Better Living Through Thinking

New Techniques

Fri, 07 Sep 2007

I've been fairly content for the past two years with Spamhaus's RBLs. Of the total mail blocked by my RBLs, Spamhaus accounts for nearly all of it:

 sbl-xbl => 28883
     zen => 14384
dsbl.org =>   798

This data is for the past week, but is reflective of history.

However, the past several months, in fact, nearly a year, I've seen more and more spam get past these otherwise excellent DNS lists. I can't explain it, other than they're not being very vigilant or they're being bought off. I'm sure there's a better reason than I'm understanding for this blatant spam operation to not get caught.

At any rate, I finally got fed up enough to do something on my own again. I highly recommend rbldnsd, if you can run it. I am not able to run it on my VPS because of a locally bound copy of BIND running, which acts as my caching name server.

I decided to use a tcpwrapper-based tarpitting solution which gives me great satisfaction and costs the spammer dearly. It was also easy to set up.

Twice daily, I parse my spam mailbox (which is made from hand-chosen spams that got past my other RBLs) with this utility and create a 'spammers' file, which contains the IP addresses of all the connecting spam relays (the last server before reaching my server).

I then scp the spammers file to my mail server, and point tcpwrappers to it:

sendmail : /path/to/spammers : spawn /bin/sleep 300 : deny

This has a beautiful effect: the spammer's connection is held open as long as they can stand it, or 5 minutes (whichever comes first), after which time I drop their connection :)
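One way to build the 'spammers' file described above, as an added example rather than the post's own utility: it assumes the spam mailbox is in mbox format, takes the bracketed address from the topmost Received header (the one my MTA wrote, so it names the relay that actually connected), and uses a constructed sample with documentation-range addresses.

```python
import ipaddress
import re
from email.parser import Parser

# Constructed mbox sample, not from the post (documentation-range addresses). The topmost
# Received header is the one my MTA wrote, so its bracketed address is the connecting relay.
SAMPLE_MBOX = """From bulk@example.net Fri Sep  7 09:12:01 2007
Received: from relay1.example.net (relay1.example.net [203.0.113.7])
\tby mail.example.com (8.13.8/8.13.8) with ESMTP; Fri, 7 Sep 2007 09:12:01 -0600
Received: from inner.example.net ([198.51.100.5]) by relay1.example.net
Subject: spam one

From bulk@example.net Fri Sep  7 11:40:33 2007
Received: from unknown (HELO mail.example.com) ([192.0.2.44])
Subject: spam two

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Loopback and RFC 1918 space mean a local submission, never a spam relay to tarpit.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_mbox(text):
    """Split mbox text into raw messages on the 'From ' envelope separator lines."""
    return [m for m in re.split(r"^From .*\n", text, flags=re.M) if m.strip()]

def connecting_relay(raw_msg):
    """IPv4 address of the host that handed this message to my MTA, or None."""
    received = Parser().parsestr(raw_msg, headersonly=True).get_all("Received", [])
    match = IP_RE.search(received[0]) if received else None  # topmost header only
    if not match:
        return None
    try:
        addr = ipaddress.IPv4Address(match.group(1))  # rejects octets above 255
    except ValueError:
        return None
    return None if any(addr in net for net in LOCAL_NETS) else str(addr)

def spammer_list(mbox_text):
    """Unique relay addresses, numerically sorted, from every message in the spam mailbox."""
    ips = {ip for ip in map(connecting_relay, split_mbox(mbox_text)) if ip}
    return sorted(ips, key=ipaddress.IPv4Address)

def write_spammers(mbox_text, path):
    """One address per line: the client-list file format tcpwrappers reads."""
    with open(path, "w") as fh:
        fh.write("\n".join(spammer_list(mbox_text)) + "\n")
```

The resulting file is what the hosts.allow rule above refers to; regenerate it from the mailbox on the same twice-daily schedule before copying it over.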

The reason tarpitting is a good solution is that it puts the cost of the spam on the sender. If a spammer gets paid by the number of messages per day or hour he can send, then I've just cut into his productivity significantly by chewing up 5 minutes. I could just as easily take his whole hour, if he's not paying attention: it's just one little 'sleep' process and one TCP socket on my server.

I'll post some histospam output in a week or so. The current histospam doesn't look as good as it should because after implementing this, I added in about 50 spam messages that were being trapped in other ways that I wanted to consolidate.

[ category: /spam | link: 070907102830 ]
