I'm trying out various DNS blacklist items and am calling on the wisdom here for a little help. For example, say I DNS-blacklist malwaresite.example.com to point to an internal "honeypot" machine.

When the user goes to the http://www dot malwaresite.example.com site, we have a little web server that gives a 404 error for any page they may attempt to pull down. Immediate feedback that something is wrong with the site they are attempting to get to. They may not agree that it should be blacklisted, but they know why they are not getting to the site.

With email, it's a little harder. The two simple examples of this are that someone typos an email address, or someone is on vacation/travel when a bit of spam makes it through the filters. The result is that a message is now sitting in the mail queue attempting to go out to a blacklisted domain. Ultimately, after the various timeouts expire, the message gets bounced back as undeliverable.

What I'd like to do is set up a postfix instance on the above honeypot. For any email that is sent to it, I'd like to reject the mail with a reject message like: "The site is DNS Blacklisted, contact cybersec office for details". Again, immediate feedback. The message isn't sitting in the mail server queues for long, etc. I also now have a simple log file of people that hit this site and hopefully find possible problems more quickly. No legit mail should be targeting this machine for delivery, and multiple on-site mail servers are all centrally hitting the same delivery spot for this class of responses.

Has anyone created such a config they could share?

Many Thanks
--Gene

/~\  The ASCII          Gene Rackow               email: rac...@anl.gov
\ /  Ribbon Campaign    Cyber Security Office     voice: 630-252-7126
 X   Against HTML       Argonne National Lab
/ \  Email!             9700 S. Cass Ave.
                        Argonne, IL 60439
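One way to build the honeypot Postfix instance the post asks for, as an added example that is not from the original thread (the hostname, the table path and the network range are assumptions; the reject text is the one quoted in the post):

```conf
# ---- /etc/postfix/main.cf on the honeypot host ----
# Constructed example: hostname, table path and network range are assumptions.
myhostname = honeypot.example.com
inet_interfaces = all

# This host delivers nothing locally and relays for nobody.
mydestination =
mynetworks = 127.0.0.0/8
relayhost =

# Evaluate all restrictions at RCPT TO (the default). Rejecting there rather
# than at CONNECT means the maillog entry for each attempt carries the client,
# the envelope sender and the blacklisted recipient, which is the audit trail
# the post wants.
smtpd_delay_reject = yes

# Every client is rejected by the access table below, before permit_mynetworks
# or any other permit rule is consulted.
smtpd_client_restrictions = check_client_access regexp:/etc/postfix/reject_all

# Belt and braces: no recipient is ever accepted here either.
smtpd_recipient_restrictions = reject

# 554 is a permanent (5xx) failure, so the on-site mail server bounces the
# message back to the user at once instead of retrying until its queue
# lifetime (maximal_queue_lifetime, 5 days by default) expires.
access_map_reject_code = 554

# ---- /etc/postfix/reject_all (regexp table, no postmap needed) ----
# regexp tables are built into Postfix, unlike pcre. /^/ matches every
# client lookup key. 5.7.1 is the RFC 3463 enhanced status for "delivery
# not authorized"; the text after it is what the user sees in the bounce.
/^/  REJECT 5.7.1 The site is DNS Blacklisted, contact cybersec office for details
```

Run `postfix reload` after editing; a regexp table is read directly, so no `postmap` step is needed.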