Hello Faris, we are doing this with fail2ban in combination with spamdyke.

You can take a look at this procedure in our knowledgebase entry about this (translated by Google): http://translate.google.de/translate?u=http%3A%2F%2Fkb.web-vision.de%2Fkb%2Farticle%2F000069&sl=de&tl=en&hl=&ie=UTF-8

If you are interested I can post the settings for fail2ban here.

Regards,
Boris

On 22.08.2010 at 16:41, Faris Raouf wrote:

> I wonder if this idea might be extended in some way, so that if a message
> from a particular IP is rejected on the basis of the recipient address being
> non-existent, a badaddress counter is incremented for that IP. If badaddress
> goes above X in Y seconds then either reject or more likely tempfail for Z
> seconds. The Z seconds component will hopefully solve the risk of
> permanently blocking an IP in the case of false positives?
>
> Extending this still further and more generally, how about a general
> blacklist to which a sending IP gets added if it fails any test other than
> graylisting more than X times in Y seconds. This will reduce the number of
> DNS lookups needed to deal with mass spammings from a particular IP. The
> blacklist could be set to expire an IP after Z seconds. For those people
> using something like the APF firewall, a simple script would allow the IPs
> in the blacklist to be added to the firewall to reduce system load still
> further.
>
> I do something like the above manually. If I see loads of
> DNSRBL-type/non-existent recipient/high spamassassin scores from a
> particular IP I just add it to the firewall. Quite often I look up the ISP
> and block their entire IP ranges, especially if they are in certain parts of
> the world. After a few weeks or months I remove the IPs.
>
> In this way I reduce the number of lookups needed and reduce the system
> load. It would be nice to automate this (obviously SD won't be able to look
> at SA scores) in some way.
>
> I wonder if something like ossec-hids or bfd might be able to help identify
> IPs that send multiple messages identified as spam by spamassassin?
>
> Faris.
>
>> -----Original Message-----
>> From: [email protected] [mailto:spamdyke-users-[email protected]] On Behalf Of Sam Clippinger
>> Sent: 22 August 2010 2:45 AM
>> To: spamdyke users
>> Subject: Re: [spamdyke-users] Does one blacklisted address kill the delivery?
>>
>> Recipients are accepted or rejected individually -- in your example, the
>> blacklisted recipients would be accepted and the others would be accepted
>> (assuming they passed the other filters as well).
>>
>> It wouldn't be hard to add a flag to reject the entire message after seeing a
>> single blacklisted recipient. The only scenario I can imagine where it would
>> cause problems is: if the administrator was lazy and used the blacklist to block
>> mail to former users instead of deleting them (e.g. ex-employees) and an
>> external user (e.g. a client) sent a message to a group of addresses (e.g.
>> reply-to-all). The external user would think all of the addresses were bad;
>> there'd be no way to tell which one caused the bounce. But since enabling
>> the flag would be optional, I guess the administrator would have only himself
>> to blame...
>>
>> Anyone else have an opinion on this one?
>>
>> -- Sam Clippinger
>
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
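As an added illustration of the counter Faris describes (more than X counted rejections from one IP within Y seconds leads to a temporary block that expires after Z seconds), here is a small Python model of that logic. It is not Boris's fail2ban configuration, which is not in this thread, and not spamdyke's or fail2ban's own code. The sample log lines, the `DENIED_*` keywords, the `origin_ip:` field and the year 2010 assumed for the year-less syslog timestamps are all constructed for the example; adapt the regex to whatever the real filter writes before relying on it. Graylisting verdicts are deliberately not counted, as Faris suggests.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simplified, spamdyke-like format (an assumption,
# not the real format): two IPs, one hammering non-existent recipients.
SAMPLE_LOG = """\
Aug 22 16:40:01 mx spamdyke[4711]: DENIED_RECIPIENT_NOT_FOUND from: a@example.net to: nobody1@example.org origin_ip: 203.0.113.5
Aug 22 16:40:02 mx spamdyke[4711]: DENIED_RECIPIENT_NOT_FOUND from: a@example.net to: nobody2@example.org origin_ip: 203.0.113.5
Aug 22 16:40:03 mx spamdyke[4711]: ALLOWED from: b@example.com to: bob@example.org origin_ip: 198.51.100.7
Aug 22 16:40:04 mx spamdyke[4711]: DENIED_RECIPIENT_NOT_FOUND from: a@example.net to: nobody3@example.org origin_ip: 203.0.113.5
Aug 22 16:40:05 mx spamdyke[4711]: DENIED_GRAYLISTED from: c@example.com to: carol@example.org origin_ip: 198.51.100.7
Aug 22 16:41:30 mx spamdyke[4711]: DENIED_RECIPIENT_NOT_FOUND from: d@example.net to: nobody4@example.org origin_ip: 198.51.100.7
Aug 22 16:45:00 mx spamdyke[4711]: DENIED_RECIPIENT_NOT_FOUND from: a@example.net to: nobody5@example.org origin_ip: 203.0.113.5
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ spamdyke\[\d+\]: "
    r"(?P<verdict>\S+) .*origin_ip: (?P<ip>[\d.]+)"
)

# Verdicts that count toward a block; graylisting is intentionally excluded.
COUNTED_VERDICTS = frozenset({"DENIED_RECIPIENT_NOT_FOUND", "DENIED_RBL_MATCH"})


def parse_stamp(stamp, year=2010):
    """Syslog timestamps carry no year; 2010 is assumed to match the thread."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return (timestamp, verdict, ip) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return parse_stamp(m["ts"]), m["verdict"], m["ip"]


class RateBlocker:
    """Per-IP sliding window: > max_hits counted rejections within window_seconds
    blocks the IP for block_seconds; the block then expires on its own."""

    def __init__(self, max_hits, window_seconds, block_seconds, counted):
        self.max_hits = max_hits
        self.window = timedelta(seconds=window_seconds)
        self.block_for = timedelta(seconds=block_seconds)
        self.counted = counted
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked_until = {}         # ip -> expiry of the current block

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]  # Z seconds elapsed: lift automatically
            return False
        return True

    def observe(self, ts, verdict, ip):
        """Feed one event; True if this event started a new block."""
        if verdict not in self.counted:
            return False
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop hits older than Y seconds
            q.popleft()
        if len(q) > self.max_hits and not self.is_blocked(ip, ts):
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return True
        return False


def scan(log_text, max_hits=2, window_seconds=60, block_seconds=300):
    """Run the blocker over a log; returns (blocker, [(ip, block_start), ...])."""
    blocker = RateBlocker(max_hits, window_seconds, block_seconds, COUNTED_VERDICTS)
    triggered = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, verdict, ip = event
        if blocker.observe(ts, verdict, ip):
            triggered.append((ip, ts))
    return blocker, triggered


if __name__ == "__main__":
    blocker, triggered = scan(SAMPLE_LOG)
    for ip, started in triggered:
        print(f"{ip} blocked from {started} until {blocker.blocked_until.get(ip)}")
```

With the defaults (X=2, Y=60, Z=300) the third bad-recipient rejection from 203.0.113.5 at 16:40:04 starts a block that lapses at 16:45:04, so the rejection at 16:45:00 happens while still blocked and does not extend it; 198.51.100.7 is never blocked because its graylisting verdict is not counted. The same structure is what a fail2ban filter and jail express declaratively (a regex for the failure line, `maxretry`, `findtime` and `bantime`), which is why it maps directly onto the approach Boris mentions.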
