spamd rocks

[graudeejs]

Recelnty I had one very annoying spammer, that I noticed and blocked.
Few days ago 5 days ago, I tuned my firewall rules, and instead of blocking this spammer, I made him wast time with spamd (I did however manually blacklist him)

In these 5 days, he wasted 40 hours trying to send me his spam.

# grep '117.102.215.140: disconnected after' spamd.log | awk 'BEGIN {X=0}  { X=X+$9} END {print X/3600}'
39.8236

I feel so good.... I wonder if he received any UNDELIVERED MAIL messages


Here's small part of log:

Dec 25 04:48:55 root spamd[8560]: 117.102.215.140: connected (2/2), lists: my_blacklist
Dec 25 04:48:56 root spamd[8560]: 117.102.215.140: [red]disconnected after 364 seconds[/red]. lists: my_blacklist
Dec 25 04:52:35 root spamd[8560]: (BLACK) 117.102.215.140: <melma@faith-h.net> -> <aldis@bsdroot.lv>
Dec 25 04:54:20 root spamd[8560]: 117.102.215.140: From: =?iso-2022-jp?B?GyRCJVUlJyUkJTlBbTgmISE+LkFSOS0lYSVrJV4lLBsoQg==?=
Dec 25 04:54:20 root spamd[8560]: 117.102.215.140: To: me@example.com
Dec 25 04:54:20 root spamd[8560]: 117.102.215.140: Subject: =?iso-2022-jp?B?GyRCP00kSEFIPyUkTkc6JF8lMyVpJWAbKEIgVm9sLjUwNRskQiFYGyhCIldoZW4geW91IHdpc2ggdXBvbiBhIHN0YXIiIBskQkAxJEs0aiQkJHIhWRsoQg==?=
Dec 25 04:54:56 root spamd[8560]: 117.102.215.140: connected (2/2), lists: my_blacklist
Dec 25 04:54:57 root spamd[8560]: 117.102.215.140: [red]disconnected after 362 seconds[/red]. lists: my_blacklist
Dec 25 04:58:39 root spamd[8560]: (BLACK) 117.102.215.140: <melma@faith-h.net> -> <aldis@bsdroot.lv>
Dec 25 05:00:24 root spamd[8560]: 117.102.215.140: From: =?iso-2022-jp?B?GyRCJVUlJyUkJTlBbTgmISE+LkFSOS0lYSVrJV4lLBsoQg==?=
Dec 25 05:00:24 root spamd[8560]: 117.102.215.140: To: me@example.com
Dec 25 05:00:24 root spamd[8560]: 117.102.215.140: Subject: =?iso-2022-jp?B?GyRCP00kSEFIPyUkTkc6JF8lMyVpJWAbKEIgVm9sLjUwNRskQiFYGyhCIldoZW4geW91IHdpc2ggdXBvbiBhIHN0YXIiIBskQkAxJEs0aiQkJHIhWRsoQg==?=

I replaced my email in these logs


It seams that he removed me from his blacklists. He haven't tried to connect to my mailserver for at about 24h, I'm starting to miss him. (he was making me laugh)

EDIT:
He he he, After 48h of not sending me spam, he's back and wasting his time again

 

[Pushrod]

I have similar problems with script kiddies on my Apache servers. What I do is redirect them to 127.0.0.1, because it makes it look like things are working as normal on their end (well, mostly).

 

[graudeejs]

I have similar problems with script kiddies on my Apache servers. What I do is redirect them to 127.0.0.1, because it makes it look like things are working as normal on their end (well, mostly).

Hmm? Can you explain a little?

 

[wblock@]

I used to see a lot of PHP exploit attempts, enough to make me set up mod_security. Not so many attempts any more, now that each waits ten seconds, then just gives a 404 anyway.

spamd is nice, but the inability to easily whitelist a domain has me sticking with greylist-milter for now. Actually, it has some newish tarpit stuff I need to look at.

 

[quintessence]

Yeah , spamd rules :e

Recently I notifed some network I used in the past tries to relay spam emails through my home mail server .
Fun part is the spammer which uses this network now . Very smart spammer :e

When I used this network I did setup PTR like for example 1-2-3-4.mydomain.com , after I returned the network I removed zone from my DNS , BUT my upstream ISP still gives PTRs I did setup in the past ( actually it is a shame because this ISP is a medium LIR , and has to give absolutely correct information but anyway ... ) .
The spammer saw mydomain.com has 3 MX records , my mail server is with the lowest priority , so may be spammer through "Oh this MX noone carry of it , I can send spam through it"

Whole week he tried and tried to relay through my mail server with no success

( hidden 2nd and 3rd columns )

GREY <caiobnpi@adventuretheatre.org> <lauer@ninewest.com> 1291293470 1291307870 1291307870 1
GREY <plqdtbdvqqsmbf@adityainfotech.org> <pierre-yvesdupuy@saralee.com> 1291293573 1291307973 1291307973 1
GREY <mdnxsspqsb@altaid.org> <pierre@saralee.com> 1291293575 1291307975 1291307975 1
GREY <whweibaycado@abecasis.name> <jh6212@msn.com> 1291293627 1291308027 1291308027 1
GREY <ivgdjbjvrbbgus@americancanoe.org> <jessiez@optonline.com> 1291293761 1291308161 1291308161 1
GREY <pauilwiiv@alharaca.org> <jessinmary@operamail.com> 1291293764 1291308164 1291308164 1
GREY <nylnlwjh@amicineonatologia.org> <jetster2@nyc.com> 1291293871 1291308271 1291308271 1
GREY <yyexyelvkq@academiadecienciasrd.org> <tommyrajv@tommys-bookmarks.com> 1291293872 1291308272 1291308272 1
GREY <7g1f2650n@alphaxidelta.org> <stay@thepassword.com> 1291293985 1291308385 1291308385 1
GREY <smiltlecjwym@adsusa.org> <bill.gravesn@trane.com> 1291293987 1291308387 1291308387 1
GREY <ngbaxcu@afcp.org> <bill.duncan@trane.com> 1291294009 1291308409 1291308409 1
GREY <16jvgfs1f62im@alz-aging-research.org> <csnrdjk@rapidcable.com> 1291294126 1291308526 1291308526 1
GREY <3my2nhdprtukx@agle.org> <jammie@toledo.com> 1291294128 1291308528 1291308528 1
GREY <ihvxndsrc@abrahamfund.org> <covisit@vicusoft.com> 1291294236 1291308636 1291308636 1
GREY <moctkiltnplnk@alqaim.org> <capped@sunik.com> 1291294238 1291308638 1291308638 1
GREY <bqflxyvgp@anokalegion.org> <cappsn@sunflowerseed.com> 1291294238 1291308638 1291308638 1
GREY <lykus@aa00.org> <packnn@seairon.com> 1291294263 1291308663 1291308663 1
GREY <g6fkun@a-klinikka.org> <capps@sunilgoel.com> 1291294266 1291308666 1291308666 1
GREY <esedwvbypvi@ameddcsdl.org> <gardner@treehousecondos.com> 1291294266 1291308666 1291308666 1
GREY <xvwydgehfycnm@afdevinfo.org> <herrera@ultimabank.com> 1291294397 1291308797 1291308797 1
GREY <7rgbss3pc@aemri.org> <haymow@bepositioned.com> 1291295684 1291310084 1291310084 1
GREY <rwwhwadpvykgy@akilidada.org> <ymo@soapsoft.com> 1291295684 1291310084 1291310084 1
GREY <lkaehxuh@akouo.org> <yohana_forte@sedonamg.com> 1291295685 1291310085 1291310085 1
GREY <ikwmhv@am-cath.org> <73700.2317@compuserve.com> 1291295745 1291310145 1291310145 1
GREY <2cm8u10@adabi-ac.org> <felix@blackcat-productions.com> 1291295751 1291310151 1291310151 1
GREY <vu86nfq@agentxchange.org> <mccartyd@autogas.com> 1291295903 1291310303 1291310303 1
GREY <fifip@abraonline.org> <3dnbhilpaw@cisco.com> 1291295991 1291310391 1291310391 1
GREY <tkaeqhnlahhq@abestonline.org> <estes@bladeforums.com> 1291295991 1291310391 1291310391 1
GREY <htkhgtiyjlb@abia.org> <brunobianch@gmail.com> 1291296100 1291310500 1291310500 1
GREY <suwawsj@amstaff.org> <jonelleycybulski@budgetgroup.com> 1291296245 1291310645 1291310645 1
GREY <fwqtkiuodwjxa@abdb.org> <jonelle_do@budgetware.com> 1291296246 1291310646 1291310646 1
GREY <0l246c7m@americanguide.org> <jones@budgetware.com> 1291296247 1291310647 1291310647 1
GREY <ggswgn@aare.org> <361ru9ia@futuresource.com> 1291296271 1291310671 1291310671 1
GREY <igbmkl@alexisbledel.org> <tnwright@brick.com> 1291296352 1291310752 1291310752 1
GREY <qlglekamgi@algosphere.org> <tnxunfavorable@brickform.com> 1291296352 1291310752 1291310752 1
GREY <lb0ifqfds0r1sb@abuselog.org> <mchwviqdx@bottomlinesecrets.com> 1291296353 1291310753 1291310753 1
GREY <boktd@allsaintscatholicschool.org> <mcgvcafkg9mv4l@bounces.amazon.com> 1291296355 1291310755 1291310755 1
GREY <mycsxjphyg@animalpersonalityinstitute.org> <barrett@dod.com> 1291296409 1291310809 1291310809 1
GREY <qstukqm@agentk-12.org> <kgorrell@butlernational.com> 1291296483 1291310883 1291310883 1
GREY <ktyohxqdi@allphaseconstruction.org> <joseosvaldo@globo.com> 1291296486 1291310886 1291310886 1
GREY <6gwlm@aerc.org> <javman70@gmail.com> 1291296631 1291311031 1291311031 1
GREY <rjbflrgn@alzheimerbc.org> <icathedral@dolphinmm.com> 1291296692 1291311092 1291311092 1
GREY <rsjjgcnudgft@ajialouna.org> <thimblingq19@eftprepaidgift.com> 1291296697 1291311097 1291311097 1
GREY <rsjjgcnudgft@ajialouna.org> <thieumacomb@eforcitycorp.com> 1291296697 1291311097 1291311097 1
GREY <chyfhersmsdb@annarborusa.org> <frugsiaypa@danley.com> 1291296987 1291311387 1291311387 1

and a lot a lot more output ...
I thought to complain but why , he will never pass spamd ... and finally he stopped trying :e

 

[qsecofr]

greylisting has been a godsend for me. Though some spammers are either getting wise or are just simply more persistent.

 

[graudeejs]

Check this ratio:

# grep '117.102.215.140: disconnected after' spamd.log | awk 'BEGIN {X=0}  { X=X+$9} END {print X/3600}'
51.2489
# grep ': disconnected after' spamd.log | awk 'BEGIN {X=0}  { X=X+$9} END {print X/3600}'
56.0547

 

[quintessence]

Ah, he started again this morning :e

# grep '[hidden]: disconnected after' daemon | awk 'BEGIN {X=0}  { X=X+$9} END {print X/3600}'                      
255.242

# grep ': disconnected after' daemon | awk 'BEGIN {X=0}  { X=X+$9} END {print X/3600}' 
392.956

EDIT:
For 2 hours and 8 min there is

# spamdb | grep IP| wc -l 
   18039

grey entries from the single IP address from this network

 

[Thorny]

greylisting has been a godsend for me. Though some spammers are either getting wise or are just simply more persistent.

Yeah, but it doesn't make me as happy as i could be. Additionaly i created a little PHP-Script which scans my IMAP-Box and parse new e-Mails. Most of the spam contains links to the same/similar url/domain and the script decides on the found urls if the mail is spam or not.
This is a quite expensive method, but it kills around 2.000 spams a day in my private mailboxes. The only spam which sometimes go through all my filters is stock-spam. Uhm... or chain e-mails.

 

[quintessence]

Btw, I use https://calomel.org/spamd_stats.html

Tarpits         Source IP       Time (s)        Ave Sec/Tarpit  % of Tarpits    % of Time
41236           X.X.208.38      530958          13                      50      54
18780           X.X.214.15      86470           5                       23      9
10456           X.X.213.200     52358           5                       13      5
3279            X.X.208.5       36586           11                      4       4
1344            X.X.214.244     6143            5                       2       1
335             X.X.210.113     1852            6                       0       0
286             X.X.215.102     1860            7                       0       0
30              X.X.209.50      181             6                       0       0
21              X.X.208.70      127             6                       0       0
20              X.X.214.174     124             6                       0       0
3               X.X.209.65      9               3                       0       0
1               X.X.209.45      3               3                       0       0

My spammer wasted 716671 seconds ( ~ 199 hours if I did sum it correct ) :e