On 24 Mar 2004, at 22:53, Bryan Scott wrote:

After playing with Frank's new-and-improved hnbl, I noticed that quite a few hosts were being blocked, and quite quickly. Then they hit over and over again.

Sooo.. to spike the punch a little, I decided that, rather than simply deny hosts that have no reverse DNS, why not tarpit them? Then, if they start talking before I send them an SMTP banner, let check_earlytalker take care of them. It works beautifully. At the very least, it lets me know that I'm not just dropping poor, unsuspecting hosts whose ISPs don't care about revDNS.

The next modification I made to hnbl was to let the dialup/cable/dsl users connect anyway, and pass their HELO/EHLO message to me. Since most of the virus/trojan-laden boxes use their revDNS name as their HELO, I tarpit and eventually drop them in check_spamhelo. This way, people who host their own mail servers on a DSL or cable connection and can't get a custom PTR entry can at least send email.

In order to not completely tie up a qpsmtpd process in tarpitting, it would be nice to be able to pass the socket (via unix fd passing (send_fd/recv_fd)) off to an external long-running process that does nothing but hold open sockets.


Hmm, now there's a nice plugin to show off for my talk on qpsmtpd at OSCon...

Matt.
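The design the two messages above sketch, written out as an added example that is not part of the original thread and not qpsmtpd code (qpsmtpd plugins are Perl; this is Python so it runs stand-alone): a host with reverse DNS gets the banner at once, a host without it is tarpitted, and instead of sleeping in the SMTP worker the connected socket is passed over an AF_UNIX socket (SCM_RIGHTS, `socket.send_fds`/`recv_fds`, Python 3.9+ on a POSIX system) to a forked, long-lived "holder" that waits before sending the banner and rejects clients that talk first, the check_earlytalker idea. The banner hostname, the delays, the `EHLO` line and the `simulate` harness that drives one loopback connection end to end are all constructed for the example.

```python
"""Tarpit by socket handoff (constructed example, not qpsmtpd's own code).

Worker: sends the banner to hosts with reverse DNS; hands sockets of hosts
without reverse DNS to the holder process and moves on.
Holder: waits `delay` seconds on each passed socket; a client that sends
anything before the banner is an early talker and is rejected.
"""
import os
import select
import socket

BANNER = b"220 mail.example.invalid ESMTP\r\n"      # placeholder hostname
REJECT = b"554 client talked before banner\r\n"


def is_early_talker(conn, delay):
    """True if the client sent anything within `delay` seconds, i.e. before
    the greeting a conforming SMTP client must wait for."""
    readable, _, _ = select.select([conn], [], [], delay)
    return bool(readable)


def holder_process(control):
    """Loop of the long-running holder. Each control message carries one
    passed socket plus the delay to apply; the verdict goes back on `control`."""
    while True:
        msg, fds, _, _ = socket.recv_fds(control, 64, 1)
        if not fds:                            # worker closed the control socket
            return
        conn = socket.socket(fileno=fds[0])    # adopt the passed descriptor
        if is_early_talker(conn, float(msg.decode())):
            conn.recv(512)                     # drain (and, in practice, log) what it sent
            conn.sendall(REJECT)
            verdict = b"early-talker"
        else:
            conn.sendall(BANNER)
            verdict = b"banner-sent"
        conn.close()
        control.sendall(verdict)


def handle_connection(conn, has_reverse_dns, control, delay):
    """Per-connection SMTP worker. Returns what it did; after a handoff the
    holder owns the socket and this worker is free to serve the next client."""
    if has_reverse_dns:
        conn.sendall(BANNER)
        return "banner-sent"
    socket.send_fds(control, [str(delay).encode()], [conn.fileno()])
    conn.close()                               # our reference only; the holder keeps its own
    return "handed-off"


def simulate(has_reverse_dns, client_talks_first, delay=0.5):
    """Drive one loopback connection with a forked holder. Returns
    (worker decision, holder verdict or None, first reply the client saw)."""
    worker_ctl, holder_ctl = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:                               # child: the holder process
        worker_ctl.close()
        holder_process(holder_ctl)
        os._exit(0)
    holder_ctl.close()
    worker_ctl.settimeout(5)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname(), timeout=5)
    conn, _ = listener.accept()
    if client_talks_first:
        client.sendall(b"EHLO spammer.invalid\r\n")   # constructed early talk
    decision = handle_connection(conn, has_reverse_dns, worker_ctl, delay)
    verdict = worker_ctl.recv(64).decode() if decision == "handed-off" else None
    reply = client.recv(128)

    for s in (conn, client, listener, worker_ctl):
        s.close()                              # closing worker_ctl makes the holder exit
    os.waitpid(pid, 0)
    return decision, verdict, reply


if __name__ == "__main__":
    for rdns, talks in ((True, False), (False, True), (False, False)):
        print("rDNS=%s talks_first=%s -> %r" % (rdns, talks, simulate(rdns, talks)))
```

The worker returns within milliseconds for every connection; the only place that sleeps is the holder's `select`, so one holder can sit on hundreds of tarpitted sockets without tying up the per-connection SMTP processes.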
