Our users still get spam. The technique appears to be to send email
to every common name in the English language (tom, dick &
harry)@our.domain.net in an attempt to spam to everyone. And it
works. Here is a typical header:
From fake...@our.domain.net Wed Jun 26 04:27:11 2002
Return-Path: <fake...@our.domain.net>
Received: from [80.116.104.215] ([80.116.104.215])
by mail.our.domain.net (8.11.6/8.11.6) with SMTP id
g5Q8R8K47512;
Wed, 26 Jun 2002 04:27:08 -0400 (EDT)
(envelope-from fake...@our.domain.net)
X-Authentication-Warning: mail.our.domain.net: [80.116.104.215] didn't
use HELO protocol
Date: Wed, 26 Jun 2002 04:27:42 -0500
Subject: Mortgage Rates Have Never Been Lower
MIME-Version: 1.0
From: fake...@our.domain.net
Content-Type: multipart/alternative;
boundary="----=_NextPart_1300_5011750807656008256114447180244"
Message-Id: <2KDBTW22VO7C7RA26Q3....@ezo.net>
Received: from our.domain.net by 56LO7MUXCA.ezo.net with SMTP for
real...@our.domain.net; Wed, 26 Jun 2002 04:27:42 -0500
Importance: Normal
To: real...@our.domain.net
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Encoding: MIME
Reply-To: real...@our.domain.net
Content-Transfer-Encoding: quoted-printable
My question is how does this work and what can I do to prevent it?
Thanks.
> I have done everything I can find to stop our main mail server from
> spreading spam including sendmail anti-relaying options and rbl
> lookups (osirusoft and ordb). It passes all the tests on
> mail-abuse.com. About 25% of the inbound mail we process is rejected.
>
> Our users still get spam. The technique appears to be to send email
> to every common name in the English language (tom, dick &
> harry)@our.domain.net in an attempt to spam to everyone. And it
> works. Here is a typical header:
>
>
> My question is how does this work and what can I do to prevent it?
>
> Thanks.
Most sites seem to have email addresses that are based on names. The
census bureau has a nice list of first names (male and female) and last
names, sorted in order of occurrence in a sample population. There are
about 1500 male names and 4600 female. The top 30% or so of names will
get you over half the population. Similar for the 30,000 last names in
the list.
I wrote a little script actually that will generate random email
addresses based on this list. Things like john[a-z] [a-z]john with dots,
dashes, etc. Then the same for the last names.
With a fake "from" and/or "reply to", one can quickly generate names,
connect to the server and send mail to the names. Failures are of course
sent to the fake address, so there is no bandwidth "wasted" by the
sender.
Be sure you haven't allowed sendmail to accept mail from non-existent
domains in the "mail from:" command. (This is only partially useful.)
Look in this group for a thread called "Check reverse DNS on connect?".
There is a hack referenced that disallows connections of any type from
sites without a valid PTR record in their DNS for the sending IP.
Be sure your VRFY command and EXPN commands are disabled. These can be
used by spammers to harvest email addresses with a program like the one
I wrote. (In fact I have done this and the program can find literally
thousands of addresses in a few hours on a fast connection). And no, I
don't sell or spam the addresses I find. Some servers I've tested allow
an unlimited number of VRFYs per connection (I've gotten up to 210,000
on one), others slow down after the first few, and disconnect after
about 5-10 VRFY commands. This is of course simple to code around.
Your other options:
Keep adding the offending sites to your own access database as DENY. You
will eventually get the most egregious senders eliminated.
Learn to deal with a "small" amount of spam.
Offer your users a non name-based alternative email address. The name
based searches return many hits, blind character searches "a,aa,ab,ac"
return a relatively low percentage of hits, and the time spent searching
is usually not worth it. You'll usually catch the bandwidth usage of a
raw search before they get too far (more than 4 chars).
--
What color is clear?
Try watching your logs (/var/log/maillog or equivalent) to see if there
are events in which someone checks to see which accounts exist on your
system (dictionary attacks). I've seen such recently. These probably
will be followed by spam sent to all names that didn't get rejected.
For years to come, unless things change.
The IP address you identify as the source (80.116.104.215) is in Italy
and may be an open proxy. You might try sending a report to
abus...@telecomitalia.it. If it is an open proxy you will have done
them a favor but unless they find some juicy incriminating evidence in
their proxy logs that can be used against the spammer you probably won't
be doing anything to stop spam by making this report. If you do them in
a timely manner such reports may lead to additional spammer annoyance.
That's not much but it's something.
If you broaden your goal to stopping all relay spam then the web page in
my sig (sorry about the pop-ups) may be of some interest. See also
http://www.corpit.ru/cgi-bin/h0n5yp0t
This is a working honeypot that has had significant success. Other
honeypots have also had significant success. If you haven't heard about
the successes it is most likely because there currently are so few
honeypots that all their successes put together still don't have an
effect much above the noise level. I very much want to see this low
count increased.
--
"Our problems are mostly behind us. What we have to do now is
fight the solutions." ---Stult's Report (from
http://www.reznor.com/~aj/quotes/)
See: http://fightrelayspam.homestead.com/ for my honeypot page
Stop relay spam in July <--- I'm serious
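Both replies above point at the same defender's check: the first notes that a name-guessing program leaves a trail of rejected addresses, and the second advises watching the maillog for someone probing which accounts exist. The script below is an added example, not code from any poster in this thread; it runs that check over constructed log lines approximating sendmail's maillog format (the sample lines, the second client 192.0.2.10, and the thresholds are assumptions) and flags any client that has many different recipients rejected as unknown within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample approximating sendmail's maillog format (not a real log): one client
# guesses common first names in quick succession; 192.0.2.10 is ordinary traffic with a typo.
SAMPLE_LOG = """\
Jun 26 04:27:01 mail sendmail[47501]: g5Q8R1K47501: ruleset=check_rcpt, arg1=<tom@our.domain.net>, relay=[80.116.104.215], reject=550 5.1.1 <tom@our.domain.net>... User unknown
Jun 26 04:27:02 mail sendmail[47501]: g5Q8R1K47501: ruleset=check_rcpt, arg1=<dick@our.domain.net>, relay=[80.116.104.215], reject=550 5.1.1 <dick@our.domain.net>... User unknown
Jun 26 04:27:03 mail sendmail[47501]: g5Q8R1K47501: ruleset=check_rcpt, arg1=<harry@our.domain.net>, relay=[80.116.104.215], reject=550 5.1.1 <harry@our.domain.net>... User unknown
Jun 26 04:27:04 mail sendmail[47501]: g5Q8R1K47501: ruleset=check_rcpt, arg1=<james@our.domain.net>, relay=[80.116.104.215], reject=550 5.1.1 <james@our.domain.net>... User unknown
Jun 26 04:27:05 mail sendmail[47501]: g5Q8R1K47501: ruleset=check_rcpt, arg1=<john@our.domain.net>, relay=[80.116.104.215], reject=550 5.1.1 <john@our.domain.net>... User unknown
Jun 26 04:27:08 mail sendmail[47512]: g5Q8R8K47512: from=<sender@our.domain.net>, size=2311, class=0, nrcpts=1, proto=SMTP, relay=[80.116.104.215]
Jun 26 09:15:40 mail sendmail[51220]: g5QDFeK51220: ruleset=check_rcpt, arg1=<jonh@our.domain.net>, relay=mx.example.org [192.0.2.10], reject=550 5.1.1 <jonh@our.domain.net>... User unknown
"""
# One line per rejected RCPT: timestamp, the connecting client's IP and the unknown address.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]"
    r".*<(?P<rcpt>[^>]+)>\.\.\. User unknown")

def parse_unknown_rejections(log_text):
    """Yield (timestamp, client_ip, rejected_address) for every 'User unknown' line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
            yield ts, m.group("ip"), m.group("rcpt").lower()

def find_dictionary_attacks(log_text, min_distinct=5, window=timedelta(seconds=60)):
    """Flag clients that had >= min_distinct different addresses rejected within one window."""
    hits = defaultdict(list)
    for ts, ip, rcpt in parse_unknown_rejections(log_text):
        hits[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):          # sliding window over time-ordered rejections
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= min_distinct:
            flagged[ip] = {"unknown_total": len(events), "max_distinct_in_window": best,
                           "sample": [r for _, r in events[:5]]}
    return flagged

if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {info['unknown_total']} unknown recipients, "
              f"{info['max_distinct_in_window']} distinct within 60s, e.g. {info['sample']}")
```

A flagged client is a candidate for the access-database reject discussed earlier, and its later "from=" lines show which messages got through to names that did exist.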