[SLL] Greylisting downsides: Solutions?

Jeremy C. Reed reed at reedmedia.net
Tue Jun 12 15:59:26 PDT 2007


On Tue, 12 Jun 2007, Glenn Stone wrote:

> What's also funny in a wry sort of way is the sheer number of creative
> different ways spammers try and get through your nets...

Recently I saw a bunch of mail bypassing my greylisting. And then I 
realized that the mail was actually being sent by spammers to my port 2525 
(which I had opened months earlier for an alternative mail server used for 
some testing -- I then changed that port). I guess spammers are looking 
for mail servers on port 2525 also. Anyone else seen that?

> I have seven
> different legitimate accounts on this one server, scattered across four
> domains.  In that same since-May-30 review, they tried *seventy-five*
> different combinations of random.stuff at do.main, some loosely based on
> legitimate accounts, some mashups of other stuff, some just random garbage.
> No idea what or even if they're thinking.  

Might want to do some blacklisting and spam traps based on some of that.
I created spam traps for some emails that spammers were targeting.
I use temporary spam tarpits that expire after 24 hours. (My spamtraps and 
greylisting are distributed over multiple mail servers.) I analyzed my 
logs and debugging and my spamtraps had more IPs than my greylisting 
database and it was about 6% of the size of my whitelist database.

It may be useful to detect random stuff -- maybe some count of repeated 
failures for unknown names within some time frame from same sending host. 
Anyone do anything like that?

Another technique I use is temporarily tarpitting bogus mail senders that 
purposely skip our high priority MX systems and connect to our lowest 
priority DNS MX records first. I can do this because I use distributed 
greylisting data (using OpenBSD's spamd on NetBSD) and I have valid 
higher priority MX records on same hosts (different IPs). Last time I 
analyzed, this was tarpitting near 60% of all unknown senders. I will need 
to analyze this again -- but it seems like huge spam prevention. I have 
been doing this for a few months.



  Jeremy C. Reed
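A defender-side sketch of the idea raised above (count repeated rejects for unknown recipient names from the same sending host within a time window), added here as an example; it is not part of the original post or the poster's setup. The log lines are constructed in a Postfix-style format, the year is assumed because syslog omits it, and the window and threshold values are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix-style rejection log lines (not taken from the original post).
# 192.0.2.10 probes three made-up names within seconds, then one more much later.
SAMPLE_LOG = """\
Jun 12 15:01:02 mx1 postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <qzx7@example.org>: Recipient address rejected: User unknown
Jun 12 15:01:05 mx1 postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob.smith1@example.org>: Recipient address rejected: User unknown
Jun 12 15:01:09 mx1 postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <sales-info@example.org>: Recipient address rejected: User unknown
Jun 12 15:02:00 mx1 postfix/smtpd[103]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown
Jun 12 15:03:00 mx1 postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.2.0 <jeremy@example.org>: Recipient address rejected: Greylisted
Jun 12 15:40:00 mx1 postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <k8t2@example.org>: Recipient address rejected: User unknown
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?RCPT from \S+\[([\d.]+)\]: 550 \S+ <([^>]+)>: .*User unknown$"
)
LOG_YEAR = 2007  # syslog lines carry no year; assumed here so timestamps parse


def parse_unknown_recipient_rejects(text):
    """Return (timestamp, client_ip, recipient) for each permanent unknown-user reject."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # greylist deferrals and unrelated lines are not name probes
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def flag_probing_hosts(text, window_seconds=600, threshold=3):
    """Flag hosts with >= threshold unknown-recipient rejects inside a sliding window."""
    recent = defaultdict(deque)  # client ip -> (timestamp, recipient) inside the window
    flagged = {}                 # client ip -> (first trigger time, names tried)
    for ts, ip, rcpt in parse_unknown_recipient_rejects(text):
        q = recent[ip]
        q.append((ts, rcpt))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()          # drop rejects that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (ts, [r for _, r in q])
    return flagged


if __name__ == "__main__":
    for ip, (when, names) in flag_probing_hosts(SAMPLE_LOG).items():
        print(f"{ip} tried {len(names)} unknown names by {when:%H:%M:%S}: {', '.join(names)}")
```

The flagged hosts are candidates for a temporary tarpit or blacklist entry of the kind the post describes; a single typo from a legitimate relay (198.51.100.7 here) stays below the threshold.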