[anti-abuse-wg] how to detect spambots - SPAMTrusted
Jan Pieter Cornet johnpc at xs4all.nl
Wed Mar 4 10:42:03 CET 2009
On Wed, Mar 04, 2009 at 09:21:32AM +0100, Frank Gadegast wrote:
> And the following makes me really crazy:
> - preventing spambotted PCs from sending spam is SOOO easy
> [...]
> ... SPAMBOTS USING YOUR DIAL-IN IPs DO SEND SPAM TO YOUR OWN MAILSERVERS !!!

This fails in two ways.

First, not all spambots send spam to your own servers, as some specifically target e.g. hotmail.com or hinet.net. Also be aware that a lot of spam is specifically targeted not to be detected by standard scanners, so especially when a spamrun just starts, it will take at least an hour, even for signature-based systems, to see it. (Of course, monitoring abuse@ will eventually let you catch those.)

Second, there are also legitimate reasons people send spammish-looking mail to your own mailservers. For example, if someone runs their own mailserver on their DSL line, they point an MX record for some domain to themselves, and then forward mail for that domain to one (or a few) of your mailboxes, using no or only minimal spamfiltering. The result is spam coming from that node, but all of it is "legit", in the sense that it is supposed to flow that way. Another reason would be a badly configured mail server that backscatters on a DSL line, which happens to touch your incoming servers. Not strictly spam (yet still unwanted), but it's probably too harsh to completely disconnect the customer.

I'm not saying you shouldn't monitor your own spamscanner for your own IPs, just that it isn't as black and white a picture as you make us believe it is. For example, combining this data with abuse reports will prove very valuable, and that could even be automated.

What we do is simply volume counting, combined with a whitelist of known-good massmailers. Also make sure you count bounces and rejected addresses, and flag anyone that goes over a few % bad addresses. And there will soon be network filters (user customizable, default on) that prevent access to other mailservers than our own.
--
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
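The volume-counting approach described in the message above (count per-IP deliveries to your own inbound servers, add rejected recipients and bounces, exempt whitelisted massmailers, and flag sources whose bad-address share exceeds a few percent), written out as an added example. This is not the poster's code or xs4all's tooling: the log line format `<client_ip> <event>`, the sample counts, the whitelist entry and the thresholds are all constructed here for illustration.

```python
"""Volume counting plus bad-address ratio over a provider's own inbound MX logs.

Added example, not from the mailing list post. Assumptions: a simplified,
constructed log format ("<client_ip> accepted|rejected|bounce"), a constructed
whitelist, and thresholds chosen for illustration only.
"""
import re
from collections import defaultdict

# One delivery attempt per line. "rejected" = recipient unknown at our MX,
# "bounce" = a DSN generated for that client's traffic (backscatter signal).
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<event>accepted|rejected|bounce)\s*$"
)

# Hypothetical known-good massmailer (RFC 5737 documentation address).
WHITELIST = {"192.0.2.10"}


def build_sample_log():
    """Constructed sample data; counts chosen to exercise each decision branch."""
    spec = [
        # ip, accepted, rejected, bounce
        ("203.0.113.5", 16, 5, 4),   # noisy host: 9 of 25 bad (36%)
        ("198.51.100.7", 8, 2, 0),   # 20% bad but too few messages to judge
        ("192.0.2.10", 40, 6, 0),    # whitelisted massmailer, skipped
        ("203.0.113.9", 30, 0, 0),   # clean
    ]
    lines = []
    for ip, acc, rej, bnc in spec:
        lines += [f"{ip} accepted"] * acc
        lines += [f"{ip} rejected"] * rej
        lines += [f"{ip} bounce"] * bnc
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Return {ip: {"accepted": n, "rejected": n, "bounce": n}}."""
    counts = defaultdict(lambda: {"accepted": 0, "rejected": 0, "bounce": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the constructed format are ignored
        counts[m["ip"]][m["event"]] += 1
    return dict(counts)


def flag_senders(counts, whitelist, min_volume=20, max_bad_ratio=0.05):
    """Flag non-whitelisted IPs that sent at least min_volume messages and
    whose share of rejected+bounced messages exceeds max_bad_ratio.

    min_volume avoids flagging a host on a handful of typos; the whitelist
    covers legitimate forwarders and massmailers whose traffic is "supposed
    to flow that way", as the post puts it.
    """
    flagged = {}
    for ip, c in counts.items():
        if ip in whitelist:
            continue
        total = c["accepted"] + c["rejected"] + c["bounce"]
        if total < min_volume:
            continue
        bad = c["rejected"] + c["bounce"]
        ratio = bad / total
        if ratio > max_bad_ratio:
            flagged[ip] = {"total": total, "bad": bad, "bad_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    per_ip = parse_log(build_sample_log())
    for ip, info in flag_senders(per_ip, WHITELIST).items():
        print(f"{ip}: {info['bad']}/{info['total']} bad ({info['bad_ratio']:.1%})")
```

The flagged output is a review list to correlate with abuse@ reports, not an automatic disconnect: the post's own caveat about DSL-hosted forwarders and misconfigured backscattering servers is why the whitelist and the minimum-volume gate exist.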