Whois should definitely not be implemented in automated systems - read the
ToS of RIPE, ARIN, LACNIC etc.
A special-made milter that digs for details during the connection time is
not applicable.
A secondary benefit of greylisting is IP rotation. That will give you some
insight into certain networks, IP ranges and ISPs.
Registrars or hosting providers are not behind attacks, but they play a key
role in providing resources and delisting - notice the delisting rules of
some popular RBLs for IP classes. Now they are there, the next day they are
gone, despite their own retention policy.

I would go with reputation (mine or a third party's - the decision depends on
the message volume) since some registrars are less tolerant than others;
volume and percentage are important too.
For example, you don't want to block domains registered with godaddy just
because there might be some spamming domains there.

You can adjust the scoring in spamassassin for uribl.com if you want to be
more aggressive.
As a fast, doable solution, I would prefer a custom meta rule (uribl.com &
bayes_90+ & pyzor - maybe) and a shortcircuit rule to reduce resources and
time.
Plus a script that will collect all those IPs/domains and put them into
postfix or rbldnsd to reject the next connections more efficiently.

Geographic rules may help reduce spam, but not in all cases.
Too many non-existent recipients is also a sign of spam. You can turn some
of them into spam traps.

Marius.

-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of James B. Byrne
Sent: Tuesday, May 27, 2014 10:20 PM
To: postfix-users-dig...@cloud9.net
Subject: Milter to block registrars

Without going into a lot of detail and without naming names, I wish to know
if, at the time of connection to Postfix, there exists any feasible means of
determining the registrar used by the connecting domain. As well, I would
like to know whether there is any practical means of determining, at the time
of SMTP connection and by direct enquiry of a registrar, when the connecting
domain was registered, and of blocking all connections from all
non-whitelisted domains registered within the past N days.

I am aware of the 'Day Old Bread' RBL / greylist that is used by SpamAssassin,
but after some investigation I have come to the belief that a registrar is in
fact behind the latest spam attack we have encountered. Our experience is that
by the time DOB is updated the domain is no longer generating mail at all.
Given the remote possibility that any domain registered with that registrar
would ever have a legitimate reason to contact us, I wish to simply deny
access to our servers from any domain registered with them. Given the equal
implausibility of a newly registered domain having any legitimate need, I wish
also to block these.

Does anyone know of any milter projects usable by Postfix that address either
of these desires?


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
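The "fast doable solution" Marius sketches (a custom meta rule over uribl.com, Bayes and Pyzor hits, shortcircuited, plus a script that turns the sources of those messages into Postfix and rbldnsd input) as an added, self-contained example. This is not code from either poster or from the SpamAssassin/Postfix projects. The rule name LOCAL_URIBL_BAYES_PYZOR, the hostname mx.example.org, the MIN_HITS threshold, the rbldnsd file layout and all sample headers are assumptions made for the example; URIBL_BLACK, PYZOR_CHECK and the BAYES_* tiers are stock SpamAssassin rule names.

```python
"""Feed Postfix and rbldnsd from the sources of messages that hit a local
SpamAssassin meta rule, so later connections are rejected before content
filtering. Added example, not code from the thread. Assumed local.cf fragment
(LOCAL_URIBL_BAYES_PYZOR is a made-up name; the others are stock rules. There
is no BAYES_90 rule: the tiers above 0.9 are BAYES_95, BAYES_99, BAYES_999):

    meta         LOCAL_URIBL_BAYES_PYZOR (URIBL_BLACK && (BAYES_95 || BAYES_99 || BAYES_999) && PYZOR_CHECK)
    describe     LOCAL_URIBL_BAYES_PYZOR URIBL-listed URI, Bayes >= 0.95 and Pyzor hit
    score        LOCAL_URIBL_BAYES_PYZOR 8.0
    shortcircuit LOCAL_URIBL_BAYES_PYZOR spam  # Plugin::Shortcircuit must be loaded in v320.pre
"""
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

TRIGGER_RULE = "LOCAL_URIBL_BAYES_PYZOR"  # assumed rule name (see docstring)
MY_MTA = "mx.example.org"                 # assumed hostname of our own Postfix
MIN_HITS = 2                              # one spam is not enough evidence to list a source
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # IPv4 only, for brevity
TESTS = re.compile(r"tests=([A-Z0-9_,\s]+?)(?=\s+[a-z]+=|$)")    # SA folds the tests list

# Constructed sample headers (documentation IPs, made-up domains), not real traffic.
SAMPLES = [
    """Received: from bulk1.example.net (bulk1.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 4A1B2C3D4E
From: "Offer" <promo@cheapwatches-example.net>
X-Spam-Status: Yes, score=14.2 required=5.0 tests=BAYES_99,BAYES_999,
\tLOCAL_URIBL_BAYES_PYZOR,PYZOR_CHECK,URIBL_BLACK shortcircuit=spam""",
    """Received: from bulk1.example.net (bulk1.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 5B2C3D4E5F
From: <sale@cheapwatches-example.net>
X-Spam-Status: Yes, score=11.8 required=5.0 tests=BAYES_95,
\tLOCAL_URIBL_BAYES_PYZOR,PYZOR_CHECK,URIBL_BLACK shortcircuit=spam""",
    """Received: from srv7.example.net (srv7.example.net [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTP id 6C3D4E5F60
From: <news@bulkmail-example.org>
X-Spam-Status: Yes, score=9.5 required=5.0 tests=BAYES_99,
\tLOCAL_URIBL_BAYES_PYZOR,PYZOR_CHECK,URIBL_BLACK shortcircuit=spam""",
    """Received: from mail.example.com (mail.example.com [203.0.113.5])
\tby mx.example.org (Postfix) with ESMTP id 7D4E5F6071
From: Alice <alice@example.com>
X-Spam-Status: No, score=-0.5 required=5.0 tests=HTML_MESSAGE,SPF_PASS
\tautolearn=ham""",
]


def parse_headers(raw):
    """Return (client_ip, sender_domain, tests), or None if the data cannot be trusted."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Only the topmost Received line is ours; everything below it was written by the sender.
    top = re.sub(r"\s+", " ", received[0]) if received else ""
    ip_match = RECEIVED_IP.search(top)
    if f"by {MY_MTA} " not in top or not ip_match:
        return None
    try:
        client_ip = ipaddress.ip_address(ip_match.group(1))
    except ValueError:  # 999.1.2.3 matches the regex but is not an address
        return None
    status = re.sub(r"\s+", " ", msg.get("X-Spam-Status", ""))
    found = TESTS.search(status)
    tests = {t for t in found.group(1).replace(" ", "").split(",") if t} if found else set()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return client_ip, sender_domain, tests


def collect(samples, min_hits=MIN_HITS):
    """Count meta-rule hits per client IP and sender domain; keep sources at/above min_hits."""
    ip_hits, domain_hits = Counter(), Counter()
    for raw in samples:
        parsed = parse_headers(raw)
        if parsed and TRIGGER_RULE in parsed[2]:
            ip_hits[parsed[0]] += 1
            if parsed[1]:
                domain_hits[parsed[1]] += 1
    ips = [str(ip) for ip in sorted(ip for ip, n in ip_hits.items() if n >= min_hits)]
    domains = sorted(d for d, n in domain_hits.items() if n >= min_hits)
    return ips, domains


def render(ips, domains):
    """Texts for check_client_access cidr:, check_sender_access hash: (run postmap) and
    rbldnsd ip4set/dnset files (assumed layout: default-value line, then one entry per line)."""
    why = "listed as local spam source"
    return {
        "postfix_cidr": "".join(f"{ip}/32 REJECT {why}\n" for ip in ips),
        "postfix_sender": "".join(f"{d} REJECT {why}\n" for d in domains),
        "rbldnsd_ip4set": f":127.0.0.2:{why}\n" + "".join(f"{ip}\n" for ip in ips),
        "rbldnsd_dnset": f":127.0.0.2:{why}\n" + "".join(f"{d}\n" for d in domains),
    }


if __name__ == "__main__":
    for name, text in render(*collect(SAMPLES)).items():
        print(f"--- {name}\n{text}", end="")
```

Run it periodically over the headers of mail the meta rule tagged, then hook the output into smtpd_recipient_restrictions with check_client_access cidr:/etc/postfix/spam_clients.cidr and check_sender_access hash:/etc/postfix/spam_senders (postmap after each rewrite), or serve the two rbldnsd zones and point reject_rbl_client at them. Two details carry Marius's caveats: only the Received line added by your own MTA is trusted for the client IP (the sender controls the rest), and the threshold plus the per-domain list mean you block the domain that actually sent spam, not everything registered at the same registrar.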

