New Blocklist Idea -- Feedback Requested

I’m thinking about using Procmail to pipe all incoming email addressed to nonexistent but popular addresses (sales@domain.tld, purchasing@domain.tld, etc.) to a script that would add the IPs to a dedicated spam blocklist.

As with all my lists, the IP addresses would be removed automatically after a set interval (probably 48 hours for this list, or maybe even less) to allow for rehabilitation in the event a legit server or computer is compromised, and then cleaned.

Any comments? Would this perhaps be overkill, for example?

Thanks,

Richard

Why not use a ‘catchall’?

Your current methodology would not be an overkill, IMHO.

I could offer you access to all the spam hitting caltiger.net.in. I host it today as a disposable mail service but at one time CalTiger was the second largest ISP in India; it went under and I was able to pick up the domain when they let it expire.

It continues to receive legit email for some of its former users and also a lot of spam. Maybe you could parse the spam and add the IPs of the spammers to your blocklist in order to further fortify it?

Agree, but is that easy to set up?
Not sure this is required by all … very much an optional add on.

Thank you.

Well, the idea would be to trap spammers and record their IP addresses; but I’d also want to exclude innocent errors.

For example, if someone types richad@domain.tld instead of richard@domain.tld, they shouldn’t be added to a blocklist because of it.

Another example would be if a legit, subscribed mailing list sends email to an address that no longer exists because the employee has left the company. That’s not spam because it was subscribed to when the address was active.

Mail sent to a commonly-used address (other than the mandatory ones) that doesn’t exist on a given server, however, almost certainly is spam.

Richard

Thanks!

I need to decide whether I’m even going to do this. I’ll keep your offer in mind if I decide to go ahead. It wouldn’t be hard to do.

Richard

Thank you.

I would just be using it myself as an addition to other blocklists that I already maintain, not publicly releasing it as an add-on. It would be useless to most people, too resource-intensive, and too much work for someone to set up and oversee, unless they had a level of hatred for spammers rivaling my own.

This is something I do for free because I detest people who foul the Internet with malice. I actually own domains whose sole reason for existence is to trap hackers, crackers, spammers, and other Internet miscreants. One might call it an obsession.

Also, my Perl sucks. The script(s) will be in PHP or just shell scripts.

I’d share the scripts with anyone else crazy enough to want to do it, however. But they wouldn’t be available as plug-ins, modules, or anything else along those lines.

As for the difficulty of scripting, it wouldn’t be that hard. There are at least two ways. One would be to use Procmail to pipe the incoming spam to a script that would extract and insert the sending IP address into the database. That was my original idea.

The other way would be to alias those addresses to a single email address (for example, spamtrap@domain.tld), which would treat all incoming mail as spam, extract the IP addresses, and add them to the database. That would be easier for people to use if they just want to contribute to the project with minimal effort. All they have to do is set up the aliases. It’s actually the option I’m leaning toward this morning.

As an aside, I set up the rest of the reporting system (that is, the intrusion-detection and Web-based traps) on my home office development server last night; and by this morning, there were more than 300 emails and text messages reporting malicious activity waiting for me. It’s a jungle out there.

Richard
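Putting the pieces of this thread together (the Procmail-to-script approach described in the post above, the typo and mailing-list exclusions from Richard's earlier post, and the 48-hour drop-off he mentions), here is an added example in Python. It is not Richard's script and not code from this thread; Richard says his would be PHP or shell. The domain `example.com`, the mailbox names, the `Blocklist` class, the sample messages and the Procmail recipe in the docstring are all constructed assumptions for illustration. The one design point worth noting: only the topmost `Received:` header, the one stamped by your own MTA, can be trusted for the client IP; every header below it was written by the sender and can say anything.

```python
"""Spam-trap intake: classify a raw message and, if it is a trap hit, record
the connecting client's IP with a 48-hour expiry. Constructed example.

Assumed Procmail recipe feeding one message per invocation on stdin:

    :0
    * ^(X-Original-To|To):.*(sales|purchasing|spamtrap)@example\\.com
    | /usr/local/bin/spamtrap.py
"""
import email
import ipaddress
import re
import sys
import time
from email import policy
from email.utils import parseaddr

TRAP_DOMAIN = "example.com"              # constructed
REAL_USERS = {"richard", "info"}         # constructed: mailboxes that really exist
MANDATORY = {"postmaster", "abuse"}      # never trap the mandatory role addresses
TRAP_TTL_SECONDS = 48 * 3600             # the 48-hour interval proposed in the thread
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7")]


def levenshtein(a, b):
    """Edit distance; used to spot one-character typos of real mailboxes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recipient_local_part(msg):
    """Local part of the envelope/visible recipient if it is in our domain."""
    for header in ("X-Original-To", "Delivered-To", "To"):
        value = msg.get(header)
        if value:
            addr = parseaddr(str(value))[1].lower()
            local, _, domain = addr.partition("@")
            if domain == TRAP_DOMAIN:
                return local
    return None


def connecting_ip(msg):
    """Public IP of the client that handed the message to our MTA.

    Only the first (topmost) Received header was written by our own MTA;
    deeper ones are sender-supplied and may be forged, so they are ignored.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = BRACKET_IP.search(str(received[0]))
    if not match:
        return None
    try:
        ip = ipaddress.ip_address(match.group(1))
    except ValueError:
        return None
    if any(ip in net for net in LOCAL_NETS):
        return None  # an internal relay, not the outside sender
    return str(ip)


def classify(raw_bytes):
    """Return ("trap", ip), ("typo", local), ("list", local) or ("skip", why)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    local = recipient_local_part(msg)
    if local is None:
        return ("skip", "not addressed to the trap domain")
    if local in REAL_USERS or local in MANDATORY:
        return ("skip", "real or mandatory mailbox")
    if any(h in msg for h in LIST_HEADERS):
        return ("list", local)        # subscribed list mailing a departed employee
    if any(levenshtein(local, u) <= 1 for u in REAL_USERS):
        return ("typo", local)        # richad@ instead of richard@
    ip = connecting_ip(msg)
    if ip is None:
        return ("skip", "no usable public client IP")
    return ("trap", ip)


class Blocklist:
    """In-memory stand-in for the database; entries age out after ttl seconds."""

    def __init__(self, ttl=TRAP_TTL_SECONDS):
        self.ttl = ttl
        self.last_seen = {}

    def add(self, ip, now=None):
        self.last_seen[ip] = time.time() if now is None else now

    def expire(self, now=None):
        now = time.time() if now is None else now
        stale = [ip for ip, t in self.last_seen.items() if now - t > self.ttl]
        for ip in stale:
            del self.last_seen[ip]
        return stale

    def active(self, now=None):
        self.expire(now)
        return sorted(self.last_seen)


# Constructed sample messages (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SPAM_MESSAGE = b"""Received: from mail.bulk.invalid (unknown [203.0.113.45])
\tby mx.example.com (Postfix) with ESMTP id ABC123
\tfor <sales@example.com>; Mon, 01 Jan 2024 00:00:00 +0000
Received: from [10.0.0.5] by mail.bulk.invalid; Mon, 01 Jan 2024 00:00:00 +0000
X-Original-To: sales@example.com
From: offers@bulk.invalid
To: sales@example.com
Subject: Cheap stuff

buy now
"""
TYPO_MESSAGE = b"""Received: from smtp.friend.invalid (smtp.friend.invalid [198.51.100.7])
\tby mx.example.com (Postfix) with ESMTP id DEF456
\tfor <richad@example.com>; Mon, 01 Jan 2024 00:00:00 +0000
From: friend@friend.invalid
To: richad@example.com
Subject: hi

one letter off
"""
LIST_MESSAGE = b"""Received: from lists.announce.invalid (lists.announce.invalid [198.51.100.9])
\tby mx.example.com (Postfix) with ESMTP id GHI789
\tfor <bob@example.com>; Mon, 01 Jan 2024 00:00:00 +0000
List-Id: Announcements <announce.list.invalid>
From: announce@announce.invalid
To: bob@example.com
Subject: newsletter

bob left the company last year
"""


def main():
    verdict, detail = classify(sys.stdin.buffer.read())
    if verdict == "trap":
        Blocklist().add(detail)   # a real deployment would persist this to the database
    print(verdict, detail)


if __name__ == "__main__":
    main()
```

Run it on the samples and `classify` returns `("trap", "203.0.113.45")` for the sales@ message, `("typo", "richad")` for the misspelled one, and `("list", "bob")` for the mailing list, so only the first feeds the blocklist; `Blocklist.active()` drops an address once it has been silent for longer than the TTL, which is the automatic rehabilitation Richard describes.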

Can you rely on the IP address with any confidence? Just too many Tor nodes and VPNs out there to have any confidence you are actually catching a spammer/miscreant.

I add those to the list, too, if they’re used for malicious activity. The owners may be innocent; but if bad actors are using those systems for malicious activity, it doesn’t make any difference to the systems being targeted.

For example, this address belongs to a legit VPN service based in Italy. The server itself is located in Montreal. It’s so frequently used for malicious activity that AbuseIPDB assigns it an abuse confidence rate of 100 percent.

This IP, like those of most VPNs and Tor nodes, is mainly used to engage in Web-based mischief. People (or bots) log in, navigate to sites, and either send form spam or try to access protected resources (CMS login pages or recently-identified vulnerabilities most of the time).

The owner of the VPN service in Italy is not the one doing the mischief, but his system is being used for malicious purposes. To the machines being targeted, it’s irrelevant. It’s still a malicious attack.

Things like SSH attacks usually come from VPS providers with poor vetting or from compromised systems. Again, the owners aren’t the ones doing the mischief, but it doesn’t make a difference to the targeted systems.

In any case, all of the IPs drop off my lists in a few days if they stop misbehaving; so there’s no long-term damage to the reputation of the IP of a compromised machine once it’s been rehabilitated. Once the malicious activity ceases, the IP will drop off the list a few days later.

Richard