On 22 Oct 2016, at 14:30, Paul Schmehl wrote:
--On October 22, 2016 at 1:51:12 PM -0400 Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:
On 22 Oct 2016, at 12:19, Paul Schmehl wrote:
I would make one suggestion. I would reject the attempt silently. No
sense in tipping off the spammer to what he needs to do to work around
it. Just use REJECT with no explanation.

That's a nice hypothesis but it doesn't seem to play out in reality.
I've been emitting specific (and yes, sometimes snarky) rejection
messages on a variety of systems for all sorts of access rules, in part
so I can keep track of what rules are being hit easily. I have never
seen any hint that spammers behaving in grossly fraudulent ways (like
EHLO arguments that claim to be the server they're talking to)
substantively change their behavior in response to those messages. Keep
in mind that essentially ANY idiosyncratically wrong EHLO argument seen
only from spammers has been configured intentionally by someone who has
no idea how cheap, simple, and reliable it is to reject spam on that
basis. These are cognitively impaired spammers, not smart ones. The
smart ones try very hard to look very normal and legitimate, not to
stand out as something starkly different from any legitimate mail.

And you don't think this spammer fits into the latter category? He's
clearly doing something very clever that is not the usual brute force
cram-it-down-your-throat spam run.
Not so much. Spambots have been doing authenticated port 587 submission
for a dozen years. It's easier to do in volume today because there have
been huge server-side compromises of auth credentials and uncountable
hordes of PCs infected with information-thief malware of one sort or
another. Finding a working account & password is done by brute force
now, with bots testing known pairs against a server until one matches.
For example, last week I had a bot test auth for a dozen different
"tagged" addresses against my IMAP, POP3, and submission servers on 2
IPs (primary and secondary MX records, both actually on the same host)
within less than 2 minutes. All of those addresses were given in
supposed confidence to exactly one commercial entity each, most of whom
have had publicized breaches in recent years. They've automated
targeted account compromise.
So sure: you could put an unexpressive unique ID into each REJECT rule
instead of a clear(ish) explanation. They would make their catches
trackable in logs but keep the spammer from knowing exactly why a
rejection happened. It's just not clear that it matters. They are doing
something pointless that makes them easy to catch and they have
automated every aspect of their spamming.
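The two log-analysis habits described above, an opaque ID in each REJECT text so the rule that fired is trackable in the logs, and a bot testing a burst of different tagged addresses against IMAP, POP3 and submission from one IP within a couple of minutes, as an added example in Python. This is not code from the original thread. The log lines are constructed and modeled on Dovecot login-process and Postfix smtpd messages (exact wording differs by version, and older Postfix does not log sasl_username on a failed AUTH, so adjust the regexes for your own logs); the IPs, addresses, hostnames, access-map entries and the R-nnn rule IDs are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical /etc/postfix/helo_access entries (check_helo_access in main.cf)
# whose REJECT text is an opaque ID rather than an explanation. The ID is what
# shows up in the "Helo command rejected:" log line below.
HELO_ACCESS_EXAMPLE = """\
mx.example.com     REJECT R-017
localhost          REJECT R-023
"""

# Constructed sample log, modeled on Dovecot and Postfix messages. 192.0.2.10 is
# the bot; each plus-tag names the one vendor that address was handed to.
SAMPLE_LOG = """\
Oct 22 13:50:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bill+acme@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Oct 22 13:50:04 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<bill+globex@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Oct 22 13:50:09 mx postfix/submission/smtpd[2231]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure, sasl_username=bill+initech@example.com
Oct 22 13:50:15 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bill+umbrella@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.6, TLS
Oct 22 13:50:31 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bill+tyrell@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.6, TLS
Oct 22 13:51:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bill+hooli@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Oct 22 14:05:40 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 40 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
Oct 22 14:10:12 mx postfix/smtpd[2410]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 <mx.example.com>: Helo command rejected: R-017; from=<a@spam.invalid> to=<bill@example.com> proto=ESMTP helo=<mx.example.com>
Oct 22 14:10:13 mx postfix/smtpd[2410]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 <mx.example.com>: Helo command rejected: R-017; from=<b@spam.invalid> to=<bill@example.com> proto=ESMTP helo=<mx.example.com>
Oct 22 14:11:50 mx postfix/smtpd[2411]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 <localhost>: Helo command rejected: R-023; from=<c@spam.invalid> to=<bill@example.com> proto=ESMTP helo=<localhost>
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
# Dovecot login processes log the user and the remote IP ("rip"); Postfix logs
# the client IP in brackets and (in newer releases) sasl_username.
AUTH_FAIL_RES = (
    re.compile(r"auth failed.*user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9a-fA-F.:]+)"),
    re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed:.*sasl_username=(?P<user>\S+)"),
)
# "554 5.7.1 <helo-arg>: Helo command rejected: R-017;" -> rule id R-017
REJECT_RE = re.compile(
    r"NOQUEUE: reject: \w+ from \S+?\[(?P<ip>[^\]]+)\]: \d{3} \S+ (?:<[^>]*>: )?(?P<rule>[^:]+): (?P<id>R-\d+);"
)


def iter_records(log_text):
    """Yield (timestamp, message) for each syslog-style line; year is ignored."""
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]


def detect_credential_stuffing(log_text, window_seconds=120, min_distinct_users=5):
    """Return {client_ip: sorted usernames} for every IP that tried at least
    min_distinct_users different accounts within any window_seconds span."""
    attempts = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, msg in iter_records(log_text):
        for rx in AUTH_FAIL_RES:
            m = rx.search(msg)
            if m:
                attempts[m["ip"]].append((ts, m["user"]))
                break
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered attempts
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_distinct_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def leaked_tags(users):
    """Map user+tag@domain back to the tag, i.e. the party that address was
    given to; untagged addresses are skipped."""
    tags = set()
    for u in users:
        local = u.split("@", 1)[0]
        if "+" in local:
            tags.add(local.split("+", 1)[1])
    return sorted(tags)


def tally_rejections(log_text):
    """Count REJECT hits per opaque rule ID, and which client IPs hit each."""
    per_rule = defaultdict(int)
    clients = defaultdict(set)
    for _, msg in iter_records(log_text):
        m = REJECT_RE.search(msg)
        if m:
            per_rule[m["id"]] += 1
            clients[m["id"]].add(m["ip"])
    return dict(per_rule), {k: sorted(v) for k, v in clients.items()}


if __name__ == "__main__":
    for ip, users in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} accounts tried; tags leaked via {', '.join(leaked_tags(users))}")
    per_rule, clients = tally_rejections(SAMPLE_LOG)
    for rule_id, n in sorted(per_rule.items()):
        print(f"{rule_id}: {n} rejections from {', '.join(clients[rule_id])}")
```

The bot is flagged on distinct accounts per source within a window, not on attempt count, which is what separates a credential-stuffing run from one user with a stale password; the tag list then tells you which vendor's breach the pairs came from. The rejection tally works because the opaque ID sits in a fixed position of the Postfix reject line, so the rule can be counted without giving the sender any hint about why the rejection happened.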