[Mimedefang] Blocking IP #

Paul Murphy pmurphy at ionixpharma.com
Thu May 5 13:23:48 EDT 2005


I've seen 4 copies of Sober.P (one was zipped) in 48 hours, from 740 messages.
The reason it's so low is because I use greylisting - all of these were generated
by systems which bounced a message back to us which purported to come from our
domain.  All had invalid addresses as senders, and all were detected as viruses
by ClamAV.

On the question of the effectiveness of greylisting, here's some details of the
traffic I've seen through the MySQL implementation of greylisting on our system
(http://www.bl.org/~jpk/md-greylist/) found by querying the database for
everything which has a 'new' entry and then filtering for only those which are
knocking more than 5 times from the same sender/IP pair:

mysql> select ip, sender,
           from_unixtime(created,'%y%m%d') as created,
           from_unixtime(modified,'%y%m%d') as modified,
           count(id)
       from greylist_data
       where accepted=0 and count=0
       group by ip, sender,
           from_unixtime(created,'%y%m%d'),
           from_unixtime(modified,'%y%m%d')
       having count(id)>5;
+---------------+------------------------------------------+---------+----------+-----------+
| ip            | sender                                   | created | modified | count(id) |
+---------------+------------------------------------------+---------+----------+-----------+
| 207.153.112.* | admin at aol.com                         | 050503  | 050503   |        30 |
| 207.153.112.* | dlr_esq at yahoo.com                     | 050505  | 050505   |        30 |
| 207.153.112.* | hostmaster at itsa.ucsf.edu              | 050504  | 050504   |        30 |
| 207.153.112.* | info at duke.edu                         | 050504  | 050504   |        30 |
| 207.153.112.* | info at email.mobil.com                  | 050503  | 050503   |        30 |
| 207.153.112.* | postmaster at aol.com                    | 050505  | 050505   |        30 |
| 207.153.112.* | postmaster at microbia.com               | 050503  | 050503   |        30 |
| 207.153.112.* | robert.berger at lazard.com              | 050503  | 050503   |        30 |
| 207.153.112.* | webmaster at bankofamerica.com           | 050504  | 050504   |        30 |
| 209.61.208.*  | conferencenews at technologynetworks.net | 050429  | 050429   |         6 |
| 68.232.200.*  | service at piona.com                     | 050503  | 050503   |        29 |
+---------------+------------------------------------------+---------+----------+-----------+
11 rows in set (0.63 sec)

As you'll see, the higher numbers are clearly being spewed from a virus mailer.
Interestingly, it appears that this one tries 30 random recipient addresses per
sender address, and then gives up - the "piona.com" sender also tried "sales",
which we bounced as a banned address rather than as an unknown user.  The other
entry is a scatter-gun spammer who never came back.

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788

_______________________________________________________________________
DISCLAIMER:
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741
_______________________________________________________________________ 
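Added worked example (not part of Paul's post and not code from md-greylist): the same "repeat knockers" analysis run against a greylisting table in SQLite, so it can be tried offline. The columns ip, sender, created, modified, accepted, count and id are taken from the query in the post; the recipient column, the sqlite3 schema and all sample rows are assumptions constructed here, and from_unixtime() is replaced by SQLite's strftime(..., 'unixepoch'). The query goes slightly beyond the post by also counting distinct recipients per sender/IP pair, which is what makes the "30 random recipients per sender" pattern stand out.

```python
import sqlite3

# Constructed schema. Column names ip, sender, created, modified, accepted,
# count and id are those used in the post's query; 'recipient' is an
# assumption (greylisting tracks sender/recipient/IP triples) not shown there.
SCHEMA = """
CREATE TABLE greylist_data (
    id        INTEGER PRIMARY KEY,
    ip        TEXT    NOT NULL,
    sender    TEXT    NOT NULL,
    recipient TEXT    NOT NULL,
    created   INTEGER NOT NULL,            -- unix time of the first attempt
    modified  INTEGER NOT NULL,            -- unix time of the last attempt
    accepted  INTEGER NOT NULL DEFAULT 0,  -- 1 once a retry was let through
    "count"   INTEGER NOT NULL DEFAULT 0   -- number of accepted retries
)
"""

# SQLite has no from_unixtime(); substr(strftime('%Y%m%d', ...), 3) yields
# the same yymmdd form the post's MySQL query prints.
QUERY = """
SELECT ip, sender,
       substr(strftime('%Y%m%d', created,  'unixepoch'), 3) AS created_day,
       substr(strftime('%Y%m%d', modified, 'unixepoch'), 3) AS modified_day,
       COUNT(id)                 AS attempts,
       COUNT(DISTINCT recipient) AS recipients
FROM greylist_data
WHERE accepted = 0 AND "count" = 0
GROUP BY ip, sender,
         substr(strftime('%Y%m%d', created,  'unixepoch'), 3),
         substr(strftime('%Y%m%d', modified, 'unixepoch'), 3)
HAVING COUNT(id) > :threshold
ORDER BY attempts DESC, ip, sender
"""

T0 = 1115100000  # constructed base timestamp: 2005-05-03 06:00 UTC


def build_sample_db():
    """Constructed sample data: a virus-style burst of 30 recipients, a
    six-recipient scatter-gun probe, one legitimate sender that retried and
    was accepted, and a small probe below the threshold."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    rows = []
    for i in range(30):  # forged sender, 30 random recipients, never retried
        rows.append(("207.153.112.1", "admin at aol.com",
                     f"user{i}@example.test", T0 + i, T0 + i, 0, 0))
    for i in range(6):   # scatter-gun spammer that never came back
        rows.append(("209.61.208.2", "conferencenews at technologynetworks.net",
                     f"list{i}@example.test", T0 + 100 + i, T0 + 100 + i, 0, 0))
    # legitimate sender: one recipient, retried ten minutes later, accepted
    rows.append(("192.0.2.10", "alice at example.org", "bob@example.test",
                 T0 + 200, T0 + 800, 1, 1))
    for i in range(3):   # small probe, stays under the threshold
        rows.append(("198.51.100.7", "info at example.net",
                     f"x{i}@example.test", T0 + 300 + i, T0 + 300 + i, 0, 0))
    con.executemany(
        "INSERT INTO greylist_data "
        "(ip, sender, recipient, created, modified, accepted, \"count\") "
        "VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    con.commit()
    return con


def repeat_knockers(con, threshold=5):
    """Sender/IP pairs with more than `threshold` never-accepted triples,
    as (ip, sender, created_day, modified_day, attempts, recipients)."""
    return con.execute(QUERY, {"threshold": threshold}).fetchall()


def classify(row, virus_min=25):
    """Heuristic from the post: a large one-shot burst where every attempt is
    to a different recipient looks like a virus mailer; a smaller burst that
    never returns looks like a scatter-gun spammer."""
    _ip, _sender, _created, _modified, attempts, recipients = row
    if attempts >= virus_min and recipients == attempts:
        return "virus-mailer"
    return "scatter-gun"


if __name__ == "__main__":
    db = build_sample_db()
    for row in repeat_knockers(db):
        print(row, classify(row))
```

The WHERE clause (accepted = 0 and count = 0) is what makes this useful: legitimate senders retry and get accepted, so they drop out of the result, and only hosts that never come back for a second delivery attempt remain.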