OSEC

Subject: Re: Spam Deferred Trick
From: Brad Knowles (blkskynet.be)
Date: Wed Oct 11 2000 - 11:46:24 CDT


At 6:40 PM -0700 2000/10/10, Big Brother wrote:

> Is any of this possible? It's a stock setup of postfix, maybe I just
> need some tweaks here and there...

        One of the key things that kept AOL alive during the worst of the
early period of the first waves of junkmail attacks was the
bounce-handling system we developed. If a mail message couldn't be
delivered to an AOL user, the bounce of that message got passed to a
separate system.

        If a particular envelope sender address caused too many bounces
in too short a period of time, then that address was added to the
list that our inbound mail servers would not accept connections from
and then that list was pushed out to the inbound mail servers,
rebuilt on each of them, and then sendmail was stopped and restarted.

        Unfortunately, what this resulted in was that junkmailers would
very frequently change the envelope sender address of the garbage
they were sending out, thus ensuring that they always stayed under
the radar of our automatic bounce handling system.

        Of course, you could adapt the system to handle envelope sender
domains instead of entire envelope sender addresses, but what if they
were claiming to be <some garbage string>@hotmail.com? Would you
really want to block hotmail in that case? It would be more
effective to change the system to block based on the IP address of
the sending relay, but that had not been done as of the time I left.

        I can tell you based on personal experience that you don't want
to block sites such as certain popular sources of customized e-mail
content (e.g., Mercury Mail/Infobeat).

        What you really need for a proper automatic bounce
handling/junkmail detection system is to have a statistical sample
taken over a long period of time that would tell you what the
"normal" traffic pattern is between some particular domain and your
site, what the "normal" growth is over time, and how the current
traffic pattern deviates from that normal pattern.

        Then you only take action if an extreme threshold is exceeded (or
maybe a pair of extreme thresholds, such as x% over normal *plus* a
certain minimum total number of bounced messages).

        Of course, I'm not aware of anyone else ever doing anything like
any of the above, but I'd love to hear about it if you should happen
to run across something.

--
   These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles, <blkskynet.be>                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.
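The two designs Brad describes above (the per-envelope-sender bounce counter that junkmailers defeated by rotating MAIL FROM, the suggested block on the sending relay's IP instead, and the baseline-plus-pair-of-thresholds scheme he sketches at the end) are worked through below as an added example; this is not code from the original mail, and not AOL's or Skynet's bounce handler. The bounce records, relay addresses, daily history figures and threshold values are all constructed for illustration.

```python
"""Bounce-driven junkmail blocking, two ways: a sliding-window counter keyed
on an attribute of the bounce, and a per-domain baseline detector that only
fires when both a relative and an absolute threshold are exceeded.
Added example; all data below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Bounce:
    t: float        # arrival time of the bounce, in seconds (constructed)
    sender: str     # envelope sender (MAIL FROM) of the message that bounced
    relay_ip: str   # IP address of the relay that handed us the original message


class SlidingWindowBlocker:
    """Block a key once it causes more than `limit` bounces within `window`
    seconds. `key` chooses what gets counted: sender address, or relay IP."""

    def __init__(self, window: float, limit: int, key: Callable[[Bounce], str]):
        self.window, self.limit, self.key = window, limit, key
        self.events: Dict[str, deque] = defaultdict(deque)  # key -> timestamps
        self.blocked = set()

    def observe(self, b: Bounce) -> bool:
        k = self.key(b)
        q = self.events[k]
        q.append(b.t)
        while q and q[0] < b.t - self.window:  # age out events past the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(k)
        return k in self.blocked


class BaselineDetector:
    """Flag a domain only if today's bounce count is more than `pct_over`
    percent above its historical daily average AND at least `min_total`.
    The second test stops a domain with a near-zero baseline from being
    flagged by a handful of bounces (an enormous percentage of nothing)."""

    def __init__(self, history: Dict[str, List[int]], pct_over: float, min_total: int):
        self.baseline = {d: sum(v) / len(v) for d, v in history.items()}
        self.pct_over, self.min_total = pct_over, min_total

    def flag(self, domain: str, today: int) -> bool:
        normal = self.baseline.get(domain, 0.0)
        return today >= self.min_total and today > normal * (1 + self.pct_over / 100)


# Constructed bounce stream: one junkmailer relay that rotates MAIL FROM on
# every message, plus a legitimate list host with a slow trickle of bounces.
BOUNCES = [Bounce(t=i, sender=f"u{i}@junk.example", relay_ip="192.0.2.10")
           for i in range(20)]
BOUNCES += [Bounce(t=i * 30, sender="news@list.example", relay_ip="198.51.100.5")
            for i in range(5)]
BOUNCES.sort(key=lambda b: b.t)


def run_sender_blocker(window: float = 60, limit: int = 5) -> List[str]:
    """Key on envelope sender: the rotating junkmailer never trips the limit."""
    blk = SlidingWindowBlocker(window, limit, key=lambda b: b.sender)
    for b in BOUNCES:
        blk.observe(b)
    return sorted(blk.blocked)


def run_relay_blocker(window: float = 60, limit: int = 5) -> List[str]:
    """Key on relay IP: the same stream now blocks the junkmailer's relay only."""
    blk = SlidingWindowBlocker(window, limit, key=lambda b: b.relay_ip)
    for b in BOUNCES:
        blk.observe(b)
    return sorted(blk.blocked)


# Constructed history: daily bounce counts per sender domain over a week.
HISTORY = {
    "freemail.example": [400, 420, 390, 410, 430, 405, 395],  # large provider, noisy
    "newsletter.example": [80, 85, 90, 88, 82, 86, 84],       # steady list traffic
    "junk.example": [0, 0, 0, 0, 0, 0, 0],                    # never seen before
}


def run_baseline(pct_over: float = 50.0, min_total: int = 100) -> Dict[str, bool]:
    """Today's (constructed) counts against the weekly baseline."""
    det = BaselineDetector(HISTORY, pct_over, min_total)
    today = {"freemail.example": 450, "newsletter.example": 180, "junk.example": 20}
    return {d: det.flag(d, n) for d, n in today.items()}


if __name__ == "__main__":
    print("blocked by sender:", run_sender_blocker())   # []
    print("blocked by relay: ", run_relay_blocker())    # ['192.0.2.10']
    print("baseline flags:   ", run_baseline())
```

Keyed on sender, every junk bounce lands under a fresh address and nothing is ever blocked; keyed on relay IP the same stream blocks 192.0.2.10 after its sixth bounce in the window while the list host, with three bounces per minute at most, stays clear. In the baseline run only newsletter.example is flagged: it is well over twice its normal daily count and above the absolute floor, whereas freemail.example's 450 is within 50% of its 407-a-day average, and junk.example's 20 bounces, though infinitely above a zero baseline, fall below the minimum total, which is exactly why Brad suggests a pair of thresholds rather than a percentage alone. Whether to act on a flag, and whether the thing blocked is an address, a domain or a relay, remains a policy decision; the detector only surfaces the deviation.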