On Tue, Jan 31, 2012 at 08:54:33PM -0600, Noel Jones wrote:
> On 1/31/2012 8:30 PM, l...@airstreamcomm.net wrote:
> > What we were thinking was using RBLs to dynamically block known
> > malicious IPs before allowing SMTP Auth to occur, hopefully
> > seeing a decrease in spam. Not sure if this would have
> > unintended consequences, which is why I am consulting the list.
>
> That would probably cause a huge number of false positives; a
> support desk nightmare.
>
> Many "consumer" IPs are listed on the popular RBLs. As a
> consequence, legit users may be unable to send mail because their
> dynamic IP was used by a spambot at some point in the past.
>
> I don't know of any RBLs that would be useful on incoming
> authenticated mail.

Even a locally-maintained private DNSBL is the wrong approach. When
spam is detected from an authenticated account, revoke the
credentials. You have no other good choice. Even after the user's
system is purged of the ratware, you cannot be sure that these
credentials were not forwarded to the botnet's control node[s].

Detection of a spamming account is done as Noel suggested, through
rate limiting (and possibly behavioral monitoring) policy daemons.

Content filtering of user-submitted mail is also important. Most
malware will spew mail containing positive URIBL/SURBL hits.
SpamAssassin can do this (I recommend using SA from amavisd-new.)

> You can test this yourself by inserting "warn_if_reject
> reject_rbl_client zen.spamhaus.org" just before
> permit_sasl_authenticated. Then watch your logs for
> reject_warning: from legit connections. (this is a
> logging-only function; the client is not rejected and
> sees no additional messages.)

Perhaps a slightly less insane ;) test would be to check
xbl.spamhaus.org at that point. But hotels and public hotspots are
often listed there. You might catch a few bad users, but you will
*not* have reasonable protection for clean users.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
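
An added example, not part of the original message or of any project named in it: the decision logic of a Postfix policy delegation service that rate-limits per authenticated account (sasl_username) rather than per client IP, the detection approach described above. The class name, the thresholds, the DEFER_IF_PERMIT response and the sample request are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample of one Postfix policy delegation request (RCPT stage).
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
client_address=192.0.2.10
sasl_method=PLAIN
sasl_username=alice@example.com
sender=alice@example.com
recipient=bob@example.net

"""

def parse_request(text):
    """Parse name=value attribute lines up to the terminating blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class SaslRateLimiter:
    """Sliding-window recipient counter per authenticated account (hypothetical)."""

    def __init__(self, limit=100, window=3600):  # assumed thresholds
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # sasl_username -> RCPT timestamps
        self.flagged = set()               # accounts to review and revoke

    def decide(self, attrs, now=None):
        user = attrs.get("sasl_username", "")
        if attrs.get("request") != "smtpd_access_policy" or not user:
            return "DUNNO"                 # not authenticated: no opinion
        now = time.time() if now is None else now
        seen = self.events[user]
        while seen and seen[0] <= now - self.window:
            seen.popleft()                 # drop events older than the window
        seen.append(now)
        if len(seen) > self.limit:
            self.flagged.add(user)         # same account, whatever the source IP
            return "DEFER_IF_PERMIT Sending rate exceeded"
        return "DUNNO"

def respond(action):
    """Format the reply Postfix expects: an action line plus an empty line."""
    return f"action={action}\n\n"
```

Because the counter is keyed on the account, a compromised login is flagged even when the mail arrives from many addresses, and a clean user on a listed hotel or hotspot IP is unaffected.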