
#15 A way to block spam "bombers"

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2003-11-02
Created: 2003-11-02
Private: No

Don't worry, I'm not only interested in the appearance of
the wonderful Fluffy, as you can see in the following
enhancement request.

I have been using another RBL blocker (Bcware Nospam)
for the past few months and from time to time I suffered
from very persistent spammers who apparently didn't
take "550 Buzz off" for an answer. On several occasions,
I saw thousands of connection attempts (over a period
of 24 hours) from the same source in the log. Although it
hasn't really caused any serious problems, surely this
behaviour is a potential killer. Occasionally, some
spammers were making several connections in one
second!

I have been thinking about a solution for this problem,
and I would suggest adding some sort of option to Fluffy
that results in the following:

If a duplicate message (same source IP and From/To
address) comes in within 24 hours, then pretend to
accept the message (if this is possible). Alternatively,
would you be able to accept and flag (instead of block)
a message like this?

I realise that this is not completely watertight (since
spammers might also be using different IPs or From
addresses), but at least this should get rid of the
notorious ones that apparently use very ugly spam
software.

I hope you will consider adding this valuable feature to
Fluffy.

Discussion

  • Wayne McDougall

    Wayne McDougall - 2003-11-03

    Logged In: YES
    user_id=660239

    Thank you for your kind words.

    Do understand that I do want to address this issue for you so
    bear with me. I see similar things, although not on the scale
    you describe, and so far Fluffy deals with that for me.

    The solution you propose, as I understand it, is not
    acceptable. Consider two people exchanging emails during the
    course of a day. Perhaps 5 emails go back and forth in the
    same day - same source IP and same From/To address. This
    is the very last sort of email we want to block.

    So let's work for a solution, and I'd like to better understand
    the problem as you present it. Can you expand in more
    detail, clearly identifying what is common and what is
    different in terms of source IP, source mail from, intended
    recipients, etc. If you can capture such an attack in a Fluffy
    log, that may help my understanding.

  • Robert Keurentjes

    Logged In: YES
    user_id=898950

    OK, here is an example from my old Bcware log (read as:
    date, time, IP, blacklist, from, to):

    06/20/2003 14:00:04.0278 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:00:13.0011 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:00:20.0872 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:00:33.0881 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:00:47.0500 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:01:03.0503 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:01:15.0320 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:01:23.0492 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:01:31.0584 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:01:39.0525 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:01:46.0876 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:01:57.0121 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:02:09.0649 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:02:26.0082 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:02:38.0220 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:02:51.0078 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:03:03.0796 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:03:14.0532 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:03:25.0908 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:03:38.0837 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
    06/20/2003 14:03:50.0664 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com

    This usually goes on for hours. Occasionally I had spammers
    that connected several times *per second* for 24 hours,
    apparently using malware that opened several simultaneous
    connections.

    I actually meant to suggest to handle these connections as
    follows:

    If a message comes in from a source (IP) that was previously
    blocked (e.g. less than 24 hours ago), and the message
    From/To are identical to that previous message, then do not
    block it again, but continue the SMTP conversation
    and "pretend" to accept it. But rather than proxying this
    conversation on the internal mail server, drop anything you
    receive from this source.

    You may even consider handling any new message from an
    already blocked source in this way, so that the offending
    party can't even try to resend emails with other (fake) From
    addresses. This may be a little more tricky, because this way,
    legitimate users of a blacklisted SMTP server would not be
    informed of the fact that their message was blocked.

    If you are thinking of implementing this, please consider
    making it a little customizable, because I guess some of us
    may only want to block exact duplicates, and some might
    prefer to go for the second option I suggested.

    Perhaps you could even have an option to "drop connections
    (without 550) from the following source..." and present us
    with a list of recently blocked sources (including From/To) to
    choose from.

    These are just a few suggestions. I am about to put Fluffy in
    production, so as soon as I can capture this behaviour, I will
    let you know.

    Thanks for thinking along.

    Robert
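An added example, not code from Fluffy or Bcware: it parses log lines in the layout Robert describes (date, time, IP, blacklist, from, to) and applies his repeat-offender rule, with a switch between his two options (exact IP+From/To duplicates only, or any message from a recently blocked source). The sample lines are constructed (the first two copied from his log), and WINDOW, parse_line and classify are hypothetical names.

```python
"""Added example (not part of Fluffy or Bcware): classify RBL-blocked
connections so that a source already answered with 550 and retrying the
same message within 24 hours is sinkholed instead of told again.
A message that never hit a blacklist never enters the table, which is
what keeps the legitimate same-IP/same-From/To exchange Wayne describes
out of scope."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # Robert's "less than 24 hours ago"

# Constructed sample in the Bcware layout: date time IP blacklist from to
SAMPLE_LOG = """\
06/20/2003 14:00:04.0278 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
06/20/2003 14:00:13.0011 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
06/20/2003 14:05:00.0000 64.80.22.253 DSBL other@yahoo.com chohner@anonimyzed.com
06/21/2003 14:00:13.0000 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
06/21/2003 14:00:20.0000 64.80.22.253 DSBL Kollman@yahoo.com chohner@anonimyzed.com
"""


def parse_line(line):
    """Split one Bcware-style line; the 4-digit fraction parses as %f."""
    date, time, ip, rbl, mail_from, rcpt_to = line.split()
    ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S.%f")
    return ts, ip, rbl, mail_from.lower(), rcpt_to.lower()


def classify(lines, strict=True):
    """Return [(timestamp, verdict)] for every blocked connection.

    strict=True  : only an exact IP + From/To repeat is dropped (option 1).
    strict=False : anything from a source blocked in the window is (option 2),
                   at the cost Robert notes: legitimate users of a listed
                   server no longer see the 550.
    """
    last_550 = {}  # key -> time of the most recent 550 we actually sent
    verdicts = []
    for ts, ip, rbl, mail_from, rcpt_to in map(parse_line, lines):
        key = (ip, mail_from, rcpt_to) if strict else ip
        seen = last_550.get(key)
        if seen is not None and ts - seen < WINDOW:
            # Pretend to accept, then discard: no 550, nothing proxied inward.
            verdicts.append((ts, "drop"))
        else:
            # First sight (or window expired): normal RBL rejection, remembered.
            verdicts.append((ts, "550"))
            last_550[key] = ts
    return verdicts


if __name__ == "__main__":
    for ts, verdict in classify(SAMPLE_LOG.splitlines()):
        print(ts, verdict)
```

The window is measured from the last 550 actually sent, so once it expires the source gets one more rejection before being sinkholed again.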
