Dummy SMTP - Opinions required - New feature?
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6323
Printed Date: 05 February 2025 at 5:02pm
Topic: Dummy SMTP - Opinions required - New feature?
Posted By: ImInAfrica
Subject: Dummy SMTP - Opinions required - New feature?
Date Posted: 08 December 2007 at 5:14pm
Hi all, We've been experimenting with a dummy smtp server. A dummy smtp server is software which accepts SMTP connections, but never completes the communication. Ours drops the connection after the DATA command.
Basically, I set up an MX 99 on some of our domains (same server as SF, different IP address), and started running the program. Within minutes I started getting connections on it, so much so that within 24 hours we've had over 4000 connections (all verified as spam) to just 8 domains. That's an average of 500 messages per domain.
The software we have is somewhat buggy, probably slow, and isn't as resource considerate as SF.
I'd like to know what the people around here think about this as a spam 'fighting' technique, and maybe Roberto can release a stripped down version of SF purely for dummy smtp connections?
Regards Amir
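The behaviour Amir describes, as an added illustration that is not code from this thread or from SpamFilter ISP: a minimal SMTP trap that greets the client, accepts HELO/MAIL/RCPT for any domain, and then closes the socket when DATA arrives without ever answering 354, so no message body is received and the connecting IP is recorded. The class and function names (SmtpTrap, run_session, serve), the port and the log file name are assumptions.

```python
"""Minimal SMTP trap that drops the connection at the DATA command (added example)."""
import socket
import threading
from datetime import datetime, timezone

DROP = None  # sentinel: close the connection without sending a reply


class SmtpTrap:
    """Per-connection SMTP state machine; handle_line() returns the reply or DROP."""

    def __init__(self, client_ip, hostname="trap.example.invalid"):
        self.client_ip = client_ip
        self.hostname = hostname
        self.sender = None
        self.recipients = []
        self.dropped = False

    def greeting(self):
        return f"220 {self.hostname} ESMTP"

    def handle_line(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            self.recipients.append(arg.partition(":")[2].strip())
            return "250 OK"  # accept every recipient for every domain, like "*" in Allowed Domains
        if verb == "DATA":
            # Never answer 354: the session ends here, so no body is ever accepted.
            self.dropped = True
            return DROP
        if verb == "QUIT":
            return "221 Bye"
        if verb in ("RSET", "NOOP"):
            return "250 OK"
        return "500 Command not recognised"


def run_session(client_ip, lines):
    """Drive one trap with a scripted client; returns (replies, record) for testing."""
    trap = SmtpTrap(client_ip)
    replies = [trap.greeting()]
    for line in lines:
        reply = trap.handle_line(line)
        if reply is DROP:
            break
        replies.append(reply)
    record = {"ip": client_ip, "sender": trap.sender,
              "recipients": trap.recipients, "dropped": trap.dropped}
    return replies, record


def serve(bind="0.0.0.0", port=2525, log_path="honeypot_ips.txt"):
    """Socket server around the same state machine; one thread per client."""
    def client(conn, addr):
        trap = SmtpTrap(addr[0])
        f = conn.makefile("rwb")
        try:
            f.write((trap.greeting() + "\r\n").encode()); f.flush()
            for raw in f:
                reply = trap.handle_line(raw.decode(errors="replace"))
                if reply is DROP:
                    break
                f.write((reply + "\r\n").encode()); f.flush()
                if reply.startswith("221"):
                    break
        finally:
            if trap.dropped:  # only sessions that reached DATA are logged
                with open(log_path, "a") as fh:
                    fh.write(f"{datetime.now(timezone.utc).isoformat()} {addr[0]} "
                             f"{trap.sender} {','.join(trap.recipients)}\n")
            conn.close()

    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(64)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the trap only logs sessions that reach DATA, a legitimate relay that retries later (after its lower-preference MX hosts come back) costs nothing but a reconnect, which is the point Amir makes later in the thread about real servers retrying while spammers do not.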
Replies:
Posted By: LogSat
Date Posted: 08 December 2007 at 5:53pm
Amir,
You could configure another SpamFilter with a keyword filter containing a wildcard or just one letter (with the ::NULL option so that emails are not processed and just dropped), so that all incoming emails are spam. The IP would be reported to the SFDB, and would thus contribute in assigning it a negative rank (one single report is not enough to mark it as blacklisted, but it may help). You could also add a honeypot email with a wildcard (ex. *@mydomain.com) so that all attempts would cause the IP to fall in the honeypot and you could build yourself a list of IPs to locally blacklist.
Licensing-wise, if you install the second instance of SpamFilter on the same server running your primary SpamFilter, you will be within the licensing terms, as we only require a license for the server where you install SpamFilter. You can run as many instances as you wish on it (by "server" in a virtual (VMWARE..) environment, we then mean a virtual guest server). We require
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
Posted By: dcook
Date Posted: 11 December 2007 at 11:31am
OK, this may be a dumb question ... If one configures the honeypot as described, how would you get a list of the IP's captured. Are they in a file or do I have to get them from the log?
Thanks!
------------- Dwight www.vividmix.com
Posted By: jerbo128
Date Posted: 11 December 2007 at 11:54am
Dcook-
The ip's are saved to a text file that you specify in SpamFilter.
I setup my dummy instance so that almost all filters are not running such as maps, surbl, bayes, etc to save resources. I added a * to allowed domains and to the honeypot email address list. So essentially, it is acting like an open relay (by accepting mail for all domains) but since it never completes the transaction - it is not a security risk.
I was amazed at how fast spammers started sending mail. Nothing like harvesting spammer ips.
Roberto -
Do you see a benefit either way to using keyword filter as you described above versus using the honeypot like I am doing? If one is using the keyword filter - will a *::null:honeypot setup work?
Jeremy
Posted By: LogSat
Date Posted: 11 December 2007 at 10:02pm
Jeremy,
The issue we see is a potential waste of bandwidth. If you have a * in the Allowed Domains, SpamFilter will accept *all* emails and will behave as an open relay. While it's true that the "null" option will cause all emails to be sent to la-la land, to the remote sender the email will appear as having been sent successfully. But this also means that the sender is actually sending the entire content of the email, and will continue to send multiple emails, as to them they are all being delivered. But if you have bandwidth to spare, it's not an issue (actually, you're doing the world a favor as spammers think you're a good open relay when in fact, no emails are being delivered....!)
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
Posted By: WebGuyz
Date Posted: 12 December 2007 at 12:49am
Roberto,
What if you're adding all the IP's to the blacklist of the machine you're using for the spam trap? Eventually, as more and more IP's are harvested and added to that local SF copy, less and less traffic will get thru as the entire email will no longer be sent. Or am I missing something in this scenario?
------------- http://www.webguyz.net
Posted By: dcook
Date Posted: 12 December 2007 at 10:28am
In my setup the IP's are not being saved to a file although the file is specified. Is there an ini variable I must set?
I have been parsing the logs to get the IP's -- it's an effort.
------------- Dwight www.vividmix.com
Posted By: dcook
Date Posted: 12 December 2007 at 10:31am
I just set the BL_HoneypotBlockedIPsFileName variable in the filters.ini -- I'll give that a whirl.
------------- Dwight www.vividmix.com
Posted By: ImInAfrica
Date Posted: 12 December 2007 at 5:21pm
Roberto,
your suggestion to use SF as it is at the moment is good, however a few problems may come up.
We've discovered that some list servers actually send 'good' emails to the high number mx record (I think this is by design but am not 100% sure).
if we run this with your suggestion then the email is lost, to 'la la land', whereas with my original suggestion the dummy smtp actually drops the connection a couple of seconds after the DATA command is issued. in other words the SMTP conversation is never completed.
the bottom line effect is:
- Spammer don't care, as they don't monitor the conversation.
- Real SMTP servers will try to resend, and will eventually give up this MX record and try another. at least they should.
we are only testing this on 8 of our domains out of over 500.
it's working really nicely so far. of course we don't have any of the functionality of SF which we've become so used to like the connection lists, blacklisting of the ip's etc.
by the way, we don't have any allowed/disallowed lists. we accept ALL connections, and drop them after the data command.
Amir
Posted By: dcook
Date Posted: 12 December 2007 at 5:29pm
I am testing a spamfilter running WITHOUT any MX records. The spammers found it in minutes. Also I have placed a wildcard in the honeypot field, allowed domains and recipients.
I am using the IP's collected from the honeypot to populate the BL_IPs on the production spamfilter, and locally on the honeypot SF to kill future connections quickly.
Any comments appreciated. Still testing here.
------------- Dwight www.vividmix.com
Posted By: WebGuyz
Date Posted: 12 December 2007 at 6:50pm
dcook,
Do you have an A record named mail for each of these domains? How do they (spammers) know which IP to send mail to without an MX record?
------------- http://www.webguyz.net
Posted By: jerbo128
Date Posted: 12 December 2007 at 9:45pm
I added 10 domains to my dummy smtp. Now, 24 hours later, I have 30,000 ip's in my honeypot list.
I feel like I am taking candy from a baby. Those stupid idiots :-)
I love it
Jeremy
Posted By: WebGuyz
Date Posted: 12 December 2007 at 10:10pm
jerbo128 wrote:
I added 10 domains to my dummy smtp. Now, 24 hours later, I have 30,000 ip's in my honeypot list.
I feel like I am taking candy from a baby. Those stupid idiots :-)
How can you be sure that they are all spammers IP?
Do the RFC's specify that all servers look for the lowest MX record first and keep incrementing if they can't find them? I keep thinking there has to be a gotcha in doing this. Sounds too simple ;-)
Anyone out there able to definitively say that valid mail traffic always tries the lowest MX record and then next highest?
Thanks!
------------- http://www.webguyz.net
Posted By: jerbo128
Date Posted: 12 December 2007 at 11:04pm
I believe you are looking for RFC 2821:
"Multiple MX records contain a preference indication that MUST be used in sorting (see below). Lower numbers are more preferred than higher ones. If there are multiple destinations with the same preference and there is no clear reason to favor one (e.g., by recognition of an easily-reached address), then the sender-SMTP MUST randomize them to spread the load across multiple mail exchangers for a specific organization."
So I read that lower number must be tried first, working up the list. Anyone else?
As for knowing that they are all spammers... I have been keeping a very close eye on them for any false ip's. So far - None.
Jeremy
Posted By: LogSat
Date Posted: 12 December 2007 at 11:13pm
jerbo128 is absolutely correct. The RFC2821 does not *suggest* that lower preference MX records *should* be used. It is instead very clear and *requires* that the lowest MX records be used first (if they are online...). Any application that does not follow this rule is in violation of the RFCs. If there's a listserver that doesn't follow the standard, it has a bug :-) and it should be reported.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
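The MX selection rule quoted from RFC 2821 above, worked through as an added example (not code from this thread or from SpamFilter ISP): records are sorted by preference, hosts sharing a preference are shuffled, and a sender walks the list until one host accepts the connection. The helper also answers Desperado's later worry in this thread: a trap at MX 99 only receives mail from a compliant sender when every lower-preference host is unreachable at that moment, which is exactly what a greylisting disconnect on the primaries looks like to the sender. Function names and the sample records are assumptions.

```python
"""MX ordering per RFC 2821 section 5 and when a high-preference trap gets mail (added example)."""
import random

# Constructed sample: two primaries at preference 10 and a trap at 99.
SAMPLE_MX = [
    ("mx2.example.invalid", 10),
    ("trap.example.invalid", 99),
    ("mx1.example.invalid", 10),
]


def order_mx(records, seed=None):
    """Sort (host, preference) pairs by preference; randomise ties as the RFC requires."""
    rng = random.Random(seed)
    by_pref = {}
    for host, pref in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):           # lowest preference value first
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)                 # spread load across equal-preference hosts
        ordered.extend((h, pref) for h in hosts)
    return ordered


def pick_delivery_host(records, is_reachable, seed=None):
    """Return the first reachable (host, preference) in RFC order, or None if all fail."""
    for host, pref in order_mx(records, seed):
        if is_reachable(host):
            return host, pref
    return None


def trap_exposure(records, trap_host, is_reachable, seed=None):
    """True only when a compliant sender would hand the message to the trap right now."""
    chosen = pick_delivery_host(records, is_reachable, seed)
    return chosen is not None and chosen[0] == trap_host


if __name__ == "__main__":
    # Primaries up: the trap is never chosen.
    print(pick_delivery_host(SAMPLE_MX, lambda h: h != "trap.example.invalid", seed=1))
    # Primaries greylisting/disconnecting: the trap is next in line.
    print(trap_exposure(SAMPLE_MX, "trap.example.invalid",
                        lambda h: h == "trap.example.invalid", seed=1))
```

The `is_reachable` callback stands in for a real connection attempt; in production it is the outcome of the sender's TCP connect and greeting, so anything that makes the primaries look down (an outage, or a greylisting implementation that disconnects instead of returning a 4xx) pushes compliant senders to the trap.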
Posted By: Desperado
Date Posted: 13 December 2007 at 1:29pm
OK Guys ... I joined the bandwagon and set up a test with allowed domains "*" and HoneyPotEmails as "*" . 10 min after adding an MX record I had a list of 150 IP's. I am seeing the additions in the SFDB. My only worry is if valid mail violates the RFC, the SFDB may become polluted. Also, and this is VERY IMPORTANT, this will only work well if there is no chance that all the lower numbered MX servers are down at the same time. If this happens then external mail servers should send to the "trap" server. Many mail servers (mine included) cache the last server used for outbound mail and this could cause false additions to the IP black list and the SFDB if the primary servers are busy.
THOUGHTS?
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
Posted By: dcook
Date Posted: 13 December 2007 at 2:34pm
Dan,
You may want to try the setup with no MX records pointing to the honeypot spamfilter. I did and still get email.
------------- Dwight www.vividmix.com
Posted By: WebGuyz
Date Posted: 13 December 2007 at 5:11pm
dcook wrote:
Dan,
You may want to try the setup with no MX records pointing to the honeypot spamfilter. I did and still get email.
Still trying to understand how that can be. If you had a domain name acme.com and put it on the spam trap, how would a spammer know to send email to user xxx@acme.com at your ip address?
Thanks!
------------- http://www.webguyz.net
Posted By: Stupid
Date Posted: 13 December 2007 at 5:16pm
is it possible for you guys to share the list of the IPs?
Posted By: jerbo128
Date Posted: 13 December 2007 at 5:28pm
Stupid - I can share my list.
email me - jerbo128 - hotmail
Webguyz - I have found that spammers will try to send to almost every host that they can find. www, mail, ns0, etc.
In the 2nd 24 hours of running this, I have collected another 40K ip's.
Jeremy
Posted By: WebGuyz
Date Posted: 13 December 2007 at 5:36pm
jerbo128 wrote:
Webguyz - I have found that spammers will try to send to almost every host that they can find. www, mail, ns0, etc.
In the 2nd 24 hours of running this, I have collected another 40K ip's.
Jeremy
Aha, so they are just trying all the A records.
I would be interested in your list but since I'm doing per domain filtering and have close to 400 domains and even if I did script it that would be 160 million new entries in my DB.
Roberto,
We really need some way to share common blacklists for those doing SFE with per domain filtering. This idea looks good, however the duplication of all that data in SFE really stinks.
------------- http://www.webguyz.net
Posted By: dcook
Date Posted: 13 December 2007 at 5:41pm
No MX records -- that's the whole point to me. Spammers are constantly fishing. If you take an unused IP and use that to install your spamfilter with NO MX records. The spammers will scan or probe your network and start sending email to the IP. I had 150 emails sent to my install in 30 minutes.
I believe that no good email should go to an IP without an MX record!! So to me it's a great lure.
------------- Dwight www.vividmix.com
Posted By: WebGuyz
Date Posted: 13 December 2007 at 5:58pm
dcook wrote:
I believe that no good email should go to an IP without an MX record!! So to me it's a great lure.
I agree. Maybe I can script something for my firewall and add all these spammer IP's on port 25 there. Unless of course, Roberto finds a way to share common blacklists in SFE and then I won't have to.
------------- http://www.webguyz.net
Posted By: Desperado
Date Posted: 14 December 2007 at 12:10pm
My 2 cents AGAIN. The SFDB is sorta sharing black-lists depending on how aggressive your settings are. Also, one of us could set up a dnsbl with IP security on access but when I did that, it became too much work to maintain accurately and ended up worse than SORBS. So ... I have no answer except that I am willing to host a "registered user only" dnsbl if someone else wants to maintain it.
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
Posted By: dcook
Date Posted: 14 December 2007 at 12:20pm
I also went through the process of setting up a local dnsrbl but it was a handful. I understand your concern about the task of managing it.
I also am concerned about pollution of the spamfilter SFDB shared list. We all need to be careful with our configurations and experiments. Like you, Dan, we host many clients with different kinds of businesses. I walk a bleeding edge of keeping the filters catching most of the spam but still allowing good email through. It's hard to walk the line.
------------- Dwight www.vividmix.com
Posted By: jerbo128
Date Posted: 14 December 2007 at 12:28pm
I too would be happy to host a copy of a dnsbl zone. But I do not have the time to manage it either. Seems to be the running word of the day!
Jeremy
Posted By: LogSat
Date Posted: 15 December 2007 at 9:52am
We're following this thread to see if we're needed, but so far everyone is doing great in experimenting :-) As a side-note, the SFDB is very resilient to false positives. We only blacklist IPs if we receive multiple reports about an IP, all made from different SpamFilter installations. If some of you incorrectly report an IP due to an incorrect honeypot entry, this practically will not influence the SFDB, as it's just a single report.
Now if many of you make the same mistake by reporting the same IP that is being blocked by a honeypot entry, chances are that, since all of you then received the same emails from that IP within a few minutes, again chances are that the email is actually indeed spam as you all received. If it's a newsletter or an email notification with large scopes (for example the Microsoft Updates Security notifications), the IP addresses of these legitimate senders should be already listed in a whitelist of approved senders we use within the SFDB, so the risk of causing false positives should be very low.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
Posted By: WebGuyz
Date Posted: 15 December 2007 at 10:41am
Desperado wrote:
... Also, and this is VERY IMPORTANT, this will only work well if there is no chance that all the lower numbered MX servers are down at the same time. If this happens then external mail servers should send to the "trap" server. ...
THOUGHTS?
This worried me as well. I'm going to implement a spamtrap and will write an asp script to ping my 2 valid SFE's (both MX 10) once a minute and if both are down then shutdown the spamtrap SF service. Would cause havoc to have valid traffic start hitting the spamtrap.
------------- http://www.webguyz.net
Posted By: WebGuyz
Date Posted: 15 December 2007 at 11:15am
jerbo128 wrote:
I too would be happy to host a copy of a dnsbl zone. But I do not have the time to manage it either. Seems to be the running word of the day!
Jeremy
I'm thinking a shared RBL would skew the SFDB. I like the idea of a large number of us SFE users who have a lot of email traffic/spam implementing this and feeding it back to the SFDB. That way you could harvest the IP's for use locally, but also have a more robust SFDB because every one of us would only be harvesting ip's destined for our domains.
Roberto, maybe you could consider this as a future option in SFE where you have a spamtrap filter choice in SFE using a unique IP (different than valid traffic) which we could use to setup our DNS records with a high MX value. Would save me the trouble of having to write a script to ping my SFE's to see if they were up.
------------- http://www.webguyz.net
Posted By: dcook
Date Posted: 26 December 2007 at 9:15am
I wanted to touch base and see how the dummy smtp with MX value of 99 fared over the Christmas holiday. This looks very promising and I'd like to keep us talking.
We tried publishing the MX record of our dummy smtp as MX 99 on a few domains that get the most spam. I determined our spam by domain ranking with an sql query on the quarantine. The amount of single IP blacklists really grew over the holiday. I am sorting the list by IP and converting some of the entries to a whole class C if warranted, but it is a heap of addresses.
How are your tests running?
------------- Dwight www.vividmix.com
Posted By: jerbo128
Date Posted: 26 December 2007 at 5:09pm
I have over 200K from the harvest alone. That is less than a week's worth. I too need to go through and remove a lot of singles and replace them with Class C entries.
I have shut down my "harvester" for the time being so that I can watch the new beta. In case the beta screws up bad, I don't want a lot of good mail going to the harvester. Let me know if you want to swap IP blacklists.
Jeremy
Posted By: ImInAfrica
Date Posted: 26 December 2007 at 5:43pm
Dwight,
> I determined our spam by domain ranking with an sql query on the quarantine.
Can you post or PM me your sql query you refer to?
Thanks Amir
Posted By: Desperado
Date Posted: 27 December 2007 at 1:17pm
Dwight,
I actually took mine off-line due to the following: I am testing using the Greylist option and many servers initially see the greylisting action (disconnect) as a non-responsive server and pushed up the "food chain" until they hit my dummy SMTP server and then got black-listed. This was compounded by the scripting I wrote to auto-add the IP's to my dnsbl server. This caused a huge amount of good servers to suddenly be black-listed by our own server and that just ended up s%*king ... big time. Up to that point, I had nearly 500,000 IP in my dnsbl with no false positives.
I need to re-think how to utilize the "spam ip harvester" as I have been calling it.
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
Posted By: dcook
Date Posted: 27 December 2007 at 1:26pm
Thanks for the reply. I was afraid of my MX (99) being pushed up the chain. I was also concerned about the number of individual IP addresses captured. I also have taken mine off line and have removed all MX records pointing to the dummy install.
I do have an A record for the dummy server so that it has a reverse address. I will see how many people fish for a port 25 server and capture those IP's. There are still a lot of fishermen searching networks for mail servers.
But let's keep thinking and discussing the issue on this thread.
------------- Dwight www.vividmix.com
Posted By: ImInAfrica
Date Posted: 31 December 2007 at 5:35am
To all that have been using some sort of harvesting method using SF. I think you may have missed the original point (and in the process made a very good one as well).
The original idea was to create a high number MX record, point it to a dummy smtp that will disconnect the session before it is completed. Spammers WILL NOT try to resend the message, while 'real' smtp servers will retry based on their setup.
This way, even if your spamfilters are down, real emails will not be lost. I quite like the idea of harvesting the ip's although my initial main concern was to reduce the load on the secondary MX record.
Happy New Year to everyone!
Posted By: IKILLSPAM1
Date Posted: 03 January 2008 at 11:37am
I setup my dummy smtp with the * in local domains and in honeypots. I also have had the other honeypot setup on my primary mailserver which has email addresses that when emailed, the senders ip gets added to a file.
So I let my dummy smtp run for awhile. Then after around 4000 ips harvested, I took those and the 65,000 that were in the other honeypot and combined them. Brought them into MS Access table and then ran some queries to grab the highest offending Class Cs. I ended up taking any Class Cs with more than 11 IPs in my file, and exporting them to a new txt file. I then took those and added them to the local ip blacklist. I ended up adding 90 Class Cs.
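The consolidation step that Dwight, Jeremy and IKILLSPAM1 each describe doing by hand or in MS Access (sort the harvested IPs, collapse a Class C into one entry once enough hosts from it show up, keep the rest as singles), as an added example that is not code from this thread or from SpamFilter ISP. It reads a one-address-per-line list like the honeypot file, tolerates blank, comment and "ip timestamp" lines, counts distinct hosts per /24 and emits a CIDR for any /24 with more than the cut-off (IKILLSPAM1's 11). The sample list is constructed and the function names are assumptions.

```python
"""Collapse a harvested honeypot IP list into /24 blocks where warranted (added example)."""
import ipaddress
from collections import defaultdict

THRESHOLD = 11  # more than this many distinct hosts in a /24 => block the whole /24

# Constructed sample input: 12 hosts from one /24, two from another, plus junk lines.
SAMPLE_LIST = "\n".join(
    [f"203.0.113.{i}" for i in range(1, 13)]
    + ["198.51.100.5", "198.51.100.9 2007-12-13T17:28:00Z", "# comment", "not-an-ip", "198.51.100.5"]
)


def parse_ips(text):
    """Return the set of distinct valid IPv4 addresses, ignoring blanks, comments and junk."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token = line.split()[0]  # tolerate "ip <timestamp>" style log lines
        try:
            seen.add(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue
    return seen


def group_by_slash24(ips):
    """Map each /24 network to the set of harvested hosts inside it."""
    groups = defaultdict(set)
    for ip in ips:
        groups[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    return groups


def consolidate(text, threshold=THRESHOLD):
    """Return (blocks, singles): /24 networks over the threshold, and the remaining single IPs."""
    groups = group_by_slash24(parse_ips(text))
    blocks, singles = [], []
    for net, members in groups.items():
        if len(members) > threshold:
            blocks.append(net)
        else:
            singles.extend(members)
    return sorted(blocks), sorted(singles)


def render(blocks, singles):
    """One blacklist entry per line: CIDR blocks first, then single addresses."""
    return [str(n) for n in blocks] + [str(ip) for ip in singles]


if __name__ == "__main__":
    blocks, singles = consolidate(SAMPLE_LIST)
    print("\n".join(render(blocks, singles)))
```

Raising `threshold` makes the list longer but safer; a /24 that contains a shared hosting provider or a mail relay farm will also contain legitimate senders, so before exporting a block it is worth checking the whois and reverse DNS of a few members, as the thread's own experience with greylisted primaries shows how quickly a harvested list can pick up good servers.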
Posted By: WebGuyz
Date Posted: 06 January 2008 at 9:36pm
Stopped using my spamtrap because of the greylisting in the new beta.
Very impressive 1st day numbers using the beta where 90% of the traffic I would normally have had to filter was stopped by the greylisting. My SFE's are not working anywhere as hard as they were before which is a great improvement.
------------- http://www.webguyz.net
Posted By: dcook
Date Posted: 07 January 2008 at 9:44am
I am running the latest pre-release version, "SF3.5.4.730." I have seen the discussions about greylisting but have not seen that feature offered as of yet in the registered downloads area.
------------- Dwight www.vividmix.com
Posted By: WebGuyz
Date Posted: 07 January 2008 at 2:51pm
Shoot an email to support@logsat.com and Roberto will give you the link.
------------- http://www.webguyz.net