I recently decided to try out greylisting using spamd on OpenBSD and it has cut my spam load down considerably.
I have the logging set to verbose and when checking /var/log/daemon, I'm seeing some interesting traffic.

The first type of traffic happens quite often to many different e-mail addresses. In this case, we see multiple attempts over a short period of time from a number of different zombies to send e-mail to a single e-mail address using the same "mail from:". For example, from 05:38:37 to 05:39:46 (I replaced the e-mail address with <[EMAIL PROTECTED]>):

Jan 29 05:38:37 mailboxen spamd[25715]: (GREY) 58.100.45.126: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jan 29 05:38:52 mailboxen spamd[25715]: (GREY) 82.238.25.115: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jan 29 05:39:13 mailboxen spamd[25715]: (GREY) 218.29.229.171: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jan 29 05:39:31 mailboxen spamd[25715]: (GREY) 221.210.71.180: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jan 29 05:39:46 mailboxen spamd[25715]: (GREY) 222.45.109.87: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>

So, in one minute and nine seconds, five different zombies connected to the server to send e-mail to a single e-mail address from the same return address of <[EMAIL PROTECTED]>. This suggests that the zombies are being controlled in real time, not just being given a list of e-mail addresses to try at their own pace. If we could automagically identify this behaviour in real time, we could automagically add the source addresses to our own internal blacklists or submit them to other blacklists. Of course, we would need to take care to properly handle traffic coming from legitimate services that use a large number of outgoing servers, any of which may attempt to deliver an e-mail for which an earlier attempt was made by a sister server.

The second type of traffic was one spam zombie making enormous numbers of attempts to deliver e-mail to a single e-mail address. Here are the first few of a run of 50 attempts starting at 5:11:39 am and ending at 5:21:37 am Sunday morning.

Jan 29 05:11:39 mailboxen spamd[25715]: (GREY) 212.34.61.8: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jan 29 05:11:51 mailboxen spamd[25715]: (GREY) 212.34.61.8: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jan 29 05:12:03 mailboxen spamd[25715]: (GREY) 212.34.61.8: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jan 29 05:12:14 mailboxen spamd[25715]: (GREY) 212.34.61.8: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>

I think that the spam zombie is attempting to connect and, when it gets the response message, it tries again with another random e-mail address until it gives up after a few minutes. There are fewer of these than the first case, but not all that much fewer. Even as I'm writing this, I checked the log and can see one in progress from [213.8.43.214] (I have no idea where that is from) that started about 10 minutes ago. I added it to the blacklist, but I think I got it added about 15 seconds after the spam zombie gave up.

I also see a number of connection attempts where an individual spam zombie tries to connect two or three times with either an obviously bogus "mail from" or a source that doesn't even begin to match the "mail from" domain. The attempts are spread over the course of a minute or two and then it gives up to find an easier target. The second is within seconds after the first attempt fails. I haven't seen them try again after two or three attempts.

Has anyone else tried greylisting and noticed this behavior? Has anyone noticed this behavior without greylisting? Are my interpretations correct?

Eric Johnson
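The two patterns described in the post (many source IPs sharing one "mail from"/recipient pair within a minute or so, and one source IP hammering one recipient) can be picked out of spamd's verbose GREY log lines automatically. The following is an added example, not code from the post or from OpenBSD; it parses constructed sample lines in the same format (placeholder IPs and addresses), and the allow_domains parameter is the hook for the caveat about legitimate senders with many outgoing servers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in spamd's verbose "(GREY)" format (placeholder IPs/addresses,
# not the ones from the original post). Lines are deliberately out of time order.
SAMPLE_LOG = """\
Jan 29 05:38:37 mailboxen spamd[25715]: (GREY) 192.0.2.10: <bulk@example.net> -> <victim@example.org>
Jan 29 05:38:52 mailboxen spamd[25715]: (GREY) 192.0.2.11: <bulk@example.net> -> <victim@example.org>
Jan 29 05:39:13 mailboxen spamd[25715]: (GREY) 192.0.2.12: <bulk@example.net> -> <victim@example.org>
Jan 29 05:11:39 mailboxen spamd[25715]: (GREY) 198.51.100.8: <a1@example.com> -> <victim@example.org>
Jan 29 05:11:51 mailboxen spamd[25715]: (GREY) 198.51.100.8: <a2@example.com> -> <victim@example.org>
Jan 29 05:12:03 mailboxen spamd[25715]: (GREY) 198.51.100.8: <a3@example.com> -> <victim@example.org>
Jan 29 05:20:00 mailboxen spamd[25715]: (GREY) 203.0.113.5: <news@esp.example> -> <victim@example.org>
Jan 29 05:20:30 mailboxen spamd[25715]: (GREY) 203.0.113.6: <news@esp.example> -> <victim@example.org>
Jan 29 05:21:00 mailboxen spamd[25715]: (GREY) 203.0.113.7: <news@esp.example> -> <victim@example.org>
"""
GREY = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ spamd\[\d+\]: \(GREY\) "
                  r"(\S+): <([^>]*)> -> <([^>]*)>$")

def parse(text):
    """Return time-sorted (timestamp, source_ip, mail_from, rcpt_to) tuples."""
    events = []
    for m in filter(None, map(GREY.match, text.splitlines())):
        # syslog stamps carry no year; only the deltas matter here
        events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), *m.group(2, 3, 4)))
    return sorted(events)

def _cluster(events, key, window):
    """Group events by key(event); yield (key, events of the largest burst within `window` s)."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    for k, evs in groups.items():            # evs stays time-sorted
        bursts = [[e for e in evs[i:] if (e[0] - evs[i][0]).total_seconds() <= window]
                  for i in range(len(evs))]
        yield k, max(bursts, key=len)

def distributed_senders(events, window=120, min_ips=3, allow_domains=()):
    """Case 1: several source IPs reuse one MAIL FROM / RCPT TO pair; allow_domains lists legitimate multi-server senders to skip."""
    events = [e for e in events if e[2].rpartition("@")[2] not in allow_domains]
    hits = {}
    for k, burst in _cluster(events, lambda e: (e[2], e[3]), window):
        ips = {e[1] for e in burst}
        if len(ips) >= min_ips:
            hits[k] = ips
    return hits

def hammering_sources(events, window=600, min_attempts=10):
    """Case 2: one source IP retries one recipient many times within `window` seconds."""
    return {k: len(burst)
            for k, burst in _cluster(events, lambda e: (e[1], e[3]), window)
            if len(burst) >= min_attempts}
```

The thresholds are starting points to tune against your own log; feed parse() the contents of /var/log/daemon and review the returned keys before turning any of them into blacklist entries.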