Or think of it as a way of SA saying "when I get twelve spams of
score 10+ from ip 208.23.118.172...I will feed the auto-expiring RBL,
which *SENDMAIL* works off of, thus keeping my *SPAMASSASSIN* load
lower." Thus a spam deluge via a dictionary attack that may take hours
is mitigated in the course of X number of mails.
I already do something similar, but I haven't bothered to take it quite
that far yet.
I use fail2ban to parse my exim logs. If an IP address hits more than 5
invalid accounts in 5 minutes, the IP is banned (fail2ban uses iptables)
for 24 hours. As well, if an IP address which is listed on Spamhaus
hits me more than twice in 5 minutes, it is banned for 24 hours. Granted,
neither of these cases usually ends up getting messages as far as
spamassassin.
I've managed to drastically reduce the amount of simultaneous
connections using this method, which was overloading the server. The
next step would be to add the "when I get twelve spams of score 10+ from
[...]" parsing. Though I hadn't thought of trying my hand at an SA
plugin, I may do that.
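
An added example of the "twelve spams of score 10+" rule feeding an auto-expiring list, not code from either poster. The log line format, the one-hour counting window and the class name are assumptions made for illustration; the 24-hour expiry is borrowed from the fail2ban ban time mentioned above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not real SpamAssassin or exim output):
#   2024-05-01T10:00:00 relay=203.0.113.7 score=14.2
LINE_RE = re.compile(r"^(\S+) relay=(\d{1,3}(?:\.\d{1,3}){3}) score=(-?\d+(?:\.\d+)?)$")

class AutoExpiringBlocklist:
    """List an IP after `threshold` high-scoring spams inside `window`; drop it after `ttl`."""

    def __init__(self, threshold=12, min_score=10.0,
                 window=timedelta(hours=1), ttl=timedelta(hours=24)):
        self.threshold, self.min_score = threshold, min_score
        self.window, self.ttl = window, ttl
        self.hits = defaultdict(deque)   # ip -> timestamps of recent high-scoring spams
        self.listed = {}                 # ip -> expiry time

    def feed(self, line):
        """Process one log line; return the IP if this line caused a new listing."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None                  # ignore anything we cannot parse
        when, ip, score = datetime.fromisoformat(m.group(1)), m.group(2), float(m.group(3))
        if score < self.min_score or self.is_listed(ip, when):
            return None
        q = self.hits[ip]
        q.append(when)
        while q and when - q[0] > self.window:
            q.popleft()                  # slide the window forward
        if len(q) >= self.threshold:
            self.listed[ip] = when + self.ttl
            del self.hits[ip]
            return ip
        return None

    def is_listed(self, ip, now):
        """True while the listing is live; expired entries are removed lazily."""
        expiry = self.listed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.listed[ip]
            return False
        return True

def sample_lines(ip="203.0.113.7", n=12, score=14.2):
    """Constructed sample input: n spams from one IP, one per minute."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    return [f"{(base + timedelta(minutes=i)).isoformat()} relay={ip} score={score}" for i in range(n)]
```

The `listed` dictionary is what would be exported to the MTA-side blocklist, so that a listed address is rejected before it reaches the scanner again.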