Howdy...

Sooo.. to spike the punch a little, I decided that, rather than simply deny hosts that have no reverse DNS, why not tarpit them? Then, if they start talking before I send them an SMTP banner, let check_earlytalker take care of them. It works beautifully. At the very least, it lets me know that I'm not just dropping poor, unsuspecting hosts whose ISPs don't care about revDNS.

The next modification I made to hnbl was to let the dialup/cable/dsl users connect anyway, and pass their HELO/EHLO message to me. Since most of the virus/trojan-laden boxes use their revDNS name as their HELO, I tarpit and eventually drop them in check_spamhelo. This way, people who host their own mail servers on a DSL or cable connection and can't get a custom PTR entry can at least send email.


In order to not completely tie up a qpsmtpd process in tarpitting, it would be nice to be able to pass the socket (via unix fd passing (send_fd/recv_fd)) off to an external long-running process that does nothing but hold open sockets.

I was thinking of that same idea, actually. But my plan would be a little more elaborate/cumbersome. :)


I have an SQL database of IP addresses that have violated obvious rules (invalid mailbox, infected cable/dsl user, hit spam trap). The thought was originally to use iptables and simply block those IP addresses. Well, the list got pretty out of hand for iptables on the mailserver, so I put the IPs into tcpserver's database with a "deny" rule.

Instead of just blocking them, with this idea, I would stick a linux router/firewall in front of the mail server, set up iptables rules for the violating IP addresses, and let the "good guys" on through. Violators would be redirected to a local socket holder on the router/firewall that just sits there and plays with the remote server. You could probably let it go through the whole session.... Fun stuff.

-- Bryan
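As an added example (not code from Bryan's post, and not qpsmtpd's own hnbl, check_earlytalker or check_spamhelo plugins), here is a small Python sketch of the behaviour described in this message: hold the banner instead of denying a host with no reverse DNS, reject anything that talks before the banner, tarpit and then reject a HELO that is simply the sender's own dynamic-looking rDNS name, and hand a connection to a separate socket-holder process over a Unix socket (SCM_RIGHTS) as the quoted suggestion proposes. The host names, the dynamic-name pattern, the reply texts and the delays are made up for the example; the real plugins use their own lists and wording.

```python
import re
import select
import socket
import threading
import time

# Pattern for dialup/cable/DSL pool names. Constructed for this example only.
DYNAMIC_RE = re.compile(
    r"(^|[.-])(dsl|adsl|cable|dialup|dial|dyn|dynamic|ppp|pool)([.-]|\d|$)",
    re.IGNORECASE,
)


def looks_dynamic(name):
    """True if a host name looks like a residential/dynamic pool entry."""
    return bool(name) and DYNAMIC_RE.search(name) is not None


def classify_helo(helo, rdns):
    """'reject' when the HELO name is the sender's own dynamic-looking rDNS name."""
    helo = helo.strip().lower().rstrip(".")
    rdns = (rdns or "").strip().lower().rstrip(".")
    if rdns and helo == rdns and looks_dynamic(rdns):
        return "reject"
    return "accept"


def recv_line(conn, limit=1024):
    """Read one CRLF-terminated line (or until EOF / limit) and strip it."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = conn.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf.strip()


def handle_session(conn, rdns, banner_delay=20.0, tarpit_delay=5.0):
    """Greet one SMTP client and return a verdict string.

    No rDNS: hold the banner for banner_delay seconds instead of denying.
    Bytes arriving before the banner: early talker, reject and close.
    HELO equal to a dynamic-looking rDNS name: tarpit, then reject and close.
    """
    wait = banner_delay if not rdns else 0.0
    readable, _, _ = select.select([conn], [], [], wait)
    if readable:                       # client spoke before our 220
        conn.sendall(b"554 SMTP synchronization error\r\n")
        conn.close()
        return "early-talker"
    conn.sendall(b"220 mail.example.com ESMTP\r\n")   # hypothetical host name
    parts = recv_line(conn).split(None, 1)
    if len(parts) != 2 or parts[0].upper() not in (b"HELO", b"EHLO"):
        conn.sendall(b"503 send HELO/EHLO first\r\n")
        conn.close()
        return "bad-helo"
    if classify_helo(parts[1].decode("ascii", "replace"), rdns) == "reject":
        time.sleep(tarpit_delay)       # tarpit: make the infected box wait
        conn.sendall(b"550 HELO name is a dynamic pool address\r\n")
        conn.close()
        return "spam-helo"
    conn.sendall(b"250 mail.example.com\r\n")
    return "accept"


def hand_off(holder, conn):
    """Pass conn to a socket-holder process over the Unix socket `holder`
    (SCM_RIGHTS via socket.send_fds, Python 3.9+ on Unix), then drop our copy."""
    socket.send_fds(holder, [b"tarpit"], [conn.fileno()])
    conn.close()


def receive_handoff(holder):
    """Holder side: reclaim the passed descriptor as a socket object."""
    data, fds, _flags, _addr = socket.recv_fds(holder, 64, 1)
    return data, socket.socket(fileno=fds[0])


def demo_handoff():
    """Hand a connection to a holder over a socketpair and show the holder
    can still talk to the client afterwards. Returns (tag, line client saw)."""
    holder_in, holder_out = socket.socketpair()
    server_sock, client_sock = socket.socketpair()
    hand_off(holder_in, server_sock)
    tag, held = receive_handoff(holder_out)
    held.sendall(b"220 still here\r\n")
    line = recv_line(client_sock)
    for s in (holder_in, holder_out, held, client_sock):
        s.close()
    return tag, line


def simulate(helo, rdns, early=False, banner_delay=0.2):
    """Run handle_session against a scripted client over a socketpair.
    Returns (verdict, first server reply seen after the client's EHLO)."""
    server_sock, client_sock = socket.socketpair()
    result = {}

    def server():
        result["verdict"] = handle_session(
            server_sock, rdns, banner_delay=banner_delay, tarpit_delay=0.01)

    t = threading.Thread(target=server)
    t.start()
    if not early:
        recv_line(client_sock)         # polite client waits for the 220 banner
    client_sock.sendall(b"EHLO " + helo.encode("ascii") + b"\r\n")
    reply = recv_line(client_sock).decode("ascii", "replace")
    t.join()
    server_sock.close()
    client_sock.close()
    return result["verdict"], reply
```

`simulate("mail.example.org", None, early=True)` models a host with no rDNS that blurts its EHLO during the banner delay and gets the 554; `simulate("adsl-1-2-3-4.dsl.example.net", "adsl-1-2-3-4.dsl.example.net")` models the infected DSL box that HELOs with its own pool name and waits through the tarpit for a 550; a sender whose HELO is a real server name is accepted whether or not it has rDNS. `demo_handoff` is the piece the quoted suggestion asks for: once the descriptor has been passed, the qpsmtpd side can close its copy and the holder owns the connection for as long as it likes.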

