Re: Helo greylisting?

From: Cami (no email)
Date: Mon Aug 01 2005 - 09:49:35 EDT

  • Next message: Jorey Bump: "Re: Helo greylisting?"

    Wietse Venema wrote:
    > Cami:
    >
    >> So it's roughly 50/50 spammers and legit hosts who change their
    >> helo information and still make it past all the restrictions.
    >> Of the legit hosts, none of them appear to use more than 3
    >> unique HELOs.
    >
    > That would depend on the size of a site. In your HAM examples, the
    > HELO hostnames are in the same domain, and the names shown above
    > resolve to the client IP address. This is easy to recognize.

    True.

    > So it looks like we have a mechanism that can (at least for now)
    > recognize spamware by the way it announces itself in HELO commands.

    My only worry about allowing this type of behaviour to differentiate
    between ham/spam is that there will have to be a redesign when/if
    spam behaviour mutates.

    The following is an example of spam behaviour that has changed.
    They have multiple subdomains which recycle/move their IPs around, e.g.:

       mailn201.bp7.net has address 209.124.86.43
       mailn202.bp7.net has address 209.124.86.65
       mailn203.bp7.net has address 209.124.86.66
       mailn204.bp7.net has address 209.124.86.67

    In this case, this spammer has subdomains that resolve to
    different IP addresses on the same class C (forward and
    reverse). I have been digging for the last few hours trying
    to get an example of some spammer hosts which mimic the
    same behaviour as legit (roaming/floating) mail servers
    but haven't been able to find any. (drat! :P)

    > Please keep collecting data in case there are other legitimate
    > reasons for multiple MTA identities behind one IP address.

    Here is another example/reason for legitimate MTAs
    using different HELO identities behind one IP address.

    +----------------+----------------------+------------+
    | _host          | _helo                | _expire    |
    +----------------+----------------------+------------+
    | 63.251.223.186 | lists.develooper.com | 1122893358 |
    | 63.251.223.186 | x6.develooper.com    | 1122897803 |
    +----------------+----------------------+------------+

    lists.develooper.com has address 216.52.237.161
    x6.develooper.com has address 63.251.223.186

    For example, both of those addresses could be pointing
    to the same machine, but they have different restrictions
    for each MTA listening on each IP. Each MTA listening
    on each IP could send outgoing mail via one dedicated
    interface, thus:

    MTA 1: -> 63.251.223.186 -> HELO lists.develooper.com
    MTA 2: -> 63.251.223.186 -> HELO x6.develooper.com

    At least, that's the theory ;) (I know 216.52.237.161
    and 63.251.223.186 are nowhere near each other, but that
    gave me the idea/example for MTAs using one IP with
    different HELO identities)

    Cami
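The heuristics discussed in this thread (few distinct HELO names per client IP, a HELO that resolves to the client IP, HELO names sharing one domain), as an added example that is not part of the original thread or of Postfix; the greylist rows and the DNS lookup table are constructed, with the develooper.com values taken from the table above.

```python
# Added example: classify client IPs from (_host, _helo, _expire) rows
# of a HELO-greylisting table, offline, using a constructed DNS table.
from collections import defaultdict

# Constructed stand-in for forward DNS (A records); real code would
# query a resolver. The develooper.com entries mirror the mail above.
FAKE_DNS = {
    "lists.develooper.com": "216.52.237.161",
    "x6.develooper.com": "63.251.223.186",
    "mailn201.bp7.net": "209.124.86.43",
    "mailn202.bp7.net": "209.124.86.65",
}

# Constructed greylist rows in the shape of the table quoted above.
ROWS = [
    ("63.251.223.186", "lists.develooper.com", 1122893358),
    ("63.251.223.186", "x6.develooper.com", 1122897803),
    ("198.51.100.7", "mailn201.bp7.net", 1122893000),
    ("198.51.100.7", "mailn202.bp7.net", 1122893100),
    ("198.51.100.7", "bogus-host.example", 1122893200),
    ("198.51.100.7", "another.invalid", 1122893300),
]

def registered_domain(helo):
    """Crude 'last two labels' domain; enough for this illustration."""
    return ".".join(helo.lower().rstrip(".").split(".")[-2:])

def helos_by_host(rows):
    """Group the distinct HELO names seen from each client IP."""
    out = defaultdict(set)
    for host, helo, _expire in rows:
        out[host].add(helo.lower())
    return out

def classify(host, helos, dns=FAKE_DNS, max_helos=3):
    """'ok' when few HELOs and one resolves to the client IP or all
    share a domain (the HAM pattern in the thread); else 'suspect'."""
    resolves = any(dns.get(h) == host for h in helos)
    domains = {registered_domain(h) for h in helos}
    if len(helos) <= max_helos and (resolves or len(domains) == 1):
        return "ok"
    return "suspect"

def scan(rows, dns=FAKE_DNS, max_helos=3):
    """Map each client IP in the rows to its classification."""
    return {host: classify(host, helos, dns, max_helos)
            for host, helos in helos_by_host(rows).items()}
```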

