Scott wrote:
[EMAIL PROTECTED] wrote:

Is there any way to set courier to automagically blacklist an IP that has tried to contact multiple IDs to see if they are valid after a few attempts? I'm trying to save cycles from dealing with these attacks.

Presumably Courier's teergrube should be effective against these kinds of attacks. There's not much documentation on it, but basically with each successive delivery failure from the same IP address Courier responds slower and slower to the sending machine (up to some maximum slowness). I've never seen the teergrube in action though; does it look like it's not working for you?


Much more often, though, what you see is a boatload of zombies from different IP addresses trying to get through. In that case you're going to be better off using the DNSBLs as Scott mentioned.


In a pinch, I've found that the SpamHaus XBL-RBL is almost as good.  Add:
BLACKLISTS='-block=sbl-xbl.spamhaus.org,BLOCK'

I suppose this is straying a little bit from the original question, but since the topic of blacklists came up, it's worth sharing: I've found that using the following five blacklists, coupled with a clamav filter, will virtually eliminate junk mail:


    sbl-xbl.spamhaus.org
    dnsbl.sorbs.net
    bl.spamcop.net
    cn-kr.blackholes.us
    list.dsbl.org

Here are some stats from one day last week:

  SPAM:        5119         [Total caught by blacklists and clamav]
  spamhaus:    2568  (50%)  [Total caught by spamhaus]
  sorbs:       1097  (21%)  [...]
  spamcop:     591   (12%)
  blackholes:  818   (16%)
  dsbl:        45    (1%)
  VIRUSES:     44           [What clamav caught that blacklists missed]
  NON-SPAM:    999   (16%)  [Mail that actually got through]


These stats are for a few locally hosted domains. My personal domain (karmak.org) had 1266 messages blocked that day: 137 were to me ([EMAIL PROTECTED]), and the other 1129 were to random addresses, suggesting dictionary attacks. This is pretty typical, and I usually see 2-5 spams per day actually get through to me. This is a 97-99% block rate just based on spam that I would have received. If you look at it against the 1266 total (where you include the blocks to random addresses that would have been delivery failures anyway), it's more like a 99.5-99.9% block rate.


In my experience, despite what I heard about blacklists, the false positive rate has been very low. And since the block occurs at the SMTP transaction, the sender is immediately notified if there is a problem (unlike with client-side statistical filters). I've only known three people over the past several months to have trouble contacting me:

- #1 was a guy who actually spams people, and he got himself on a blacklist. No sympathy there.

- #2 was a girl who was trying to mail me from her work address, which was running an insecure mail server (open proxy). I told her what the problem was, she told someone at work, and would you believe it - they went and fixed their mail server.

- #3 was my father who was trying to send mail from an Exchange server that was sitting on a dynamic IP address. I had him send his mail out the ISP's mail server instead. (Really I believe this was the cable company's fault for apparently allocating a business-class static IP address from a dynamic block, but I didn't feel like spending hours on the phone with the cable company trying to fix the problem.)

I've also found that once you politely explain to people why they are blacklisted, they do not get angry or blame you. People generally understand that if they are blacklisted, then it's a problem on their end, not yours. But then I don't use blacklists run by crazy people who block entire networks based on one bad IP address either (won't mention any names here...)

YMMV, but IMO using a few good blacklists is going to be waaaay simpler and more effective than a home-grown IP logging script or trying to block individual IP addresses on your own.

m.
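
Added example, not part of the original message: when a sender reports being blocked, as in the three cases above, this shows the lookup a DNSBL check performs so you can tell which of the five zones lists their address. The IPv4 octets are reversed, the zone is appended, and an A-record answer in 127.0.0.0/8 means listed. The function names, the `FAKE_DNS` table and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
import socket

# The five zones named in the message above.
ZONES = [
    "sbl-xbl.spamhaus.org",
    "dnsbl.sorbs.net",
    "bl.spamcop.net",
    "cn-kr.blackholes.us",
    "list.dsbl.org",
]
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None if the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listed_in(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: answer} for every zone that lists ip.

    Only answers inside 127.0.0.0/8 count as a listing; any other
    answer, or no answer at all, is treated as not listed.
    """
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in LISTED_NET:
            hits[zone] = answer
    return hits

# Constructed sample data: a stand-in resolver so the example runs offline.
FAKE_DNS = {
    "2.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
    "2.2.0.192.bl.spamcop.net": "127.0.0.2",
    "2.2.0.192.dnsbl.sorbs.net": "203.0.113.9",  # non-127 answer: not a listing
}

if __name__ == "__main__":
    for ip in ("192.0.2.2", "192.0.2.3"):
        print(ip, listed_in(ip, resolve=FAKE_DNS.get) or "not listed")
```

Calling `listed_in(ip)` without the `resolve` argument performs real DNS queries through the system resolver.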



