[ale] Spam fighting strategies

Bob Toxen transam at verysecurelinux.com
Thu Oct 4 14:50:56 EDT 2007


On Wed, Oct 03, 2007 at 03:53:18PM -0400, Jeff Lightner wrote:
> The other night in the AUUG meeting it was mentioned by one person that
> they had turned on a "read delay" in email (Postfix I think) and that
> this had eliminated about 80% of the spam because the bots would
> disconnect.

> Unfortunately I didn't have a chance to follow up then but mentioned it
> to our Exchange admin because they've been fighting an increase seen
> recently in connection attempts.  It sounds as if Exchange can't do this
> natively.

> I'm wondering if anyone has done this on Postfix/Sendmail or some other
> OSS MTA and would be willing to provide details?   

> My coworker found something called "Greeting Delay" that sounds like
> what I heard as "Read Delay" so it may be this but apparently that has a
> problem with people that do call back to check whether email is coming
> from a valid site.
Yes, the person mentioning "read delay" probably means the "Greeting
Delay" technique.  Yes, this is quite effective.  Most spammers will
assume that there is something wrong with the recipient, drop the
connection, and go on to the next as being more efficient.


Most spammers also blast their entire dialog and message, once the TCP/IP
connection is established, without bothering to follow the proper SMTP
protocol of waiting for a response to each phase before going on to
the next.  A spam filter technique is to detect such output before our
side sends its reply and then treat the email as spam (because it
violates the SMTP specification).

These two techniques currently are being added to my SpamCracker(tm)
spam filter that I offer.  (It happily will work in front of Exchange
as well as any other mail server.)

> Also he found doing bogus MX records in DNS - the idea being you put
> your first and final MX records to dead IPs as most spam bots only check
> the first or final and not the intervening real ones.   Has anyone tried
> this and if so what results did you have?
This also is quite effective and trivial to implement with no loss of
legitimate email.

> Essentially we're looking at putting in a Linux server as if it were an
> SMTP gateway to the Exchange server which will continue to be the
> primary mail server for the company.   Any other ideas (other than
> getting rid of Exchange which won't happen) would be appreciated.
While those techniques will eliminate a substantial percentage of spam,
they will not solve the problem.  The solution requires a good spam
filter such as ours that has 12 additional filtering steps, including
a number of anti-spoofing steps and steps that detect senders trying
to evade spam filtering techniques.  It blocks about 97% of spam with
a very low false-positive rate.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
Quality spam and virus filters.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
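The two SMTP-side techniques described in the reply above (delaying the 220 greeting so impatient bots give up, and rejecting clients that start talking before the greeting has been sent) are shown here as an added, self-contained Python example. It is not code from the original post or from the SpamCracker product; it is a minimal loopback SMTP listener plus three constructed client behaviours (a polite MTA, a bot that blasts its whole dialogue, and a bot that hangs up when no banner arrives quickly). The 0.5 second delay and the host names are illustrative values for the example; a production setting would use a delay of several seconds. Postfix exposes the same two checks natively through the `sleep` client restriction and `reject_unauth_pipelining`.

```python
import socket
import threading

# Constructed value for this example only: real deployments use a greeting
# delay of several seconds, which is what makes most bots give up.
GREET_DELAY = 0.5


def handle_client(conn, delay=GREET_DELAY):
    """Serve one SMTP session with a greeting delay and early-talker check.

    Returns a short verdict string ("ok", "early-talker", "dropped",
    "bad-sequence") so the outcome can be checked without parsing logs.
    """
    conn.settimeout(delay)
    try:
        # RFC 5321: the client must wait for the 220 banner before sending
        # anything. Bytes arriving during the delay mark a spam bot.
        early = conn.recv(1024)
        if early:
            conn.sendall(b"554 5.7.0 Client spoke before greeting\r\n")
            return "early-talker"
        return "dropped"  # peer closed without speaking: gave up on delay
    except socket.timeout:
        pass  # good: the client stayed silent for the whole delay
    except ConnectionError:
        return "dropped"

    conn.settimeout(5)
    conn.sendall(b"220 mx.example.test ESMTP\r\n")  # hypothetical host name
    try:
        data = conn.recv(1024)
    except (socket.timeout, ConnectionError):
        return "dropped"
    if not data:
        return "dropped"
    if data.upper().startswith((b"HELO", b"EHLO")):
        conn.sendall(b"250 mx.example.test\r\n")
        return "ok"
    conn.sendall(b"503 5.5.1 Bad sequence of commands\r\n")
    return "bad-sequence"


def session_verdict(client_fn, delay=GREET_DELAY):
    """Listen on an ephemeral loopback port, run client_fn(port) in a
    thread, serve exactly one session and return the server's verdict."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        t = threading.Thread(target=client_fn, args=(port,))
        t.start()
        conn, _ = srv.accept()
        with conn:
            verdict = handle_client(conn, delay)
        t.join()
    return verdict


# --- constructed client behaviours -------------------------------------

def polite_client(port):
    """A real MTA: waits for the banner, then sends EHLO."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        if s.recv(1024).startswith(b"220"):
            s.sendall(b"EHLO client.example.test\r\n")
            s.recv(1024)


def blasting_bot(port):
    """Spam bot: fires the whole dialogue without waiting for any reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"HELO x\r\nMAIL FROM:<a@b.test>\r\nRCPT TO:<c@d.test>\r\n")
        try:
            s.recv(1024)  # will see the 554 rejection, if anything
        except (socket.timeout, ConnectionError):
            pass


def impatient_bot(port):
    """Spam bot: no banner within 0.1 s, so it assumes a dead host and leaves."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.settimeout(0.1)
        try:
            s.recv(1024)
        except socket.timeout:
            pass  # closing the socket here is the bot giving up


if __name__ == "__main__":
    for name, fn in [("polite", polite_client), ("blasting", blasting_bot),
                     ("impatient", impatient_bot)]:
        print(f"{name:10s} -> {session_verdict(fn)}")
```

The caveat raised in the quoted question applies to this code as written: any remote system doing a sender-verification callout to you will also sit through the delay, so the delay must stay shorter than the callout timeout of the MTAs you care about, or be skipped for known-good peers.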