I wonder if this idea might be extended in some way, so that if a message
from a particular IP is rejected on the basis of the recipient address being
non-existent, a badaddress counter is incremented for that IP. If badaddress
goes above X in Y seconds then either reject or more likely tempfail for Z
seconds. The Z seconds component will hopefully solve the risk of
permanently blocking an IP in the case of false positives?

Extending this still further and more generally, how about a general
blacklist to which a sending IP gets added if it fails any test other than
graylisting more than X times in Y seconds. This will reduce the number of
DNS lookups needed to deal with mass spammings from a particular IP. The
blacklist could be set to expire an IP after Z seconds. For those people
using something like the APF firewall, a simple script would allow the IPs
in the blacklist to be added to the firewall to reduce system load still
further.

I do something like the above manually. If I see loads of
DNSRBL-type/non-existent recipient/high spamassassin scores from a
particular IP I just add it to the firewall. Quite often I look up the ISP
and block their entire IP ranges, especially if they are in certain parts of
the world. After a few weeks or months I remove the IPs.

In this way I reduce the number of lookups needed and reduce the system
load. It would be nice to automate this (obviously SD won't be able to look
at SA scores) in some way.

I wonder if something like ossec-hids or bfd might be able to help identify
IPs that send multiple messages identified as spam by spamassassin?

Faris.
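The per-IP counter proposed above (more than X rejections in Y seconds leads to a tempfail for Z seconds, after which the IP starts clean), and its generalisation to any failed test other than greylisting, can be sketched as a sliding-window tracker. The following is an added example and not spamdyke code or anything from this thread: the class name, the result labels in the constructed log records, and the thresholds are assumptions of the illustration. It also shows the expiry step that keeps a false positive from turning into a permanent block.

```python
"""Sliding-window per-IP failure counter with a self-expiring temporary block.

Added example, not spamdyke's own code.  Names, thresholds and the
constructed log records below are assumptions for illustration only.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class FailureTracker:
    """Count rejections per IP inside a rolling window; block for a fixed time."""

    def __init__(self, max_failures: int, window_seconds: float, block_seconds: float):
        self.max_failures = max_failures   # X: failures tolerated inside the window
        self.window = window_seconds       # Y: length of the rolling window
        self.block_for = block_seconds     # Z: how long a triggered block lasts
        self._events: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while a block is active; an expired block is forgotten on the spot."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Block expired: drop the history so a false positive does not linger.
            del self._blocked_until[ip]
            self._events.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one rejection for ip; return True if ip is (now) blocked."""
        if self.is_blocked(ip, now):
            return True
        q = self._events[ip]
        q.append(now)
        cutoff = now - self.window
        while q and q[0] < cutoff:          # slide the window forward
            q.popleft()
        if len(q) > self.max_failures:
            self._blocked_until[ip] = now + self.block_for
            return True
        return False

    def blocked_ips(self, now: float) -> List[str]:
        """IPs currently blocked, e.g. to hand to a firewall script."""
        return sorted(ip for ip in list(self._blocked_until) if self.is_blocked(ip, now))


# Constructed result labels.  Greylisting is deliberately NOT counted, as proposed.
COUNTED = {"bad-recipient", "dnsrbl", "bad-helo"}


def process_log(records: Iterable[Tuple[float, str, str]],
                tracker: FailureTracker) -> List[Tuple[float, str, str]]:
    """Replay (timestamp, ip, result) records and return the decision per record.

    A blocked IP gets 'tempfail' straight away, so no further lookups are spent.
    """
    decisions = []
    for ts, ip, result in records:
        if tracker.is_blocked(ip, ts):
            decisions.append((ts, ip, "tempfail"))
            continue
        if result in COUNTED:
            tracker.record_failure(ip, ts)
        decisions.append((ts, ip, result))
    return decisions


def run_demo() -> List[Tuple[float, str, str]]:
    """Constructed sample: X=3 failures in Y=60 s triggers a Z=300 s block."""
    tracker = FailureTracker(max_failures=3, window_seconds=60, block_seconds=300)
    records = [
        (0, "192.0.2.10", "bad-recipient"),
        (5, "192.0.2.10", "bad-recipient"),
        (10, "192.0.2.10", "greylisted"),      # not counted
        (15, "192.0.2.10", "dnsrbl"),
        (20, "192.0.2.10", "bad-recipient"),   # 4th counted failure: block until t=320
        (25, "192.0.2.10", "ok"),              # would have passed, but is tempfailed
        (30, "198.51.100.7", "bad-recipient"), # other IPs are unaffected
        (330, "192.0.2.10", "ok"),             # block expired, accepted again
    ]
    return process_log(records, tracker)


if __name__ == "__main__":
    for ts, ip, decision in run_demo():
        print(f"t={ts:>4}  {ip:<14} {decision}")
```

The tracker only counts outcomes the caller puts in `COUNTED`, so the same object serves both the narrow bad-recipient counter and the broader "anything except greylisting" blacklist; `blocked_ips()` is the list a firewall-export script would read.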


> -----Original Message-----
> From: spamdyke-users-boun...@spamdyke.org [mailto:spamdyke-users-
> boun...@spamdyke.org] On Behalf Of Sam Clippinger
> Sent: 22 August 2010 2:45 AM
> To: spamdyke users
> Subject: Re: [spamdyke-users] Does one blacklisted address kill the
> delivery?
> 
> Recipients are accepted or rejected individually -- in your example, the
> blacklisted recipients would be accepted and the others would be accepted
> (assuming they passed the other filters as well).
> 
> It wouldn't be hard to add a flag to reject the entire message after
> seeing a single blacklisted recipient.  The only scenario I can imagine
> where it would cause problems is: if the administrator was lazy and used
> the blacklist to block mail to former users instead of deleting them
> (e.g. ex-employees) and an external user (e.g. a client) sent a message
> to a group of addresses (e.g. reply-to-all).  The external user would
> think all of the addresses were bad; there'd be no way to tell which one
> caused the bounce.  But since enabling the flag would be optional, I
> guess the administrator would have only himself to blame...
> 
> Anyone else have an opinion on this one?
> 
> -- Sam Clippinger


_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users