>From: Kristian Koehntopp <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Message-ID: <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>Mime-Version: 1.0
>Subject: [SAtalk] Who is spamming me - a bit of statistics
>Date: Thu, 25 Sep 2003 13:45:50 +0200
>Status: RO
>
---excellent information snipped --
>
>Perhaps SpamAssassin should really maintain a list of IP numbers
>which have sent detected spam within the last n hours, and I
>should build a sendmail access table from that every night.
>
Hello Kristian,

I've been thinking, there is a transport layer access mechanism in FreeBSD called 'tcpwrappers' (man 5 hosts_access) (forgive me, I do not know if this is available in Linux or not). It takes rules in the format of

[daemon] : [host or net FQDN | IP number] : [allow | deny]

such as:

[ /etc/hosts.allow ]
# Sendmail can help protect you against spammers
# sendmail : localhost : allow
# sendmail : 192.168.0.3 : allow
# sendmail : 192.168.4. : deny
# sendmail : .nice.guy.example.com : allow
# sendmail : .evil.cracker.example.com : deny

I've been toying with the idea for a while now that one could use a script similar to your excellent template to generate tcpwrappers entries to deny access in the same fashion.

I do not know for sure if, given a choice between your suggested access policy method (access.db) and tcpwrappers, which would be more efficient; according to the tcpd(8) manpage on a FreeBSD system, inetd actually runs a proxy of sorts (tcpd) for the daemon to determine access policy for it, then hands off to the daemon if the connection is allowed.

Maybe there is potential to save some MTA load (and SA processing overhead?) by blocking the entries [generated by your template] before the MTA sees them.... ?

Given some spare time, I think I'll experiment a bit. Thanks for sharing the idea.

Guy Boyd
VTA Technologies
Atlanta, GA. USA

>If you repeat that analysis on your corpus, can you reproduce my
>results?
>
>Thought for improvement:
>
>What happens if you take only the domain names of the above
>hosts, resolve their MXes and list their mail servers - will
>that result in a better blocking closure?
>
>Kristian
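
An added example, not part of the original message and not Kristian's template: one way to turn a list of recent spam-relay sightings into tcpwrappers deny entries in the rule format quoted above. The input format (one ISO timestamp and one IPv4 address per line), the sample lines, the function name deny_rules and the NEVER_DENY ranges are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample input: "<ISO timestamp> <relay IP>" per detected spam.
SAMPLE = """\
2003-09-25T10:02:11 203.0.113.7
2003-09-25T11:40:03 203.0.113.7
2003-09-25T12:15:42 198.51.100.23
2003-09-24T01:00:00 192.0.2.99
2003-09-25T12:30:00 127.0.0.1
2003-09-25T12:31:00 192.168.0.3
2003-09-25T12:32:00 ALL : allow
""".splitlines()

# Assumed local/trusted ranges that must never end up in a deny rule.
NEVER_DENY = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]


def deny_rules(lines, now, hours=24, min_hits=1, daemon="sendmail"):
    """Return hosts.allow deny lines for IPv4 relays seen in the last `hours`."""
    cutoff = now - timedelta(hours=hours)
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # extra tokens could smuggle a rule into hosts.allow
        try:
            seen = datetime.fromisoformat(parts[0])
            ip = ipaddress.IPv4Address(parts[1])  # strict parse, IPv4 only
        except ValueError:
            continue
        if not cutoff <= seen <= now:
            continue  # outside the n-hour window
        if any(ip in net for net in NEVER_DENY):
            continue  # never lock out localhost or our own hosts
        hits[ip] = hits.get(ip, 0) + 1
    return [f"{daemon} : {ip} : deny" for ip in sorted(hits) if hits[ip] >= min_hits]


if __name__ == "__main__":
    for rule in deny_rules(SAMPLE, now=datetime(2003, 9, 25, 13, 45, 50)):
        print(rule)
```

hosts_access rules stop at the first match, so the generated deny lines have to sit above any broader allow rule for the same daemon.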