Spammers are nasty little pieces of work.
It’s been a constant cat-and-mouse game where we (anti-spammer people!) take a few steps forward, then the spammers hit us back twice as hard.
This time, they’re doing some kind of distributed dictionary attack. So that means that thousands upon thousands of computers across the globe are all trying to send mail to various mailservers (including one I’m responsible for) looking like “joe@domain.com, jack@domain.com, jeb@domain.com, jorge@domain.com…” for several domains that we host.
The problem is – they are slamming the servers so hard that they’re starting to overpower the DNS blacklists we use to block spammers. And they’re not always showing up in the blacklists.
So my idea was to find out when someone fails to send mail to 5 or 10 accounts in a row, and then add them to a blacklist. I wrote a simple PHP script to do that, and it works…eh, okay. Not stellar. I even added in a piece that kill -9’s their smtp process when they get listed, but it doesn’t always seem to work right. Maybe they’re coming in 20 times at once, or something.
So I’ve run my little blacklister script for a while – and as of press time I have about 5100 IPs in my block list. And it doesn’t really seem like it’s getting any better. I finally turned on ‘record entire SMTP conversation’.
So this is what they’re doing –
HELO IMASPAMMER
MAIL FROM:<somelikelyinnocentvictim@somerandomdomain.com>
RCPT TO:<joe@domain.com>
RCPT TO:<jack@domain.com>
RCPT TO:<jeb@domain.com>
RCPT TO:<jorge@domain.com>
To which it gets answers like:
451 No such user 'joe@domain.com'
451 No such user 'jack@domain.com'
etc.
So here’s the clever bit – then they do:
RSET
Which apparently just ‘resets’ the SMTP conversation, and then they start again with the next five recipients. Ugh.
So now it’s time to dust off the ole C coding, and I’ve rewritten the ‘rset’ command to now say:
502 Just send your mail again, don't pull this RSET garbage.
And disconnect ’em. That seems to have helped a lot – with the spammers having to reconnect, they get a second chance to get looked-up in the blacklists, or checked against my own custom blacklist. Load is reduced – though not eliminated. I guess we’ll see how well it works.
My next thing will be to augment this username-check with a counter, and if the counter goes above ‘n’ bad lookups, bounce the connection. That could help as well – but I don’t think by as much as what I’ve done so far.
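The RSET rejection and the planned per-connection bad-lookup counter, modelled together as an added Python example (not the post’s PHP script or the C change to the mailserver); the user list, the threshold ‘n’, the peer IP and every reply text other than the two quoted in the post are assumptions:

```python
# Added example: per-connection policy that refuses RSET after bad recipient
# lookups and blacklists the peer once its bad-lookup counter passes 'n'.
KNOWN_USERS = {"alice@domain.com", "bob@domain.com"}  # constructed sample
MAX_BAD_RCPT = 5                                       # the post's 'n'

class SmtpSession:
    def __init__(self, peer_ip, blacklist):
        self.peer_ip = peer_ip
        self.blacklist = blacklist  # shared set of blocked IPs (the block list)
        self.bad_rcpt = 0           # failed RCPT lookups on this connection
        self.open = True

    def handle(self, line):
        """Reply to one client command; self.open=False means disconnect."""
        if self.peer_ip in self.blacklist:
            self.open = False
            return "554 Blacklisted"
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "RCPT":
            if ":" not in arg:
                return "501 Syntax error in parameters"
            addr = arg.split(":", 1)[1].strip("<> ").lower()
            if addr in KNOWN_USERS:
                return "250 OK"
            self.bad_rcpt += 1
            if self.bad_rcpt >= MAX_BAD_RCPT:
                self.blacklist.add(self.peer_ip)  # listed for all later connections
                self.open = False
                return "554 Too many bad recipients"
            return f"451 No such user '{addr}'"
        if verb.upper() == "RSET" and self.bad_rcpt:  # probe-a-batch-then-RSET pattern
            self.open = False
            return "502 Just send your mail again, don't pull this RSET garbage."
        return "250 OK"  # HELO, MAIL FROM, clean RSET: no extra policy needed

def run_transcript(peer_ip, lines, blacklist):
    # Feed one client transcript through a session; stop once it is dropped.
    session = SmtpSession(peer_ip, blacklist)
    replies = []
    for line in lines:
        if not session.open:
            break
        replies.append(session.handle(line))
    return replies

# Constructed transcript in the shape quoted in the post.
HARVEST_PROBE = ["HELO IMASPAMMER", "MAIL FROM:<victim@somerandomdomain.com>",
                 "RCPT TO:<joe@domain.com>", "RCPT TO:<jack@domain.com>",
                 "RCPT TO:<jeb@domain.com>", "RCPT TO:<jorge@domain.com>",
                 "RSET", "RCPT TO:<jorge2@domain.com>"]
```

The 451 text mirrors the post; RFC 5321 reserves 550 for a permanent unknown-mailbox reply, so a 451 tells a legitimate sender to keep retrying.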