This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] how to detect spambots - SPAMTrusted

Previous message (by thread): AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
Next message (by thread): [anti-abuse-wg] how to detect spambots - SPAMTrusted

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jan Pieter Cornet johnpc at xs4all.nl
Wed Mar 4 10:42:03 CET 2009

On Wed, Mar 04, 2009 at 09:21:32AM +0100, Frank Gadegast wrote:
> And the following makes me really crazy:
> - preventing spambotted PCs from sending spam is SOOO easy
> 
[...]
> ... SPAMBOTS USING YOUR DIAL-IN IPs DO SEND SPAM TO YOUR OWN MAILSERVERS !!!

This fails in two ways. First, not all spambots send spam to your own
servers, as some specifically target eg hotmail.com or hinet.net. Also
be aware that a lot of spam is specifically targeted not to be detected
by standard scanners, so especially when a spamrun just starts, it will
take at least an hour, even for signature based systems, to see it. (Of
course, monitoring abuse@ will eventually let you catch those)

Second, there are also legitimate reasons people send spammish-looking
mail to your own mailservers. For example, if someone runs their own
mailserver on their DSL line, they point an MX record for some domain to
themselves, and then forwards mail for that domain to one (or a few) of
your mailboxes, using none or only minimal spamfiltering. The result is
spam coming from that node, but all of it is "legit", in the sense that
it is supposed to flow that way.

Another reason would be a badly configured mail server that backscatters
on a DSL line, that happens to touch your incoming servers. Not strictly
spam (yet still unwanted), but it's probably too harsh to completely
disconnect the customer.

I'm not saying you shouldn't monitor your own spamscanner for your own
IPs, just that it isn't as black and white a picture as you make us
believe it is. For example, combining this data with abuse reports will
provide very valuable, and that could even be automated.

What we do is simply volume counting, combined with a whitelist of
known-good massmailers. Also make sure you count bounces and rejected
addresses, and flag anyone that goes over a few % bad addresses. And
there will soon be network filters (user customizable, default on) that
prevent access to other mailservers than our own.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!

Previous message (by thread): AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
Next message (by thread): [anti-abuse-wg] how to detect spambots - SPAMTrusted

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]