Strategies to eliminate same spam sent to many users/spam traps

02-05-2011, 09:43 AM
I've seen many people ask about a way to avoid the same spam email being sent to hundreds of users. Intrusion prevention does help with that, but it seems not always.

The other day a customer received a message (attached) that I found really interesting. The system seems to have set up a bunch of spam trap addresses, and if mail is sent to one of those addresses, it automatically blocks future emails from that IP AND also informs the owner of the IP space/domain about it.

We did something similar with filters, but I found content filters that scan text files cause big performance issues. Basically we did a filter that, when someone sends to a spam trap, would write the person's IP to a text file, and then it would check this text file for auditing reasons, so I know what is being blocked.

The thing is, my mechanism, as I said, caused much delay in the content filter, and it doesn't have the WHOIS part of informing the owner of the IP block of the spammer/sender. I even thought of one way: I'd delete this list of IPs from time to time, as DNSBLs do. But I can't use this filter due to performance (at least the part that checks the IPs in the text file).

But it did work... I'm also worried about very legit messages; after all, even a trusted mail server can be exploited, so it wouldn't be fair to block at least the major ones. Maybe I can use this technique combined with an SPF check or something.

Anyone have any ideas?

Right now I guess what we can do natively is the option in IceWarp to create several spam baits (or use a content filter) and do an intrusion prevention block on them for x minutes. The only thing is, this option doesn't bring us much in terms of statistics. To know the overall result, we would need to somehow audit all mail sent to spam traps. If I ask for statistics on the spam bait address, I get 0 messages, since I believe it rejects before it can add to stats :(


02-19-2011, 10:23 AM


06-20-2011, 10:35 AM

We've used the spam bait accounts (set account to state "spam trap"). We find out which nonexistent accounts users are sending mail to via a filter:

Where Recipient remote
and ! Where Sender's IP address is trusted
and ! Where SMTP AUTH
Stop processing more rules
and Forward to cf-find-traps@mydomain.com
and Add %%Current_Recipient%% to a file

We then paste the resulting txt file into a spreadsheet and see the ones that have more occurrences, and set up those accounts as spam bait.

But I agree, there isn't a way to get good statistics on results. And since it shares the same block time as intrusion prevention, we don't have much flexibility; we found that it's a bit risky to set intrusion too high, so we set it to just 30 min.
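The two posts above both end up with a text file of spam-trap hits and no statistics: the first wants to block the sending IP with DNSBL-style expiry while sparing trusted servers, the second pastes the file into a spreadsheet to count which nonexistent recipients are hit most. The script below is an added example, not IceWarp's filter or either poster's code; the log layout ("timestamp, sender IP, recipient") and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 sample addresses are constructed, and the 30-minute TTL mirrors the intrusion-prevention block time mentioned in the thread.

```python
"""Audit spam-trap hits: rank unknown recipients (spam-bait candidates) and
derive the sender IPs to block right now, with DNSBL-style expiry and a
skip-list for trusted relays. Constructed input; the line format is assumed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of an audit file written by the filter's "Add ... to a
# file" action; the "<ISO timestamp> <sender IP> <recipient>" layout is assumed.
SAMPLE_LOG = """\
2011-06-20T08:01:12 203.0.113.7 info@mydomain.com
2011-06-20T08:02:40 203.0.113.7 sales-old@mydomain.com
2011-06-20T08:05:03 198.51.100.9 info@mydomain.com
2011-06-20T09:10:55 198.51.100.9 info@mydomain.com
2011-06-20T09:30:00 192.0.2.25 webmaster@mydomain.com
2011-06-20T11:45:10 203.0.113.7 info@mydomain.com
"""
TRUSTED_IPS = {"192.0.2.25"}  # e.g. a partner relay that is never auto-blocked

def parse_hits(text):
    """Return (timestamp, ip, recipient) tuples, skipping malformed lines."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, rcpt = parts
        hits.append((datetime.fromisoformat(ts), ip, rcpt.lower()))
    return hits

def bait_candidates(hits, min_hits=2):
    """Recipients hit at least min_hits times, most frequent first."""
    counts = Counter(rcpt for _, _, rcpt in hits)
    return [(r, n) for r, n in counts.most_common() if n >= min_hits]

def blocked_ips(hits, now, ttl=timedelta(minutes=30), trusted=TRUSTED_IPS):
    """IPs whose latest trap hit (at or before now) is within ttl of now.
    Trusted relays are skipped; aging entries out keeps the list bounded."""
    latest = {}
    for ts, ip, _ in hits:
        if ip in trusted or ts > now:
            continue
        latest[ip] = max(ts, latest.get(ip, ts))
    return sorted(ip for ip, ts in latest.items() if now - ts <= ttl)

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print("bait candidates:", bait_candidates(hits))
    print("blocked now:", blocked_ips(hits, datetime(2011, 6, 20, 12, 0)))
```

Run against the real audit file on a schedule and the `bait_candidates` output replaces the spreadsheet step, while `blocked_ips` gives the current block list without the per-message text-file scan the first post found too slow.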

09-02-2012, 04:48 PM
