Markus , I started already doing this ,but the problem here is that when you have a dynamic IP list You can not change it on IMAIL on the fly You have to stop and restart The smtp services Thats Why i am using a firewall here.
Rifat ----- Original Message ----- From: "Markus Gufler" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, June 16, 2003 4:37 PM Subject: RE: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration At the moment we've running hourly a scheduled vb-script that filters out any error lines of the imail logfile and send it via email to the postmaster For example: ====================================== FROM TO [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] ====================================== So we can see which of our customers has forgot to activate the SMTP-Authentication (if outgoing), or which delivery attempts failed (if incomming). But back to the idea of blocking incomming smtp-connections of known spammer-IP's: Wouldn't it be great if someone writes a small tool with the following function: 1.) gathers all Sender-IP's from the declude logfile with a certain weight. (for example 200% of the hold value) 2.) maintains a list of this IP-Adresses and removes them after a certain time that no new spam with the same IP was catched 3.) creates a IP-blocklist for Imail so that it can block any furter smtp-connection attempt from this spamming IP's Markus > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Rifat Levis > Sent: Monday, June 16, 2003 2:52 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude > firewall integration integration > > > Hi Bill , > > I wrote a small VB program . > ---------------------------------- > Here is more details about the system. > > I am using the KIWI syslog server software to send the logs > to the SQL You can specify in IMAIL syslogs server ip > address .(IF you run KIWI on the same machine ,you have to > stop IMAIL syslog ) > > I have wrote a small Visual Basic Program which scan the SQL > database for " ERR .... INVALID USER " lines every 2 min. > > And my little program Open a telnet connection to the > firewall ADD the ip address to block . Then the program > remove the ip address after 1 hour. > > On my firewall i wrote a global policie group to deny access > to port 25 So the software add the ip address and specify > that it belong to that group lls. > > I decided also to integrate DECLUDE JUNKMAIL with my > firewall. For weight over 20 i will block for 1 hour For > weight over 30 will block for 2 hour And so on. > > Rifat > > > > > > ----- Original Message ----- > From: "Bill B." <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, June 16, 2003 3:11 PM > Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude > firewall integration integration > > > Rifat, > > What software are you using to do the tarpitting? Are you > running it on the same server as IMail, or on a separate box? > > Bill > > > -----Original Message----- > From: "Rifat Levis" > Sent: Mon, 16 Jun 2003 02:01:45 +0300 > Subject: [Declude.JunkMail] DSN:Tarpitting and declude > firewall integration > > > > People intersted in tarpitting and Declude firewall > integration can read this. > > > > I just finished the tarpitting protection for my IMAIL server > I am sending logs to the kiwi syslog server and forwarding it > to SQL to analyse data > > When in a 2 min period a single ip send mail to more than 5 > unknown account I am blocking the ip address on my netscreen > firewall for 1 hour. > > > The next step of this is to integrate Declude to the firewall > > I have 3 weight > weight 10 warn > weight 15 warn > weight 20 delete > > Instead of deleting weight 20 i will forward it to an account > to send data to SQL analyse it and then block it for 1 hour . > > NOTE : I am sure that KAMI will be interested :) > > Best Regards > Rifat Levis > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the > Declude.JunkMail mailing list. To unsubscribe, just send an > E-mail to [EMAIL PROTECTED], and type "unsubscribe > Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > > > > --- > [This E-mail was scanned > for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be > found at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the > Declude.JunkMail mailing list. To unsubscribe, just send an > E-mail to [EMAIL PROTECTED], and type "unsubscribe > Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
