Possible trigger for mass spams detected by RBL

Postby EKjellquist » Mon Sep 11, 2023 9:40 pm

Lately, we've been seeing situations where a known bad IP (on several RBLs, say) bulk-sends a bunch of emails at the same time, and while AMS will properly flag each of them, it appears to keep allowing them in until you hit the 'max emails per day per IP' circuit breaker if you have that specified. In our server's case, it will flag 100 mails (as that's our per-day trigger).

I think I can create an IPBAN rule that might be able to tune into this w/o lowering the 'per day' limit (because we have some suppliers / contacts that update a lot due to CMS / cloud platform tools), but would it be possible to add a native filter option to RBLs where an IP can be blocked after X triggers by RBL? In this case I'm thinking I'd set it to 5-10 to help reduce load.

Alternatively, if I can use the SPAM-TRAP custom event to, say, trigger the default tarpitting rules, that would also work (e.g. 1 RBL hit = 1 tarpit hit); I haven't done too much with custom events yet, so could use some assistance if that's a possibility. Not the end of the world here either way, but if I could get these 100-per-shot bad mails cut down to 5-10 before that IP gets blocked, that would be a better scenario.
EKjellquist
 
Posts: 96
Joined: Tue Sep 09, 2014 10:40 pm

Re: Possible trigger for mass spams detected by RBL

Postby Code Crafters » Fri Sep 15, 2023 9:35 am

RBLs and many other SPAM checks are currently done on the RCPT TO (recipient) SMTP command. There are several reasons for this based on other settings that can bypass SPAM when authenticated to relay, whitelisted IPs, etc.

If you get a lot of these attacks, I appreciate that blocking the IP earlier in the connection could be useful but may not be that simple.

As you say, tarpitting is designed to block an IP after several wrongly guessed recipients and in most cases this will also do what you require. Are your attacks using genuine local recipients?
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Possible trigger for mass spams detected by RBL

Postby EKjellquist » Wed Sep 20, 2023 2:52 pm

Mostly these are 'spray and pray' attacks, so largely they don't even have legit recipient addresses; it's all <random>@mydomain.com kind of stuff. Can't be 100% sure from the log, but it looks as if someone sent a single email with X recipients on it, so even though it appears as several lines it's actually a single transaction? Here's an anonymized example from SMTP:

Fri, XX Sep 20XX XX:XX:24 -> 58.150.154.235 -> Success: Action=[Accept Connection], Details=[Port 25]
Fri, XX Sep 20XX XX:XX:26 -> 58.150.154.235 -> Success: Action=[Received Hello], Details=[Host=[58.150.154.235]]
Fri, XX Sep 20XX XX:XX:27 -> 58.150.154.235 -> Success: Action=[Received Sender], Details=[a66hql4mien7a@pkfunix.ru]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[rrdo1uzxv9z98@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[kko@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[rfpbvkzx38r8s@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[kmo@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[thc@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[1haiydxqymejl4i@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[d0pt1b3rzxpgv@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[3nf3w46jkuwo38jc@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[m3y5vzzcpmsv8@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[pmwi8qfi0z5ft3@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[btd@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[qaj@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[neh@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[bki@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[qdb@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[gkq@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[ulk@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[wb1pzxapmd4yvq@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[rbh@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[tlb@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[c58ye7ejf59bbs4@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[fyw@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[bie@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[f6hvv4wbhz65ln@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[cql@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[njrcnohwucvvee@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[ujm248xq94g60r@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[i5s076efsziek@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[j07sc0nbo4aja@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[uof@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[rql@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[tdy@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[zze@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[qnq@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[jgl@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[qrh@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[wot@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[rzs@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[bph@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[9sginz8lvdqe2yjd@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[s49b7zo8ei9n@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[6n1dwf2uqoy7t@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[w3uyloxnln1jra@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[ydz@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[fme@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[ajy@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[ltp@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[yvc@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[4jfibi4gbpxpd@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[9uh2e5estr46je@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[ydy@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[jmitsrv0l111o@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[blb@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[igz@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[49hphatdecww7@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[wzc@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[5b6fofz6wkw8co@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[quf@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[zuq@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[wpy@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[jnn@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[uvi@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[hpg@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[rvuq39y3t17wout@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[qv4w9al6wwtvy7kf@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[5wm4kfocdaryuo@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[spj@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[fj0fjcc6yvrm@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[2rdxdpsov6rz78@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[rnsxwj35l52ar@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[lzz@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[mac4d08timff3@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[qdv@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[wky@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[c2jtf1h1baxm5qmm@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[uzn@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[zn3trtra24g7yb9@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[moz@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[ktvc0nd1bqwr39@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[tnbd4uu5npble@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[rmh@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[dym@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[bjk@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[efq@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[exi@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[bff@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[kuo4gruuvlvc@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[gju@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[hvm@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[wao@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[d58lolmrg7cbksdv@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[gtk@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[yfc@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[oft@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[h6hv0ndl7yxt0ww@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[cxg@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[aju@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[u7b6jtdgwereid1@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[98b0mecj2z3tmp@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:29 -> 58.150.154.235 -> Failed: Action=[Received Recipient], Details=[oglhv5gezyaterd@mydomain.com: SPAM detected by RBL 'Spamhaus (SBL + XBL)'.]
Fri, XX Sep 20XX XX:XX:31 -> 58.150.154.235 -> Success: Action=[Close Connection]


The majority of spammers I see are still the 'one address at a time' variety and all the regular tools work as expected; what I was concerned with for the above was whether each one of these single SMTP incoming mails we receive is making X calls to an RBL (Spamhaus in this case), which could cause us to be cut off from their free service (typically if you hit a certain traffic level they make you pay beyond that). If this is all a single transaction as far as SMTP is concerned, it's probably fine, but these definitely consistently hit the 'max recipients' I have set up, so I was concerned with DDoS if the above were to start appearing on greater orders of magnitude...

With AMS antispam tools + IPBAN we pretty quickly ban incoming bad IPs after like 5 bad attempts within X seconds, but I will get hit with like 5 of the above to trigger the same tools, so I thought perhaps there was some way I could specify 'x bad recipients' per mail to cut off the above earlier...
EKjellquist
 
Posts: 96
Joined: Tue Sep 09, 2014 10:40 pm
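To size the 'X RBL hits per IP' threshold discussed above from your own logs, here is a small offline counter over the log layout quoted in the post. This is an added example, not AMS or Code Crafters code, and it does not plug into IPBAN; the three TEST-NET IPs, the sender and the recipient names in the sample are constructed. It reports, per source IP, how many RCPT TOs were refused by an RBL in total and within one connection, and at which recipient a threshold such as 5 would already have tripped.

```python
import re
from collections import defaultdict

# One AMS SMTP log line as quoted in the thread: <ts> -> <ip> -> <Success|Failed>: Action=[...], Details=[...]
LINE_RE = re.compile(r"^(?P<ts>.+?) -> (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) -> "
                     r"(?P<status>Success|Failed): Action=\[(?P<action>[^\]]*)\]"
                     r"(?:, Details=\[(?P<details>.*)\])?$")
RBL_RE = re.compile(r"SPAM detected by RBL '(?P<rbl>[^']+)'")


def parse_line(line):
    """Parse one log line into its fields; None if the line is not in this layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_rbl_bursts(log_text, threshold=5):
    """Per source IP: connections seen, RBL-rejected recipients (total and max per connection),
    and the recipient index at which `threshold` was first reached inside one connection."""
    stats = defaultdict(lambda: {"connections": 0, "rbl_rejects": 0,
                                 "max_per_connection": 0, "flagged_at": None, "rbls": set()})
    in_conn = defaultdict(int)  # RBL rejects in the current connection of each IP
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, st = rec["ip"], stats[rec["ip"]]
        if rec["action"] == "Accept Connection":
            st["connections"] += 1
            in_conn[ip] = 0  # the per-connection counter restarts on every new session
        elif rec["action"] == "Received Recipient" and rec["status"] == "Failed":
            hit = RBL_RE.search(rec["details"] or "")
            if hit:  # recipient refused because the connecting IP is RBL-listed
                in_conn[ip] += 1
                st["rbl_rejects"] += 1
                st["rbls"].add(hit["rbl"])
                st["max_per_connection"] = max(st["max_per_connection"], in_conn[ip])
                if st["flagged_at"] is None and in_conn[ip] >= threshold:
                    st["flagged_at"] = in_conn[ip]
    return {ip: {**s, "rbls": sorted(s["rbls"])} for ip, s in stats.items()}


def constructed_connection(ip, recipients, rbl=None):
    """Build one connection transcript in the quoted layout (constructed test data)."""
    p = "Fri, XX Sep 20XX XX:XX:29 -> %s -> " % ip
    lines = [p + "Success: Action=[Accept Connection], Details=[Port 25]",
             p + "Success: Action=[Received Sender], Details=[sender@example.net]"]
    for r in recipients:
        lines.append(p + ("Failed: Action=[Received Recipient], Details=[%s: SPAM detected by RBL '%s'.]" % (r, rbl)
                          if rbl else "Success: Action=[Received Recipient], Details=[%s]" % r))
    lines.append(p + "Success: Action=[Close Connection]")
    return "\n".join(lines)


# Constructed sample: one listed IP spraying 8 recipients, one listed IP with 2, one clean IP.
SAMPLE_LOG = "\n".join([
    constructed_connection("192.0.2.10", ["u%d@mydomain.com" % i for i in range(8)], "Spamhaus (SBL + XBL)"),
    constructed_connection("198.51.100.7", ["kko@mydomain.com", "neh@mydomain.com"], "Spamhaus (SBL + XBL)"),
    constructed_connection("203.0.113.5", ["kko@mydomain.com"]),
])

if __name__ == "__main__":
    for ip, s in sorted(flag_rbl_bursts(SAMPLE_LOG, threshold=5).items()):
        print(ip, s)
```

Run it over a real AMS SMTP log to see how many recipients per connection a 5-10 threshold would have saved versus the 100-per-day breaker.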

Re: Possible trigger for mass spams detected by RBL

Postby Code Crafters » Wed Sep 27, 2023 7:53 am

We'll consider the IP caching of blocked RBLs to allow blocking IPs sooner but more to reduce unnecessary calls to the RBLs too.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm
