[Dshield] Re: Firewall/Spam defense

Father Peter Darin BDarin at tanaya.net
Wed Oct 22 00:32:35 GMT 2003


Rather then responding to individual messages where there are many over
lapping areas, this message will contain my response to the replies I've

First, thank you to the many people that replied. 

In regards to the RBLs, I have tried and used just about every one of
them out there from spamcop.net to Osirus including open proxies/relays
and the like.  All of which have cause a great deal of grief in the low
percentile of spam filtration versus a comparably high loss of
legitimate mail. 

I have tried SpamAssassin with overall result worse then RBL filtering. 

My common spam collection have similarities like this example;
the subject would contain once of these variants: 

Viagra \/iagra V1agra \/1agra V.i.a.g.r.a Via,gra 

and just about every other combination thereof.  All more recently I
have been receiving spam where the body is completely mimed. 

My postmaster account was overridden with complaints when I tried
SpamAssassin.  Less with the RBL until ligit mail started disappearing. 

I will detail how I collect the information and collect the data here: 

Before the antispam measure is described, I must detail the firewall: My
firewall (now running for 4 years) has created a locally searchable
database of ip addresses with its resolved name.  I now have approx. 20
million entries.  This gave me the basic patterns of some of the dynamic
ip address blocks.  IP address were collected from connection data then
DNS resolved and stored.  The area in which I am my first question
resides is in the patternistic layout of the dynamic address blocks
whereby many ISPs do not provide a reverse lookup. 

Now on to the antispam method: 

First I started with WireHub's PermaBlock list.  From there I overlay-ed
all of my pop3 account with WebMail and created in each user's WebMail
account a Spam folder.  The users were then instructed to move all of
their spam into that folder. 

 From there, I use scripts to extract the "Received: from" line and
acquire the ip address.  After that I use host and dig to determine
further details about the ip address.  Note that I am not working with
ranges of blocking out entire groups based upon one spammer, only the
ip address of that one spammer.  This is a major issue with the DNS based

 From here, if the ip address in in my dynamic ip list AND t is trying to
access port 25, I block it for a period of time starting with 15
minutes.  The time is increments each time that ip address hits port 25
again.  After the time expires, the ip address in unblocked and removed
from the firewall. 

The aspect of having 1.5 million ip addresses blocked at once isn't an
issue since when they expire the memory/space used is freed.  I would
have to be hit with 1.5 million connections within a 15 minute period.
The probability of such an event would Dos the server long before my
resources were affected. 

The final point is the data collection methodology itself.  I avoid
breaking firewalls and other related issues in the data collection by
using only public services designed to facilitate basic internet
operations.  As stated earlier, I use basic DNS services, the host
command, the dig command, the whois command, and traceroutes.  All of
which in done in a listed method that does not send out millions of
requests at once, but rather a timed consistent, load based method where
the local database is queried first. 

Where I have gained my advantage is by being able to "know" which ip
address should never send mail directly, I can block accepting the
connection from the start, thus yielding a higher percentile of
effectiency and a lower spam rate.  It has proven an excellent way for
my users to interact with stopping the spam.  By their contributing to
what spam is, I am able to only block spam. 

I hope this answers all questions.  If not, please let me know. 

--- [ tanaya.net/Exim/Antiviral ] ---
This message has been scanned with ClamScan, Inoculate, RAV and
H+BEDV AntiVir antivirus software and has been determined to be

More information about the list mailing list