[Sussex] Securing Mail Servers

Andy Smith andy at lug.org.uk
Mon Apr 17 07:59:58 UTC 2006 

On Mon, Apr 17, 2006 at 07:01:35AM +0000, Andy Smith wrote:
> Unfortunately I do not have any means in place at this time to
> automatically check emails marked as spam against the p0f log file.

This piqued my interest.

I went through the log file of mail-in-01 again looking for the logs
of any connection dropped because it sent a mail that scored 10.0 or
higher in SpamAssassin.

Bear in mind that the majority of spammers' connections have already
been dropped by this point because they fall foul of other antispam
measures such as HELO checks or DNSBLs.

So what we are left with is around 3000 lines of log of the most
egregious spammers, who score 10 or higher on a content test.

I then extracted the connecting IP from that and ran it through my
p0f logs.  The OS breakdown is as follows:

   1011  Windows 2000 SP4, XP SP1
    806  Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
    442  Windows XP Pro SP1, 2000 SP3
    235  UNKNOWN
    114  Windows 2000 SP4, XP SP 1
    107  Windows XP/2000 (RFC1323, w+, no tstamp)
     85  Windows XP/2000
     57  Windows XP, 2000 SP2+
     40  Windows 98 (15)
     32  Linux 2.5 (sometimes 2.4)
     26  Windows 98
     20  Windows XP SP1, 2000 SP3
     19  Windows 98 (10)
     16  Windows XP SP1, 2000 SP4
     13  Linux 2.4/2.6 <= 2.6.7
     12  Windows XP/2000 (RFC1323)
     10  Windows XP/2000 (RFC1323 no tstamp)
      4  Windows XP (RFC1323, w+)
      4  Windows 95
      3  Windows 98 (11)
      2  Windows SP3
      2  Windows 98 (low TTL)
      2  FreeBSD 4.7
      1  Windows 98 (13)
      1  Windows 98 (12)
      1  Solaris 8
      1  Solaris 2.5
      1  PocketPC 2002
      1  Novell NetWare 5.0
      1  Linux 2.4/2.6 <= 2.6.7 (ECN)
      1  Linux 2.4 (Google crawlbot)
      1  HP

i.e. 2782 Windows variants and 289 everything else.  90.6% of
messages identified by SpamAssassin as scoring 10+ were received
from a Windows host.

The full p0f log of IPs that were rejected due to scoring 10+ in
SpamAssassin is available here:

http://strugglers.net/~andy/spamming_buggers.txt (422KiB)

-- 
http://strugglers.net/wiki/Xen_hosting -- A Xen VPS hosting hobby
Encrypted mail welcome - keyid 0x604DE5DB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.lug.org.uk/pipermail/sussex/attachments/20060417/6f3596da/attachment.pgp

More information about the Sussex mailing list