>>>>> "Charles" == Charles Butcher <charlesb@ncc.com.au> writes:
Charles> What I am thinking of doing now is to invert the sense of the
Charles> greylist mechanism. So previously unknown sources start on the
Charles> whitelist, and only get held off if they misbehave. Any source that
Charles> is rejected for any reason gets noted in the database. Then if they
Charles> keep retrying too hard they get nowhere; if it's a legit MTA then
Charles> sooner or later it will get another chance.
That's more or less what I'm doing with my high-MX spamtrap, and it snags
about half of my incoming spam. They're on a full port 25 blocklist for an
hour, and then the wall comes back down. I also watch for high SpamAssassin
scores, mail to bogus addresses (dictionary attack), and a few ancient
procmail recipes that still trap things (mostly any message that has a Chinese
subject line or body, which I block on the principle that I can't read the
darn thing anyway).
I have one continual collateral-damage host with this system... seems the
university that handles our open-enrollment Perl classes has some stupid host
somewhere within that spews mail to me to trigger the hour-long block. Of
course, that's blocking the mail gateway for the entire university. {sigh}
So, that particular host goes into the blacklist, then comes out of the
blacklist, then goes into the blacklist... etc. If I had a few more tuits,
I'd whitelist the host and capture the triggering email so I could get them to
turn the beasty off. Darn tuit shortage!
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
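The "inverted greylist" the two posts describe (sources start accepted, a rejection for any reason is noted, a misbehaving source is shut out of port 25 for an hour and then gets another chance, and a known collateral-damage host is whitelisted so its offences are only logged) as a small added example in Python. This is not code from either poster; the trigger classifier, the spamtrap address, the valid-user list, the SpamAssassin cut-off score and the sample traffic are all assumptions made up for the illustration.

```python
"""Inverted greylist / auto-blocklist simulation (added example, not the
posters' code). Offenders are blocked on port 25 for an hour, then the
wall comes back down; whitelisted hosts are logged but never blocked."""
from collections import defaultdict, deque

BLOCK_SECONDS = 3600      # the hour-long block from the post
TRIGGER_THRESHOLD = 1     # offences inside the window before blocking (assumed)
TRIGGER_WINDOW = 600      # seconds over which offences are counted (assumed)

SPAMTRAP = "trap@example.net"            # assumed address behind the high-MX record
VALID_USERS = {"randal", "postmaster"}    # assumed real local parts
SA_BLOCK_SCORE = 10.0                     # assumed "high SpamAssassin score"


class InvertedGreylist:
    """Unknown sources start accepted; a source that misbehaves is blocked
    for block_seconds, after which it gets another chance."""

    def __init__(self, whitelist=(), threshold=TRIGGER_THRESHOLD,
                 window=TRIGGER_WINDOW, block_seconds=BLOCK_SECONDS):
        self.whitelist = set(whitelist)
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.offences = defaultdict(deque)   # ip -> recent offence timestamps
        self.block_until = {}                # ip -> epoch second the block ends
        self.log = []                        # (ts, ip, reason) for later review

    def is_blocked(self, ip, now):
        until = self.block_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # hour is up: wall comes down
            del self.block_until[ip]
            return False
        return True

    def accept_connection(self, ip, now):
        """Port 25 gate: True means let the remote MTA talk to us."""
        if ip in self.whitelist:
            return True
        return not self.is_blocked(ip, now)

    def note_rejection(self, ip, reason, now):
        """Record an offence; returns True if this one triggered a block."""
        self.log.append((now, ip, reason))
        if ip in self.whitelist:
            return False                     # collateral-damage host: log only
        q = self.offences[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                      # forget offences outside the window
        if len(q) >= self.threshold and not self.is_blocked(ip, now):
            self.block_until[ip] = now + self.block_seconds
            return True
        return False


def classify(msg):
    """Return the reason a message is rejected, or None if it is fine."""
    if msg["rcpt"] == SPAMTRAP:
        return "spamtrap"
    if msg["rcpt"].split("@", 1)[0] not in VALID_USERS:
        return "bogus-recipient"             # dictionary-attack signal
    if msg.get("sa_score", 0.0) >= SA_BLOCK_SCORE:
        return "spamassassin"
    return None


def process(gl, ip, now, msg):
    """One SMTP attempt from ip at time now; msg is None for a bare connect."""
    if not gl.accept_connection(ip, now):
        return "refused"                     # blocklist in effect
    if msg is None:
        return "accepted-connection"
    reason = classify(msg)
    if reason is None:
        return "delivered"
    gl.note_rejection(ip, reason, now)
    return "rejected:" + reason


def run_demo():
    gl = InvertedGreylist(whitelist={"198.51.100.7"})   # the university gateway
    events = [  # constructed sample traffic, not real log data
        (0,    "203.0.113.5",  {"rcpt": "trap@example.net",   "sa_score": 0.0}),
        (10,   "203.0.113.5",  None),
        (20,   "198.51.100.7", {"rcpt": "nobody@example.net", "sa_score": 0.0}),
        (30,   "198.51.100.7", {"rcpt": "randal@example.net", "sa_score": 1.5}),
        (40,   "192.0.2.9",    {"rcpt": "randal@example.net", "sa_score": 14.2}),
        (3599, "203.0.113.5",  None),
        (3601, "203.0.113.5",  None),
    ]
    outcomes = [(t, ip, process(gl, ip, t, msg)) for t, ip, msg in events]
    return outcomes, gl


if __name__ == "__main__":
    for t, ip, outcome in run_demo()[0]:
        print(f"t={t:5d} {ip:14s} {outcome}")
```

A refused connection deliberately does not extend the block, which is what lets a legitimate MTA that retries on its normal schedule get through once the hour is up; the whitelisted gateway's bogus-recipient hit still lands in the log, which is the trail you would need to find the offending host behind it.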