More Spam

Ugh.

So my clever hack about RSET apparently triggers problems in feeble, horrible, nasty mail clients like Eudora – which one of my client’s clients actually uses. So I had to back out my change. It was funny to hear someone read me my ‘garbage’ message right back to me, though.

So in the process of poking around, I found that there was already a feature in the qmail chkuser patch which allows you to set a number of bad recipients beyond which you are over your limit. So I enabled that. And it did not at all stem the flood, because it simply rejected all subsequent attempts with 400-series messages, without disconnecting the sender.

So once again, I jumped into the code. And I made it so that it actually disconnects you instead of just marking subsequent connection attempts as automatically failing.

This seems like it’s working. I have 6500 IPs in my self-written blacklist, and the SMTP server load has dropped to half. It’s still there, though, so I’ll have to keep an eye on it.

All in all, not a fun day…

Spam

Spammers are nasty little pieces of work.

It’s been a constant cat-and-mouse game where we (anti-spammer people!) take a few steps forward, then the spammers hit us back twice as hard.

This time, they’re doing some kind of distributed dictionary attack. So that means that thousands upon thousands of computers across the globe are all trying to send mail to various mailservers (including one I’m responsible for) looking like “joe@domain.com, jack@domain.com, jeb@domain.com, jorge@domain.com…” for several domains that we host.

The problem is that they are slamming the servers so hard that they’re starting to overpower the DNS blacklists we use to block spammers. And they don’t always show up in the blacklists.

So my idea was to find out when someone fails to send mail to 5 or 10 accounts in a row, and then add them to a blacklist. I wrote a simple PHP script to do that, and it works… eh, okay. Not stellar. I even added in a piece that kill -9s their SMTP process when they get listed, but it doesn’t always seem to work right. Maybe they’re coming in 20 times at once, or something.

So I’ve run my little blacklister script for a while, and as of press time I have about 5100 IPs in my block list. And it doesn’t really seem like it’s getting any better. I finally turned on ‘record entire SMTP conversation’.

So this is what they’re doing:


HELO IMASPAMMER
MAIL FROM:<somelikelyinnocentvictim@somerandomdomain.com>
RCPT TO:<joe@domain.com>
RCPT TO:<jack@domain.com>
RCPT TO:<jeb@domain.com>
RCPT TO:<jorge@domain.com>

To which it gets answers like:


451 No such user 'joe@domain.com'
451 No such user 'jack@domain.com'

etc.

So here’s the clever bit – then they do:


RSET

Which apparently just ‘resets’ the SMTP communication, and they start again with the next five recipients. Ugh.

So now it’s time to dust off the ole C coding, and I’ve rewritten the ‘rset’ command to now say:


502 Just send your mail again, don't pull this RSET garbage.


And disconnect ’em. That seems to have helped a lot – with the spammers having to reconnect, they get a second chance to get looked up in the blacklists, or checked against my own custom blacklist. Load is reduced – though not eliminated. I guess we’ll see how well it works.

My next thing will be to augment this username check with a counter, and if the counter goes above ‘n’ bad lookups, bounce the connection. That could help as well – but I don’t think by as much as what I’ve done so far.
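The counter idea just described, together with the disconnect-on-limit change from the newer post at the top of the page, as an added example in Python. This is not the page’s code and not qmail’s or chkuser’s; it is a toy command handler written to show the one detail that matters: whether the bad-recipient counter survives RSET. The reply texts, the limit of five, the known-user table, the hostname and the peer address are all assumptions. A flag lets you run the same probe against the weak behaviour (counter cleared by RSET, so the batch-then-RSET loop never trips the limit) and against the fixed one, and the blocklist is checked at connect time so a listed sender is refused before it can probe again.

```python
# Added example (not code from the page, qmail or chkuser): a toy SMTP
# command handler that counts unknown recipients per connection, keeps the
# count across RSET, and drops the connection (listing the peer IP) once the
# count reaches a limit.  Reply texts, limit, users and IPs are assumptions.
from dataclasses import dataclass, field


BAD_RCPT_LIMIT = 5  # assumed: disconnect on the 5th unknown recipient


def _addr(arg: str) -> str:
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b' (lower-cased)."""
    return arg.partition(":")[2].strip().strip("<>").lower()


@dataclass
class Session:
    peer_ip: str
    known_users: frozenset
    blocklist: set                      # shared across connections
    counter_survives_rset: bool = True  # False reproduces the weak behaviour
    bad_rcpts: int = 0
    sender: str = ""
    rcpts: list = field(default_factory=list)
    disconnected: bool = False

    def greet(self) -> str:
        """Banner on connect; a listed IP is refused before any command."""
        if self.peer_ip in self.blocklist:
            self.disconnected = True
            return "554 blocked: too many bad recipients earlier"
        return "220 mail.example.test ESMTP"

    def handle(self, line: str) -> str:
        """Process one client command line and return the server reply."""
        if self.disconnected:
            raise ConnectionError("peer already disconnected")
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.test"
        if verb == "MAIL":
            self.sender = _addr(arg)
            return "250 ok"
        if verb == "RCPT":
            addr = _addr(arg)
            if addr in self.known_users:
                self.rcpts.append(addr)
                return "250 ok"
            self.bad_rcpts += 1
            if self.bad_rcpts >= BAD_RCPT_LIMIT:
                # List the IP and hang up instead of handing out yet another
                # 4xx/5xx the probing client will happily ignore.
                self.blocklist.add(self.peer_ip)
                self.disconnected = True
                return "554 too many bad recipients, closing connection"
            return "550 no such user"
        if verb == "RSET":
            # RSET discards the envelope.  If the counter went with it, the
            # "batch of RCPTs then RSET" loop would never reach the limit.
            self.sender, self.rcpts = "", []
            if not self.counter_survives_rset:
                self.bad_rcpts = 0
            return "250 flushed"
        if verb == "QUIT":
            self.disconnected = True
            return "221 bye"
        return "502 unimplemented"


def run_conversation(peer_ip, lines, known_users, blocklist,
                     counter_survives_rset=True):
    """Feed client lines to a fresh session until the server hangs up.
    Returns (replies, session); the banner is the first reply."""
    s = Session(peer_ip, frozenset(known_users), blocklist,
                counter_survives_rset)
    replies = [s.greet()]
    for line in lines:
        if s.disconnected:
            break
        replies.append(s.handle(line))
    return replies, s


# Constructed probe modelled on the capture in the post: a batch of unknown
# recipients, RSET, another batch, RSET, then one real user.
PROBE = [
    "HELO IMASPAMMER",
    "MAIL FROM:<victim@somerandomdomain.com>",
    "RCPT TO:<joe@domain.com>",
    "RCPT TO:<jack@domain.com>",
    "RCPT TO:<jeb@domain.com>",
    "RCPT TO:<jorge@domain.com>",
    "RSET",
    "MAIL FROM:<victim@somerandomdomain.com>",
    "RCPT TO:<jim@domain.com>",
    "RCPT TO:<jill@domain.com>",
    "RSET",
    "RCPT TO:<john@domain.com>",
]
KNOWN = {"postmaster@domain.com", "john@domain.com"}  # assumed user table


if __name__ == "__main__":
    bl = set()
    weak, _ = run_conversation("198.51.100.7", PROBE, KNOWN, bl,
                               counter_survives_rset=False)
    fixed, _ = run_conversation("198.51.100.7", PROBE, KNOWN, bl)
    retry, _ = run_conversation("198.51.100.7", PROBE, KNOWN, bl)
    print("weak:", weak[-1], "| fixed:", fixed[-1], "| retry:", retry[0])
```

Run against the same probe, the weak session answers every command and the last one is a 250 for the one real user, the fixed session hangs up on the fifth unknown recipient even though an RSET sits in the middle, and the reconnect from the same address is refused at the banner. In a real qmail-smtpd the equivalent is a counter in the per-connection process that the RSET handler leaves alone, plus whatever you use to feed the peer address into the front-end blocklist.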