Dan Geiser wrote:

Hey, Matt,
I have an IPFILE with about 300 class C addresses in it. It grows a little
bigger every day. It seems that some IPs blocks have basically been ceded
to the spammers which is fine by me. It makes them much easier to filter
out if they keep using the same IP addresses over and over.


I've seen a few of these and invariably over time there comes a need to start expiring entries that are no longer being used. It's hard to imagine that most hosts would allow a spammer to take up their IP space for that long, and new customers would end up populating it which might cause problems. I found one class C that was shared between a very well known ROKSO spammer and Excite. I'm guessing that this will start to cause them problems soon enough, but I would prefer to only block verifiable spam blocks and not the whole class C's. SenderBase helps a lot with identifying the extent of the current addresses being used, but reverse DNS for surrounding IP's can expose more and detect potential problems when you find an unassociated domain sharing the space. This is for the most part too time consuming for me right now. A scanner of some type might make the job much easier though, and I think there are some people here that could make quick work of the tasks with a bit of programming.

I use per-domain spam filtering. My current HOLD weights range from 5 to
10. My current DELETE weight is 40. Entries in my IPFILE are given 12
points. My plan is to break the IPs for the "Capital Letter" spammer out
into a separate file with maybe a weight of 24 or so.


I misstated that I only wanted to fail these guys, actually I want to push them over my DELETE weight for now so that reviewing is easier, and in the future as traffic to my server grows, I would like to block them with IMail's control list to save bandwidth and processing power.

Currently I'm not doing ANY spam filtering based on content. I'm using the
default tests for DJM. I have added about 4 IP4R tests which aren't part of
the default. And I have 4 main custom tests. One IPFILE, one FROMFILE, and
2 FILTER files. One FILTER file has common known spamming domains which
show up in the HELO part of the conversation. The other FILTER file has
common known spamming domains which show up in the REVDNS. I assign each
test 12 points. Typically failure of only 2 of these will not push someone
above the DELETE weight. Failure of three typically will.


The only shortcoming of that system is that it won't catch some of the crud spammers that are using virus infected machines to send mail from. I'm one of the people that believes that these guys, who are already breaking the law, will grow and grow to become even more problematic over time. Perma-blocking a hacked server or workstation is problematic. Some day I would like to look at a way to refresh my list and remove unused entries automatically. It's nice to know that such a method can be so effective in your environment. If I'm successful in selling gateway services, capacity will become much more of an issue.

I found out what a ROKSO spammer is, http://www.spamhaus.org/rokso/. Cool
information. How did you know this particular one was ROKSO based on the
SenderBase entry?


It was linked from SenderBase :) Honestly, I've just started exploring this area myself, though I think there is a lot of interest among some of us users and I'm kind of amazed that places like SBL lack listings for some very high volume spammers that are known from different IP's. A little automated traffic analysis should expose these guys in a heartbeat.

Andy, sorry for burying this, but I assume that this works on Windows also with Dnscmd.exe, or is this just something that you've done with unix? Nice trick nevertheless!

Matt
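An added example, not code from the thread or from Declude, of the automatic IPFILE refresh Matt describes: each block is kept only if the mail log shows a hit from it within a chosen idle window. It assumes an IPFILE line is "<network> <netmask>" with optional "#" comments and that the hit log is one "<YYYY-MM-DD> <sender-ip>" line per connection; both samples below are constructed.

```python
"""Expire IPFILE blocks that have not produced a hit recently.

Assumed IPFILE format: "<network> <netmask>" per line, '#' comments.
Assumed hit log format: "<YYYY-MM-DD> <sender-ip>" per connection.
"""
import ipaddress
from datetime import date, timedelta

# Constructed sample IPFILE (documentation ranges, not real spammers).
IPFILE = """\
192.0.2.0 255.255.255.0      # "Capital Letter" spammer block
198.51.100.0 255.255.255.0   # ceded block, still sending
203.0.113.0 255.255.255.0    # no hits for months, candidate to expire
"""

# Constructed sample hit log extracted from the mail server log.
HITLOG = """\
2004-03-01 192.0.2.17
2004-03-02 192.0.2.99
2004-01-05 198.51.100.4
2003-10-20 203.0.113.8
"""

def parse_ipfile(text):
    """Return the list of networks in an IPFILE, ignoring comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, mask = line.split()
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def last_hit(nets, log):
    """Map each network to the most recent date a sender fell inside it."""
    seen = {n: None for n in nets}
    for line in log.splitlines():
        day, ip = line.split()
        d, addr = date.fromisoformat(day), ipaddress.ip_address(ip)
        for n in nets:
            if addr in n and (seen[n] is None or d > seen[n]):
                seen[n] = d
    return seen

def expire(nets, log, today, max_idle_days):
    """Split networks into (keep, drop) by last hit relative to today."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_idle_days)
    seen = last_hit(nets, log)
    keep = [n for n in nets if seen[n] is not None and seen[n] >= cutoff]
    return keep, [n for n in nets if n not in keep]

if __name__ == "__main__":
    keep, drop = expire(parse_ipfile(IPFILE), HITLOG, "2004-03-03", 60)
    print("keep:", [str(n) for n in keep], "drop:", [str(n) for n in drop])
```

Blocks in `drop` can be moved to a review file rather than deleted outright, so a block that goes quiet and then resumes is easy to restore.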


---
This E-mail came from the Declude.JunkMail mailing list. The archives can be found at http://www.mail-archive.com.
