On Wed, 26 Sep 2007 17:26:22 +0200, Peter N. M. Hansteen wrote: > >> Or take advantage of the (by default) 25 minute window to use other >> means to detect that this address is sending spam. Perhaps spamd should >> be extended to look for excessive attempts to send messages from an >> address during that period? (How often do spammers' lists contain only >> one or two addresses from a domain?) > >You could probably use straight rdr instead of rdr pass to feed spamd, >then in the relevant pass rule apply your source tracking options and >overload and some table magic for that
Have you been looking at my ruleset? ;-) I took out the pass on the rdr ages ago because unless I did my personal blacklist could not be used to block things like stormers and some tedious twits like a movie-house chain which keeps on sending to a long gone client of mine even though the address returns a 554 every time. I blacklist those permanently to stop log clutter. Rod/ _____ Depressed? Me? Don't make me laugh! :Spike Milligan:1918-2002:
