a user who's pissed off because SA's bayes
training now thinks all mail from (insert major online store here) is spam.
You'd really be surprised how many major names suffer from this.
Re: OT: Spammers' reactions to rejection
Posted by Dave Pooser <da...@pooserville.com>.
> I would vote that these "legitimate mailing list" are not so
> legitimate if they can't clean up bounces after several years of
> getting them.
Legitimate != well-run.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"In our family, happy usually involves gunfire and at least
two patrol cars showing up." --SomethingPositive.net
Re: OT: Spammers' reactions to rejection
Posted by Vivek Khera <vi...@khera.org>.
On Nov 17, 2005, at 2:05 PM, Kelson wrote:
> incoming mail. I turned them back on, unsubscribed from everything
> for a few months to weed out any legitimate mailing lists that the
> old users might have subscribed to, and eventually turned them into
> spam
I would vote that these "legitimate mailing list" are not so
legitimate if they can't clean up bounces after several years of
getting them.
Re: OT: Spammers' reactions to rejection
Posted by Kelson <ke...@speed.net>.
Magnus Holmgren wrote:
> Question: Is there any knowledge as to how spammers deal with different
> kinds of failure? Does it matter if I reject the RCPT command or the
> MAIL command, or even drop the connection right away
I'm sure it depends on the spammer, but a while back I started looking
at the logs for "User unknown" rejections, and found a number of
accounts that had been dead for *years* were still getting hammered with
incoming mail. I turned them back on, unsubscribed from everything for
a few months to weed out any legitimate mailing lists that the old users
might have subscribed to, and eventually turned them into spam traps to
collect training data for Bayes, Razor, etc.
So at least some spammers ignore rejections entirely.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
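Kelson's approach of mining "User unknown" rejections for long-dead accounts that are still being hammered can be automated. The following is an added example, not code from the thread or from SpamAssassin: it parses constructed Postfix-style smtpd reject lines (the addresses, hosts and timestamps are made up) and reports recipients rejected repeatedly from several sending IPs, which are the natural spamtrap candidates.

```python
"""Find dead recipients still hammered with mail, from smtpd reject logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines imitating Postfix smtpd "User unknown" rejects
# (abbreviated; no real hosts or addresses). The last line is an accepted
# connection and must be ignored by the parser.
SAMPLE_LOG = """\
Nov 15 03:12:01 mx postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <oldguy@example.org>: Recipient address rejected: User unknown in local recipient table;
Nov 15 03:14:22 mx postfix/smtpd[2002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <oldguy@example.org>: Recipient address rejected: User unknown in local recipient table;
Nov 16 11:40:09 mx postfix/smtpd[2003]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown in local recipient table;
Nov 17 14:05:00 mx postfix/smtpd[2004]: NOQUEUE: reject: RCPT from unknown[203.0.113.3]: 550 5.1.1 <OldGuy@example.org>: Recipient address rejected: User unknown in local recipient table;
Nov 17 14:05:01 mx postfix/smtpd[2005]: 3A1B2C3D4E: client=mail.example.com[192.0.2.50]
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 \S+ "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_user_unknown(log_text, year=2005):
    """Return (timestamp, client_ip, recipient) per 'User unknown' rejection."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # accepted mail, other rejections, unrelated noise
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append((ts, m["ip"], m["rcpt"].lower()))
    return records


def spamtrap_candidates(records, min_hits=2, min_sources=2):
    """Group rejections per recipient and keep addresses hit repeatedly from
    several distinct client IPs: dead accounts still on somebody's list."""
    per_rcpt = defaultdict(lambda: {"hits": 0, "sources": set(), "ts": []})
    for ts, ip, rcpt in records:
        s = per_rcpt[rcpt]
        s["hits"] += 1
        s["sources"].add(ip)
        s["ts"].append(ts)
    return {
        r: {"hits": s["hits"], "sources": len(s["sources"]),
            "span_days": (max(s["ts"]) - min(s["ts"])).days}
        for r, s in per_rcpt.items()
        if s["hits"] >= min_hits and len(s["sources"]) >= min_sources
    }
```

Single-hit addresses (like the typo above) are dropped so that one mis-typed recipient does not become a trap; in real use the span_days figure is what separates a stale address on a spammer's list from a transient mistake.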
Re: [sa-list] OT: Spammers' reactions to rejection
Posted by Kai Schaetzl <ma...@conactive.com>.
Kris Deugau wrote on Fri, 18 Nov 2005 12:54:54 -0500:
> A nice thought, but absolutely useless in the case where you receive any
> volume of mail from a host running qmail. :(
Doesn't it try to deliver the rest a bit later? After all, it should
recognize that it was able to deliver a few ...
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: [sa-list] Re: OT: Spammers' reactions to rejection
Posted by Kris Deugau <kd...@vianet.ca>.
"Dan Mahoney, System Admin" wrote:
> Three firewall rules I think nobody should live without:
>
> 1) ipfw add 500 allow tcp from any to me 25 limit src-addr 2 setup
>
> Yup, you read that right. Limits tcp connections to no more than two
> per connecting address. You could probably even drop that to one.
A nice thought, but absolutely useless in the case where you receive any
volume of mail from a host running qmail. :(
qmail, in case you don't know already, does not serialize mail delivery
by reusing a single connection (like just about every other MTA in
existence). One message == one recipient == one connection. >:(
-kgd
--
Get your mouse off of there! You don't know where that email has been!
Re: [sa-list] Re: OT: Spammers' reactions to rejection
Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Thu, 17 Nov 2005, mouss wrote:
Three firewall rules I think nobody should live without:
1) ipfw add 500 allow tcp from any to me 25 limit src-addr 2 setup
Yup, you read that right. Limits tcp connections to no more than two per
connecting address. You could probably even drop that to one.
2) ipfw add 600 allow tcp from any to any 25 uid root
Yeah, seems simple, allows root to connect to other machines on port 25.
Until you come to this:
3) ipfw add 610 deny log logamount 100 tcp from any to any 25 out
Matches AFTER the above rule. Meaning? User processes can't connect to
send outbound mail anymore. They HAVE TO go through the local MTA (where,
presumably, the UID/PID can be logged).
So the next time a user has a crap phpBB or something that lets exploits
through -- I've got that much less to worry about.
-Dan
> Roger Taranto a écrit :
>
>>
>> If it didn't tie up sockets on our machines, it seems like instead of
>> rejecting the mail, we should just hold on to the mail connection for as
>> long as possible. It wouldn't take too long to tie up all of their
>> outbound connections and back up their mail server. Unfortunately, it
>> punishes our mail servers, too. :(
>>
>
> one way for that would be to "pass the descriptor" to a light process that
> will only keep them connected. for example setting the tcp window to zero.
> now, this would only be safe if you modify the tcp stack to do that without
> keeping too much infos.
>
> On the other hand, they have so much bandwidth/power available via zombies
> that this seems like playing a self-dos game.
>
--
"I wish the Real World would just stop hassling me!"
-Matchbox 20, Real World, off the album "Yourself or Someone Like You"
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Re: OT: Spammers' reactions to rejection
Posted by Theodore Heise <th...@heise.nu>.
On Thu, 17 Nov 2005, mouss wrote:
> Roger Taranto a écrit :
>
>>
>> If it didn't tie up sockets on our machines, it seems like instead of
>> rejecting the mail, we should just hold on to the mail connection for as
>> long as possible. It wouldn't take too long to tie up all of their
>> outbound connections and back up their mail server. Unfortunately, it
>> punishes our mail servers, too. :(
>
> one way for that would be to "pass the descriptor" to a light process that
> will only keep them connected. for example setting the tcp window to zero.
> now, this would only be safe if you modify the tcp stack to do that without
> keeping too much infos.
>
> On the other hand, they have so much bandwidth/power available via zombies
> that this seems like playing a self-dos game.
Could this approach be effective if the number of such connections
were limited to a manageable number at any individual site, but it
was implemented by a great number of admins?
--
Theodore (Ted) Heise <th...@heise.nu> Bloomington, IN, USA
Re: OT: Spammers' reactions to rejection
Posted by mouss <us...@free.fr>.
Roger Taranto a écrit :
>
>If it didn't tie up sockets on our machines, it seems like instead of
>rejecting the mail, we should just hold on to the mail connection for as
>long as possible. It wouldn't take too long to tie up all of their
>outbound connections and back up their mail server. Unfortunately, it
>punishes our mail servers, too. :(
>
>
one way for that would be to "pass the descriptor" to a light process
that will only keep them connected. for example setting the tcp window
to zero. now, this would only be safe if you modify the tcp stack to do
that without keeping too much infos.
On the other hand, they have so much bandwidth/power available via
zombies that this seems like playing a self-dos game.
Re: OT: Spammers' reactions to rejection
Posted by Matt Kettler <mk...@evi-inc.com>.
Roger Taranto wrote:
> On Thu, 2005-11-17 at 10:17, Matt Kettler wrote:
>
>>Magnus Holmgren wrote:
>>
>>>Spammers need to clean their address lists once in a while, lest they
>>>end up with a very low proportion of valid addresses, right?
>>
>>No, they don't have to clean it.
>
>
> If it didn't tie up sockets on our machines, it seems like instead of
> rejecting the mail, we should just hold on to the mail connection for as
> long as possible. It wouldn't take too long to tie up all of their
> outbound connections and back up their mail server. Unfortunately, it
> punishes our mail servers, too. :(
You mean a Teergrube (tarpit)?
http://de.wikipedia.org/wiki/Teergrube
Re: OT: Spammers' reactions to rejection
Posted by Roger Taranto <ro...@danybrooks.com>.
On Thu, 2005-11-17 at 10:17, Matt Kettler wrote:
> Magnus Holmgren wrote:
> > Spammers need to clean their address lists once in a while, lest they
> > end up with a very low proportion of valid addresses, right?
>
> No, they don't have to clean it.
If it didn't tie up sockets on our machines, it seems like instead of
rejecting the mail, we should just hold on to the mail connection for as
long as possible. It wouldn't take too long to tie up all of their
outbound connections and back up their mail server. Unfortunately, it
punishes our mail servers, too. :(
My aunt tells this story about her father: he used to invite members of
an annoying religious group that goes door-to-door in for hours on
Saturday mornings. My aunt's mother used to get really upset with him
for spending so much time with them. His explanation was that "at least
this way I know where they are."
-Roger
Re: OT: Spammers' reactions to rejection
Posted by Matt Kettler <mk...@evi-inc.com>.
Magnus Holmgren wrote:
> Spammers need to clean their address lists once in a while, lest they
> end up with a very low proportion of valid addresses, right?
No, they don't have to clean it.
Let's face it.. spammers are currently making extensive use of dictionary
attacks to add more addresses to their lists. Therefore you must conclude they
do not care about wasted bandwidth on failed delivery attempts.
Since we know spammers don't care about wasting time with failed delivery, what
motivation would they have to clean their lists?
> Question: Is there any knowledge as to how spammers deal with different
> kinds of failure?
As far as I can tell, they ignore failures completely. Old accounts from over 7
years ago are still generating dozens of failures on spam every day.
For that matter, a few legitimate commercial mailing lists ignore failures too.
I've got several accounts for users that haven't been undeliverable for multiple
years that are still getting attempts to deliver subscription commercial mail.
Most commercial outfits care about bandwidth, so few fall in this category
except by accident.
> Does it matter if I reject the RCPT command or the
> MAIL command, or even drop the connection right away (e.g. if the remote
> host is found in SBL)? Does it matter if the remote host is a zombie or
> owned (not pwn3d) by the spammer?
AFAICT, doesn't matter. They'll still keep trying that address forever.
> Most spammers don't treat temporary failures specially, so you might
> suspect that they wouldn't care much about exactly what went wrong --
> just whether their message was accepted or not.
> Nevertheless, I
> currently do all rejection before DATA at RCPT, none upon connection,
> HELO or MAIL. At least it's the only way not to hinder the food for the
> spamtraps (except having all spamtraps in a separate domain with a
> separate MX).
>
> What do you say?
>