
zmscanner stopping spam & mail bombing in SMS!!



Hi Eugene,

we (*) successfully implemented a rate limiter using zmscanner in a large 
cellular provider here.

A few years ago we implemented an SMTP to SMS gateway using ZMailer to 
protect the internal platform which used an ancient version of Sendmail 
with a tendency to be abused and to bring the platform down. Our gateway 
also did a couple of tricks to clean up incoming messages and rewrite 
outgoing envelopes and headers.

We've been asked to provide some kind of antispam solution 'cause they 
were having attacks of repetitive (identical) messages sent to large 
blocks of customers... as you may guess, dictionary attacks are VERY 
successful when mail addresses are phone numbers :-)

We developed a client/server architecture (taking into account that we 
may and do have multiple MX machines) where there's a small client, 
invoked within zmscanner, which processes the mail content, and a "rate 
limiting server" which keeps state of that content's rate (measured in 
"identical messages per second").

It is also prepared to handle rate limiting based on originating IP or 
'mail from', but the latter is easily and frequently changing and the 
former requires a lot of tuning to find valid frequent relays and 
whitelist them.

The server is developed in Perl and uses BerkeleyDB to store content rate 
info.

It also has a (manually handled) whitelist of IP addresses of places like 
cnn.com which send identical content to multiple subscribers.

The solution is working quite nicely after some fiddling with the 
configuration, but it's not directly applicable to standard SMTP spam... 
we are counting on SMS being quite short and expecting 'variability' of 
the content only at the start or at the end of the message.

We'll publish the code in a few days, since the programmer is a bit 
ashamed of it getting public 'as is now'... He'll be polishing it a bit 
and then we'll post it here.

Regards.


(*) We is not me :-)
I only wrote the initial idea and a couple of rate-maintenance functions 
that allow us to compactly store a hash of the content and a reasonable 
(for us) estimate of the current rate.

The code (as well as quite a few good ideas that made my original design 
much better) was developed by Damián Martínez Gelabert 
<damian@pert.com.ar> who (unlike me) does know how to code :-)



--
Mariano Absatz
El Baby
----------------------------------------------------------
Pentiums melt in your PC, not in your hand.
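
A sketch of the content-rate check described in the message above, added here as an illustration; it is not the code the message refers to, which had not been published at the time of the post. Assumptions: the trim width, half-life and limit values, the exponentially decayed rate estimator, SHA-256 as the content hash, and an in-memory dict standing in for the BerkeleyDB store.

```python
import hashlib
import math

TRIM = 10         # assumed: characters ignored at each end of the body
HALF_LIFE = 60.0  # assumed: seconds for an idle key's rate estimate to halve
LIMIT = 0.05      # assumed: allowed identical messages per second


def content_key(body, trim=TRIM):
    """Hash the stable core of an SMS body, skipping the variable head and tail."""
    text = " ".join(body.lower().split())
    core = text[trim:len(text) - trim] if len(text) > 3 * trim else text
    return hashlib.sha256(core.encode("utf-8")).digest()


class RateTable:
    """Keeps one (rate, last_seen) pair per content hash; a dict stands in
    for the on-disk store the message mentions."""

    def __init__(self, half_life=HALF_LIFE, limit=LIMIT, whitelist=()):
        self.decay = math.log(2) / half_life
        self.limit = limit
        self.whitelist = set(whitelist)
        self.state = {}

    def hit(self, key, now):
        """Record one message at time `now`; return the updated msgs/second."""
        rate, last = self.state.get(key, (0.0, now))
        # Age the old estimate, then add this event's weight. For a stream
        # much faster than the decay, the estimate settles near its true rate.
        rate = rate * math.exp(-self.decay * max(0.0, now - last)) + self.decay
        self.state[key] = (rate, now)
        return rate

    def check(self, body, src_ip, now):
        """Return 'accept' or 'reject' for one message seen by any MX."""
        if src_ip in self.whitelist:
            return "accept"
        over = self.hit(content_key(body), now) > self.limit
        return "reject" if over else "accept"


def demo():
    """Constructed burst: same text, different number and ref, one per second."""
    table = RateTable(whitelist={"192.0.2.10"})
    tmpl = "Hi 555000{} WIN A FREE PHONE call now at example.invalid ref 000{}"
    return [table.check(tmpl.format(i, i), "198.51.100.7", float(i)) for i in range(1, 7)]
```

Rejected messages still count toward the rate here, so a sender who keeps retrying stays blocked until the stream goes quiet.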

