SMTP landmine feature

Brian
2003-09-23
2004-02-07
  • Brian

    Brian - 2003-09-23

    I have several spammers which I have identified by IP address that are sending mail to an unused domain on my system. They are mailing directly from their system, not via proxies or relays. Even if I block them at the firewall, they still try to connect continuously.

    When I receive SMTP session from them, I'd like to reply with SMTP commands which overflow their buffer and hopefully crash their mail software.

    Has anyone considered adding a feature like this? I realize it is potentially dangerous but it is one way to get a spammer's attention and stop them from contacting your system.

    Thanks,

    Brian

     
    • Wayne McDougall

      Wayne McDougall - 2003-09-23

      Considered aggressive action against spammers? Oh, every day. But I don't want to lower myself to their level.

      The problem is that most spammers are using dedicated spam software which is quite hardened. Actions that are possible are:

      i) Tar pit - you accept the connection but respond very, very slowly, tying up their system. Problems: spammers have recognised this and their new software will drop the connection when they recognise this response. And it ties up resources on your machine. It might make them go away again.

      ii) Tempfailing. Defer their email forever - clogging up their system with retries and spool queues. Problem: they keep coming back at ya, or else their system doesn't retry. But that might still get rid of them.

      iii) Redirect. Accept the email and automatically forward it on to someone in a position to do something about it - the registrar for the domain or such like. For a professional spam haus, unlikely to be effective.

      I think you're unlikely to find a flaw in their software.

      If the domain is unused, what I'd do is set up multiple MX records pointing to each of the offending IPs (and anyone else I could find associated with them), and remove my own, and let them try sending it all to each other. Once they settle down, redirect my MX record back to my own domain again. They may not be in your power.

      Another option is to have your upstream ISP block those IP addresses. Even less likely.

      Finally live with it. It will pass. Keep on blocking them. I'd run Fluffy so at least they'd know they were getting explicit blacklisting messages, and hopefully they'd give up.

      Still, if you want to try a long response, Fluffy allows you to customise your blacklisted SMTP response, so you could experiment. :-( But isn't your time more valuable? As I say, their software is likely to be hardened against attack.

       
    • Brian

      Brian - 2003-09-23

      Tarpits are a nice diversion, but without massive deployments they don't do much to slow down a spammer unfortunately.

      Strangely, these spammers don't know when to give up. I have one IP block with six spam servers in it that has been hitting our corporate firewall every 10 minutes for six months, trying to get to one address on an unused domain.

      My experience with spamware is that it is (a) Win32 based (verified by scanning some of their hosts from my home DSL) and (b) usually written very poorly. I doubt very much they check for buffer overflows in SMTP responses.

      I'm very optimistic that feeding back massive buffer overflows to spamware could break it. I'd crack open VB myself and take a shot at it but I'm assuming Fluffy is not written in VB 7, and last time I tried porting VB 6 it was painful.

       
      • Wayne McDougall

        Wayne McDougall - 2003-09-24

        Ok, well I'm happy to equip you with any tool you'd like. I'm guessing you understand the basics of an SMTP conversation. Fluffy lets you configure the 550 response to a RCPT command (and the 450 response when deferring mail) when blacklisting a site. It does send a multi-line SMTP response when the line length exceeds 512 characters as per the SMTP standard.

        Other responses are as generated by your local mail server, although Fluffy can be trained to recognise a bad server and generate its own responses.

        So you tell me what you'd like, and I'll give you a version of Fluffy with that option. But I'll let you drive what's happening - unless you want to redirect your MX records at my server to let me have a look?

        I'll let you dictate what you'd like to try - overflowing 220, EHLO greetings back, or whatever....I wonder if an 1e99 SMTP code response would cause an overflow error if someone tried to convert the string to a number. Or an SMTP code of 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999

        Your call.

        Are you able to connect back to their SMTP server or is it only sending - not receving?
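The replies speculated about above (a code like 1e99, a code made of a couple of hundred digits, or a line well past the 512-octet reply-line limit the SMTP standard sets) are exactly what a client that is "hardened against attack" has to survive. The following is an added example written for this page, not Fluffy's code and not a description of what any spam tool actually does: a defensive reply parser that never converts untrusted text to a number until a regex has pinned it to three digits, and that rejects oversized, malformed, non-terminated or control-byte-laden replies instead of crashing or guessing. The 16 KiB cap on a whole multi-line reply and all sample replies are this example's own assumptions.

```python
"""Defensive parsing of SMTP reply lines on the receiving (client) side.

Added example for this thread; not Fluffy's code, and not a claim about any
spam tool. 512 is the reply-line limit from the SMTP standard (RFC 5321
4.5.3.1.5); the 16 KiB whole-reply cap is this example's own assumption.
"""
import re

MAX_LINE = 512          # reply line limit including CRLF
MAX_TOTAL = 16 * 1024   # assumed cap on an entire multi-line reply
_LINE_RE = re.compile(rb"^([2-5][0-9]{2})([ -])(.*)$")


class SmtpReplyError(ValueError):
    """A reply the client refuses to interpret."""


def parse_reply(raw: bytes):
    """Parse one complete reply (one or more CRLF-terminated lines).

    Returns (code, [text lines]); raises SmtpReplyError on anything that is
    not a well-formed reply rather than guessing or crashing.
    """
    if len(raw) > MAX_TOTAL:
        raise SmtpReplyError("reply exceeds %d byte cap" % MAX_TOTAL)
    if not raw.endswith(b"\r\n"):
        raise SmtpReplyError("reply not CRLF terminated")
    lines = raw[:-2].split(b"\r\n")
    code, texts = None, []
    for i, line in enumerate(lines):
        if len(line) + 2 > MAX_LINE:
            raise SmtpReplyError("reply line exceeds %d octets" % MAX_LINE)
        m = _LINE_RE.match(line)
        if m is None:
            raise SmtpReplyError("malformed reply line %r" % line[:16])
        this_code, sep, text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise SmtpReplyError("code changes within multi-line reply")
        # '-' means another line follows; ' ' must appear on the last line only.
        if (sep == b" ") != (i == len(lines) - 1):
            raise SmtpReplyError("bad continuation marker")
        if any(b < 0x20 or b == 0x7F for b in text):
            raise SmtpReplyError("control bytes in reply text")
        texts.append(text.decode("ascii", "replace"))
    return int(code.decode()), texts   # safe: regex guaranteed three digits


def classify(raw: bytes) -> str:
    """'accepted' or 'rejected: <reason>'; never raises."""
    try:
        parse_reply(raw)
        return "accepted"
    except SmtpReplyError as exc:
        return "rejected: %s" % exc


# Constructed sample replies for this example (not captured traffic).
SAMPLE_REPLIES = {
    "plain 250":        b"250 OK\r\n",
    "EHLO multi-line":  b"250-mx.example\r\n250-SIZE 10240000\r\n250 HELP\r\n",
    "code 5e99":        b"5e99 overflow me\r\n",
    "170-digit code":   b"9" * 170 + b" x\r\n",
    "600-byte line":    b"250 " + b"A" * 600 + b"\r\n",
    "never-ending":     b"250-first\r\n250-second\r\n",
    "trailing junk":    b"250 OK\r\n250 extra\r\n",
    "control bytes":    b"220 \x00\x01\x02\r\n",
    "bare LF":          b"250 OK\n",
    "20 KB blob":       b"250 x" * 4000 + b"\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REPLIES.items():
        print("%-16s %s" % (name, classify(raw)))
```

The point of the structure is that the only conversion to an integer happens after the regex has already limited the input to three ASCII digits in the 2xx-5xx range, so a huge digit string or "5e99" is rejected as malformed before any arithmetic is attempted, and the per-line and per-reply byte caps are enforced before the regex runs.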

         
    • Brian

      Brian - 2003-09-24

      I tried getting Fluffy to return a 10k hex string as a response code, but it seemed to cause problems with the config.

      I think the ability to send an oversized line, randomly selected from say 500-10,000 binary characters in length in response to each SMTP prompt from the remote system would be a good test.

      It does appear as if they have port 25 open on the remote host as well, but I'd rather just work on their incoming streams. In this way, I can't be said to be crashing their mailer deliberately, since it is their system connecting to me.

      Here is a typical sequence from one of the spammers. In this example I was killing the session when they provided an invalid RCPT TO:

      T 20030823 215644 3f46a607 Connection from 64.70.49.71

      T 20030823 215644 3f46a607 EHLO outbound61.flipsidenewsletter.com

      T 20030823 215644 3f46a607 MAIL FROM:<r65u7t@searchfordiscounts.com>

      T 20030823 215700 3f46a607 RSET

      Instead of the RSET, I'd like to blast them with some strings at this point...
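The options Wayne listed earlier (tempfail with 450 so the sender keeps retrying out of its own queue, reject with an explicit 550 blacklist message, tarpit by delaying every reply) and the spam-trap listing Brian asks for can be shown on a session shaped like the log above. The following is an added example written for this page, not Fluffy's code: a minimal SMTP receiver state machine that applies that policy per peer IP. The policy tables, the spam-trap domain unused.example, the 10 s tarpit delay and the 192.0.2.10 / 203.0.113.5 addresses are invented for the example; 64.70.49.71 and the EHLO and MAIL FROM values are the ones in the posted log. Delays are only counted, not slept, so it runs instantly.

```python
"""Minimal SMTP receiver with tempfail / blacklist / spam-trap / tarpit policy.

Added example for this thread, not Fluffy's code. Policy values below are
assumptions; 64.70.49.71 and the LOGGED_SESSION commands come from the log
posted in the thread. Tarpit delays are counted, not slept.
"""
import re

TEMPFAIL_IPS = {"64.70.49.71"}        # peer from the log: 450 at MAIL FROM, forever
BLACKLIST_IPS = {"192.0.2.10"}        # explicit 550 at every RCPT TO
SPAMTRAP_DOMAIN = "unused.example"    # one RCPT TO here lists the peer for the session
TARPIT_DELAY = 10.0                   # seconds a real server would sleep per reply

_PATH_RE = re.compile(r"^(FROM|TO):\s*<?([^<>@\s]+)@([^<>@\s]+?)>?$", re.IGNORECASE)


def parse_path(arg, keyword):
    """(local, domain) for 'FROM:<a@b>' / 'TO:<a@b>', ('', '') for the null
    sender 'FROM:<>', or None when the argument is malformed."""
    arg = arg.strip()
    if keyword == "FROM" and re.fullmatch(r"FROM:\s*<>", arg, re.IGNORECASE):
        return "", ""
    m = _PATH_RE.match(arg)
    if m is None or m.group(1).upper() != keyword:
        return None
    return m.group(2), m.group(3).lower()


class SmtpSession:
    """One inbound session: greet() once, then handle() per command line."""

    def __init__(self, peer_ip):
        self.peer_ip = peer_ip
        self.sender = None
        self.rcpts = []
        self.trapped = False       # set once the peer hits the spam trap
        self.delay_total = 0.0     # simulated tarpit seconds for this session

    def listed(self):
        return (self.peer_ip in TEMPFAIL_IPS or self.peer_ip in BLACKLIST_IPS
                or self.trapped)

    def _reply(self, text):
        if self.listed():
            self.delay_total += TARPIT_DELAY   # time.sleep(TARPIT_DELAY) in a real server
        return text

    def greet(self):
        return self._reply("220 mx.example ESMTP")

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self._reply("250 mx.example")
        if verb == "RSET":
            self.sender, self.rcpts = None, []
            return self._reply("250 OK")
        if verb == "QUIT":
            return self._reply("221 Bye")
        if verb == "MAIL":
            path = parse_path(arg, "FROM")
            if path is None:
                return self._reply("501 Syntax error in MAIL FROM")
            if self.peer_ip in TEMPFAIL_IPS:
                # Tempfail: a conforming MTA queues the message and retries later.
                return self._reply("450 4.7.1 Try again later")
            self.sender = path
            return self._reply("250 OK")
        if verb == "RCPT":
            if self.sender is None:
                return self._reply("503 Need MAIL FROM first")
            path = parse_path(arg, "TO")
            if path is None:
                return self._reply("501 Syntax error in RCPT TO")
            if self.peer_ip in BLACKLIST_IPS or self.trapped:
                return self._reply("550 5.7.1 Source address blacklisted")
            if path[1] == SPAMTRAP_DOMAIN:
                self.trapped = True        # list the peer for the rest of the session
                return self._reply("550 5.1.1 No such user")
            self.rcpts.append(path)
            return self._reply("250 OK")
        if verb == "DATA":
            if not self.rcpts:
                return self._reply("503 No valid recipients")
            return self._reply("354 End data with <CR><LF>.<CR><LF>")
        return self._reply("500 Command not recognized")


def run_session(peer_ip, commands):
    """Replay client commands; return ([(command, reply), ...], tarpit seconds)."""
    session = SmtpSession(peer_ip)
    transcript = [("<connect>", session.greet())]
    for cmd in commands:
        transcript.append((cmd, session.handle(cmd)))
    return transcript, session.delay_total


# Commands from the posted log (EHLO, MAIL FROM, RSET), sent by 64.70.49.71.
LOGGED_SESSION = ["EHLO outbound61.flipsidenewsletter.com",
                  "MAIL FROM:<r65u7t@searchfordiscounts.com>", "RSET"]
# Constructed session: an unlisted peer that hits the spam-trap domain.
TRAP_SESSION = ["EHLO relay.example.net", "MAIL FROM:<bulk@example.net>",
                "RCPT TO:<anyone@unused.example>", "RCPT TO:<real@mx.example>", "QUIT"]

if __name__ == "__main__":
    for ip, cmds in (("64.70.49.71", LOGGED_SESSION), ("203.0.113.5", TRAP_SESSION)):
        transcript, delay = run_session(ip, cmds)
        for cmd, reply in transcript:
            print("%-44s -> %s" % (cmd, reply))
        print("simulated tarpit delay: %.0f s\n" % delay)
```

Run as-is it prints the two transcripts: the logged peer is greeted, gets its EHLO accepted, is deferred at MAIL FROM with a 450 and spends 40 simulated seconds across four replies, while the unlisted peer is served normally until its RCPT TO hits the trap domain, after which every further recipient gets the blacklist 550 and every reply is delayed. Keeping the tarpit as a counted delay makes the policy testable; a production server would sleep in `_reply` and also cap concurrent listed sessions, since, as noted above, the tarpit ties up your resources too.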

       
      • Wayne McDougall

        Wayne McDougall - 2003-09-24

        Ok. You are vicious. Glad you are on my side.

        Two points of clarification requested:

        1. Do you want this "attack mode" to apply to IPs you have explicitly identified as such (i.e. a category above blacklisting), or do you want it to attack on an invalid RCPT TO (a spam trap) or some other criteria, AS WELL?

        2. Do you want your random binary response strings to go back to ANY SMTP command (once the bogey ahs been identified) or only after a RCPT TO? Do we send our 220 Greeting as a massive string, if an attack-listed IP connects?

         
    • Brian

      Brian - 2003-09-24

      1. I think listing by spamtrap address is probably the best way to do it for my requirements. Others may disagree.

      2. I say hit em hard and early...start sending garbage the moment they connect!

       
    • Brian

      Brian - 2004-02-07

      Did this feature ever get added? I didn't see anything in the changelogs.

      Same spammer is still hitting me months later. I'd love to try this out!

       
