Reporting Connection Attempts back to originators ISP

Sun, 21 Jun 2009 20:54:46 -0700

I'm sorry if this has already been done to death but I have searched high and low and have found scant discussion of this.
I have been running Postfix for three weeks now and have reduced spam to just one or two messages getting through a day. I have implemented recommended anti spam settings from a number of sites which include HELO, RBL and DNS checks. 

I am running Postfix 2.5.5 with Amavis-New on Ubuntu Server 9.04
My main.cf contains the following;

smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_client_access hash:/etc/postfix/mywhitelist,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client dnsbl-1.uceprotect.net,
   reject_rbl_client dnsbl-2.uceprotect.net,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client dnsbl.njabl.org,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   permit

smtpd_data_restrictions =
   reject_unauth_pipelining,
   permit

# Strange Syntax / Strict syntax
smtpd_helo_required     = yes
strict_rfc821_envelopes = yes

#No VRFY command
disable_vrfy_command = yes

content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings


Note: I have the RBL's first to see how effective they are. I'll 
probably drop them down before the permit line at some stage.



While I am more than happy with the reduction in spam I would like to 
use my log files to be proactive in letting ISPs know that they have 
bots in their networks. I am presuming that most of the attempts to 
connect are from bot infected home computers, judging from the FQDN that 
is used in the connection.


I have been trying to find something that will do the following.


Analyse my mail.log file looking for occurances of rejected attempts to 
connect to my mail server.
At some user defined threshold it would then do a whois query looking 
for an abuse@<<originating ISP>> email address.
It would the send a nicely worded message detailing the attempt to use 
my mail server for spamming and request that the connection be 
terminated until the user fixes their compromised machine.


Am I just being wishful here??

Cheers

Justin






















					Reply via email to