We have had some success using domain name system lookups to block incoming mail messages that are likely to be junk mail. While many people (including us) use DNS real-time black lists, the checks below are done against values returned by regular forward and reverse lookups on the connecting IP address. We’ve stopped a large amount of traffic based on the name of the connecting host or due to “poorly” configured DNS without many complaints. The number of false positives, while non-zero, have so far been at levels acceptable to us.
The first test is a sanity check of sorts on the name of the connecting host. If no reverse lookup can be done on the IP address of the host, the message is blocked. A forward lookup is then done on the just-returned host name. If the forward and reverse lookups do not match, the message is blocked.
Then the hostname is checked against a regex that tries to match dial-up or home cable/DSL addresses. If it matches that, the message is blocked. The expectation is that this will help block the spam zombies on less than ideally maintained home machines out there.
These checks do generate false positives. There are some domains where outgoing mail comes from hosts with no name in DNS or all hosts of the domain have names of the form ip-NNN-NNN-NNN-NNN.domain. Some smaller companies or individuals are given addresses from their net providers of that form and are unable to change them. Apparently many net providers think it’s a good idea to do a reverse lookup on an IP address but then not have a valid forward lookup for the just returned name. To help with these cases, the SMTP rejection message includes a URL where one can request that their addresses be added to an exception list.
Now to numbers. During the average day last week our SMTP server got 8719 connection requests. The previously mentioned DNS tests resulted in the blocking of 4463 messages, or about 51% of all our incoming traffic. Since this happens before any virus scanning or spam scanning on the content of the messages, it saves quite a bit of CPU and IO time on the server. While this system isn’t perfect, it is so effective as a first pass filter that we put up with the few false positives that have been reported so far.
In this version, the CIRDB has been updated to import XML data from the National Vulnerability Database, and a few bug fixes were made (a library file was missing in the previous distribution to support RSS feeds of the status of each domain over SSL).
I am pleased to announce the availability of the first beta of my_cassandra.php, which can be downloaded from my home page
(change the extension from phps to php after you download it).
Because you get the source code and the custody of your profiles, this version of Cassandra should not generate the privacy concerns that the online version did. As it is under your control you can also run it at the intervals you choose. It is made available under an open source license so you can modify it. It runs under PHP so it should run on almost any platform by changing the path to PHP (from “#!/usr/bin/php -q” for MacOS X).
Enjoy!
P.S.: I already received a patch from Benjamin Lewis from Purdue ITSP, improving robustness while reading a profile. Thanks Ben!
King and Chen (2005) write about their BackTracker software. The idea is interesting: let’s log everything needed to relate a sequence of events leading to an intrusion. Everything in this case is processes, files, and filenames. It can generate dependency graphs, once an anomalous process or event has been identified. That is, something else must raise an alert, and then BackTracker helps find the cause. It’s an interesting representation of an attack.
Taken one step further than they do, perhaps these dependency graphs could be used for intrusion detection?
Suh et al. (2004) propose a wonderful method for tracking taintedness, and denying dangerous operations. It’s elegant, easy to understand, cheap in terms of performance hit, and effective. The only problem is… it would require re-designing the hardware (CPUs) to support it.
I wish it would happen, but I’m not holding my breath. Perhaps virtual machines could help until it happens, and even make it happen?