> -----Original Message-----
> From: Marc Perkel [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 28, 2007 9:53 AM
> To: users@spamassassin.apache.org
> Subject: And interesting way to detect spambots
>
> I'm doing some interesting experimenting and discovered an interesting way to detect spam bots. It appears that spam bots cache DNS far longer than ordinary. And that is detectable.
>
> As you know I use several fake high numbered MX records to fool spam bots into hitting the back door and going away. What most people don't yet know is that isn't all I do. I actually harvest the spam, return a fake reject 550 before the final quit (an Exim feature) and forward the spam off to several blacklists for harvesting, including my own blacklist.
>
> What I'm trying now is changing the high fake MX IP addresses to a different group of fake IP addresses. My TTL is 5 hours and under normal conditions mail servers shouldn't be hitting the fake MX at all, but what I'm seeing is that even after the fake IPs are replaced with a new set, spam bots continue to hit the old fake IP addresses, even several days later.
>
> I'm thinking that by using shifting IP patterns one could harvest spam bot IP addresses directly into blacklists with very high confidence, since good email servers would never go to expired fake high MX records. I'm doing it on my blacklist, which has grown to about 300,000 entries, and I only keep 3 days of data.
>
> Who finds this concept interesting?
[Tom replied with:] I find it very interesting. You definitely have a mind for analyzing. I'd be interested in finding out more about your setup.
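The detection idea in Marc's post, written out as an added example (not code from the thread or from SpamAssassin): decoy MX IPs are retired from DNS at a known time, and any source that still connects to a retired decoy after the TTL plus a grace window has expired is flagged. The schedule, the TTL of 5 hours, the log format and all addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed decoy-MX rotation schedule: decoy IP -> time it was removed
# from DNS (None = still published). Addresses are documentation ranges.
TTL = timedelta(hours=5)
DECOY_RETIRED = {
    "192.0.2.10": datetime(2007, 8, 25, 12, 0),
    "192.0.2.11": datetime(2007, 8, 25, 12, 0),
    "192.0.2.20": None,
}

# Constructed connection log, one line per SMTP connection to a decoy.
LOG = """\
2007-08-25 13:00:00 connect from 198.51.100.7 to decoy 192.0.2.10
2007-08-25 20:00:00 connect from 198.51.100.8 to decoy 192.0.2.10
2007-08-27 09:00:00 connect from 203.0.113.5 to decoy 192.0.2.11
2007-08-27 09:05:00 connect from 203.0.113.9 to decoy 192.0.2.20
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source IP, decoy IP)."""
    ts_s, _, rest = line.partition(" connect from ")
    src, _, dst = rest.partition(" to decoy ")
    return datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S"), src, dst.strip()


def stale_decoy_hits(log, retired, ttl, grace=timedelta(hours=1)):
    """Return {source IP: how long after the cutoff it connected} for every
    connection to a decoy made after retirement + TTL + grace.

    Hits inside the TTL window are ignored: a well-behaved resolver may still
    hold the old record, so only connections past the cutoff are evidence of
    a client that ignores DNS TTLs (the behaviour described in the post).
    """
    hits = {}
    for line in log.splitlines():
        ts, src, dst = parse_line(line)
        retired_at = retired.get(dst)
        if retired_at is None:        # decoy still live in DNS: not evidence
            continue
        cutoff = retired_at + ttl + grace
        if ts > cutoff:
            late = ts - cutoff
            hits[src] = max(hits.get(src, timedelta(0)), late)
    return hits
```

The first 192.0.2.10 connection (one hour after retirement) is within the TTL and not flagged; the other two hits on retired decoys are, with the second of them arriving about 39 hours past the cutoff.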