Re: [Asrg] An Anti-Spam Heuristic

Chris Lewis <clewis+ietf@mustelids.ca> Sat, 15 December 2012 03:15 UTC

On 12-12-13 11:39 PM, Chris Lewis wrote:

> I'll have to try this on a few other bots, bigger traps and different
> delays.

As an FYI, I tried it again.

It looks like Kelihos and Festi are also stopped dead in their tracks by
a 30 second banner delay.

That means that all of the currently high-volume spambots, except
Cutwail and Darkmailer (usually Linux), are stopped by a 30 second delay.

Kelihos is alternately spewing HUGE quantities of viral infectors and
Toronto Pharmacy pillz spam.

Festi is trying to spew huge quantities of Canadian Pharmacy Pillz spam.

There are many versions of Cutwail in the field, under the control of at
least a dozen different operators.  It's quite possible that a 30 second
delay impairs some of them and longer delays will impair yet more.
OTOH, Cutwail has multiple operating modes (including AUTH cracking)
which wouldn't be impacted by banner delays.

It looks like the darkmailerish code I have has 60 second timeouts.
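
The banner delay discussed in this message, as an added example that is not part of the original post or any code its author used: a listener that holds the SMTP 220 greeting and records whether each client waited, disconnected first, or sent data before the banner. The early-talker check goes beyond what the post describes; the hostnames, function names and the scaled-down delay are assumptions, and the clients are constructed for the demo.

```python
import asyncio
import time

BANNER = b"220 mx.example.test ESMTP\r\n"  # placeholder hostname (assumption)

async def delayed_greeting(reader, writer, delay, log):
    """Hold the 220 banner for `delay` seconds and classify the client."""
    start = time.monotonic()
    try:
        # Bytes before the banner = early talker; EOF = client timed out first.
        data = await asyncio.wait_for(reader.read(512), timeout=delay)
        outcome = "early_talker" if data else "gave_up"
    except asyncio.TimeoutError:
        outcome = "waited"
        writer.write(BANNER)  # a real MTA would continue the SMTP dialogue here
        await writer.drain()
    log.append((outcome, round(time.monotonic() - start, 2)))
    writer.close()

async def constructed_client(port, patience, talk_first=False):
    """Constructed test client: waits `patience` seconds for the banner."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    if talk_first:
        writer.write(b"EHLO client.example.test\r\n")
        await writer.drain()
    try:
        banner = await asyncio.wait_for(reader.readline(), timeout=patience)
    except asyncio.TimeoutError:
        banner = b""
    writer.close()
    return banner

async def run_demo(delay):
    log = []
    server = await asyncio.start_server(
        lambda r, w: delayed_greeting(r, w, delay, log), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    banners = [
        await constructed_client(port, patience=delay / 4),  # times out before banner
        await constructed_client(port, patience=delay * 3),  # outlasts the delay
        await constructed_client(port, patience=delay * 3, talk_first=True),
    ]
    server.close()
    return [outcome for outcome, _ in log], banners

def demo(delay=0.4):
    """Scaled-down delay so the demo finishes quickly; the post used 30 s."""
    return asyncio.run(run_demo(delay))

if __name__ == "__main__":
    print(demo())
```

Counting the `gave_up` outcomes per source at a given delay is one way to measure on a trap which senders have a banner timeout shorter than that delay.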