[Mimedefang] SNARE spam detection

- kd6lvw at yahoo.com
Wed Jul 29 17:05:05 EDT 2009


--- On Wed, 7/29/09, Kenneth Porter <shiva at sewingwitch.com> wrote:
> 1) They compare the geodesic distance of sender IP address
> from senders of previous spam and from the receiver. Spam
> senders tend to cluster together and be far from the
> recipient.

If a non-spammer happens to be co-located in a spam-friendly environment, I don't see how this assumption can be universally true.  True spammers may cluster, but virtual botnets don't.  Expect false positives here.
 
> 2) They look at how many open ports are on the sender. (Few
> ports indicates a bot-controlled zombie spammer.)

Way WRONG.  Many servers restrict ALL except that which is permitted (at the firewall level).  Therefore, all but a handful of ports should appear open.  Few ports open is indicative of a PROPER FIREWALL that employs no hostile countermeasures.

Conversely, "every port open" can also be a proper firewall, especially if TCP tarpitting is in use, and for other protocols (e.g. UDP), tarpitting via a "recently seen" list (with LRU removal or timeout) is used.  Hit the wrong test port, fall into the tarpit, and KILL the mail session; where does that get you?  Denial of delivery of legitimate mail!

> I'm wondering how hard it would be to implement this inside
> MD, perhaps ...

I would NOT want any such feature.  The philosophy behind its design is flawed.  Also, as it requires "port scanning" (to determine open ports), it is clearly out of band of SMTP (or other mail transports).  Scan the wrong port (one not in use at the target host) and one can cause a firewall block that may shut down legitimate mail(*).

     "Bots, ..., tend to keep open only the e-mail port, ..."

That's yet another assumption.  A properly infected machine that has other things running is bound to have other ports open.

As to IP->location mapping, there are always exceptions.  For any given recipient host, those exceptions will become apparent in short order for frequent messages but require a local whitelist to be maintained.

What happens if a botnet infiltrates your OWN network and the infected machines are your own?  This will bias toward accepting mail from them, which is clearly wrong (as it will be spam).


Footnote:
* - That's what would happen at my server if a host that has an open SMTP session port-scans a forbidden port and falls into one of my tarpits.  Once in a tarpit, the timeout value is in terms of HOURS.


BAD IDEA!
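The tarpit mechanism described above (a "recently seen" list with LRU removal or timeout, and the footnote's scenario of a host with an open SMTP session probing a forbidden port) can be modelled in a few lines. The following is an added illustration, not code from the original post or from MIMEDefang; the allowed-port set, the four-hour timeout, the table size and the 192.0.2.10 address are constructed assumptions. It shows why an out-of-band port probe by a detection engine would deny legitimate mail from the probed host's perspective: once the source lands in the list, every later connection, SMTP included, is tarpitted until the entry expires.

```python
from collections import OrderedDict

# Constructed assumptions for the example (not values from the original post).
ALLOWED_PORTS = {25, 587}       # ports a mail host legitimately exposes
TARPIT_TIMEOUT = 4 * 3600       # seconds; the post says tarpit timeouts run to HOURS
MAX_ENTRIES = 1000              # bound on the recently-seen table


class RecentlySeen:
    """Bounded 'recently seen' list: per-entry timeout plus LRU eviction."""

    def __init__(self, max_entries=MAX_ENTRIES, timeout=TARPIT_TIMEOUT):
        self.max_entries = max_entries
        self.timeout = timeout
        self._entries = OrderedDict()   # source ip -> time of last forbidden-port hit

    def expire(self, now):
        """Drop entries whose timeout has elapsed."""
        stale = [ip for ip, t in self._entries.items() if now - t >= self.timeout]
        for ip in stale:
            del self._entries[ip]

    def record(self, ip, now):
        """Remember a forbidden-port hit; evict least-recently-seen when full."""
        self.expire(now)
        if ip in self._entries:
            self._entries.move_to_end(ip)
        self._entries[ip] = now
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)   # LRU removal

    def contains(self, ip, now):
        self.expire(now)
        return ip in self._entries


def handle_packet(seen, ip, port, now):
    """Firewall decision for one inbound connection attempt.

    A source already in the recently-seen list is tarpitted regardless of port;
    a hit on a port outside ALLOWED_PORTS puts the source into the list.
    """
    if seen.contains(ip, now):
        return "tarpit"
    if port not in ALLOWED_PORTS:
        seen.record(ip, now)
        return "tarpit"
    return "accept"


def simulate_scan_then_mail():
    """Replay the footnote's scenario with a constructed source address."""
    seen = RecentlySeen()
    src = "192.0.2.10"   # constructed (documentation range), not a real host
    return [
        handle_packet(seen, src, 25, 0),                    # SMTP session: accepted
        handle_packet(seen, src, 22, 1),                    # probe of a forbidden port: tarpitted
        handle_packet(seen, src, 25, 60),                   # later SMTP from same host: still tarpitted
        handle_packet(seen, src, 25, TARPIT_TIMEOUT + 2),   # accepted again only after the timeout
    ]


if __name__ == "__main__":
    print(simulate_scan_then_mail())
```

The third decision is the point of the footnote: the legitimate SMTP connection is refused not because of anything in the mail session but because a separate probe was remembered, and the entry lasts for the full timeout rather than for the life of one connection.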
