[Gross] Spammers adapt

Jesse Thompson jesse.thompson at doit.wisc.edu
Thu Feb 28 22:25:27 EET 2008


Eino Tuominen wrote:
> Hi,
> 
> I just noticed that our match rate is much higher now than it has been 
> before. I did some log analysis and found lots of patterns like this:

Hmm.  Ours is still around 3-4%.  Overall volumes are up though.


> Feb 28 19:39:32 smtp01 grossd: [ID 702911 mail.info] #a78: greylist: 
> 190.48.141.76 jr.tolerd at kecoindustries.com our-user
> Feb 28 19:39:36 smtp01 grossd: [ID 702911 mail.info] #a79: greylist: 
> 190.48.141.76 jr.tolerd at kecoindustries.com our-user
> Feb 28 19:39:47 smtp01 grossd: [ID 702911 mail.info] #a24: match: 
> 190.48.141.76 jr.tolerd at kecoindustries.com our-user

Here is an idea that you might want to try.  You can customize the SJSMS 
mapping response to include the $D flag which will cause the MTA to wait 
X milliseconds before responding.

sjsms_response_grey = $X4.4.3|$N$D1000|Please$ try$ again$ later
sjsms_response_match = $D$Y1000

We haven't tried this technique in production.


> That is, retries go now beyond 10 seconds delay I've been using. I just 
> resized our filter_bits to 26 and set grey_delay=120.

We still have grey_delay=10.

We raised filter_bits to 25 a while ago after experiencing significant 
false positives in the bloom filters.  Now, we're starting to see that 
again, so we might need to raise it again.

One additional note, the bloom filter false positives tend to occur when 
there is a lot of repetition in the from/to values.  You should 
double-check that your match percentage is not actually due to these 
false positives.


> Next I've decided to implement weights on checks and implement that 
> block_threshold so grossd can reject obvious spammers with permanent 
> errors. I've been pondering this kind of setup:
> 
> dnsbl = bl.spamcop.net;2
> dnsbl = dnsbl.njabl.org;1
> dnsbl = dnsbl.sorbs.net;1
> dnsbl = zen.spamhaus.org;3
> dnsbl = rbl-plus.mail-abuse.org;3
> block_threshold = 4
> 
> That is, no one match will lead to a permanent rejection, but two will 
> be enough if one of them is highly trusted (spamhaus or rbl-plus).

That would be awesome.

I think we discussed similar ideas here:
http://code.google.com/p/gross/issues/detail?id=42

Don't forget to allow for a weight to be assigned to sophos blocker matches.

Jesse


-- 
   Jesse Thompson
   Email/IM: jesse.thompson at doit.wisc.edu
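The weighted dnsbl/block_threshold scheme quoted above, worked through in Python as an added example (this is not grossd's code; the config parser and the mapping of a score below the threshold to a greylist verdict are my assumptions about how such a setting would behave):

```python
"""Weighted DNSBL scoring as proposed in the thread (hypothetical helper, not grossd code)."""
from typing import Dict, Iterable, Tuple

# Constructed sample using the configuration syntax from the quoted message:
# "dnsbl = <zone>;<weight>" lines plus a single "block_threshold".
SAMPLE_CONFIG = """
dnsbl = bl.spamcop.net;2
dnsbl = dnsbl.njabl.org;1
dnsbl = dnsbl.sorbs.net;1
dnsbl = zen.spamhaus.org;3
dnsbl = rbl-plus.mail-abuse.org;3
block_threshold = 4
"""

def parse_config(text: str) -> Tuple[Dict[str, int], int]:
    """Return ({zone: weight}, block_threshold). Assumption: a dnsbl line without ';weight' gets weight 1."""
    weights: Dict[str, int] = {}
    threshold = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "dnsbl":
            zone, _, weight = value.partition(";")
            weights[zone.strip()] = int(weight) if weight else 1
        elif key == "block_threshold":
            threshold = int(value)
    return weights, threshold

def verdict(hits: Iterable[str], weights: Dict[str, int], threshold: int) -> Tuple[str, int]:
    """Sum the weights of the lists that returned a hit (each list counted once).
    score >= threshold: permanent reject; any hit below threshold: greylist; no hit: pass."""
    score = sum(weights.get(zone, 0) for zone in set(hits))
    if threshold and score >= threshold:
        return "block", score
    if score > 0:
        return "greylist", score
    return "pass", score

if __name__ == "__main__":
    w, t = parse_config(SAMPLE_CONFIG)
    for hits in (["dnsbl.sorbs.net"],                                 # one weak list: greylist only
                 ["bl.spamcop.net", "dnsbl.sorbs.net"],               # 2 + 1 = 3: still greylist
                 ["zen.spamhaus.org", "dnsbl.njabl.org"],             # trusted + weak = 4: block
                 ["zen.spamhaus.org", "rbl-plus.mail-abuse.org"]):    # 6: block
        print(hits, verdict(hits, w, t))
```

With these weights no single list reaches 4, and two lists only do so when one of them is spamhaus or rbl-plus, which is exactly the behaviour described in the quoted proposal.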