On Tue, 9 Oct 2007, Steven Kurylo wrote:
> Or think of it as a way of SA saying "when I get twelve spams of score 10+
> from ip 208.23.118.172...I will feed the auto-expiring RBL, which
> *SENDMAIL* works off of, thus keeping my *SPAMASSASSIN* load lower. Thus a
> spam deluge via a dictionary attack that may take hours is mitigated in the
> course of X number of mails.
I already do something similar, but I haven't bothered to take it quite that
far yet.
I use fail2ban to parse my exim logs. If an IP address hits more than 5
invalid accounts in 5 minutes, the IP is banned (fail2ban uses iptables) for
24 hours. As well, if an IP address which is listed on Spamhaus hits me
more than twice in 5 minutes, it is banned for 24 hours. Granted, neither of
these cases usually ends up getting messages as far as SpamAssassin.
I've managed to drastically reduce the number of simultaneous connections
using this method, which were overloading the server. The next step would be
to add the "when I get twelve spams of score 10+ from [...]" parsing. Though
I hadn't thought of trying my hand at an SA plugin, I may do that.
Parsing the SA logs would be easy, but the connecting IP isn't listed
there.
-Dan
--
"Man, this is such a trip"
-Dan Mahoney, October 25, 1997
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
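The two fail2ban rules described above, as an added example that is not from this thread: a sliding-window counter over constructed exim mainlog lines that returns the IPs a jail would ban and when each ban would expire. The log wording, the regexes and the `_rej` helper are assumptions, not fail2ban's own filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Patterns for exim mainlog rejection lines (assumption: log_selector and ACL
# messages vary between installs, so the wording here may need adjusting).
TS_IP = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\[(?P<ip>[\d.]+)\] "
UNKNOWN_USER = re.compile(TS_IP + r".*rejected RCPT <[^>]+>: Unrouteable address")
DNSBL_LISTED = re.compile(TS_IP + r".*rejected RCPT <[^>]+>: .*spamhaus")

def find_bans(lines, pattern, max_hits, window=timedelta(minutes=5),
              ban_time=timedelta(hours=24)):
    """Return {ip: ban_expiry} for IPs with more than max_hits matching lines
    inside a sliding window; lines from an already banned IP are skipped."""
    hits = defaultdict(deque)
    bans = {}
    for line in lines:
        m = pattern.match(line)
        if not m or m["ip"] in bans:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = hits[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # discard hits that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            bans[m["ip"]] = ts + ban_time
    return bans

# Constructed sample: 198.51.100.7 probes six unknown users in four minutes;
# 203.0.113.9 probes six but never more than three per five minutes;
# 192.0.2.44 is DNSBL listed and connects three times inside five minutes.
def _rej(ts, ip, user, reason):
    return f"{ts} H=(mx.example) [{ip}] F=<s@example.net> rejected RCPT <{user}@example.org>: {reason}"
UNR, BL = "Unrouteable address", "listed at zen.spamhaus.org"
SAMPLE_LOG = [
    _rej("2007-10-09 10:00:01", "198.51.100.7", "u1", UNR),
    _rej("2007-10-09 10:00:02", "203.0.113.9", "x1", UNR),
    _rej("2007-10-09 10:00:05", "198.51.100.7", "u2", UNR),
    _rej("2007-10-09 10:00:30", "203.0.113.9", "x2", UNR),
    _rej("2007-10-09 10:01:00", "203.0.113.9", "x3", UNR),
    _rej("2007-10-09 10:01:10", "198.51.100.7", "u3", UNR),
    _rej("2007-10-09 10:02:30", "198.51.100.7", "u4", UNR),
    _rej("2007-10-09 10:03:00", "198.51.100.7", "u5", UNR),
    _rej("2007-10-09 10:03:45", "198.51.100.7", "u6", UNR),
    _rej("2007-10-09 10:04:00", "192.0.2.44", "a", BL),
    _rej("2007-10-09 10:04:10", "192.0.2.44", "b", BL),
    _rej("2007-10-09 10:04:20", "192.0.2.44", "c", BL),
    _rej("2007-10-09 10:07:00", "203.0.113.9", "x4", UNR),
    _rej("2007-10-09 10:07:20", "203.0.113.9", "x5", UNR),
    _rej("2007-10-09 10:07:40", "203.0.113.9", "x6", UNR),
]
```

Running `find_bans(SAMPLE_LOG, UNKNOWN_USER, 5)` bans only 198.51.100.7 (the second host's hits never exceed five inside one window), and `find_bans(SAMPLE_LOG, DNSBL_LISTED, 2)` bans 192.0.2.44 on its third hit.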