From: Michael Elliott
Date: 2005-02-17 17:31:05 -0500
Subject: Re: user account fishing

> Blacklisting will not achieve the main goal in this case. The real problem
> scenario is usually like this:
> Spammers begin to attack with thousands of simultaneous mails varying the
> recipient field (most of the recipients not existing).
> The only working solution might be to detect such an attack within a short
> period of time (with some kind of spamshield script, for example) and
> automatically block the connection packets originating from the spammer
> address via iptables on the firewall:
> iptables -A FORWARD -p tcp -s <spammer IP> -d <sendmail IP> --dport 25 -m state --state NEW -j DROP

Good idea, won't work.  

That method has already been overcome by the spammers.  They have employed
compromised zombies to send their spam.  Using about 1,000 machines, they
control them in such a way that each machine sends less than 50 messages 
to a single server.  I have watched dictionary attacks scroll that use as
little as 5 messages per zombie.

I just did a little grepping.  Across 15,000+ IP addresses that connected
to my mail server, only five connected more than 100 times.  Only thirteen
connected over 50 times.  Nine of those are in the same class C and are a
ROKSO known spam organization.

-Mike Elliott
Msen Sysadmin

> Then the spammers which have already opened their connections quickly obtain
> their TEMPFAIL, and further spammers cannot set up new connections. In a few
> minutes sendmail begins to deal with good mails again.
> This iptables rule may be arranged to be removed by another robot in some
> period of time if permanent blocking is not desirable.
