Blocking of International Spam Botnets
This article contains an analysis of, and a solution for, blocking international SPAM botnets using the postfix firewall postfwd.
The anti-spam plugin is located on GitHub.
Why Are Spammers Dangerous for Mail Server Operators?
One of the most important and hardest tasks of every company that provides mail services is staying out of the mail blacklists.
If a mail server appears in one of the mail server blacklists, other mail servers will stop accepting and relaying its e-mails. This can practically ban the domain from the majority of mail providers and prevent the provider's customers from sending e-mails. There is only one thing a mail provider can do at that point: ask the blacklist providers for removal from the list, or change the IP addresses and domain names of its mail servers.
Getting into a mail blacklist is very easy when a mail provider has no protection against spammers. Just one compromised customer mail account from which a hacker starts sending spam is enough for a mail server to appear in a blacklist.
There are several ways in which hackers send spam from compromised mail accounts. In this article, I would like to show you how to completely mitigate international botnet spammers, who are characterized by logging into mail accounts from multiple IP addresses located in multiple countries worldwide.
How Does the Spam Botnet Work?
Hackers who use an international botnet for spamming operate very efficiently and are not easy to track. I started to analyze the behavior of such an international spam botnet in October 2016 and implemented a plugin for the postfix firewall postfwd that was able to recognize members of the botnet and block the compromised mail account.
The first step was an analysis of the behavior of an international spam botnet, done by tracking one compromised mail account. I created a simple bash one-liner to select the sasl login IP addresses of the compromised mail account from the postfwd mail logs.
The excerpt of the data (Full list) in the following table was dumped 90 minutes after the compromise of one mail account and contains these attributes:
- IP addresses from which the hacker logged into the account (ip_address).
- Corresponding country codes of the IP addresses from the GeoIP database (state_code).
- Number of sasl logins the hacker made from one IP address (login_count).
After a small transformation, we can see an excerpt of the distribution of countries (Full list):
We drew several conclusions from the tables above and used them in the design of our plugin:
- Spam was spread from a botnet. This is indicated by logins from a huge number of client IP addresses.
- Spam was spread with a low cadence of messages in order to avoid rate limits.
- Spam was spread from IP addresses in multiple countries (more than 30 countries after a few minutes), which indicates an international botnet.
Here are basic statistics about the logins from the tables above after 90 minutes:
- Total number of logins: 7531.
- Total number of IP addresses used: 342.
- Total number of unique countries: 41.
How to Defend?
The solution to this kind of spam behavior was to write a plugin for the open-source mail firewall postfwd, which our company used. Postfwd is a program that can block mail users by rate limiting, by using mail blacklists and by other means.
We designed and implemented a plugin that counts the number of unique countries and the number of unique IP addresses from which a user has logged into his account using sasl authentication. Then, in the postfwd configuration, we set the limit on the number of unique countries to 5. The last important point is that the plugin flushes all records after 1 day.
The result was that any mail account into which somebody had logged in from more than 5 countries (identified by GeoIP location) during one day was blocked from sending e-mails and was notified when it tried to send a message.
This also meant that if the real user logged in to his account and tried to send mail, he received a message that his account had been compromised and that he had to change his password to use his e-mail account again.
Why flush the records? If we did not flush the records after some time interval and a person travelled to more than 5 countries in, let's say, 1 month, he would be falsely blocked. Therefore, with a record lifespan of 1 day, users are allowed to log into their mail accounts from 5 different countries every day.
You might be wondering about our decision to use the magic number of 5 unique countries. When we looked at the map, we could not find a place where 6 countries are located so close together that somebody would be able to travel to all of them in one day. Another possible cause of false blocking is a person travelling by plane, but there is also only a small chance that a person will be able to fly to 6 countries in one day.
If this is not enough for you and you still think that there may be false positives, the plugin also stores the number of unique IP addresses from which the user has logged into his account, and this value is available for use in a rule in combination with the number of unique countries or other postfwd rules.
After using this plugin at a medium-sized internet provider with around 3,000 users for 6 months, we caught over 30 compromised users without any intervention from the administrator's side, and this number is still growing.
Another interesting fact after 6 months of usage is that after a spam account was found and SMTP code 544 was returned to it (sent directly from postfwd), the botnet stopped trying to log into that account and send spam.
It looks like the botnet has at least some intelligence and does not want to waste its resources. Sending other SMTP codes did not stop the botnet from trying.
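The two pieces of logic described above, the per-account login dump (ip_address, state_code, login_count) from the analysis section and the plugin's rule of "more than 5 unique countries within a 1-day record lifespan", as an added Python example that is not the article's bash one-liner or the postfwd plugin itself. It parses stock postfix/smtpd sasl login lines; the GeoIP table, the log lines, the users and the IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stock postfix/smtpd sasl login line; syslog timestamps carry no year, so one is assumed.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[\d.]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)
# Constructed stand-in for the GeoIP database (documentation-range IPs, arbitrary countries).
GEOIP = {"203.0.113.5": "US", "203.0.113.9": "US", "198.51.100.7": "BR", "198.51.100.8": "IN",
         "192.0.2.3": "VN", "192.0.2.4": "RU", "192.0.2.5": "TR", "192.0.2.6": "CZ"}
MAX_COUNTRIES = 5              # the article's limit on unique countries per account
LIFESPAN = timedelta(days=1)   # records older than this are flushed

def parse(line, year=2016):
    """Return (timestamp, user, ip, country) for a sasl login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], GEOIP.get(m["ip"], "??")

def login_stats(lines):
    """Per account: (ip_address, state_code) -> login_count, like the article's dump."""
    stats = defaultdict(lambda: defaultdict(int))
    for _, user, ip, cc in filter(None, map(parse, lines)):
        stats[user][(ip, cc)] += 1
    return stats

def flagged_accounts(lines):
    """Accounts seen from more than MAX_COUNTRIES countries within one LIFESPAN window."""
    recent = defaultdict(list)   # user -> [(timestamp, country)] not yet flushed
    flagged = set()
    for ts, user, _, cc in sorted(filter(None, map(parse, lines))):
        recent[user] = [(t, c) for t, c in recent[user] if ts - t < LIFESPAN] + [(ts, cc)]
        if len({c for _, c in recent[user]}) > MAX_COUNTRIES:
            flagged.add(user)
    return flagged

def _line(ts, ip, user):
    return f"{ts} mx1 postfix/smtpd[2231]: A1B2C3D4E5: client=unknown[{ip}], sasl_method=PLAIN, sasl_username={user}"

# Constructed sample: alice is hit by the botnet (6 countries in a few minutes);
# bob uses 3 countries on one day and 3 other countries two days later, so the flush keeps him clean.
BOTNET_IPS = ["203.0.113.5", "198.51.100.7", "198.51.100.8", "192.0.2.3", "192.0.2.4", "192.0.2.5"]
SAMPLE_LOG = [_line(f"Oct 12 10:{i:02d}:00", ip, "alice@example.com") for i, ip in enumerate(BOTNET_IPS)]
SAMPLE_LOG += [_line(f"Oct 12 09:{i * 10:02d}:00", ip, "bob@example.com") for i, ip in enumerate(BOTNET_IPS[:3])]
SAMPLE_LOG += [_line(f"Oct 14 09:{i * 10:02d}:00", ip, "bob@example.com") for i, ip in enumerate(BOTNET_IPS[3:])]
SAMPLE_LOG.append("Oct 12 10:00:02 mx1 postfix/smtpd[2231]: disconnect from unknown[203.0.113.5]")
```

`flagged_accounts(SAMPLE_LOG)` returns only alice; bob's total of 6 countries never falls inside a single 1-day window, which is exactly the false-positive case the flush is meant to avoid.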
I Want to Try It!
If you have problems similar to those described above and use postfix, or already use postfwd, look at the plugin's GitHub repository for more technical information and usage instructions.
If you are interested in an analysis of how users get their e-mail passwords compromised, check out pitrh's blog post about the slow distributed brute-force attack on SSH passwords, the Hail Mary Cloud (it also applies to pop3/imap logins).