continuing ....
This project is targeted mostly at harvesting the IP addresses of
virus-infected spambots. First - some background.
A virus-infected spambot sends email differently than SMTP servers do, and
there is enough difference that they can usually be detected on the
first attempt to send spam. Some of the things that give them away are:
1) Attempting to send spam to the highest-numbered MX records.
2) Failing to close the connection with a QUIT.
3) Trying to spoof HELO, pretending to be part of the recipient's domain.
4) Sending from dynamic IP ranges.
5) Being listed on several other blacklists.
6) Many other HELO-type sins.
What I propose is that a Perl server be written to act as an SMTP daemon. It
wouldn't actually receive any email. It would return a 451 error after
the DATA command. There would also be a few delays added, so that legit
servers would honor the delays but spambots won't. The idea here is to
detect spambots based on their behavior.
A spambot wants to spam as many people as possible. So if the spambot
has to keep the connection open to send a QUIT, that's more work. If the
spambot has to do more work in order to close a connection nicely, that's
going to make it less efficient. In order to save time and bandwidth,
the spambot moves on to the next victim as soon as possible. Closing the
connection takes time and bandwidth.
Our spambot detector will need to monitor the connection after the 451,
looking for a QUIT or a timeout. The idea being that if the high-numbered
MX is hit, the sender sends everything up through the DATA command, a 451
is returned, the sender fails to send a QUIT, and the sender has some
other spambot-related sin(s), then it is a spambot and can be
blacklisted.
Once we have a set of rules for spambot detection and a network of these
detectors in place, the detectors can send one-line UDP messages to a
central collector that will create real-time blacklists out of the data.
I will describe this more in my next message.
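As an added illustration (not code from the original message, and in Python rather than the proposed Perl), the following scores one recorded session against the rules above: talking before the delayed 220 banner, HELO claiming the recipient's domain, hitting the highest MX, and dropping the connection after the 451 without a QUIT. The session transcript, the sin names and the one-line report format are all constructed assumptions; dynamic-IP and DNSBL checks are left out.

```python
# Constructed sample transcript, not a real capture: (seconds since connect,
# side, line). The client talks before the delayed 220 banner, claims our
# domain in HELO, pushes through DATA, gets the 451 and closes without QUIT.
SAMPLE_SESSION = [
    (0.3, "C", "HELO mail.example.org"),
    (5.0, "S", "220 mx9.example.org ESMTP"),
    (5.1, "S", "250 mx9.example.org"),
    (5.2, "C", "MAIL FROM:<bob@elsewhere.test>"),
    (5.3, "S", "250 OK"),
    (5.4, "C", "RCPT TO:<alice@example.org>"),
    (5.5, "S", "250 OK"),
    (5.6, "C", "DATA"),
    (5.7, "S", "354 End data with <CR><LF>.<CR><LF>"),
    (6.4, "C", "."),
    (6.5, "S", "451 Temporary failure, try again later"),
    (6.6, "C", "<closed>"),  # TCP close with no QUIT
]

def analyze_session(session, our_domain, hit_highest_mx):
    """Score one session; returns (sins, is_spambot). Verdict needs highest MX,
    451 after DATA, no QUIT and one more sin. DNSBL/dynamic-IP checks omitted."""
    sins = []
    client = [(t, l) for t, s, l in session if s == "C"]
    server = [(t, l) for t, s, l in session if s == "S"]
    banner_at = next((t for t, l in server if l.startswith("220")), None)
    # Any command before the delayed 220 banner means the delay was not honoured.
    if banner_at is not None and any(t < banner_at and not l.startswith("<") for t, l in client):
        sins.append("early-talker")
    # HELO/EHLO that claims to be part of the recipient's own domain.
    for _, l in client:
        w = l.split()
        if len(w) == 2 and w[0].upper() in ("HELO", "EHLO") and \
                (w[1].lower() == our_domain or w[1].lower().endswith("." + our_domain)):
            sins.append("helo-spoofs-our-domain")
            break
    if hit_highest_mx:
        sins.append("highest-mx")
    reached_data = any(l.upper() == "DATA" for _, l in client)
    got_451 = any(l.startswith("451") for _, l in server)
    got_quit = any(l.upper().startswith("QUIT") for _, l in client)
    if got_451 and not got_quit:
        sins.append("no-quit")  # closed early or sat silent until our timeout
    core = hit_highest_mx and reached_data and got_451 and not got_quit
    extra = [s for s in sins if s not in ("highest-mx", "no-quit")]
    return sins, bool(core and extra)

def report_line(client_ip, sins):
    """One-line UDP report for the central collector (format is an assumption)."""
    return f"{client_ip} {','.join(sins)}"
```

A sender that answers the 451 with a proper QUIT fails the core rule and is not flagged, even if it tripped the other checks.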