Wandering Thoughts archives

2016-01-08

Getting to watch a significant spam campaign recently

One of the interesting side effects of running a sinkhole SMTP server and occasionally looking at the SMTP command logs is that every so often I get to see the signs of what is clearly a significant spam campaign. Recently, for example, I noticed a whole pile of delivery attempts that all had a distinct signature, sufficiently distinct that I'm pretty sure they must have been from the same software and party.

The primary signature was an unusual MAIL FROM, where it was the same as the RCPT TO. A typical session looked like:

EHLO host11.190-230-18.telecom.net.ar
250 [...]
MAIL From:<ADDR@hawkwind.utcs.toronto.edu>
550 [...]
RCPT To:<ADDR@hawkwind.utcs.toronto.edu>
503 Out of sequence command

(My server advertises PIPELINING, so this run-ahead behavior by the client is legitimate. Not all of the connections did it, so I can't be entirely sure that they were going to RCPT TO the same address. It's a good bet, though; spammers seem to almost never attempt a MAIL FROM of my own domain.)

Almost all of the hosts that I saw do this were in the PBL, the XBL, or the CSS. Hosts EHLO'd with either their reverse DNS or with eg '[39.112.245.8]' when they had no rDNS (although not all of the names had forward DNS to go with their rDNS). While this was happening, I often saw a significant number of these connections one after another from all sorts of different IPs.
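As an added illustration (this is not code from the original post), here is how the signature described above can be picked out of a sinkhole's SMTP command log after the fact. The log sample, the local domain set and the "probable" verdict for sessions where the client did not pipeline a RCPT TO after the 550 are my own constructions, modelled on the session quoted above; the parser also handles hosts that EHLO with a bracketed IP literal instead of a name.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of sinkhole SMTP command logs, laid out like the
# session quoted in the post: client commands are bare verbs, server
# replies start with a three-digit code, sessions are blank-line separated.
# "addr" stands in for whatever local part the spammer was targeting.
SAMPLE_LOG = """\
EHLO host11.190-230-18.telecom.net.ar
250 sinkhole.example
MAIL From:<addr@hawkwind.utcs.toronto.edu>
550 rejected
RCPT To:<addr@hawkwind.utcs.toronto.edu>
503 Out of sequence command

EHLO [39.112.245.8]
250 sinkhole.example
MAIL From:<other@hawkwind.utcs.toronto.edu>
550 rejected

EHLO mail.example.org
250 sinkhole.example
MAIL From:<list@example.org>
250 ok
RCPT To:<addr@hawkwind.utcs.toronto.edu>
250 ok
DATA
354 go ahead
"""

# Domains the sinkhole accepts mail for (assumed for the example).
LOCAL_DOMAINS = {"hawkwind.utcs.toronto.edu"}

ADDR_RE = re.compile(r"<([^>]*)>")
VERB_RE = re.compile(r"^(EHLO|HELO|MAIL|RCPT|DATA|RSET|QUIT)\b", re.IGNORECASE)
IP_LITERAL_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Session:
    helo: str = ""
    mail_from: Optional[str] = None
    rcpt_to: list = field(default_factory=list)
    reached_data: bool = False

    @property
    def ip_literal(self) -> Optional[str]:
        """The IP a client EHLO'd with when it had no rDNS, else None."""
        m = IP_LITERAL_RE.fullmatch(self.helo)
        return m.group(1) if m else None


def parse_sessions(text: str) -> list:
    """Split a command log into Sessions; server replies are skipped."""
    sessions, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur is not None:
                sessions.append(cur)
                cur = None
            continue
        if cur is None:
            cur = Session()
        m = VERB_RE.match(line)
        if m is None:
            continue  # a server reply such as "550 ..." or "503 ..."
        verb = m.group(1).upper()
        if verb in ("EHLO", "HELO"):
            cur.helo = line[m.end():].strip()
        elif verb == "MAIL":
            a = ADDR_RE.search(line)
            cur.mail_from = a.group(1).lower() if a else ""
        elif verb == "RCPT":
            a = ADDR_RE.search(line)
            if a:
                cur.rcpt_to.append(a.group(1).lower())
        elif verb == "DATA":
            cur.reached_data = True
    if cur is not None:
        sessions.append(cur)
    return sessions


def classify(sess: Session, local_domains=LOCAL_DOMAINS) -> str:
    """'match' when MAIL FROM equals a RCPT TO in our domain; 'probable'
    when MAIL FROM claims our domain but the client pipelined no RCPT TO
    after the 550, so equality cannot be confirmed; otherwise 'none'."""
    if not sess.mail_from or "@" not in sess.mail_from:
        return "none"
    if sess.mail_from.rsplit("@", 1)[1] not in local_domains:
        return "none"
    if sess.mail_from in sess.rcpt_to:
        return "match"
    return "probable"


def campaign_report(text: str) -> dict:
    """Group EHLO names (or IP literals) by verdict."""
    report = {"match": [], "probable": [], "none": []}
    for sess in parse_sessions(text):
        report[classify(sess)].append(sess.ip_literal or sess.helo)
    return report


if __name__ == "__main__":
    for verdict, hosts in campaign_report(SAMPLE_LOG).items():
        print(f"{verdict:8s} {hosts}")
```

The "probable" bucket exists precisely because of the pipelining caveat: once the server has said 550 to MAIL FROM, a client that is not running ahead never reveals the RCPT TO it intended, so a MAIL FROM in your own domain is the only evidence left.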

A few messages of this sort got all the way to DATA and so had their contents logged. Based on that, the campaign seems to have been pushing an offshore pharmacy hosted on an IP that Spamhaus lists as part of 'Yambo Financials' aka 'RxMed pharma spam website hosting' (although the domain name used in the spam is not one that's currently in the SBL listing). That doesn't really surprise me, as I'd expect such a spam campaign to come from one of the larger operations.

There are probably spam campaigns running all the time that my (now) spamtraps get hit by. It's just that usually they don't stand out this much, either by having a distinctive and unusual signature or by hammering on my addresses quite this hard. The latter puzzles me a bit, since it seems inefficient (and I do believe that spammers are generally efficient).

FromTargetSpamRun written at 00:52:13

2016-01-03

One anti-spam thing I like is per-person (or per-address) blocklists

I've come to feel that one of the powerful anti-spam things that you can do in any environment with a shared mail system is to support some form of individual filtering and blocklists at the SMTP level. Given the SMTP DATA error problem, the conceptually easy options to support here are blocklists based on the sending host and on the MAIL FROM envelope address, since those are easily done at RCPT TO time on a per-recipient basis.

The general case for supporting individual filtering is pretty straightforward. One size does not fit all, since both people's email patterns and their level of caution (and tolerance for spam) vary. Individual blocking empowers people to block things for themselves that you could never get permission or agreement to block on a global basis. In turn this is likely to make them happier with your email system, partly because they will be getting less spam and partly because they'll probably feel more in control of the whole process.

Blocking at SMTP time is harder than the alternatives, especially on a per-user basis, but it's doable. I advocate for doing it despite the difficulty partly because SMTP-time rejection has various technical advantages, partly because I plain like it, and partly because I feel that people in general are likely to be more comfortable with filtering that returns error messages to the sender in cases of false positives, which today requires rejecting at SMTP time.

(Perhaps the last is projecting my feelings on to other people, as we certainly have a fair number of people who automatically discard incoming spam without appearing to ever worry about it.)

A per-address blocklist feature is convenient even on a mail server that's only used by you, because it provides a nice way to start closing down single-purpose addresses when they start getting spammed or abused.

(If you run your own mail server, you really should set up some sort of way of having controllable single-purpose addresses.)
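To make the RCPT TO-time idea concrete, here is an added example (my own sketch, not the author's mail system or any particular MTA's configuration) of a per-recipient blocklist consulted while answering each RCPT TO. The blocklist format, the example addresses and the reply texts are all assumptions. It covers both kinds of block the post calls conceptually easy, by sending host (IP, CIDR or a glob on the client's reverse DNS) and by MAIL FROM, plus the single-purpose-address case of refusing everything sent to one address. The transaction walker at the end shows why the decision has to be made at RCPT TO: DATA gets one reply for the whole message, so a rejection there cannot be targeted at a single recipient of a multi-recipient envelope.

```python
import ipaddress
from fnmatch import fnmatch
from typing import Optional

# Constructed per-recipient blocklists (an assumed format, not the
# author's configuration).  "hosts" holds IPs, CIDR blocks or globs on the
# client's reverse DNS; "senders" holds globs on the MAIL FROM address.
USER_BLOCKLISTS = {
    "alice@example.edu": {
        "hosts": ["203.0.113.0/24", "*.dsl.example.net"],
        "senders": ["*@marketing.example", "noreply@shop.example"],
    },
    # A single-purpose address that has started getting spam and is being
    # closed down: refuse every sender at RCPT TO.
    "alice+oldshop@example.edu": {"hosts": [], "senders": ["*"]},
}


def host_matches(pattern: str, client_ip: str, client_rdns: Optional[str]) -> bool:
    """IP or CIDR patterns are matched against the client address;
    anything that does not parse as one is treated as an rDNS glob."""
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return client_rdns is not None and fnmatch(client_rdns.lower(), pattern.lower())


def sender_matches(pattern: str, mail_from: str) -> bool:
    return fnmatch(mail_from.lower(), pattern.lower())


def rcpt_decision(recipient: str, client_ip: str, client_rdns: Optional[str],
                  mail_from: str) -> tuple:
    """Per-recipient verdict at RCPT TO time, as (SMTP code, reply text)."""
    bl = USER_BLOCKLISTS.get(recipient.lower())
    if bl is None:
        return (250, "2.1.5 Ok")
    for pat in bl["hosts"]:
        if host_matches(pat, client_ip, client_rdns):
            return (550, f"5.7.1 <{recipient}>: sending host blocked by recipient")
    for pat in bl["senders"]:
        if sender_matches(pat, mail_from):
            return (550, f"5.7.1 <{recipient}>: sender blocked by recipient")
    return (250, "2.1.5 Ok")


def run_transaction(client_ip: str, client_rdns: Optional[str], mail_from: str,
                    recipients: list) -> dict:
    """Walk one envelope: answer every RCPT TO individually, then accept
    DATA only if at least one recipient survived.  The single DATA reply
    covers everyone still in the envelope, which is why the per-recipient
    rejections above cannot be postponed to that point."""
    replies = {r: rcpt_decision(r, client_ip, client_rdns, mail_from) for r in recipients}
    accepted = [r for r, (code, _) in replies.items() if code == 250]
    return {"rcpt": replies, "accept_data": bool(accepted), "delivered_to": accepted}


if __name__ == "__main__":
    # Constructed transaction: one recipient blocks this network, the other
    # does not, so the sender sees a 550 and a 250 and DATA still proceeds.
    result = run_transaction("203.0.113.7", None, "promo@marketing.example",
                             ["alice@example.edu", "bob@example.edu"])
    for rcpt, (code, text) in result["rcpt"].items():
        print(f"RCPT TO:<{rcpt}> -> {code} {text}")
    print("DATA accepted:", result["accept_data"], "for", result["delivered_to"])
```

Because each 550 is returned to the sending MTA at RCPT TO, a false positive on one person's list produces a bounce at the sender's end rather than a silent drop, which is the property the post argues people are more comfortable with.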

IndividualBlocklistsPower written at 03:03:47
