WhiteSites Blog
Implimenting the Nuclear option to Fighting Spam

Implimenting the Nuclear option to Fighting Spam

Posted on Dec 6, 2015 by Paul White

As mail servers get more advanced ways to detecting spam, spammers are getting more advanced ways to get through.  I finally broke down and decided that enough was enough, and implimented my own nuclear option to fighting spam.  Thus far its been extremely effective.  This is not something most mail servers support, so if you want to do this, you will need to be prepared to write your own code.

The old way to fight spam

It used to be that most spam was coming from compromised mail servers, or spam servers in which the spammers knew that it was only a matter of time before their connection was cut.  Their goal was to deliver as many messages as possible before they were shutdown.  This meant not letting messages pile up in the queue taking up valuable memory and disk space.  If a message was no delivered on the first try, they often did not try again.  This is when grey listing proved very effective, and it used to be that greylisting would eliminate 95% of spam.  For those of you who don't under stand what greylisting is here is how it works.

  1. sending server connects to receiving server
  2. receiving server asks who are you?
  3. Sending server says I am Dave?
  4. receiving server asks who is your message for?
  5. Sender server says its for Jim.
  6. receiving server says come back in 300 seconds ( a 5 minute greylist )

The assumption is that if this is a legitmate email, they sending server will try again in a few minutes, and then the next time ( as long as its been longer than the greylist time)  they will be allowed to deliver.

However spammers are no longer depending on compromised boxes to do their dirty work.  They are quickly setting up legit mail servers, with RDNS, domainkeys, DKIM, SPF records, and everything else modern servers like to see in order to authenticate them.  They are also buying up hundreds of domains, and they creating hundreds of subdomains on each one in order to seperate their blasts accross many IPs.  But they are making a mistake in the process.

ICANN introduced a bunch of new top level domains, and now there are companies selling their domains to anyone will to pay for them.  However most people still use the original top level domains (.COM, .NET, .ORG, .GOV, .EDU).  However the prices for these top level domains are not cheap, usually running at least $10 / year.  But these new Top Level domains (.SPACE, .DEMOCRAT, .WORK and others ) are being sold for much less, allowing spammers to snatch them up and in more keyword friendly formats.  

Thus far the pattern I have seen is that 99.9% of emails coming from a non original Top Level Domains is spam.

My Nuclear Anti Spam Solution

Running SmarterMail 14.4 ( latest version as of today )  I have my greylist set to 5 minutes.  This forces every connection that has not been whitelisted in smartermail to be greylisted for a minimum of 5 minutes.  This results in an entry being written into my SMTP logs documenting the sending email address, and sending IP.

I have written a scheduled task that will execute an ASP.NET script I have written every 3 minutes.  This ensures that my script is able to process the logs before the sending spam server is able to return delivering the email after the 5 minute greylist has expired.

The script I wrote first loads up a list of Badwords from MySQL, and a list of Goodwords from MySQL, as well as a list of currently blocked IPs.

The script them reads each line of the SMTP logs and searches for one of the bad words.  If it finds a match it then looks for a good words, if it finds the good word then the line is ignored.  Else it continues to parse out the IP address from the line and sees if we already have a previous entry in the blocked list.  If we do then it ignores it, if we don't it adds that IP to the block list and adds the IP address to the firewall of the server.  

An additional improvement I made was to check if the IP being blocked was part of a Class C that had previous spam activity.  If it is, then I firewall the entire Class C.

The reason I do this is because I found that most spam comes from a limited number of IPs.  all within a /28 or even /26.  Adding the entire /24 to the firewall is a sure fire wall to limit its impact, and reduce the number of rules being added to the firewall.

Before I started blocking Class C, within 5 days this script had submitted almost 3000 rules to my firewall.  A thicker firewall is going to slow down over all server performance, so I try to keep this to a minimum.

After about a week of running this setup. I have only received 2 false positives. Of which I added these domains directly into my goodwords list ot prevent them from being firewalled again.

Suggested Top Level Domains used for Spam

These are some of the more popular Top Level Domains that Spammers seem to be buying to do their dirty work.  Of course any IP sending on behalf of one of these domains is instantly added to my firewall.

  • .eu
  • .work
  • .click
  • .space
  • .in
  • .info
  • .us ( Note many government entities use .us, so you will need to make some exceptions for this )
  • .biz
  • .in.net
  • .uy
  • .democrat
  • .xyz
  • .science
  • .ninja
  • .link
  • .co
  • .review
  • .top
  • .webcam

Summary

Thus far the script is racking up a good 20+ IPs each day, and the number of spam emails getting through to me and my clients has dropped to around 1 or 2 per week.  If you sick of spam, I highly recommend you setup something similar.  However in order to do this you will need to be running your own server ( Dedicted, Colocated, or Cloud )Very unlikely your Shared Hosting Provider would be willing to help you impliment something like this.


Permalink
2900 Visitors
2900 Views

Categories associated with Implimenting the Nuclear option to Fighting Spam

Discussion

No Comments have been submitted
name
Email Needed to confirm comment, but not made public.
Website
 
 
When you Post your Comment, you'll be sent a confirmation link. Once you click this link your thoughts will be made public.. Posts that are considered spam will be deleted, Please keep your thoughts and links relavent to this Article