[SLL] Greylisting downsides: Solutions?
johnbaxterlists at mac.com
Tue Jun 12 17:27:55 PDT 2007
On Jun 12, 2007, at 3:43 PM, Glenn Stone wrote:
> What's also funny in a wry sort of way is the sheer number of creative
> different ways spammers try and get through your nets... I have seven
> different legitimate accounts on this one server, scattered across
> four domains.
What I'm seeing a lot of lately is a spammer (that is to say, one or
more spam engines) with a /24 subnet, who sends from various domains
and hosts (with generated garbage local parts). When faced with a
greylisting temporary failure, the engine seems to randomly try
another of the hosts, with a new sending address. And so on. Even
when it returns to the original sending host, it generates a
different local part.
Our monitor notifies me of a (somewhat misnamed) "dictionary attack",
I see the pattern, and block the /24 (that's a MySQL table row, whose
comment field describes the reason for the block--I include the name
of the owner of the block as retrieved from ARIN (usually these come
from ARIN territory, not RIPE, APNIC, or the new one for South
America)). Their technique keeps their spam out of our system very
effectively (even if I don't get to react because it starts in late
evening).
By "block" I mean reject at RCPT TO: time, with text which offers a
URL to a form on our site in which they can request access. Spammers
don't use the form--many real people do (although not all see the
message, since version combinations of Exchange and Outlook conspire
to change the report to "unknown user" no matter what the rejecting
server says).
(I've had one spammer--and he seemed to be sort of marginal as to
whether the term applies--fill in the form in the four or so years
the system has been in place.)
--John
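The host-hopping pattern John describes (tempfail, then a retry from a different host in the same /24 with a fresh sender address, never coming back to pass greylisting) can be picked out of greylisting logs by aggregating per /24. The following is an added example, not code from John or from the list; it assumes a made-up key=value log format, constructed sample lines in RFC 5737 documentation ranges, hypothetical thresholds (`min_hosts`, `min_senders`), and a placeholder where the WHOIS-derived owner name would go.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not from the original post): one greylisting
# decision per line in a made-up key=value format. 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges, not real senders.
SAMPLE_LOG = """\
2007-06-12T22:01:03 greylist TEMPFAIL client=203.0.113.17 helo=mx3.example.net from=qzk81ab@example.net to=john@ourdomain.example
2007-06-12T22:01:09 greylist TEMPFAIL client=203.0.113.41 helo=mail.example.org from=p0wqerv@example.org to=john@ourdomain.example
2007-06-12T22:01:15 greylist TEMPFAIL client=203.0.113.88 helo=smtp.example.com from=x77ttq@example.com to=john@ourdomain.example
2007-06-12T22:01:22 greylist TEMPFAIL client=203.0.113.17 helo=mx3.example.net from=bb2k9z@example.net to=john@ourdomain.example
2007-06-12T22:01:30 greylist TEMPFAIL client=203.0.113.120 helo=relay.example.net from=r4ndm@example.net to=john@ourdomain.example
2007-06-12T22:05:00 greylist TEMPFAIL client=198.51.100.9 helo=mail.partner.example from=alice@partner.example to=john@ourdomain.example
2007-06-12T22:10:00 greylist PASS client=198.51.100.9 helo=mail.partner.example from=alice@partner.example to=john@ourdomain.example
"""

# Parser for the constructed format above (hypothetical; adapt to your MTA's log).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) greylist (?P<result>TEMPFAIL|PASS) client=(?P<client>\S+) "
    r"helo=(?P<helo>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$"
)


def analyse(log_text):
    """Aggregate greylisting decisions per IPv4 /24.

    Returns {"a.b.c.0/24": {"hosts": set(), "senders": set(),
                            "tempfails": int, "passes": int}}.
    """
    stats = defaultdict(lambda: {"hosts": set(), "senders": set(),
                                 "tempfails": 0, "passes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in other formats
        client = ipaddress.ip_address(m["client"])
        if client.version != 4:
            continue  # this example only groups IPv4 space into /24s
        net = str(ipaddress.ip_network(f"{client}/24", strict=False))
        s = stats[net]
        if m["result"] == "TEMPFAIL":
            s["tempfails"] += 1
            s["hosts"].add(str(client))
            s["senders"].add(m["sender"].lower())
        else:
            s["passes"] += 1
    return dict(stats)


def suspicious_subnets(log_text, min_hosts=3, min_senders=4):
    """Return /24s whose retries look like host/address hopping rather than a
    real MTA retrying the same message: several distinct hosts, many distinct
    sender addresses, and no delivery that ever came back and passed.
    Thresholds are hypothetical; tune them against your own traffic."""
    flagged = []
    for net, s in analyse(log_text).items():
        if (s["passes"] == 0 and len(s["hosts"]) >= min_hosts
                and len(s["senders"]) >= min_senders):
            flagged.append(net)
    return sorted(flagged)


def block_record(net, stats, owner="OWNER-FROM-WHOIS-PLACEHOLDER"):
    """Build the row one would store for a RCPT TO-time block of `net`.
    `owner` would normally come from a WHOIS lookup; a placeholder is used."""
    return {
        "cidr": net,
        "comment": (f"greylist evasion: {len(stats['hosts'])} hosts, "
                    f"{len(stats['senders'])} sender addresses, "
                    f"{stats['tempfails']} tempfails; owner={owner}"),
    }


if __name__ == "__main__":
    per_net = analyse(SAMPLE_LOG)
    for net in suspicious_subnets(SAMPLE_LOG):
        print(block_record(net, per_net[net]))
```

The legitimate partner host in the sample retries from the same address with the same sender and eventually passes, so its /24 is not flagged; the hopping /24 has four hosts and five sender addresses with no pass and is. Keeping the `passes` check is what separates a slow but honest MTA from the engine John describes.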