Yahoo Groups archive

Milter-greylist

"Dark-grey"listing dynamic IP address

2006-04-05 by Gingko

Hello everybody,

I would like to make another suggestion ...

I know that most spammers use now relays on dynamic IP addresses.
I know also that it is difficult to clearly identify dynamic IP addresses.
Even if we can identify these dynamic IP addresses, some of them can 
nevertheless host "legitimate" (i.e. not used for spamming) MTA engines.

But we can make an assumption, with something like 95 - 99% certainty, that 
a given address is dynamic: for example by just looking at the digit 
groups inside its reverse DNS name. If we can find four (maybe even only 
three) different digit groups with any separators, and if none of them fall 
outside the range 0 - 255, I think that there is a good chance that the 
corresponding IP address is dynamic.

(we could also try to match these numbers with the numbers inside the 
sending IP address, either in direct or in reverse order)

It could certainly be dangerous to completely block them because some of 
them can send legitimate emails.

But why not try to detect them and, for any address assumed to be 
dynamic, assign a specific greylisting delay (assumed longer than the normal 
one) to emails coming from these addresses?

If an assumed dynamic address receives a delay of, say, one or two hours 
instead of 5 minutes for other addresses, the corresponding mailer, even if 
it tries to be RFC compliant, will have to retry more times, will consume 
more resources, and there are even some chances that it will give up before 
the end of this longer delay.

Spammers may also have decided that it is not interesting for them to retry, 
retry and retry for a time that could eventually last for as long as five 
days, because they can't necessarily know if their message is rejected 
because of greylisting or if it will be permanently rejected as many times 
as they retry, for any other reason ... and also, if the delay is 
long enough, there is a possibility that the infected sending computer could 
be powered down by its owner during that time.

If the assumption is bad and if it is a legitimate mailer, this won't be so 
bad because the message should end by reaching its destination anyway.

This would be a means to greylist some more suspicious addresses more harshly; 
that's why I used in the subject line the (more or less joking) expression 
"dark-greylisting".

By the way, we should also decide what to do with those addresses that do 
not resolve at all when asking for their reverse DNS host name.
In that case, we could assume that it is either a static IP address or 
a dynamic IP address, or better, class them in a third category with a third 
specific delay, leaving the user to decide how to manage them.

What do you think about that ?

Gingko
(France)

[milter-greylist] "Dark-grey"listing dynamic IP address

2006-04-05 by manu@netbsd.org

> I know that most spammers use now relays on dynamic IP addresses.
> I know also that it is difficult to clearly identify dynamic IP addresses.
> Even if we can identify these dynamic IP addresses, some of them can 
> nevertheless host "legitimate" (i.e. not used for spamming) MTA engines.
> 
> But we can make an assumption, with something like 95 - 99% certainty, that
> a given address is dynamic: for example by just looking at the digit
> groups inside its reverse DNS name. If we can find four (maybe even only
> three) different digit groups with any separators, and if none of them fall
> outside the range 0 - 255, I think that there is a good chance that the
> corresponding IP address is dynamic.

I just realized that the reverse DNS is something out of control of the
botnet spammer. 

Filtering on reverse DNS name with three 0-255 numbers sounds therefore
a good idea. The drawback is that you will catch power users that send
from their home machines, and SME using SMTP appliances.

You could send a permanent error with an URL on which you'd tell that
you are okay to whitelist the IP on request. You can even do it
automatically by a web form with a challenge to check the visitor is not
a bot.

That looks efficient. I'll try it.
 
-- 
Emmanuel Dreyfus
Le cahier de l'admin BSD 2eme ed. est dans toutes les bonnes librairies
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...

Re: [milter-greylist] "Dark-grey"listing dynamic IP address

2006-04-05 by Matt Kettler

manu@... wrote:
>> I know that most spammers use now relays on dynamic IP addresses.
>> I know also that it is difficult to clearly identify dynamic IP addresses.
>> Even if we can identify these dynamic IP addresses, some of them can 
>> nevertheless host "legitimate" (i.e. not used for spamming) MTA engines.
>>
>> But we can make an assumption, with something like 95 - 99% certainty, that
>> a given address is dynamic: for example by just looking at the digit
>> groups inside its reverse DNS name. If we can find four (maybe even only
>> three) different digit groups with any separators, and if none of them fall
>> outside the range 0 - 255, I think that there is a good chance that the
>> corresponding IP address is dynamic.
> 
> I just realized that the reverse DNS is something out of control of the
> botnet spammer. 
> 
> Filtering on reverse DNS name with three 0-255 numbers sounds therefore
> a good idea. The drawback is that you will catch power users that send
> from their home machines, and SME using SMTP appliances.
> 
> You could send a permanent error with an URL on which you'd tell that
> you are okay to whitelist the IP on request. You can even do it
> automatically by a web form with a challenge to check the visitor is not
> a bot.
> 
> That looks efficient. I'll try it.

I use a similar tactic, but with the twist that I ONLY greylist dynamic hosts,
and whitelist everything else. However, it would be nice to "deep grey" some
ranges and only "grey" others.

If you want to check them out, I have a LOT of regexes that check for hosts with
no RDNS and hosts with dynamic-looking RDNS, along with some other things.

Most of the rest of you could substitute deep-grey for most of my greylist
entries, and regular grey for my default whitelist entry.

A more-or-less full copy of my config is at:

http://www.evi-inc.com/greylist.conf.censored

I've xxx'ed out some data as it references business contacts, spamtrap
addresses, etc.

However, everything from the line:

## Greylisted hosts

Down should be useful and relevant to the deep-grey methodology.

Another feature that might be useful would be to deep-grey on various RBLs that
would be too over-zealous to use as blacklists. (spews level 2 comes to mind).

Re: [milter-greylist] "Dark-grey"listing dynamic IP address

2006-04-06 by Bill Levering

That is really cool!

I'd be interested in combining the extendedregex with variable greylisting 
times.

say... 1 hr for some hosts that are more likely to be spam
and    1 min for some hosts that are more likely to be ham.

Someone suggested keeping track of the amount of spam/ham from a host, and 
then adjusting the time based on that. That also sounds interesting, but 
will the db get unwieldy after a while?

In the past spammers used to only use one acct/ip for a short time, then 
snag another one. So in this case the tracking may only have to last a week.

Bill
On Apr 5, 2006, at 3:09 PM, Matt Kettler wrote:

>
> If you want to check them out, I have a LOT of regexes that check  
> for hosts with
> no RDNS and hosts with dynamic-looking RDNS, along with some other  
> things.
>
> Most of the rest of you could substitute deep-grey for most of my  
> greylist
> entries, and regular grey for my default whitelist entry.
>
> A more-or-less full copy of my config is at:
>
> http://www.evi-inc.com/greylist.conf.censored
>
> However, everything from the line:
>
> ## Greylisted hosts
>
> Down should be useful and relevant to the deep-grey methodology.
>
> Another feature that might be useful would be to deep-grey on  
> various RBLs that
> would be too over-zealous to use as blacklists. (spews level 2  
> comes to mind).

Re: [milter-greylist] "Dark-grey"listing dynamic IP address

2006-04-06 by Kai Schaetzl

wrote on Wed, 5 Apr 2006 23:58:27 +0200:

> Filtering on reverse DNS name with three 0-255 numbers sounds therefore 
> a good idea.

Very shortly you will see that there is *lots* of dynamic IP space which 
will not fit that scheme at all. Or they don't have PTR records at all.  
Also, there are already very good RBLs which contain dynamic IP space, 
f.i. SORBS has a lot of them and they are very reliable.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: "Dark-grey"listing dynamic IP address

2006-04-06 by bmj1227

--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> I just realized that the reverse DNS is something out of control of the
> botnet spammer. 
> 
> Filtering on reverse DNS name with three 0-255 numbers sounds therefore
> a good idea. The drawback is that you will catch power users that send
> from their home machines, and SME using SMTP appliances.
> 
> You could send a permanent error with an URL on which you'd tell that
> you are okay to whitelist the IP on request. You can even do it
> automatically by a web form with a challenge to check the visitor is not
> a bot.
> 
> That looks efficient. I'll try it.

Instead of trying to parse all the formats used in reverse DNS
yourself, how about querying a blackhole list? There are several that
specifically list dialup and broadband users' IPs.

If we could query one or more blackhole lists and allow the results to
help decide if an IP is going to be greylisted, and maybe modify the
length of time it's greylisted, I think it'd help a lot.

Re: [milter-greylist] "Dark-grey"listing dynamic IP address

2006-04-06 by Gingko

----- Original Message ----- 
From: "Kai Schaetzl" <maillists@...>
To: <milter-greylist@yahoogroups.com>
Sent: Thursday, April 06, 2006 2:31 AM
Subject: Re: [milter-greylist] "Dark-grey"listing dynamic IP address


> wrote on Wed, 5 Apr 2006 23:58:27 +0200:
>
>> Filtering on reverse DNS name with three 0-255 numbers sounds therefore
>> a good idea.
>
> Very shortly you will see that there is *lots* of dynamic IP space which
> will not fit that scheme at all. Or they don't have PTR records at all.

If they don't use this scheme, they should certainly use another one (more 
or less recognizable), as I can't imagine them inventing a nice name for 
every address of their dynamic address space.

Unless they don't have any reverse DNS at all, but this is by itself another 
reason to make them suspicious ...

Maybe just trying to locate the less significant byte of the IP address 
inside the reverse DNS name, in either decimal or hexadecimal format could 
give better results ...

Some more or less difficult examples that I can find in my logs:

212.17.81.39    -> chello212017081039.8.15.vie.surfer.at
87.3.233.113    -> host113-233.pool873.interbusiness.it
201.50.35.165   -> 20150035165.user.veloxzone.com.br
80.140.214.127  -> p508CD67F.dip.t-dialin.net           (hexadecimal IP!)
87.49.199.251   -> 0x5731c7fb.sgnxx4.adsl-dhcp.tele.dk  (hexadecimal IP!)
83.24.252.112   -> dto112.neoplus.adsl.tpnet.pl         (only last number included)

84.24.250.62    -> cp530967-a.tilbu1.nb.home.nl         (this one may be difficult to recognize ...)
142.166.231.113 -> nwcsts11c108.nbnet.nb.ca             (same thing here)

Anyway, even if lots of dynamic IP spaces don't fit the scheme, it looks 
like a vast majority of them does ... this is still a way to narrow 
down their identification ...

(and maybe, in the future, this will encourage some ISP to decide to rename 
their dynamic pools that way, so they can be more easily detected by 
greylisting machines ?)

> Also, there are already very good RBLs which contain dynamic IP space,
> f.i. SORBS has a lot of them and they are very reliable.

Of course, alternatively these published lists of dynamic addresses can 
also be used for taking the same decisions.
Why not implement both techniques together?

Gingko

Re[2]: [milter-greylist] "Dark-grey"listing dynamic IP address

2006-04-06 by Denis Solovyov

>>> Filtering on reverse DNS name with three 0-255 numbers sounds therefore
>>> a good idea.
>> Very shortly you will see that there is *lots* of dynamic IP space which
>> will not fit that scheme at all. Or they don't have PTR records at all.
G> If they don't use this scheme, they should certainly use another one (more
G> or less recognizable), as I can't imagine them inventing a nice name for 
G> every address of their dynamic address space.

It would be just great if greylisting software supported different
settings for different servers. For example, we would be able to do
things such as

acl mylist domain /.*\.client\.comcast\.net/

and then describe the basic settings (greylist, autowhite, timeout) for
all matched servers in the "mylist" acl.

By the way, I would also appreciate a "blacklist" possibility to reject a
sender completely; it would allow using only one milter for both
greylisting and filtering. milter-regex is pretty nice, but actually all
its users I know mainly do rejects by hosts. In contrast to user-defined
acls, I believe that milter-greylist is almost ready to introduce a
"blacklist" acl. The syntax may be quite similar:
acl blacklist addr X.X.X.X
or even "acl blacklist default" if we are going to receive mail only
from several servers.

Best regards,
Denis Solovyov

Re: [milter-greylist] "Dark-grey"listing dynamic IP address

2006-04-06 by Matt Kettler

Gingko wrote:
> ----- Original Message ----- 
> From: "Kai Schaetzl" <maillists@...>
> To: <milter-greylist@yahoogroups.com>
> Sent: Thursday, April 06, 2006 2:31 AM
> Subject: Re: [milter-greylist] "Dark-grey"listing dynamic IP address
> 
> 
>> wrote on Wed, 5 Apr 2006 23:58:27 +0200:
>>
>>> Filtering on reverse DNS name with three 0-255 numbers sounds therefore
>>> a good idea.
>> Very shortly you will see that there is *lots* of dynamic IP space which
>> will not fit that scheme at all. Or they don't have PTR records at all.
> 
> If they don't use this scheme, they should certainly use another one (more 
> or less recognizable), as I can't imagine them inventing a nice name for 
> every address of their dynamic address space.
> 
> Unless they don't have any reverse DNS at all, but this is by itself another 
> reason to make them suspicious ...

And you can easily match the lack of RDNS with a milter-greylist ACL, provided
you use extendedregex:

acl greylist domain /\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/

When there's no RDNS, sendmail passes a bracketed IP as the RDNS domain to the
milter. Otherwise it passes the RDNS domain only.
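Gingko's log examples and Matt Kettler's note about the bracketed IP literal, combined into one heuristic classifier as an added Python example (not milter-greylist code, and not posted by anyone in the thread). It assumes plain IPv4 PTR names; the 203.0.113.5 no-PTR case at the bottom is constructed.

```python
import re
from itertools import product
from typing import Optional, Tuple

DIGIT_GROUP = re.compile(r"\d+")
# What sendmail hands the milter as the "domain" when no PTR record exists.
BRACKETED_LITERAL = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")


def classify_rdns(ip: str, rdns: Optional[str]) -> Tuple[str, str]:
    """Return (class, evidence) for a sender IP and the PTR name it came with.

    "no-rdns"  no PTR (None) or sendmail's bracketed IP literal
    "dynamic"  the address is encoded in the name: 8 hex digits, octets
               packed into one decimal run, or >= 2 octets as digit groups
    "suspect"  only the last octet shows up as a digit group
    "unknown"  nothing found; leave the normal greylisting delay
    """
    if rdns is None or BRACKETED_LITERAL.match(rdns):
        return "no-rdns", "no PTR record for this address"
    octets = [int(o) for o in ip.split(".")]
    name = rdns.lower()

    # 1. Whole address as 8 hex digits (p508CD67F..., 0x5731c7fb...).
    hex_ip = "".join(f"{o:02x}" for o in octets)
    if hex_ip in name:
        return "dynamic", f"hex-encoded address {hex_ip}"

    # 2. Octets run together, each bare or zero-padded to 3 digits:
    #    chello212017081039 pads all four, 20150035165 pads only the third.
    #    Small unpadded octets (1.2.3.4 -> "1234") make this the rule most
    #    prone to false positives, hence a longer delay rather than a reject.
    for pads in product((False, True), repeat=4):
        packed = "".join(f"{o:03d}" if p else str(o) for o, p in zip(octets, pads))
        if packed in name:
            return "dynamic", f"packed decimal address {packed}"

    # 3. Separate digit groups equal to octets, in any order
    #    (host113-233.pool873... carries the last two, reversed).
    groups = {int(g) for g in DIGIT_GROUP.findall(name) if int(g) <= 255}
    hits = sorted(groups & set(octets))
    if len(hits) >= 2:
        return "dynamic", f"octets {hits} appear as digit groups"
    if octets[-1] in groups:
        return "suspect", f"only last octet {octets[-1]} appears"
    return "unknown", "no address material in the name"


if __name__ == "__main__":
    # One of Gingko's log examples and a constructed no-PTR case (203.0.113.5).
    print(classify_rdns("80.140.214.127", "p508CD67F.dip.t-dialin.net"))
    print(classify_rdns("203.0.113.5", "[203.0.113.5]"))
```

The two names Gingko flagged as hard to recognize (cp530967-a... and nwcsts11c108...) come out as "unknown", which is the honest result: the heuristic narrows the field, it does not replace an RBL.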
