Hello, we are a network service provider, and over time I have seen that the customers we provide network connectivity to many times generate a lot of spam from their networks.
Many times the business rationale for this is basically that it is more profitable for the company to keep these customers. Many times these spam complaints to the customer are not acted upon, so there is a dilemma. We cannot really remove this customer because we will lose money. Yes, I do realize that it may not be worth having a customer that spams constantly, but this is not easy to convince managers of, in my opinion. And sometimes you are not in a position to influence this decision.

So I've been thinking about solutions... In most cases we have access to their network. So what I'm thinking about is setting up an IDS-like machine that can see traffic from/to a customer's network. Ideally this would be a machine on a port-mirror setup, very close to the customer end.

Now, by being able to see this traffic, we can do some interesting things. If anyone has played with dsniff, there are 2 tools in that package that come to mind: mailsnarf and tcpkill :). For those that do not know, mailsnarf basically dumps out monitored SMTP traffic in mbox format. tcpkill can be used to kill TCP connections by sending RSTs to both endpoints.

So we have a way of seeing all mail traffic, and a way to kill a connection. By analyzing mail traffic with SpamAssassin, spam can be determined on the fly. We can make a system that tallies these numbers, and when certain thresholds are met, actively penalizes that IP address's SMTP connections for some time or indefinitely until the matter is resolved by the customer. Sort of a very intrusive way to destroy the spammer, like a Snort for SMTP, and it forces the spamming site to deal with the problem if they want to continue sending mail.

Some questions I have: is anyone in a similar situation to the one I'm in? And if so, would you think a system like the above would be useful? I'd appreciate any suggestions.

Viraj.

_______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
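The tally-and-threshold layer the post sketches (count SpamAssassin verdicts per source IP, penalize a source once it passes a threshold inside a time window, lift the penalty after a fixed period) can be written as a small decision engine that is independent of how the verdict arrives and of what the penalty action does. The block below is an added example and is not code from the post or from the SpamAssassin or dsniff projects. It assumes a front end that hands it, per message, a source IP and the `X-Spam-Status` header SpamAssassin adds; the threshold, window and penalty values are illustrative assumptions, and the sample events are constructed. The blocking action is a callback (`on_penalize`), so the policy can be tested without touching any network.

```python
"""Per-source spam tally with a sliding window and a timed penalty.

Added example (not code from the original post). Scores come from
SpamAssassin's X-Spam-Status header; the penalty action is a callback.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for illustration, not numbers from the post.
SPAM_SCORE_THRESHOLD = 5.0          # SpamAssassin's default required_score
MAX_SPAM_PER_WINDOW = 3             # spam messages tolerated per window
WINDOW = timedelta(minutes=10)
PENALTY = timedelta(hours=1)

# Matches the verdict and score in a SpamAssassin X-Spam-Status header, e.g.
# "X-Spam-Status: Yes, score=12.3 required=5.0 tests=..."
_STATUS_RE = re.compile(r"X-Spam-Status:\s*(Yes|No),\s*score=(-?\d+(?:\.\d+)?)")


def parse_spam_score(header_line):
    """Return the numeric score from an X-Spam-Status header, or None."""
    m = _STATUS_RE.search(header_line)
    return float(m.group(2)) if m else None


class SpamTally:
    """Counts spam verdicts per source IP and applies a timed penalty."""

    def __init__(self, max_spam=MAX_SPAM_PER_WINDOW, window=WINDOW,
                 penalty=PENALTY, score_threshold=SPAM_SCORE_THRESHOLD,
                 on_penalize=None):
        self.max_spam = max_spam
        self.window = window
        self.penalty = penalty
        self.score_threshold = score_threshold
        self.on_penalize = on_penalize          # hypothetical blocking hook
        self._hits = defaultdict(deque)         # src_ip -> spam timestamps
        self._penalized_until = {}              # src_ip -> datetime

    def is_penalized(self, src_ip, now):
        until = self._penalized_until.get(src_ip)
        return until is not None and now < until

    def record(self, src_ip, score, now):
        """Register one scored message; return True if src_ip is penalized now.

        A penalized source is reported blocked for every message, spam or
        not, until the penalty expires (the post's "for some time").
        """
        if self.is_penalized(src_ip, now):
            return True
        if score is None or score < self.score_threshold:
            return False
        hits = self._hits[src_ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:   # drop hits outside window
            hits.popleft()
        if len(hits) > self.max_spam:
            until = now + self.penalty
            self._penalized_until[src_ip] = until
            hits.clear()
            if self.on_penalize:
                self.on_penalize(src_ip, until)
            return True
        return False


# Constructed sample: (timestamp, source IP, X-Spam-Status line) as a
# SpamAssassin-scoring front end might emit for each message it sees.
SAMPLE_EVENTS = [
    ("2003-01-01T10:00:00", "192.0.2.10", "X-Spam-Status: Yes, score=14.2 required=5.0"),
    ("2003-01-01T10:01:00", "192.0.2.10", "X-Spam-Status: Yes, score=9.8 required=5.0"),
    ("2003-01-01T10:02:00", "192.0.2.20", "X-Spam-Status: No, score=0.3 required=5.0"),
    ("2003-01-01T10:03:00", "192.0.2.10", "X-Spam-Status: Yes, score=7.1 required=5.0"),
    ("2003-01-01T10:04:00", "192.0.2.10", "X-Spam-Status: Yes, score=11.0 required=5.0"),
    ("2003-01-01T10:05:00", "192.0.2.10", "X-Spam-Status: No, score=1.0 required=5.0"),
    ("2003-01-01T11:30:00", "192.0.2.10", "X-Spam-Status: Yes, score=8.0 required=5.0"),
]


def run_sample(events=SAMPLE_EVENTS):
    """Feed the sample through the tally; return per-event decisions and penalties."""
    penalized = []
    tally = SpamTally(on_penalize=lambda ip, until: penalized.append((ip, until.isoformat())))
    decisions = []
    for ts, ip, status in events:
        now = datetime.fromisoformat(ts)
        decisions.append((ts, ip, tally.record(ip, parse_spam_score(status), now)))
    return decisions, penalized


if __name__ == "__main__":
    for ts, ip, blocked in run_sample()[0]:
        print(ts, ip, "BLOCK" if blocked else "pass")
```

In the sample, 192.0.2.10 crosses the window threshold on its fourth spam message at 10:04, every message from it is then reported blocked until 11:04 regardless of score, and a message at 11:30 starts a fresh count. Penalizing the whole source rather than individual connections is what makes the customer notice and act; the penalty timer is what keeps one burst from turning into an indefinite block without anyone reviewing it.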