LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-30-2011, 12:06 PM   #1
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Chinese SPAM


Over the last several months I have been noticing a severe increase in the amount of SPAM written in ideographic languages, mostly Chinese dialects. The bulk of this spam is coming from sub-domains in the .cn TLD, but not always. The list includes yahoo and various other .com's. Originally these messages were coming from three predominant sub-domains, .gov.cn, .com.cn and .net.cn, which I in turn blocked for reject status after the HELO stage. Within a few days, these emails stopped and were replaced with other less obvious domains, but started containing Excel macro attachments. In response to this, I rejected the messages based upon the attachment. Again, within a few days, the messages stopped having attachments. The rapid adaptability of these spammers has been astounding.

I have noticed that > 95% of these SPAM have passed through grey-listing, are not listed on the RBLs such as Spamhaus and Spamcop, and seem to not even register on the content filters, even though I have been feeding them to the Bayesian filters. I have also noticed that the amount of this type of SPAM in my generic email accounts' junk folders like hotmail and yahoo has been reaching new heights, leading me to believe the issue is fairly widespread.

Today, I discovered that CCERT has released a set of filters for Spamassassin designed for this type of SPAM (link). While the list/link appears to be somewhat dated, I decided to try it by adding this list to the rules in my /usr/share/spamassassin folder. The rules were designed as a hybrid of space-characteristic and statistical rules. Adding them to Spamassassin and then running a test case showed a dramatic increase in spam scoring. Before adding the rules, these SPAM would not even register high enough for header flagging, and after applying them the test cases were showing scores between 3.0 and 5.0.

The next thing I found was that Spamassassin supports Pyzor and Razor email filters. While I admit that I don't fully understand their functions, adding Pyzor to my system, which automatically integrated into Spamassassin, had the effect of more than doubling the detection rates.

In past posts, I have read about taking a more xenophobic approach and blacklisting entire geographical regions. In this instance, given that in years of running a mail server I have had zero HAM emails from China, but have been getting multiple SPAM messages per day, I had been giving serious consideration to using this approach. The idea of burdening my system by firewalling all traffic at this level did not sit well; after all, the current IP list for China is huge and it changes. With a little more digging, I discovered that Postfix will also filter based upon CIDR notation. One can simply create a database from the CIDR blocks, such as this one, and add the word REJECT to the end of each line. Then run Postmap against the list to create a hashed database. Adding the following line to main.cf completes the configuration:
Code:
smtpd_client_restrictions = check_client_access cidr:/<path-to-hash>
This would have the advantage of only performing a lookup against an indexed database when a message is being received rather than against all traffic. It also has the advantage of blocking the SPAM originating domains at the HELO stage with a REJECT code instead of content filtering, which both lets them think they successfully delivered their payload and consumes a lot of resources. See this link for references. Of course one would need to write a small script to periodically update the list, but that should not be terribly difficult. Simply download the list, add the word REJECT to the end of each line and call Postmap on the file. Put said script into root's crontab and the process should be automatic.

I have also taken to reporting these messages to Spamcop in the hopes of causing some pain for the offending ISPs. Based upon past experience, these spammers will likely adapt and I am guessing that the first sign will be garbage originating from outside of the China IP space. In the meantime, we will see how effective these measures are.
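As an added example (not Noway2's script, and not part of the Postfix project), here is the kind of cron-driven helper the post describes: it turns a downloaded list of CIDR blocks into a Postfix `cidr:` access table. All file names are hypothetical and the zone file in `demo()` is constructed, not a real country list. One detail worth knowing when you wire this up: Postfix reads a `cidr:` table as plain text (see cidr_table(5)), so `postmap` is only needed for indexed types such as `hash:`. The script therefore validates each entry, appends REJECT, and replaces the table atomically so an smtpd process never reads a half-written file.

```shell
#!/bin/sh
# Turn a raw list of CIDR blocks into a Postfix cidr: access table.
# File names are hypothetical and the zone file written by demo() is
# constructed sample data, not a real country list.

set -eu

# build_cidr_table <input-list> <output-table>
# Reads one IPv4 block per line, drops comments and blank lines, keeps
# only well-formed a.b.c.d/nn entries and appends the REJECT action that
# cidr_table(5) expects. The table is written to a temp file and moved
# into place so smtpd never reads a half-written file.
build_cidr_table() {
    in_file=$1
    out_file=$2
    tmp_file="${out_file}.tmp.$$"
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    prefix='(3[0-2]|[12]?[0-9])'

    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$in_file" |
    grep -v '^$' |
    while IFS= read -r block; do
        if printf '%s\n' "$block" |
           grep -Eq "^${octet}\.${octet}\.${octet}\.${octet}/${prefix}\$"; then
            printf '%s REJECT\n' "$block"
        else
            # Report malformed lines and leave them out, so the deployed
            # table only contains entries Postfix can parse.
            printf 'skipping malformed entry: %s\n' "$block" >&2
        fi
    done > "$tmp_file"

    mv "$tmp_file" "$out_file"
}

# demo: build a table from a constructed zone file and show the result.
demo() {
    work=$(mktemp -d)
    cat > "$work/cn.zone" <<'EOF'
# constructed sample, stands in for a downloaded country zone file
1.0.1.0/24
1.0.2.0/23
not-an-address
300.1.1.0/24
1.0.8.0/21   # trailing comment
EOF
    build_cidr_table "$work/cn.zone" "$work/client_access.cidr"
    cat "$work/client_access.cidr"
    rm -rf "$work"
}

demo
```

Point `check_client_access` at the output file as in the main.cf line above, and verify a single address the way the Postfix manual suggests: `postmap -q 1.0.1.5 cidr:/etc/postfix/client_access.cidr` prints REJECT when the address falls inside a listed block.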
 
Old 05-30-2011, 12:31 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I've not yet had to take the drastic step you're describing for a 'net facing service, but it sounds like a lot of effort is going into defending against a very flexible attacker. Might as well put up another hurdle for them, and hopefully block a significant number of the attempts at an earlier stage.

Updating your CIDR block list (e.g. from ipdeny.com) can probably be done fairly infrequently, too. Perhaps try at weekly intervals, and if the changes are minimal from week to week, perhaps change it to monthly.

Keep us posted on how things are going. Sounds like a pain.
 
1 members found this post helpful.
Old 05-30-2011, 02:56 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
It is a little bit of a pain, yes, but an interesting challenge too. What was really frustrating me was that Spamassassin seemed to be unwilling or unable to detect this garbage as SPAM, no matter how many times I would try to teach it via the sa-learn function. I am not sure what aspect of the language was throwing it off.

I realized after I made the initial post that there was a part of this that I had forgotten. On Friday, Arstechnica had posted this article (link) in which Microsoft claims that about 95% of the copies of Windows in use in China are pirated. Let's assume for the sake of discussion that this is true. I am also assuming that illegitimate copies of Windows will not receive security updates, which in turn makes them more vulnerable to being PWN'd. By a similar token, how many pirated copies contain Trojan Horse code as part of their install that allows someone to back-door into them? Could it be that this is exacerbating the problem and that a sizable percentage of the country is a bot-net waiting to happen?
 
3 members found this post helpful.
Old 05-31-2011, 07:23 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by Noway2
I realized after I made the initial post that there was a part of this that I had forgotten. On Friday, Arstechnica had posted this article (link) in which Microsoft claims that about 95% of the copies of Windows in use in China are pirated. Let's assume for the sake of discussion that this is true. I am also assuming that illegitimate copies of Windows will not receive security updates, which in turn makes them more vulnerable to being PWN'd. By a similar token, how many pirated copies contain Trojan Horse code as part of their install that allows someone to back-door into them? Could it be that this is exacerbating the problem and that a sizable percentage of the country is a bot-net waiting to happen?
It certainly seems plausible to me that a high percentage of the copies of Windows in use in China are not legit (95%? don't know about that, but I'd have to guess that it is well over 50%). A few years ago, a colleague used his trip through Hong Kong to pick up a laptop, and it was supplied with a less-well-known version of Linux (and, by less well known, I mean unknown, at the time, to Distrowatch, so, let's say, not in the top 300 distributions, Worldwide). I can't remember him even being offered a version of Windows at the point of sale, though that might have got lost in translation, or they may have only had versions that they didn't think that a Westerner would buy. It seems that the expectation was that he'd put a pirated copy of Windows on it, although he defeated that expectation by going for Ubuntu, with the strange, originally installed, distro serving as just a 'proof of concept'.

Given that you can buy, apparently, just about any program, or even as many as they can fit on a DVD, on the streets of HK for about $5, I think that you have to imagine piracy, with all that implies, is widespread, at least in the major conurbations. Out in the countryside, there may not be the easy availability of DVDs full of stuff, but they probably manage somehow.
 
Old 05-31-2011, 08:17 AM   #5
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 14.2, current
Posts: 461

Rep: Reputation: 78
I faced the same problem several months ago, so I can confirm that there has been a big increase in the amount of SPAM in the last months. The amount was growing maybe 300-400%/day. Most of it I filtered out by dnsbls, but the number of successfully delivered SPAMs increased too.
First, I tried to add more dnsbls to my sendmail configuration. It was better, but there were still some successful ones and, as you noted, the spammers are quite adaptive to the changes. Somehow they always found out which addresses aren't on my dnsbls (although I didn't include it in my reply).

Since I don't need to get any email from servers in China, Uruguay, Brazil, Ukraine ... I finally added these domains to the access database with REJECT. Even yahoo was finally listed here. I know that this is not an acceptable solution on production systems, but since this is my home server I don't care. Probably I will apply this on the production servers too and wait for the result. My production servers are not that big (maybe several hundred accounts) and the users are also quick to understand.

The interesting thing is that the spammers stopped completely. They don't even try, which makes me think that all this traffic came from these countries. It looks like they also understand this kind of REJECTION.

Last edited by hua; 05-31-2011 at 08:33 AM.
 
1 members found this post helpful.
Old 06-04-2011, 07:37 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
To post a follow up to this thread, it looks like Hua was correct. These guys do understand "access denied". Within about 2 days of putting up my own Great Wall, the SPAM stopped.

Here is a slashdot article on a related subject: link. In fact, one of the links in that article, the one to itworld, says that the SPAM are a direct offshoot of this initiative.
 
Old 06-16-2011, 10:01 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
I have a subsequent follow up on this thread too, as well as a tip for any Postfix users. Whether or not it is a coincidence I can't say for certain, but a few days after the previous post, I started receiving a lot of SPAM attempts of a new sort. The emails started coming from domains that have valid A records, but no MX declared, and using what appears to be a stream of random letters for the address. For example (from the Postfix log): NOQUEUE: reject: RCPT from 114-41-74-19.dynamic.hinet.net[114.41.74.19]: 554 5.1.8 <zopzxkbhhf@mtmftih.com>: Sender address rejected: Domain not found; from=<zopzxkbhhf@mtmftih.com> to=<me@my_domain> proto=SMTP helo=<mtmftih.com>

I have opted to enable filtering on this type of message in Postfix using the following:
Code:
smtpd_helo_restrictions =
   permit_mynetworks,
   reject_non_fqdn_hostname,
   reject_invalid_hostname,
   permit
One point about the HELO restrictions is that they are lightweight, in that you are intercepting the junk before it even gets queued, minimizing system resources. Unfortunately, this type of error is classified as a DNS problem, and by default DNS problems use a 400 level error code corresponding to a temporary failure. This means that mail servers will tend to queue up these types of messages and attempt to deliver them multiple times. Consequently, I added the following lines to my Postfix main.cf:
Code:
unknown_hostname_reject_code = 550
unknown_address_reject_code = 554
This causes a 500 level (permanent failure) that is akin to the access denied to be sent in response. As I mentioned, these conditions are triggered on the HELO stage and use minimal resources. In this particular case, the attempting sender was our old friend hinet.net of Taiwan. They would have been blocked by the RBL check from Spamhaus but were caught and rejected before they even got that far.

In the last few weeks, one or two of these SPAM have gotten through. My response to this has been to immediately report them to Spamcop.net. Interestingly the reports from Spamcop show that these domains are not on RBL lists, but show strong correlation and nearness to known SPAM IP ranges.
 
1 members found this post helpful.
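To make the temporary-versus-permanent distinction in the post visible in practice, here is an added shell helper (not Noway2's code and not from Postfix) that pulls the reply code, enhanced status code, client IP and reason out of Postfix `NOQUEUE: reject:` log lines and tallies them: 4xx replies are the ones the sending MTA will queue and retry, 5xx replies end the conversation. The log lines in `sample_log` are constructed for the example, modelled on the one quoted above and using RFC 5737 documentation addresses; the function names are hypothetical.

```shell
#!/bin/sh
# Triage Postfix "NOQUEUE: reject:" log lines by SMTP reply code.
# Helper names are hypothetical; the sample log below is constructed.

set -eu

# reject_records <maillog>
# Emits one tab-separated record per reject: code, enhanced code,
# client IP, reason (with the leading "<address>: " label dropped).
reject_records() {
    tab=$(printf '\t')
    sed -n -E \
        's/^.*NOQUEUE: reject: RCPT from [^[]*\[([^]]*)\]: ([0-9]{3}) ([0-9]\.[0-9]+\.[0-9]+) (<[^>]*>: )?(.*); from=.*$/\2'"$tab"'\3'"$tab"'\1'"$tab"'\5/p' \
        "$1"
}

# summarize_rejects <maillog>
# Tallies records by code and reason. 4xx replies are "temporary" (the
# peer keeps the message queued and retries), 5xx are "permanent".
summarize_rejects() {
    reject_records "$1" |
    awk -F'\t' '
        { class = (substr($1, 1, 1) == "4") ? "temporary" : "permanent"
          key = $1 "\t" class "\t" $4
          count[key]++ }
        END { for (k in count) printf "%d\t%s\n", count[k], k }' |
    sort -rn
}

# sample_log: constructed maillog excerpt. The first line is the one from
# the post; the rest use documentation addresses and made-up senders.
sample_log() {
    cat <<'EOF'
Jun 16 09:41:02 mx postfix/smtpd[12345]: NOQUEUE: reject: RCPT from 114-41-74-19.dynamic.hinet.net[114.41.74.19]: 554 5.1.8 <zopzxkbhhf@mtmftih.com>: Sender address rejected: Domain not found; from=<zopzxkbhhf@mtmftih.com> to=<me@my_domain> proto=SMTP helo=<mtmftih.com>
Jun 16 09:42:10 mx postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 <abc@example.invalid>: Sender address rejected: Domain not found; from=<abc@example.invalid> to=<me@my_domain> proto=ESMTP helo=<example.invalid>
Jun 16 09:43:55 mx postfix/smtpd[12346]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 504 5.5.2 <mail>: Helo command rejected: need fully-qualified hostname; from=<x@example.net> to=<me@my_domain> proto=SMTP helo=<mail>
Jun 16 09:44:01 mx postfix/smtpd[12346]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using bl.spamcop.net; from=<y@example.org> to=<me@my_domain> proto=SMTP helo=<example.org>
Jun 16 09:44:40 mx postfix/smtpd[12347]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 554 5.1.8 <qwhgzk@xkqpl.invalid>: Sender address rejected: Domain not found; from=<qwhgzk@xkqpl.invalid> to=<me@my_domain> proto=SMTP helo=<xkqpl.invalid>
Jun 16 09:45:17 mx postfix/smtpd[12347]: connect from mail.example.com[192.0.2.20]
EOF
}

# Stand-alone run: summarize the constructed log.
log=$(mktemp)
sample_log > "$log"
summarize_rejects "$log"
rm -f "$log"
```

Run against a real maillog, a line in the summary that reads `450 temporary` for "Domain not found" is the signal that the reject code change in the post has not taken effect yet: the same senders will keep coming back until the reply is a 5xx.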
Old 09-21-2011, 10:12 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
This thread is a few months old, but I made a discovery this morning that I thought I would share with the community. In response to getting some marketing spam (from Techtarget), I resorted to blocking the entire domain. While doing some research on reporting them to services like Spamcop, for failure to comply with an unsubscription notification, I came across this link: cn.countries.nerd.dk, an RBL for Chinese spam. Doing some research on the site, it appears to be an actively maintained RBL that is based upon 2 letter ISO country codes. It does not make a determination as to whether or not the message is from a spammer, but will allow you to block mail based upon country of origin. If the list is updated daily, as it claims to be, it represents an alternative to blocking based upon zone files with IP addresses of the ISPs in question.

The link to the site's main page with FAQ information is here: http://countries.nerd.dk/more.html
 
1 members found this post helpful.
Old 09-21-2011, 10:43 AM   #9
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Hello,

since I also maintain a mail server (CentOS, Postfix, Amavisd-new/Spamassassin) I would appreciate it if someone could please tell me how to implement this kind of blocking of CIDR addresses in Postfix. Maybe in another post or PM? I don't want to 'hijack' the thread, nor expose my server's configuration here.

Thanks "Noway2" for a good thread about fighting spam.

Regards.
 
Old 09-21-2011, 10:54 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
As a PM only serves one, I second another post. That would benefit all of LQ.
 
Old 09-21-2011, 12:28 PM   #11
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
There are two techniques that you can use; both are relatively simple. The first is to subscribe to the RBL lists directly. The RBL lists use a standardized format, which allows MTA agents to query them. The format consists of the domain of the RBL prefixed with the IP address in question with the octets in reverse. So for example to check IP 1.2.3.4 against Spamcop, you would do a DNS lookup (nslookup) against 4.3.2.1.bl.spamcop.net. If you get a record returned, it indicates that they are on the list. The returned records will be of a format like 127.0.0.x where x indicates the category of the list that they are on (list specific).

In Postfix, the DNS check is performed automatically. All you need to do to subscribe to the list is add a line like the one that follows to your smtpd_recipient_restrictions:
Code:
smtpd_recipient_restrictions = reject_rbl_client bl.spamcop.net
As a note, theoretically, Postfix is supposed to check the rules in order and when an accept/reject match is found, it stops checking. It was my experience that I needed to place the DNS checks at the top, though theoretically you shouldn't need to.

The second option is to create a text file of your own, consisting of IP addresses or domains that you wish to reject. In fact with this method, you can reject them, silently discard them while making it look like they were accepted, bounce them, etc. In my last post, I mentioned techtarget. The parent domain for the sender is ed10.net. Consequently, I created a text file named sender_access that looks like the following (my block list):

Code:
go-franchising.com      REJECT
eetvirtual.com          REJECT
eetevents.com           REJECT
eetimesinfo.com         REJECT
eetresearch.com         REJECT
e.omahasteaks.com       REJECT
newsletters.eetimes.com REJECT
gamestop-email.com      DISCARD
brierleycrm.com         DISCARD
gov.cn                  REJECT
com.cn                  REJECT
edu.cn                  REJECT
techtargetemail.com     REJECT
ed10.com                REJECT
techtarget.outbound.ed10.com    REJECT
techtarget.bounce.ed10.net REJECT
Then, use the command postmap on the file sender_access, which creates a db file that Postfix can understand. Afterwards, place a line in your smtpd_sender_restrictions like this: check_sender_access hash:/etc/postfix/sender_access. Postfix will then reject or discard against the list. I would suggest looking at the postfix documentation as there are a couple of options for this. For example (I had trouble with techtarget), but you could block .ed10.com or ed10.com and the former will block all subdomains of ed10.com. (edit) You can also use CIDR notation in the list.

Edit 2: It has also been my experience that a few "access denied" 550 error responses cause many of these organizations to remove you from the list. Even though SPAM is dirt cheap, apparently they don't want to waste their resources when they know that it isn't going to get through.

Last edited by Noway2; 09-21-2011 at 01:06 PM.
 
2 members found this post helpful.
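The query-name construction described in this post (and the same one that serves cn.countries.nerd.dk from the earlier post, where only the zone differs) as an added shell example, not code from the thread or from any RBL operator. `rbl_query_name` builds the reversed name and refuses malformed addresses, because a mangled key simply comes back "not listed" and looks like a clean result; `rbl_lookup` does the A lookup with `dig` (falling back to `getent`) and interprets the answer. Function names are hypothetical; the demo at the bottom stays offline and only exercises the name construction.

```shell
#!/bin/sh
# Build and interpret DNSBL queries the way an MTA does.
# Function names are hypothetical; nothing is queried over the network
# unless you call rbl_lookup yourself.

set -eu

# rbl_query_name <ipv4> <zone>
# Reverses the four octets and appends the list's zone, e.g.
# 1.2.3.4 + bl.spamcop.net -> 4.3.2.1.bl.spamcop.net. Malformed input
# returns 1 instead of producing a nonsense name that would resolve to
# "not listed" and pass for a clean result.
rbl_query_name() {
    ip=$1
    zone=$2
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split into octets; the positional parameters serve as a cheap array.
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# rbl_lookup <ipv4> <zone>
# Performs the A lookup and explains the answer. Any A record means
# "listed"; lists encode a category in the last octet of 127.0.0.x.
# Exit status: 0 listed, 1 not listed, 2 bad input or unusable answer.
rbl_lookup() {
    name=$(rbl_query_name "$1" "$2") || { echo "malformed address: $1" >&2; return 2; }
    if command -v dig >/dev/null 2>&1; then
        answer=$(dig +short A "$name" | head -n 1)
    else
        answer=$(getent ahostsv4 "$name" | awk 'NR == 1 { print $1 }')
    fi
    case ${answer:-} in
        '')
            echo "$1 is not listed on $2"
            return 1 ;;
        127.0.0.*)
            echo "$1 is listed on $2 (return code ${answer##*.}; meaning is list specific)" ;;
        *)
            # A list that has shut down, or a resolver that rewrites NXDOMAIN,
            # can answer outside 127/8; do not treat that as a listing.
            echo "unexpected answer $answer from $2; check the list's status" >&2
            return 2 ;;
    esac
}

# Offline demonstration of the name construction (constructed inputs).
for ip in 1.2.3.4 203.0.113.7 1.2.3; do
    if name=$(rbl_query_name "$ip" bl.spamcop.net); then
        echo "$ip -> $name"
    else
        echo "$ip -> rejected as malformed"
    fi
done
```

`rbl_lookup 203.0.113.7 bl.spamcop.net` is the manual equivalent of what `reject_rbl_client bl.spamcop.net` makes smtpd do for every connecting client; checking a few addresses by hand this way before deploying a new list shows whether the list actually answers, and with what codes, so that a defunct zone does not end up rejecting everything.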
Old 09-21-2011, 01:54 PM   #12
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Thanks a lot, I hope I'll find time to try it.
 
Old 09-22-2011, 08:11 AM   #13
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
I kept thinking that there was something I meant to add to this discussion but couldn't think of what it was, and it finally occurred to me early this morning.

I mentioned using check_sender_access. If you look closely at your email logs, you will notice that there are two designations for the sender, the one that appears via DNS lookup and the one that is provided in the envelope, and these two aren't necessarily the same. Postfix has the capability of applying checks to various parts of the email, including the envelope (header) information, body, HELO, etc. Here is the link to the UBE Controls section of Postfix. It lists the different controls that are available to work with. One important point to note is this (from the page):
Quote:
In addition to restrictions that are specific to the client hostname or IP address, you may list here any restrictions based on the information passed with the HELO/EHLO command, on the sender address or on the recipient address. The HELO/EHLO, sender or recipient restrictions take effect only if smtpd_delay_reject = yes so that all restrictions are evaluated after the RCPT TO command.
There are two important points to this: 1 - the ability to use information from the various parts of the message, 2 - the need to use the smtpd_delay_reject option. The benefit of this option is that even if Postfix will reject the message based upon early indications, it will wait until after the RCPT TO has been handled. This helps to capture more information. Another good spot of information is the Postfix page on Relay and Access Control (here). This page lists some of the fine-tuning 'gotchas' and subtleties that can cause unexpected behavior, such as the need to put HELO restrictions after reject_unauth_destination, lest you become too permissive.

Postfix almost suffers from documentation overload and the two items listed above do a good job of condensing a lot of practical stuff and are good reference docs to keep copies of on hand.
 
Old 09-22-2011, 08:49 AM   #14
cascade9
Senior Member
 
Registered: Mar 2011
Location: Brisneyland
Distribution: Debian, aptosid
Posts: 3,753

Rep: Reputation: 935
Quote:
Originally Posted by salasi
Given that you can buy, apparently, just about any program, or even as many as they can fit on a DVD, on the streets of HK for about $5, I think that you have to imagine piracy, with all that implies, is widespread, at least in the major conurbations. Out in the countryside, there may not be the easy availability of DVDs full of stuff, but they probably manage somehow.
Off-topic response.

Hong Kong used to have a place where you could go and get all that sort of stuff from multiple pirate stores: 'Golden Shopping Centre/Golden Shopping Arcade'.

http://en.wikipedia.org/wiki/Sham_Sh...hopping_Centre

I remember the 1st time I went there, there were 20+ stores selling nothing but pirated 'IBM PC' and 'Apple II' games. All major games were listed on blackboards with the prices next to them, and if it wasn't on the board, it was probably still available. I'd heard the golden arcade had been shut down years ago, but it might have only been a bust and the location could still be going.
 