On 14-Jun-2009, at 22:46, LuKreme wrote:
On Jun 14, 2009, at 18:59, "Chip M." <sa_c...@iowahoneypot.com> wrote:
In all (5) of the hams I found, the IP was in IANA Reserved space
(specifically 192.168.0.0/16).

Most were in reserved space, but by no means all of them.

I checked 2.5 months worth of logs for my most diverse domain, and
found only 5 (out of 21392) hams with Message-IDs containing square
brackets around an IP address (all were as above).

Interesting. I searched only 30 days and about 6,000 emails and found 12 spam and 32 ham. Not all were bracketed. All the ham messages were to mailing lists.

Sorry, 60,000, not 6,000. (actually, 57,938 to be exact)

There were a total of 414 messages that matched having an IP in the message-ID having at most two characters between it and the EOL. I did not look specifically for square brackets when I did the search, just any IP at the end of the line with 0-2 optional characters, accounting for ]> or > or simply a bare number.

Of those 414, only 32 were tagged as being below 0 (I misremembered this as 'ham'), 12 above zero, and 0 were tagged as spam. The rest were not run through SA for one reason or another (mostly because most messages are not run through SA. However, looking briefly over those other 370 messages or so, they aren't spam, they are almost all mailing list messages). I see maybe as many as 20 messages that might be spam.

Here are some matches:

Message-ID: <25da2352a681b94e1e0f3b2873d4...@66.228.123.6>
Message-Id: <2009040333459.330.483228534.sw...@65.40.129.19>
Message-Id: <6ebe250f5e58282c7cd31111e965...@66.228.123.6>
Message-Id: <p0624040c5fd280af...@[192.168.1.100]>
Message-Id: <p0624040c5fd280af...@[192.168.1.100]>
Message-Id: <p0510030c5fd4b2c2...@[192.168.1.14]>
Message-Id: <p0510030c5fd4b2c2...@[192.168.1.14]>
Message-Id: <c4fb7453e5818b059ff369df18ce...@66.228.123.6>
Message-ID: <c4fb7453e5818b059ff369df18ce...@66.228.123.6>

(I removed a random character from each message-id just in case)

Keep in mind though that my postfix settings are fairly restrictive and that I drop zen listed connections during the transaction phase, so I tend to have less spam hitting SA than a lot of systems. Also, once messages are identified as coming from a mailing list, they are not run through SA at all.

--
...when you're no longer searching for beauty or love, just some
        kind of life with the edges taken off. When you can't even
        define what it is that you're frightened of...
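
The search described in this message (an IPv4 address at the end of a Message-ID header with at most two characters after it, bracketed or bare), as an added example that is not part of the original post. The function names and sample headers are constructed, and "reserved" is assumed to mean RFC 1918 private space, of which the thread names only 192.168.0.0/16.

```python
import ipaddress
import re
from collections import Counter

# The header name appears as both "Message-ID" and "Message-Id" in the thread.
HEADER = re.compile(r"^message-id:\s*(.*)$", re.IGNORECASE)
# Dotted quad, optionally bracketed, with 0-2 characters ("]>", ">" or nothing) before EOL.
TRAILING_IP = re.compile(r"(?<![\d.])(\[?)(\d{1,3}(?:\.\d{1,3}){3})(?!\d).{0,2}$")
# Assumption: RFC 1918 ranges stand in for "reserved space".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(line):
    """Return (ip, bracketed, private) for a Message-ID ending in an IPv4 address, else None."""
    header = HEADER.match(line.strip())
    if not header:
        return None
    hit = TRAILING_IP.search(header.group(1))
    if not hit:
        return None
    try:
        ip = ipaddress.ip_address(hit.group(2))
    except ValueError:  # looks like a dotted quad but is not a valid address
        return None
    return str(ip), hit.group(1) == "[", any(ip in net for net in PRIVATE_NETS)

def tally(lines):
    """Count matches by (bracketed|bare, private|public)."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            _, bracketed, private = result
            counts[("bracketed" if bracketed else "bare",
                    "private" if private else "public")] += 1
    return counts

# Constructed sample headers, not taken from any real mail.
SAMPLE = [
    "Message-Id: <constructed01@[192.168.1.100]>",
    "Message-ID: <constructed02@198.51.100.23>",
    "Message-ID: <constructed03@mail.example.org>",
    "Message-Id: <constructed04@[999.1.1.1]>",
    "Subject: test from [192.168.1.1]",
]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE).items()):
        print(key, n)
```

Splitting the counts this way makes it visible whether a rule would fire only on the bracketed private-space form or also on bare public addresses, which is the distinction the two sets of log numbers in this thread disagree on.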
