>________________________________________
>From: Alex <mysqlstud...@gmail.com>
>For some time now I've been cycling URLs and IPs through a mariadb
>database gathered from incoming mail on a honeypot I've created.
>Surprising how many are received ahead of spamhaus/barracuda.

Major RBLs like that keep up with lots of data points for IP reputation over time so that can give a little extra time for normally reputable IPs that happen to have a compromised account -- which happens to us all. But if you don't detect compromised accounts on your system through feedback loops and abuse reports, then a reputable IP can eventually get listed on those major RBLs.

>Is anyone else doing this, and are you just rejecting the IPs at the
>SMTP level outright?

DNS is very effective to block at the MTA level. I set up my own private RBL on the DNS servers my SA boxes point to. Dump your IPs into an rbldnsd-formatted zone file and set up your private RBL zone (doesn't have to be a real zone on the Internet) to forward to rbldnsd. Rbldnsd will detect changes to its zone files and reload them automatically to keep current.

Then I have a nightly script that goes through my list of IPs in my private RBL to remove them if they show up in another major RBL that I use. This prevents my list from becoming stale in the event that the IP becomes delisted from the public RBLs.

In a related note, I have found that using the senderscore.org score combined with postscreen's weighting is very effective in quickly catching new spammers.

postscreen_dnsbl_sites =
        score.senderscore.com=127.0.4.[60..69]*2
        score.senderscore.com=127.0.4.[50..59]*4
        score.senderscore.com=127.0.4.[30..49]*6
        score.senderscore.com=127.0.4.[0..29]*8
        score.senderscore.com=127.0.4.[90..100]*-6
        score.senderscore.com=127.0.4.[80..89]*-4
        score.senderscore.com=127.0.4.[70..79]*-2

You should monitor your own outbound IPs for their sender score. If your IP goes below 90, it's a good indication that you have been sending spam and that your users are going to start experiencing delivery issues to the Internet.

Dave
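
One way to write the nightly prune described in the message above (an added example, not Dave's script). It assumes an ip4set-style rbldnsd zone with one IPv4 address per entry line; `rbl.example` is a placeholder for the public RBL zones you query, and `prune_zone`, `dns_listed` and the sample lines are constructed for illustration.

```python
import ipaddress
import socket

PUBLIC_ZONES = ["rbl.example"]  # placeholder: substitute the public RBL zones you use

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_listed(ip, zone):
    """True if the zone answers with an A record in 127.0.0.0/8 for this IP."""
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except OSError:
        return False  # NXDOMAIN or resolver failure: keep the private entry
    return answer.startswith("127.")

def prune_zone(lines, zones=PUBLIC_ZONES, listed=dns_listed):
    """Return (kept_lines, removed_ips) for the lines of a private zone file."""
    kept, removed = [], []
    for line in lines:
        entry = line.strip()
        # Comments, blanks, $directives, default values (:) and exclusions (!) stay.
        if not entry or entry[0] in "#;$:!":
            kept.append(line)
            continue
        token = entry.split()[0].split(":")[0]
        try:
            ip = str(ipaddress.IPv4Address(token))
        except ValueError:
            kept.append(line)  # CIDR blocks and ranges are left untouched
            continue
        if any(listed(ip, z) for z in zones):
            removed.append(ip)  # a public RBL now carries it; drop the private copy
        else:
            kept.append(line)
    return kept, removed

# Constructed sample zone content (documentation address ranges only).
SAMPLE = [
    "# private honeypot list",
    ":127.0.0.2:Listed by private honeypot",
    "192.0.2.10",
    "198.51.100.7 :127.0.0.3:url hit",
    "203.0.113.0/24",
    "!203.0.113.5",
]
```

Write the kept lines to a temporary file and rename it over the zone file, so that rbldnsd's automatic reload never picks up a half-written zone.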