I know this has been discussed before and many people said to use bayes for
this but it'd really be nice to have an "Automatic IP Blacklist" for SA.

AWL takes this too far as spammers just use random e-mail addresses in the
from.
Bayes takes everything into consideration and does too much for what I want.

Both of those are not really suitable in an ISP environment with a site-wide
config (5k users).

I started running my own BL by pushing my spam folder into a SQL database.

When you look at all the e-mail a particular IP address sends, it's easy to
determine if you should block or not.
When you find an open proxy with hundreds of different from's like AOL,
Hotmail, Yahoo, and asdlkjasdflakhrefliu.com etc. you know to block it ;)

If SA could do this for me, it'd be even nicer ;)

One could take the average score into consideration when blocking an IP
address.  Maybe an option to block at a certain score threshold, say 10-15?
Also need an option to specify how many times an address must appear
before it's listed.  Since false positives are a problem for some of us, we
don't want to block an IP after being seen once.  I use a threshold of 15
times before blocking.

I see a way one could mess with this system, if one sent empty messages
which scored low, that would offset the average score, maybe one should look
at the average of 95 percentile.

This defeats the determined who keep sending over and over until they find a
way to bypass your filters.  If a certain IP has a bad history of sending
spam, it's more likely the e-mail you get from them will be spam.  Also, if
the address is not seen for 30-45 days, it's likely that IP is no longer a
source of spam and could be disabled from the ABL, but the records saved.
The next time they send spam, they are listed again.

Some config elements like trusted_networks would already come in handy for
something like this ;)
Some people might need a skiphops option, to skip the first x received
lines.  (internal relays etc.)

As for those people who have 10,000 domains to use for sending spam, I bet
they don't have that many open relays!

Questions, feedback, ideas, and source code are welcome ;)


Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
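
The listing rule proposed in the message above, as an added example that is not part of the original post and not SpamAssassin code. It assumes per-IP records of (time received, SA score); the function names, sample IPs and scores are constructed, and "95th percentile" is read here as the nearest-rank 95th-percentile score used in place of the mean.

```python
from datetime import datetime, timedelta

MIN_HITS = 15           # sightings before an IP may be listed (the post's value)
SCORE_THRESHOLD = 10.0  # low end of the post's suggested 10-15 range
IDLE_DAYS = 30          # low end of the post's 30-45 day idle window

def percentile(scores, pct):
    """Nearest-rank percentile (integer pct) of a non-empty list."""
    ordered = sorted(scores)
    rank = max(1, (pct * len(ordered) + 99) // 100)
    return ordered[rank - 1]

def is_listed(history, now, metric="p95"):
    """history: list of (received_at, sa_score) for one relay IP."""
    if len(history) < MIN_HITS:
        return False                      # too few sightings: avoid false positives
    if now - max(ts for ts, _ in history) > timedelta(days=IDLE_DAYS):
        return False                      # idle: delisted, but records are kept
    scores = [s for _, s in history]
    if metric == "mean":
        value = sum(scores) / len(scores)
    else:
        value = percentile(scores, 95)
    return value >= SCORE_THRESHOLD

# Constructed sample data (documentation-range IPs, made-up scores and date).
NOW = datetime(2024, 1, 1)

def msgs(n, score, days_ago):
    return [(NOW - timedelta(days=days_ago, minutes=i), score) for i in range(n)]

HISTORY = {
    "192.0.2.10": msgs(10, 18.0, 1) + msgs(10, 0.5, 1),  # spam diluted with empty mail
    "198.51.100.7": msgs(3, 20.0, 2),                     # high scores, too few sightings
    "203.0.113.5": msgs(20, 16.0, 60),                    # bad history, idle for 60 days
}

def report(metric):
    """Listing decision per IP for the chosen metric ('mean' or 'p95')."""
    return {ip: is_listed(h, NOW, metric) for ip, h in HISTORY.items()}

if __name__ == "__main__":
    for metric in ("mean", "p95"):
        print(metric, report(metric))
```

With the mean, the ten empty low-scoring messages pull 192.0.2.10 down to 9.25 and it escapes listing; the percentile metric still lists it.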


