rule idea for catching 'zombie spam relays' and question of my logic
Shane Metler
2004-09-17 17:00:09 UTC
I found this type of rule to be very helpful in catching 'zombie spam
relay' emails from specific 'problem' networks.

The problem I faced with an all inclusive ban on these networks was that
our customers connect to our SMTP servers from all around the world.
Banning Dynamic, DSL, Cable, or Dialup connections at the SMTP level was
not an option, because that would prevent our customers from
establishing a valid SMTP connection to us.

Luckily, our SpamAssassin configuration is set up to bypass SpamAssassin
processing when a customer has authenticated themselves for the
SMTP connection. So 'local to local' and 'local to remote' deliveries
are not scanned, and are not affected by these rules. I can safely
assume any mail running through SpamAssassin is from a remote sender
intended for a local customer.

When SpamAssassin receives an email (at least under my setup), the
first line of that email is always the Received line added by our SMTP
server.

With this in mind, I created a number of rules like this, which are
based on the dynamic / cable / dialup / DSL hosts names of large ISPs:

describe SKM_SPAM_HOST_3 Received via Insecure Networks - *.user.veloxzone.com.br
full SKM_SPAM_HOST_3 /^[^\n]+\.user\.veloxzone\.com\.br\b/i
score SKM_SPAM_HOST_3 0.1

describe SKM_SPAM_HOST_25 Received via Insecure Networks - *.pool*.interbusiness.it
full SKM_SPAM_HOST_25 /^[^\n]+\.pool\d+\.interbusiness\.it\b/i
score SKM_SPAM_HOST_25 0.1

This rule will match hosts like
123-123-123-123.pool54321.interbusiness.it in the first line of the
email (which is our SMTP Received line).

In my logic, there is no valid reason that a remote sender would connect
directly to our SMTP server from their dynamic/DSL/cable IP to send our
customers an email ... I think? Valid 'remote to local' emails being
sent from these DSL/cable/dialup IPs would normally be relayed via their
own network's SMTP server, which would then be delivered to us by a host
that didn't match the dynamic/DSL/cable custom rule. Right?

It would either be a 'zombie spam relay', or someone who set up an SMTP
server on a dynamic IP (which just isn't what valid businesses do ... )?

So far I have had 100% spam, 0% ham marked by these rules.

Does anyone see any error in this logic? I would like to begin
automatically deleting emails that match these rules, but I am curious
if there are obscure cases where a non-authenticated SMTP connection
(remote to local), delivering a valid email, would be connecting from
these dynamic/DSL/cable IPs?

Thanks in advance,
Shane

P.S. If there isn't some sort of error in this logic, I will be happy to
post the full set of rules which match the 20-30 major 'zombie relay'
networks that we receive Spam from.
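An added example, not from Shane's post or from SpamAssassin itself, that applies the same first-Received-line idea in Python. It extracts the connecting host from the header (preferring the reverse-DNS name the local MTA recorded over the sender-chosen HELO name) instead of matching the raw line, and sets that beside the post's own `full` regex form to show two cases the latter misses: a folded Received header and a message whose first line is not `Received:`. All host names, addresses and sample messages are constructed.

```python
import re
# Host-name patterns from the post's SKM_SPAM_HOST_3 / SKM_SPAM_HOST_25 rules,
# anchored to the end of the extracted host name rather than to the raw line.
DYNAMIC_HOST_PATTERNS = [
    re.compile(r"\.user\.veloxzone\.com\.br$", re.I),
    re.compile(r"\.pool\d+\.interbusiness\.it$", re.I),
]
# The post's rule as SpamAssassin applies a 'full' rule: raw message text,
# '^' bound to the very start, no multi-line flag.
POST_RULE_25 = re.compile(r"^[^\n]+\.pool\d+\.interbusiness\.it\b", re.I)
# "Received: from HELO (RDNS [IP])"; the parenthesised part is optional because
# MTAs omit it when the connecting IP has no PTR record.
RECEIVED_FROM = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[[^\]]+\]\))?", re.I)

def first_received(raw):
    """First header unfolded, or '' when line 1 is not Received: (e.g. a
    Return-Path: line comes first), the case the post's rules miss silently."""
    headers = raw.split("\n\n", 1)[0].split("\n")
    if not headers[0].lower().startswith("received:"):
        return ""
    unfolded = [headers[0]]
    for line in headers[1:]:
        if not line[:1].isspace():
            break
        unfolded.append(line.strip())
    return " ".join(unfolded)

def connecting_host(raw):
    """Prefer the reverse-DNS name the local MTA looked up: the HELO name is
    supplied by the sender, so a zombie can make it look like a real MX."""
    m = RECEIVED_FROM.match(first_received(raw))
    return (m.group("rdns") or m.group("helo")) if m else ""

def from_dynamic_host(raw):
    return any(p.search(connecting_host(raw)) for p in DYNAMIC_HOST_PATTERNS)

def post_rule_matches(raw):
    return POST_RULE_25.search(raw) is not None

# Constructed sample messages (addresses from RFC 5737 documentation ranges).
TAIL = "\n\tby mx.example.net with ESMTP; Fri, 17 Sep 2004 12:00:00 -0500\n\nbody\n"
SPAM_DIRECT = ("Received: from 1-2-3-4.pool54321.interbusiness.it "
               "(1-2-3-4.pool54321.interbusiness.it [192.0.2.10])" + TAIL)
SPAM_FOLDED = ("Received: from mail.example.com\n"
               "\t(1-2-3-4.pool54321.interbusiness.it [192.0.2.10])" + TAIL)
SPAM_FORGED_HELO = ("Received: from mx.example.org "
                    "(h-1-2-3-4.user.veloxzone.com.br [192.0.2.20])" + TAIL)
HAM_RELAYED = "Received: from mx1.example.org (mx1.example.org [198.51.100.5])" + TAIL
RETURN_PATH_FIRST = "Return-Path: <a@example.org>\n" + SPAM_DIRECT
```

`from_dynamic_host` flags SPAM_FOLDED while `post_rule_matches` does not, and neither form sees RETURN_PATH_FIRST, which is why the "first line is always our Received line" assumption is worth verifying on the MTA in use before auto-deleting.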
Loren Wilton
2004-09-17 22:17:13 UTC
Post by Shane Metler
In my logic, there is no valid reason that a remote sender would connect
directly to our SMTP server from their dynamic/DSL/cable IP to send our
customers an email ... I think? Valid 'remote to local' emails being
sent from these DSL/cable/dialup IPs would normally be relayed via their
own network's SMTP server, which would then be delivered to us by a host
that didn't match the dynamic/DSL/cable custom rule. Right?
It would either be a 'zombie spam relay', or someone who set up an SMTP
server on a dynamic IP (which just isn't what valid businesses do ... )?
I think your reasoning is generally sound. I think though that it is
probably possible for someone to have a 'valid business' with a small server
(or maybe even single machine) on a DSL or the like connection. I would
hope though that it wouldn't be dynamic IP. Although I suppose it might be
if their telco has problems giving out fixed IP addresses. I'm not sure how
DNS would manage to resolve foobar.com down to them if the IP address keeps
changing though.

My guess is that you could potentially be locking out some few mom-n-pop
businesses from your network. I think I'd balance that against locking out
the zombies and plain stupid spammers, and probably come down on the side of
doing it anyway.

Loren
John Rudd
2004-09-17 22:43:35 UTC
Post by Loren Wilton
Post by Shane Metler
In my logic, there is no valid reason that a remote sender would connect
directly to our SMTP server from their dynamic/DSL/cable IP to send our
customers an email ... I think? Valid 'remote to local' emails being
sent from these DSL/cable/dialup IPs would normally be relayed via their
own network's SMTP server, which would then be delivered to us by a host
that didn't match the dynamic/DSL/cable custom rule. Right?
It would either be a 'zombie spam relay', or someone who set up an SMTP
server on a dynamic IP (which just isn't what valid businesses do ... )?
I think your reasoning is generally sound. I think though that it is
probably possible for someone to have a 'valid business' with a small server
(or maybe even single machine) on a DSL or the like connection. I would
hope though that it wouldn't be dynamic IP. Although I suppose it might be
if their telco has problems giving out fixed IP addresses. I'm not sure how
DNS would manage to resolve foobar.com down to them if the IP address keeps
changing though.
My guess is that you could potentially be locking out some few mom-n-pop
businesses from your network. I think I'd balance that against locking out
the zombies and plain stupid spammers, and probably come down on the side of
doing it anyway.
On the plus side, any legitimate service run on those addresses can
_still_ send its outgoing email through the ISP's mail servers (even if
they have their own local mail server, it can still be configured to
send outgoing email through their ISP instead of direct to the target
mail servers). So, the mom'n'pop businesses have no excuse, except
maybe their own ineptitude, which is not (in my book) an acceptable
excuse. They'll also have to remember to factor their ISP into their
SPF plan, too.

On the minus side, for the general case (which may not apply to the
original poster): you might have some of your own employees set up to
send their email straight from home to work (esp. if it's a laptop,
where one SMTP server setup is easier for roaming than having 1 account
with multiple SMTP servers based upon where the user happens to be
sitting at that point in time). There are ways to deal with those
people (SMTP-AUTH, message submission port, 2nd server, VPN, etc.), but
you still have to factor them into your plan if they exist in your
setup.

Otherwise ... you're right: there's no good reason to accept messages
sent from dynamic IP address blocks. Even if they are a mom'n'pop type
legit business, they can send it through their ISP's SMTP server instead
of connecting directly to you.
Sherwood Botsford
2004-09-20 15:25:49 UTC
Post by Shane Metler
In my logic, there is no valid reason that a remote
sender would connect directly to our SMTP server from
their dynamic/DSL/cable IP to send our customers an
email ... I think? Valid 'remote to local' emails
being sent from these DSL/cable/dialup IPs would
normally be relayed via their own network's SMTP
server, which would then be delivered to us by a host that
didn't match the dynamic/DSL/cable custom rule. Right?
It would either be a 'zombie spam relay', or someone
who set up an SMTP server on a dynamic IP (which just
isn't what valid businesses do ... )?
The school I work at is some 20 km from the nearest phone
exchange. DSL, ADSL, Cable are all non-starters here. We
connect through DirecPC one-way. So our outbound connection
is through Telus, our local phone company. They refuse to
give out a static IP.

Ok, so run your SMTP through their server: Fine, except
they lose messages, or refuse to deliver them. (Remember
one end is a satellite link, so the outbound packets have
our DirecPC address as the 'from' IP. Their server thinks
we're asking them to relay.)

So I use SMTP directly to most destinations. The ones that
won't accept our call because we have a dynamic address get
sent to Telus, where eventually they get handled. (Why
some get bounced, and others not still escapes me.)

This is an example of one business/institution that relies
on a dynamic IP.
--
Sherwood Botsford
St. John's School of Alberta
Dan Mahoney, System Admin
2004-09-20 15:18:25 UTC
On Mon, 20 Sep 2004, Sherwood Botsford wrote:

In this case, you should get a "smart host" on some other mail server, and
authenticate against that. You are still an endpoint, and should not be
directly talking to mail servers. Only mail servers should talk to mail
servers.

-Dan
Post by Sherwood Botsford
Post by Shane Metler
In my logic, there is no valid reason that a remote
sender would connect directly to our SMTP server from
their dynamic/DSL/cable IP to send our customers an
email ... I think? Valid 'remote to local' emails
being sent from these DSL/cable/dialup IPs would
normally be relayed via their own network's SMTP
server, which would then be delivered to us by a host that
didn't match the dynamic/DSL/cable custom rule. Right?
It would either be a 'zombie spam relay', or someone
who set up an SMTP server on a dynamic IP (which just
isn't what valid businesses do ... )?
The school I work at is some 20 km from the nearest phone
exchange. DSL, ADSL, Cable are all non-starters here. We
connect through DirecPC one-way. So our outbound connection
is through Telus, our local phone company. They refuse to
give out a static IP.
Ok, so run your SMTP through their server: Fine, except
they lose messages, or refuse to deliver them. (Remember
one end is a satellite link, so the outbound packets have
our DirecPC address as the 'from' IP. Their server thinks
we're asking them to relay.)
So I use SMTP directly to most destinations. The ones that
won't accept our call because we have a dynamic address get
sent to Telus, where eventually they get handled. (Why
some get bounced, and others not still escapes me.)
This is an example of one business/institution that relies
on a dynamic IP.
--
Sherwood Botsford
St. John's School of Alberta
--

"Tonite on reboot! People misspelling as many words with sexual
connotations as possible..."

-Keyo-Chan, February 10th 1999, Undernet #reboot

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Jack L. Stone
2004-09-20 15:50:10 UTC
Post by Sherwood Botsford
Post by Shane Metler
In my logic, there is no valid reason that a remote
sender would connect directly to our SMTP server from
their dynamic/DSL/cable IP to send our customers an
email ... I think? Valid 'remote to local' emails
being sent from these DSL/cable/dialup IPs would
normally be relayed via their own network's SMTP
server, which would then be delivered to us by a host that
didn't match the dynamic/DSL/cable custom rule. Right?
It would either be a 'zombie spam relay', or someone
who set up an SMTP server on a dynamic IP (which just
isn't what valid businesses do ... )?
The school I work at is some 20 km from the nearest phone
exchange. DSL, ADSL, Cable are all non-starters here. We
connect through DirecPC one-way. So our outbound connection
is through Telus, our local phone company. They refuse to
give out a static IP.
Ok, so run your SMTP through their server: Fine, except
they lose messages, or refuse to deliver them. (Remember
one end is a satellite link, so the outbound packets have
our DirecPC address as the 'from' IP. Their server thinks
we're asking them to relay.)
So I use SMTP directly to most destinations. The ones that
won't accept our call because we have a dynamic address get
sent to Telus, where eventually they get handled. (Why
some get bounced, and others not still escapes me.)
This is an example of one business/institution that relies
on a dynamic IP.
--
Sherwood Botsford
St. John's School of Alberta
Just take a look at zoneedit.com which, among other DNS services, makes it
possible to use legit dynamic IPs. There are others that do this too.

It would be terribly wrong to just latch on to ADSL as a spammer...

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
***@sage-american.com
Stewart Nelson
2004-09-20 16:08:31 UTC
Post by Sherwood Botsford
The school I work at is some 20 km from the nearest phone
exchange. DSL, ADSL, Cable are all non-starters here. We
connect through DirecPC one-way. So our outbound connection
is through Telus, our local phone company. They refuse to
give out a static IP.
Ok, so run your SMTP through their server: Fine, except
they lose messages, or refuse to deliver them. (Remember
one end is a satellite link, so the outbound packets have
our DirecPC address as the 'from' IP. Their server thinks
we're asking them to relay.)
The folks that host your web site (worldgate / incentre ?)
should have a reliable mail server and allow you to send
mail through it. That's pretty much standard with most
hosting packages. You connect with ASMTP or SSL, so they
don't treat you as relaying.

Check if there are any wireless ISPs serving your area.
My home near Reno, Nevada is also beyond the reach of
ADSL and cable, but there are now no less than four wireless
providers to choose from!

If not, is there line-of-sight from your school's rooftop
to some organization with a fast connection? You could
set up a wireless bridge to share it. If the bridge is
outside your respective firewalls, there should be no
security problem.

If a terrestrial connection is not feasible, you should be
able to get a static IP with two-way satellite.

--Stewart
Bob Apthorpe
2004-09-20 18:54:38 UTC
Hi,
Post by Sherwood Botsford
Post by Shane Metler
In my logic, there is no valid reason that a remote
sender would connect directly to our SMTP server from
their dynamic/DSL/cable IP to send our customers an
email ... I think? Valid 'remote to local' emails
being sent from these DSL/cable/dialup IPs would
normally be relayed via their own network's SMTP
server, which would then be delivered to us by a host that
didn't match the dynamic/DSL/cable custom rule. Right?
It would either be a 'zombie spam relay', or someone
who set up an SMTP server on a dynamic IP (which just
isn't what valid businesses do ... )?
The school I work at is some 20 km from the nearest phone
exchange. DSL, ADSL, Cable are all non-starters here. We
connect through DirecPC one-way. So our outbound connection
is through Telus, our local phone company. They refuse to
give out a static IP.
Ok, so run your SMTP through their server: Fine, except
they lose messages, or refuse to deliver them. (Remember
one end is a satellite link, so the outbound packets have
our DirecPC address as the 'from' IP. Their server thinks
we're asking them to relay.)
So I use SMTP directly to most destinations. The ones that
won't accept our call because we have a dynamic address get
sent to Telus, where eventually they get handled. (Why
some get bounced, and others not still escapes me.)
This is an example of one business/institution that relies
on a dynamic IP.
I suspect that you're not alone in this situation. Do you have any
contacts with other schools or related organizations in cities with better
connectivity (e.g. Edmonton, Calgary[1]) who might smarthost for you? Is
it possible to partner with other local groups (schools, businesses) to
co-operatively lease a server on a static IP address for outbound mail?

Having a techie friend on the other end of the continent beats trying to
convince the only-game-in-town telco to provide custom (or even basic)
service. If you have low traffic and keep your local network secure, you
shouldn't have to spend more money to get the service you need.

Otherwise, selectively smarthosting through your ISP is probably the best
tactic. I've had to do that before, I don't like it at all, but it worked
as long as I needed it to.

Hopefully this is more helpful than patronizing - I wish you luck,

-- Bob

[1] When in Calgary, visit the Loose Moose Theatre for fantabulous
improvisation!
