On Mon, 2009-06-22 at 15:30 +1200, Justin C. Le Grice wrote:
> I'm sorry if this has already been done to death but I have searched
> high and low and have found scant discussion of this.
>
> I have been running Postfix for three weeks now and have reduced spam to
> just one or two messages getting through a day.
> I have implemented recommended anti-spam settings from a number of sites
> which include HELO, RBL and DNS checks.
>
> I am running Postfix 2.5.5 with Amavis-New on Ubuntu Server 9.04.
> My main.cf contains the following:
>
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_client_access hash:/etc/postfix/mywhitelist,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client dnsbl-1.uceprotect.net,
> reject_rbl_client dnsbl-2.uceprotect.net,
> reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rbl_client dnsbl.njabl.org,
> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_destination,
> permit
>
> smtpd_data_restrictions =
> reject_unauth_pipelining,
> permit
>
> # Strange Syntax / Strict syntax
> smtpd_helo_required = yes
> strict_rfc821_envelopes = yes
>
> #No VRFY command
> disable_vrfy_command = yes
>
> content_filter = smtp-amavis:[127.0.0.1]:10024
> receive_override_options = no_address_mappings
>
> Note: I have the RBLs first to see how effective they are. I'll
> probably drop them down before the permit line at some stage.
>
> While I am more than happy with the reduction in spam I would like to
> use my log files to be proactive in letting ISPs know that they have
> bots in their networks. I am presuming that most of the attempts to
> connect are from bot-infected home computers, judging from the FQDN that
> is used in the connection.
>
> I have been trying to find something that will do the following.
>
> Analyse my mail.log file looking for occurrences of rejected attempts to
> connect to my mail server.
> At some user-defined threshold it would then do a whois query looking
> for an abuse@<<originating ISP>> email address.
> It would then send a nicely worded message detailing the attempt to use
> my mail server for spamming and request that the connection be
> terminated until the user fixes their compromised machine.
>
> Am I just being wishful here??
>
> Cheers
>
> Justin

Any kind of 'automated' message system is about as welcome as a needle in a Durex factory in spam land, so my own advice would be don't do it. Whilst it's not 'backscatter' it has potential for mishaps.
There are plenty of stats programs out there that require differing levels of setting up. I'm told awstats is rather nice but I've never tried it with Postfix. Failing that Perl is your friend and getting a little script working looking at failed connection attempts and tallying the responsible IP(s) is relatively easy going. I'm fiddling with one myself at the moment and when I'm done with it I'm happy to share it.
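As an added illustration of the tallying script suggested above (this is not the reply author's own script, which they say is still in progress), here is a Python version that counts smtpd rejections per client IP from mail.log lines in the format Postfix 2.5 writes for the restrictions in the quoted main.cf. The sample log lines, addresses and hostnames are constructed, and the threshold argument is an assumption; it only reports, it sends nothing.

```python
"""Tally Postfix smtpd rejections per client IP from mail.log lines."""
import re
from collections import Counter, defaultdict

# Matches the "NOQUEUE: reject:" lines smtpd logs when an RBL, HELO or
# sender/recipient restriction fires; the reason runs up to "; from=<".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<reason>.*?); from=<"
)

# Constructed sample log (RFC 5737 documentation addresses, fake hosts).
LOG = """\
Jun 22 15:30:01 mx postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<a@example.com> to=<u@example.net> proto=ESMTP helo=<mypc>
Jun 22 15:30:07 mx postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 504 5.5.2 <mypc>: Helo command rejected: need fully-qualified hostname; from=<a@example.com> to=<u@example.net> proto=ESMTP helo=<mypc>
Jun 22 15:31:12 mx postfix/smtpd[4012]: connect from mail.example.org[198.51.100.5]
Jun 22 15:31:13 mx postfix/smtpd[4012]: 1A2B3C: client=mail.example.org[198.51.100.5]
Jun 22 15:32:40 mx postfix/smtpd[4013]: NOQUEUE: reject: RCPT from dsl-203-0-113-77.example.isp[203.0.113.77]: 450 4.1.8 <x@nosuch.invalid>: Sender address rejected: Domain not found; from=<x@nosuch.invalid> to=<u@example.net> proto=SMTP helo=<dsl-203-0-113-77>
Jun 22 15:33:02 mx postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl-1.uceprotect.net; from=<b@example.com> to=<v@example.net> proto=ESMTP helo=<mypc>
"""


def tally_rejects(lines, threshold=1):
    """Return {ip: (count, hostname, {reason: n})} for IPs with >= threshold rejects.

    Accepted mail and non-reject smtpd lines are skipped, so a legitimate
    relay that was never rejected does not appear in the result.
    """
    counts = Counter()
    hosts = {}
    reasons = defaultdict(Counter)
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        counts[ip] += 1
        hosts[ip] = m.group("host")  # "unknown" when reverse DNS fails
        reasons[ip][m.group("reason").strip()] += 1
    return {ip: (n, hosts[ip], dict(reasons[ip]))
            for ip, n in counts.most_common() if n >= threshold}


if __name__ == "__main__":
    for ip, (n, host, why) in tally_rejects(LOG.splitlines(), threshold=1).items():
        print(f"{n:4d}  {ip:15s} {host}")
        for reason, k in why.items():
            print(f"        {k}x {reason}")
```

Point it at a real file with `tally_rejects(open('/var/log/mail.log'))` and raise `threshold` to surface only the repeat offenders worth looking at by hand.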