Re: [Asrg] An Anti-Spam Heuristic
Chris Lewis <clewis+ietf@mustelids.ca> Sat, 15 December 2012 03:15 UTC
Return-Path: <clewis+ietf@mustelids.ca>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B65C21F8AE2 for <asrg@ietfa.amsl.com>; Fri, 14 Dec 2012 19:15:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.086
X-Spam-Level: *
X-Spam-Status: No, score=1.086 tagged_above=-999 required=5 tests=[AWL=-1.466, BAYES_50=0.001, FH_RELAY_NODNS=1.451, GB_PHARMACY=1, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2m50SRnx-9zr for <asrg@ietfa.amsl.com>; Fri, 14 Dec 2012 19:15:45 -0800 (PST)
Received: from mail.mustelids.ca (unknown [174.35.130.2]) by ietfa.amsl.com (Postfix) with ESMTP id 739D621F8ACA for <asrg@irtf.org>; Fri, 14 Dec 2012 19:15:44 -0800 (PST)
Received: from [192.168.0.8] (otter.mustelids.ca [192.168.0.8]) (authenticated bits=0) by mail.mustelids.ca (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id qBF3Fb5W005214 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT) for <asrg@irtf.org>; Fri, 14 Dec 2012 22:15:38 -0500
Message-ID: <50CBEB59.8080203@mustelids.ca>
Date: Fri, 14 Dec 2012 22:15:37 -0500
From: Chris Lewis <clewis+ietf@mustelids.ca>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: asrg@irtf.org
References: <SNT002-W143FB9A867C92FA80D90E04C54E0@phx.gbl> <DA14FA4D-13CB-4C61-90C4-4E690F0EC745@blighty.com> <SNT002-W1393526B62C0940EF697B2C54E0@phx.gbl> <20682.3413.665708.640636@world.std.com> <50CA0E91.2080304@mtcc.com> <20682.23612.451287.246798@world.std.com> <E26A6D4F-FC05-45B9-80F0-9E6F8A6A9713@blighty.com> <20682.31889.485606.165715@world.std.com> <50CAAD79.8040008@mustelids.ca>
In-Reply-To: <50CAAD79.8040008@mustelids.ca>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] An Anti-Spam Heuristic
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Dec 2012 03:15:46 -0000
On 12-12-13 11:39 PM, Chris Lewis wrote: > I'll have to try this on a few other bots, bigger traps and different > delays. As a FYI, I tried it again. It looks like Kelihos and Festi are also stopped dead in their tracks by a 30 second banner delay. That means that all of the currently high-volume spambots, except Cutwail and Darkmailer (usually Linux) are stopped by a 30 second delay. Kelihos is alternately spewing HUGE quantities of viral infectors and Toronto Pharmacy pillz spam. Festi is trying to spew huge quantities of Canadian Pharmacy Pillz spam. There are many versions of cutwail in the field, under the control of at least a dozen different operators. It's quite possible that a 30 second delay impairs some of them and longer delays will impair yet more. OTOH, cutwail has multiple operating modes (including AUTH cracking) which wouldn't be impacted by banner delays. It looks like the darkmailerish code I have has 60 second timeouts.
- [Asrg] An Anti-Spam Heuristic Adam Sobieski
- Re: [Asrg] An Anti-Spam Heuristic Steve Atkins
- Re: [Asrg] An Anti-Spam Heuristic Barry Shein
- Re: [Asrg] An Anti-Spam Heuristic John Levine
- Re: [Asrg] An Anti-Spam Heuristic Adam Sobieski
- Re: [Asrg] An Anti-Spam Heuristic John Levine
- [Asrg] The Real Problem (was: An Anti-Spam Heuris… Andrew Sullivan
- Re: [Asrg] An Anti-Spam Heuristic Rich Kulawiec
- Re: [Asrg] An Anti-Spam Heuristic Bill Cole
- Re: [Asrg] An Anti-Spam Heuristic Bart Schaefer
- Re: [Asrg] The Real Problem Chris Lewis
- Re: [Asrg] The Real Problem Alessandro Vesely
- Re: [Asrg] An Anti-Spam Heuristic Barry Shein
- Re: [Asrg] An Anti-Spam Heuristic Michael Thomas
- Re: [Asrg] The Real Problem (was: An Anti-Spam He… Barry Shein
- Re: [Asrg] An Anti-Spam Heuristic Barry Shein
- Re: [Asrg] An Anti-Spam Heuristic John Leslie
- Re: [Asrg] An Anti-Spam Heuristic Seth
- Re: [Asrg] An Anti-Spam Heuristic Steve Atkins
- Re: [Asrg] An Anti-Spam Heuristic Barry Shein
- Re: [Asrg] An Anti-Spam Heuristic Steve Atkins
- Re: [Asrg] An Anti-Spam Heuristic Barry Shein
- Re: [Asrg] An Anti-Spam Heuristic Barry Shein
- Re: [Asrg] An Anti-Spam Heuristic Chris Lewis
- Re: [Asrg] An Anti-Spam Heuristic Barry Shein
- Re: [Asrg] An Anti-Spam Heuristic Michael Thomas
- Re: [Asrg] An Anti-Spam Heuristic Chris Lewis
- Re: [Asrg] An Anti-Spam Heuristic Chris Lewis
- [Asrg] Countering Botnets to Reduce Spam Adam Sobieski
- Re: [Asrg] Countering Botnets to Reduce Spam Chris Lewis
- Re: [Asrg] An Anti-Spam Heuristic Martijn Grooten
- Re: [Asrg] An Anti-Spam Heuristic Adam Sobieski
- Re: [Asrg] Countering Botnets to Reduce Spam Rich Kulawiec
- Re: [Asrg] Countering Botnets to Reduce Spam Adam Sobieski
- Re: [Asrg] Countering Botnets to Reduce Spam Chris Lewis
- Re: [Asrg] Countering Botnets to Reduce Spam Rich Kulawiec
- Re: [Asrg] An Anti-Spam Heuristic John Levine
- Re: [Asrg] An Anti-Spam Heuristic John Levine
- Re: [Asrg] Countering Botnets to Reduce Spam John Levine
- Re: [Asrg] An Anti-Spam Heuristic Chris Lewis
- Re: [Asrg] Countering Botnets to Reduce Spam Chris Lewis
- Re: [Asrg] Countering Botnets to Reduce Spam Chris Lewis
- Re: [Asrg] Countering Botnets to Reduce Spam Barry Shein
- Re: [Asrg] Countering Botnets to Reduce Spam Chris Lewis
- Re: [Asrg] An Anti-Spam Heuristic Alessandro Vesely
- Re: [Asrg] An Anti-Spam Heuristic Chris Lewis