I was pointed to this interesting writeup describing how spammers are now using a sophisticated “host cloaking” technique to hijack valid but unused IP addresses on a hosting provider’s subnet and relay their spam through GRE/IPIP tunnels to the outside world, which frustrates detection and keeps their accounts from being deleted or disabled.
It goes like this:
- The spammer obtains a dedicated server at the victim service provider. The server shares a subnet, and therefore a layer-2 segment, with other customers.
- The spammer runs a special daemon program on the dedicated server. The daemon places the network interface into “promiscuous mode” so that it captures every frame on the shared segment, not just those addressed to its own MAC, and can spy on the whole local subnet.
- The daemon determines which IP addresses on the local subnet are not in use (addresses that never appear in traffic and never answer ARP requests). It also determines the MAC addresses of the network routers. One or more unused IP addresses are commandeered for use by the spammer.
- Unsolicited ARP (Address Resolution Protocol) replies are sent from the daemon directly to the routers, binding the unused IP addresses to the server’s MAC address in the routers’ ARP caches. This allows the spammer’s server to “steal” those IP addresses. The daemon does not answer ARP requests from any other source, so the stolen IP addresses remain invisible to every other host on the subnet and to any diagnostic equipment that probes it; only the routers know where the addresses live.
- Finally, GRE and IPIP tunneling (methods used to connect two separate networks over an IP path) is used to forward traffic for the stolen IP addresses to the spammer’s real servers hosted elsewhere, so mail sent from those servers appears to originate from the victim provider’s address space.
“The end result is that the spammer has created a server at an IP address which not even the owners of the network are aware of.”
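The writeup’s own point is the detection gap: the stolen addresses exist in the routers’ ARP caches but nowhere else. That asymmetry is also what gives a provider a check. The script below is an added example for this post, not code from the quoted writeup: it cross-references a router’s ARP cache (exported as `ip mac` lines, a format I am assuming here) against an ARP sweep performed from an ordinary host on the same segment and against the provider’s allocation records, and flags addresses the router knows about that no peer can reach, MACs that own several addresses, and addresses nobody was ever assigned. The ARP table, sweep results and allocation list are constructed sample data.

```python
"""
Cross-check a router's ARP cache against a peer ARP sweep to spot host-cloaked
IPs. Added example for this post; not from the quoted writeup. The router ARP
export format is an assumption, and all sample data below is constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    ip: str
    mac: str
    reasons: list


def parse_arp_table(text):
    """Parse 'ip mac' lines exported from the router. The two-column layout is
    an assumption; adapt the split to your router's 'show arp' output."""
    table = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        table[parts[0]] = parts[1].lower()
    return table


def find_cloaked(router_arp, sweep_responders, allocated=None):
    """
    router_arp:        {ip: mac} as the router's ARP cache sees the segment.
    sweep_responders:  {ip: mac} of hosts that answered an ARP request sent
                       from an ordinary host on the same segment, not from
                       the router (the cloaking daemon answers only routers).
    allocated:         optional set of IPs the provider has actually assigned.
    Returns one Finding per suspicious IP, listing every reason that fired.
    """
    allocated = set(allocated or ())
    ips_per_mac = defaultdict(set)
    for ip, mac in router_arp.items():
        ips_per_mac[mac].add(ip)

    findings = []
    for ip in sorted(router_arp, key=ipaddress.ip_address):
        mac = router_arp[ip]
        reasons = []
        if ip not in sweep_responders:
            reasons.append("in router ARP cache but silent to a peer ARP sweep")
        elif sweep_responders[ip] != mac:
            reasons.append(f"router sees {mac}, peer sweep sees {sweep_responders[ip]}")
        others = sorted(ips_per_mac[mac] - {ip}, key=ipaddress.ip_address)
        if others:
            reasons.append(f"MAC {mac} is also bound to {', '.join(others)}")
        if allocated and ip not in allocated:
            reasons.append("not in the provider's allocation records")
        if reasons:
            findings.append(Finding(ip, mac, reasons))
    return findings


# Constructed sample: .10/.11 are ordinary customers, .12 is the spammer's real
# dedicated server, .40/.41 are unused addresses it has claimed via ARP.
ROUTER_ARP_TEXT = """
# ip               mac
198.51.100.10      00:11:22:33:44:10
198.51.100.11      00:11:22:33:44:11
198.51.100.12      00:11:22:33:44:12
198.51.100.40      00:11:22:33:44:12
198.51.100.41      00:11:22:33:44:12
"""

# Constructed result of an ARP sweep run from a customer host on the segment:
# the cloaking daemon never answers it, so the stolen IPs are missing.
SWEEP_RESPONDERS = {
    "198.51.100.10": "00:11:22:33:44:10",
    "198.51.100.11": "00:11:22:33:44:11",
    "198.51.100.12": "00:11:22:33:44:12",
}

# Constructed allocation records: which addresses the provider actually handed out.
ALLOCATED = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}


def report(router_text=ROUTER_ARP_TEXT, sweep=SWEEP_RESPONDERS, allocated=ALLOCATED):
    """Run the cross-check on the sample data, print findings, return them."""
    findings = find_cloaked(parse_arp_table(router_text), sweep, allocated)
    for f in findings:
        print(f"{f.ip:16} {f.mac}")
        for reason in f.reasons:
            print(f"    - {reason}")
    return findings


if __name__ == "__main__":
    report()
```

Two caveats when running something like this for real. The sweep has to come from a host that is not a router, because the daemon answers routers and nobody else; a sweep from the router would see every stolen address as perfectly normal. And each signal on its own has benign explanations (a host that is powered off still sits in the ARP cache for a while, and a server with IP aliases legitimately owns several addresses on one MAC), so the address worth investigating first is the one that fires all three: unreachable from peers, sharing a MAC with a live customer box, and absent from the allocation records.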
I’ve been using dspam for a few years now, with great success, but over the last month I’ve noticed a trend… After 3-4 years of not a single spam slipping through to a mailbox, I am now seeing 10-15 of them per day getting through. The filters are still reporting a solid accuracy rate (MUCH higher than SpamAssassin), but spam is slipping through.
Overall accuracy (since last reset): 99.590%
Spam identification (since last reset): 99.395%
Spam ratio (of total processed): 48.265%
I’m also actively blocking IPs of known spammers through the firewall rules:
# iptables-save | grep -c "dport 25"
13165
That’s over 13k unique IPs that have reached our server trying to send spam, malware and other garbage to our users. Normal mail from valid hosts is still flowing in and out, as it should…
I’ll have to see what else I can do to slow it down or stop it again.