Re: [spamdyke-users] Does one blacklisted address kill the delivery?

2010-08-22 Thread Faris Raouf
I wonder if this idea might be extended in some way, so that if a message
from a particular IP is rejected on the basis of the recipient address being
non-existent, a badaddress counter is incremented for that ip. If badaddress
goes above X in Y seconds then either reject or more likely tempfail for Z
seconds. The Z seconds component will hopefully solve the risk of
permanently blocking an IP in the case of false positives?

Extending this still further and more generally, how about a general
blacklist to which a sending IP gets added if it fails any test other than
graylisting more than X times in Y seconds. This will reduce the number of
DNS lookups needed to deal with mass spammings from a particular IP. The
blacklist could be set to expire an IP after Z seconds. For those people
using something like the APF firewall, a simple script would allow the IPs
in the blacklist to be added to the firewall to reduce system load still
further.

I do something like the above manually. If I see loads of
DNSRBL-type/non-existent recipient/high spamassassin scores from a
particular IP I just add it to the firewall. Quite often I look up the ISP
and block their entire IP ranges, especially if they are in certain parts of
the world. After a few weeks or months I remove the IPs.

In this way I reduce the number of lookups needed and reduce the system
load. It would be nice to automate this (obviously SD won't be able to look
at SA scores) in some way.

I wonder if something like ossec-hids or bfd might be able to help identify
IPs that send multiple messages identified as spam by spamassassin?

Faris.


> -----Original Message-----
> From: spamdyke-users-boun...@spamdyke.org [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf Of Sam Clippinger
> Sent: 22 August 2010 2:45 AM
> To: spamdyke users
> Subject: Re: [spamdyke-users] Does one blacklisted address kill the delivery?
>
> Recipients are accepted or rejected individually -- in your example, the
> blacklisted recipients would be accepted and the others would be accepted
> (assuming they passed the other filters as well).
>
> It wouldn't be hard to add a flag to reject the entire message after seeing a
> single blacklisted recipient.  The only scenario I can imagine where it would
> cause problems is: if the administrator was lazy and used the blacklist to block
> mail to former users instead of deleting them (e.g. ex-employees) and an
> external user (e.g. a client) sent a message to a group of addresses (e.g.
> reply-to-all).  The external user would think all of the addresses were bad;
> there'd be no way to tell which one caused the bounce.  But since enabling
> the flag would be optional, I guess the administrator would have only himself
> to blame...
>
> Anyone else have an opinion on this one?
>
> -- Sam Clippinger


___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
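The X-in-Y-seconds counter with Z-second expiry proposed above, written out as a small Python model that replays spamdyke-style rejection log lines. This is an added example, not spamdyke's, fail2ban's or the poster's code: the syslog-style line layout, the DENIED_* reason names and the "origin_ip:" field are assumptions made for the example, and the sample log lines are constructed. Graylisting denials are deliberately not counted, since a graylist tempfail is the normal retry path for a legitimate sender rather than evidence of abuse.

```python
"""Sliding-window counter for spamdyke rejections per sending IP.

Added example (not spamdyke's, fail2ban's or the poster's code). It models the
X-in-Y-seconds proposal: once an IP has accumulated max_hits denials from any
test except graylisting within `window` seconds, further connections from it are
tempfailed for `block_for` seconds, after which the block expires on its own so
a false positive cannot lock an IP out permanently.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input. The lines are modelled on syslog-style spamdyke
# DENIED_* entries with an "origin_ip:" field; the exact field layout and the
# reason codes are assumptions for this example, not a spec of spamdyke's log.
SAMPLE_LOG = """\
Aug 22 10:15:01 mx spamdyke[4101]: DENIED_RBL_MATCH from: a@example.net to: u1@example.com origin_ip: 203.0.113.7
Aug 22 10:15:03 mx spamdyke[4102]: DENIED_GRAYLISTED from: b@example.org to: u2@example.com origin_ip: 198.51.100.4
Aug 22 10:15:05 mx spamdyke[4103]: DENIED_INVALID_RECIPIENT from: a@example.net to: nobody@example.com origin_ip: 203.0.113.7
Aug 22 10:15:09 mx spamdyke[4104]: DENIED_INVALID_RECIPIENT from: a@example.net to: ghost@example.com origin_ip: 203.0.113.7
Aug 22 10:15:10 mx spamdyke[4105]: DENIED_INVALID_RECIPIENT from: a@example.net to: old@example.com origin_ip: 203.0.113.7
Aug 22 10:20:00 mx spamdyke[4110]: DENIED_RBL_MATCH from: c@example.net to: u1@example.com origin_ip: 198.51.100.4
Aug 22 11:00:00 mx spamdyke[4120]: DENIED_RBL_MATCH from: a@example.net to: u1@example.com origin_ip: 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"DENIED_(?P<reason>[A-Z_]+) .*?origin_ip: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
EPOCH = datetime(1900, 1, 1)  # strptime without a year defaults to 1900


def parse_line(line):
    """Return (seconds, reason, ip) for a DENIED_* line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    # Relative seconds are all the window arithmetic needs; a real daemon
    # would use time.time() at the moment the rejection happens.
    return (ts - EPOCH).total_seconds(), m.group("reason"), m.group("ip")


class RepeatOffenderTracker:
    """Count denials per IP in a sliding window and tempfail repeat offenders."""

    def __init__(self, max_hits, window, block_for, ignored=("GRAYLISTED",)):
        self.max_hits = max_hits        # X: denials tolerated inside the window
        self.window = window            # Y: window length in seconds
        self.block_for = block_for      # Z: how long a block lasts in seconds
        self.ignored = set(ignored)     # tests that are a normal retry path, not evidence
        self.hits = defaultdict(deque)  # ip -> timestamps of counted denials
        self.blocked_until = {}         # ip -> time at which its block expires

    def is_blocked(self, ip, now):
        """True while the IP's block is in force; expired blocks are dropped here."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            self.hits[ip].clear()  # clean slate after Z seconds, so false positives heal
            return False
        return True

    def record(self, ip, now, reason):
        """Feed one denial; return the verdict the SMTP session should give."""
        if self.is_blocked(ip, now):
            return "TEMPFAIL"  # a 4xx response, so a legitimate sender simply retries later
        if reason in self.ignored:
            return "REJECT"    # graylisting already answered with a 4xx; don't count it
        window = self.hits[ip]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()   # forget denials older than Y seconds
        if len(window) >= self.max_hits:
            self.blocked_until[ip] = now + self.block_for
            return "TEMPFAIL"
        return "REJECT"

    def blocked_ips(self, now):
        """IPs currently blocked; a cron script could push these into the firewall."""
        return sorted(ip for ip in list(self.blocked_until) if self.is_blocked(ip, now))


def replay(log_text, max_hits=3, window=60, block_for=600):
    """Run the tracker over a log; return ({ip: [verdicts...]}, tracker)."""
    tracker = RepeatOffenderTracker(max_hits, window, block_for)
    verdicts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, reason, ip = parsed
        verdicts[ip].append(tracker.record(ip, now, reason))
    return dict(verdicts), tracker


if __name__ == "__main__":
    results, tracker = replay(SAMPLE_LOG)
    for ip, decisions in results.items():
        print(ip, decisions)
```

With the defaults (3 denials in 60 seconds, block for 600 seconds), 203.0.113.7 is tempfailed from its third denial onwards and is back to normal handling by 11:00, while 198.51.100.4 never crosses the threshold because its graylist denial is not counted. The three knobs map directly onto fail2ban's `maxretry`, `findtime` and `bantime` jail settings, which is why a fail2ban filter over the spamdyke log gives the same behaviour without a custom daemon; feeding `blocked_ips()` into a firewall table is the part that actually saves the DNS lookups and system load mentioned above.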


Re: [spamdyke-users] Does one blacklisted address kill the delivery?

2010-08-22 Thread Boris Hinzer
Hello Faris,

we do this with fail2ban in combination with spamdyke.

You can take a look at this procedure in our knowledgebase entry about it
(translated by Google):
http://translate.google.de/translate?u=http%3A%2F%2Fkb.web-vision.de%2Fkb%2Farticle%2F69&sl=de&tl=en&hl=&ie=UTF-8

If you are interested I can post the settings for fail2ban here.

Regards,

Boris


On 22.08.2010 at 16:41, Faris Raouf wrote:

> I wonder if this idea might be extended in some way, so that if a message
> from a particular IP is rejected on the basis of the recipient address being
> non-existent, a badaddress counter is incremented for that ip. If badaddress
> goes above X in Y seconds then either reject or more likely tempfail for Z
> seconds. The Z seconds component will hopefully solve the risk of
> permanently blocking an IP in the case of false positives?
>
> Extending this still further and more generally, how about a general
> blacklist to which a sending IP gets added if it fails any test other than
> graylisting more than X times in Y seconds. This will reduce the number of
> DNS lookups needed to deal with mass spammings from a particular IP. The
> blacklist could be set to expire an IP after Z seconds. For those people
> using something like the APF firewall, a simple script would allow the IPs
> in the blacklist to be added to the firewall to reduce system load still
> further.
>
> I do something like the above manually. If I see loads of
> DNSRBL-type/non-existent recipient/high spamassassin scores from a
> particular IP I just add it to the firewall. Quite often I look up the ISP
> and block their entire IP ranges, especially if they are in certain parts of
> the world. After a few weeks or months I remove the IPs.
>
> In this way I reduce the number of lookups needed and reduce the system
> load. It would be nice to automate this (obviously SD won't be able to look
> at SA scores) in some way.
>
> I wonder if something like ossec-hids or bfd might be able to help identify
> IPs that send multiple messages identified as spam by spamassassin?
>
> Faris.
 
 -Original Message-
 From: spamdyke-users-boun...@spamdyke.org [mailto:spamdyke-users-
 boun...@spamdyke.org] On Behalf Of Sam Clippinger
 Sent: 22 August 2010 2:45 AM
 To: spamdyke users
 Subject: Re: [spamdyke-users] Does one blacklisted address kill the
 delivery?
 
 Recipients are accepted or rejected individually -- in your example, the
 blacklisted recipients would be accepted and the others would be accepted
 (assuming they passed the other filters as well).
 
 It wouldn't be hard to add a flag to reject the entire message after
 seeing a
 single blacklisted recipient.  The only scenario I can imagine where it
 would
 cause problems is: if the administrator was lazy and used the blacklist to
 block
 mail to former users instead of deleting them (e.g. ex-employees) and an
 external user (e.g. a client) sent a message to a group of addresses (e.g.
 reply-to-all).  The external user would think all of the addresses were
 bad;
 there'd be no way to tell which one caused the bounce.  But since enabling
 the flag would be optional, I guess the administrator would have only
 himself
 to blame...
 
 Anyone else have an opinion on this one?
 
 -- Sam Clippinger
 
 
 ___
 spamdyke-users mailing list
 spamdyke-users@spamdyke.org
 http://www.spamdyke.org/mailman/listinfo/spamdyke-users



[spamdyke-users] What firewalls do you use?

2010-08-22 Thread BC

Was wondering what firewall programs you folks use with your 
OS/qmail/spamdyke setups?

For example, for years now I've used FreeBSD/qmail/spamdyke with the 
ipfw firewall.

I'm planning to change from ipfw to pf (which comes from OpenBSD) as 
the firewall.  They work in fundamentally different ways.  Anyone have 
trouble using pf with their qmail/spamdyke setup?

Thanks,

Bucky



Re: [spamdyke-users] What firewalls do you use?

2010-08-22 Thread Carlos Herrera Polo
Endian firewall (community)


2010/8/22, BC bc...@purgatoire.org:

> Was wondering what firewall programs you folks use with your
> OS/qmail/spamdyke setups?
>
> For example, for years now I've used FreeBSD/qmail/spamdyke with the
> ipfw firewall.
>
> I'm planning to change from ipfw to pf (which comes from OpenBSD) as
> the firewall.  They work in fundamentally different ways.  Anyone have
> trouble using pf with their qmail/spamdyke setup?
>
> Thanks,
>
> Bucky



-- 
Sent from my mobile device


Re: [spamdyke-users] What firewalls do you use?

2010-08-22 Thread Dnk
Good ol' iptables managed with fwbuilder.



On 2010-08-22, at 11:07 AM, Carlos Herrera Polo carlos.herrerap...@gmail.com wrote:

> Endian firewall (community)


Re: [spamdyke-users] Does one blacklisted address kill the delivery?

2010-08-22 Thread Faris Raouf
Thanks Boris. Yes please!

Faris.

> If you are interested I can post the settings for fail2ban here.
>
> Regards,
>
> Boris

