homepage fixes

2006-08-28 Thread Robert Felber

Setup HOWTO as well as FAQs contained a typo/error:

check_policy_service 127.0.0.1:12525

which caused a 

Aug 27 22:50:56 machine postfix/smtpd[72739]: fatal: invalid transport name:
127.0.0.1 in service: 127.0.0.1:12525

corrected it to 

check_policy_service inet:127.0.0.1:12525

Thanks to B. Hajduk for reporting.


-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany


Policyd-weight Mailinglist - http://www.policyd-weight.org/


spam with perfect rDNS/HELO/sender match

2006-08-28 Thread /dev/rob0
I have a site with a small but heavily-spammed domain. I was relaying 
through a remote MX, but recently I set it up to be its own MX. I put 
in place all the usual strategies which used to take out 95% of the 
spam. I also set up amavisd-new with SA.

With all that, the spam kept coming. Perfect FCrDNS, in agreement with 
the HELO and sender domain. (In fact usually the HELO is the rDNS 
name.) Usually no suspicious patterns in rDNS, like too many numbers. 
These spammers came up mostly clean in RBL checks: maybe a spamcop or 
tqmcube or fivetensg hit, but never Spamhaus or DSBL or NJABL.

Even the content inspection missed these, because the URL's used were 
not yet in URIBL or SURBL.

I stopped the spam eventually, by check_client_access blocking the 
networks of the recidivists. (49 entries in a CIDR table.)

I also started using the Joewein.de spam domain list in 
check_{client,helo,sender}_access[1], which didn't help much with the 
clean gang, but as time goes on it's catching more.

The interesting thing here is that rDNS/HELO/sender match can at times 
be an indication of spam! That has important implications for 
policyd-weight and the antispam world in general.

I have a theory, however, on how these might be caught, and testing 
shows partially that I may be right.

I put Joewein.de in warn_if_reject check_{helo,sender}_{mx,ns}_access 
lookups, and occasionally I see only the warnings, and not the 
rejections.

That of course is not the same as a lookup of the IP address, which is 
why I say, partially. I've asked /dev/wife to write me a Perl script 
using Net::DNS to grab NS names from Joe's list, look up the IP 
addresses, and store the whole mess in a pgsql database. I don't know 
when that will be done. I might even dig into the Net::DNS and DBI 
documentation and try to code it myself.

Then ... the theory is that rDNS/HELO/sender match with the domain NS 
found in that list would be strong evidence, perhaps even proof, of 
spam. Working hypotheses are that the list of NS IP addresses will be 
very small, and that the overlap will be very high.


About the secrecy thing: I believe Joe Wein has already done some 
research along these lines, so I figured it doesn't matter. Also, 
despite being an open and archived list, we're low-profile here. I 
doubt the few clueful meta-spammers out there even know we exist.


[1] If anyone is interested in pulling this list from me, let me know. 
I've got 2 scripts which do the job, one as non-root to retrieve the 
file, and another as root to install and postmap(1) it.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header


Policyd-weight Mailinglist - http://www.policyd-weight.org/
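The NS-overlap check described in the post above, as an added example that is neither policyd-weight code nor the Perl/Net::DNS script /dev/rob0 mentions. The zone data, names under `.example` and the RFC 5737 addresses are constructed so the code runs offline; in practice `stub_ns` and `stub_a` would be replaced by real NS and A lookups and the resulting address set stored in a database, as the post proposes.

```python
"""Added example: is the rDNS/HELO/sender identity of a client served by a
name server that also serves domains on a spam-domain list?"""
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str], List[str]]

# Constructed sample zone data standing in for live DNS (hypothetical names,
# RFC 5737 documentation addresses). spamdomain-c is deliberately NOT on the
# list but shares a name server with domains that are.
NS_RECORDS: Dict[str, List[str]] = {
    "spamdomain-a.example": ["ns1.spamhost.example", "ns2.spamhost.example"],
    "spamdomain-b.example": ["ns1.spamhost.example"],
    "spamdomain-c.example": ["ns2.spamhost.example"],
    "legit-shop.example": ["ns1.goodhost.example"],
}
A_RECORDS: Dict[str, List[str]] = {
    "ns1.spamhost.example": ["203.0.113.10"],
    "ns2.spamhost.example": ["203.0.113.11"],
    "ns1.goodhost.example": ["198.51.100.53"],
}


def stub_ns(name: str) -> List[str]:
    """Stand-in for an NS query (assumption: replace with Net::DNS/dnspython)."""
    return NS_RECORDS.get(name.lower().rstrip("."), [])


def stub_a(name: str) -> List[str]:
    """Stand-in for an A query."""
    return A_RECORDS.get(name.lower().rstrip("."), [])


def ns_ips(name: str, resolve_ns: Resolver, resolve_a: Resolver) -> Set[str]:
    """Walk from `name` up through its parent labels until NS records exist,
    then resolve those NS names to addresses. A host such as
    mail.spamdomain-c.example has no NS of its own, so the walk lands on the
    zone that delegates it."""
    labels = name.lower().rstrip(".").split(".")
    while len(labels) >= 2:
        servers = resolve_ns(".".join(labels))
        if servers:
            return {ip for ns in servers for ip in resolve_a(ns)}
        labels = labels[1:]
    return set()


def build_bad_ns_ips(listed_domains: List[str], resolve_ns: Resolver,
                     resolve_a: Resolver) -> Set[str]:
    """Collect every NS address behind every listed domain: the set the post
    expects to be small. Persist and refresh this rather than rebuilding it
    per connection."""
    bad: Set[str] = set()
    for domain in listed_domains:
        bad |= ns_ips(domain, resolve_ns, resolve_a)
    return bad


def registered_domain(name: str) -> str:
    """Approximation: the last two labels (sufficient for the sample data;
    a public-suffix list would be needed for real zones)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def assess(client_rdns: str, helo: str, sender: str, bad_ns_ips: Set[str],
           resolve_ns: Resolver = stub_ns,
           resolve_a: Resolver = stub_a) -> Tuple[bool, Set[str]]:
    """Return (identities_agree, shared_ns_ips).

    identities_agree is the 'perfect rDNS/HELO/sender match' from the post;
    shared_ns_ips is the overlap between the NS addresses of those three
    names and the list-derived set. The post's hypothesis is that both being
    true together is strong evidence of spam, while agreement alone is not."""
    sender_domain = sender.rsplit("@", 1)[-1]
    names = [client_rdns, helo, sender_domain]
    agree = len({registered_domain(n) for n in names}) == 1
    shared: Set[str] = set()
    for n in names:
        shared |= ns_ips(n, resolve_ns, resolve_a) & bad_ns_ips
    return agree, shared


if __name__ == "__main__":
    bad = build_bad_ns_ips(["spamdomain-a.example", "spamdomain-b.example"],
                           stub_ns, stub_a)
    print(assess("mail.spamdomain-c.example", "mail.spamdomain-c.example",
                 "news@spamdomain-c.example", bad))   # (True, {'203.0.113.11'})
    print(assess("mail.legit-shop.example", "mail.legit-shop.example",
                 "orders@legit-shop.example", bad))   # (True, set())
```

Used as a scoring input, a non-empty `shared_ns_ips` would raise the score only when it coincides with the identity agreement; on its own, shared hosting of name servers is common enough that it should not be treated as proof.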


version update: version 0.1.13 beta-5

2006-08-28 Thread Robert Felber
changes:

scoring:

-   CL_IP_NE_HELO was not DNSBL influenced.

When the IP of the HELO argument couldn't be verified against the
Client IP we just gave the bad score of @client_ip_eq_helo_score
without eventually adding RBL scores.

-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany


Policyd-weight Mailinglist - http://www.policyd-weight.org/
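An added illustration of the scoring defect fixed in this release, written for this page and not taken from policyd-weight itself. The score weights, HELO A records and DNSBL hits are constructed; the point is the control flow: in the old branch a HELO/client-IP mismatch returned the fixed penalty and never added the DNSBL contribution, the fixed branch adds both.

```python
"""Added example: CL_IP_NE_HELO scoring before and after the 0.1.13 beta-5 fix."""
from typing import Dict, List

# Constructed weights (assumption; not policyd-weight's real defaults):
# score when the HELO's address matches the client IP, and when it does not.
CLIENT_IP_EQ_HELO_SCORE = -1.5
CLIENT_IP_NE_HELO_SCORE = 1.5
DNSBL_HIT_SCORE = 1.0   # constructed per-listing weight

# Constructed lookup tables standing in for DNS and DNSBL queries.
HELO_A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.25"],
    "smtp.example.org": ["192.0.2.40"],
}
DNSBL_LISTINGS: Dict[str, List[str]] = {
    "198.51.100.7": ["bl-one.constructed.example", "bl-two.constructed.example"],
}


def helo_matches_client(client_ip: str, helo: str) -> bool:
    """True when the client IP is among the HELO name's A records."""
    return client_ip in HELO_A_RECORDS.get(helo.lower(), [])


def dnsbl_score(client_ip: str) -> float:
    """Sum of listing weights for the client IP."""
    return DNSBL_HIT_SCORE * len(DNSBL_LISTINGS.get(client_ip, []))


def score_before_fix(client_ip: str, helo: str) -> float:
    """Old behaviour: a mismatching HELO short-circuits to the fixed penalty,
    so a listed client with a bad HELO scores no higher than an unlisted one."""
    if not helo_matches_client(client_ip, helo):
        return CLIENT_IP_NE_HELO_SCORE
    return CLIENT_IP_EQ_HELO_SCORE + dnsbl_score(client_ip)


def score_after_fix(client_ip: str, helo: str) -> float:
    """Fixed behaviour: the HELO verdict and the DNSBL evidence are
    independent and always both counted."""
    base = (CLIENT_IP_EQ_HELO_SCORE if helo_matches_client(client_ip, helo)
            else CLIENT_IP_NE_HELO_SCORE)
    return base + dnsbl_score(client_ip)


if __name__ == "__main__":
    # Listed client claiming a HELO whose address is not its own.
    print(score_before_fix("198.51.100.7", "mail.example.net"))  # 1.5
    print(score_after_fix("198.51.100.7", "mail.example.net"))   # 3.5
```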


Re: spam with perfect rDNS/HELO/sender match

2006-08-28 Thread Robert Felber
On Mon, Aug 28, 2006 at 09:37:24AM -0500, /dev/rob0 wrote:
> I put Joewein.de in warn_if_reject check_{helo,sender}_{mx,ns}_access 
> lookups, and occasionally I see only the warnings, and not the 
> rejections.
> 
> That of course is not the same as a lookup of the IP address, which is 
> why I say, partially. I've asked /dev/wife to write me a Perl script 
> using Net::DNS to grab NS names from Joe's list, look up the IP 
> addresses, and store the whole mess in a pgsql database. I don't know 
> when that will be done. I might even dig into the Net::DNS and DBI 
> documentation and try to code it myself.
> 
> Then ... the theory is that rDNS/HELO/sender match with the domain NS 
> found in that list would be strong evidence, perhaps even proof, of 
> spam. Working hypotheses are that the list of NS IP addresses will be 
> very small, and that the overlap will be very high.

I currently understand joewein as an RHSBL list, is that correct?
And, we receive the NS record of each domain, and compare it against the
NS record of the Sender|HELO|Client Domain?

In short - we need an RBL which lists spammers' NS.


-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany


Policyd-weight Mailinglist - http://www.policyd-weight.org/