On Wed, 18 Apr 2007, Vincent Fleming wrote: ; Here's what I did: I decided to track spam scores (a running total) and ; a timestamp (of the last spam detection). If a ipaddr's spamscore gets ; over a certain number (I picked 20), I reject connections in ; mlfi_connect(). I implemented an auto-delisting by deducting 1 point ; per day, so they won't stay on the blacklist forever, and then track the ; number of times I delist them. I weight their scores thereafter with ; the number of times they've been delisted, so they'll re-list ; automatically if they continue to send spam, and list for longer each ; time. (I multiply the spamcore of all new messages by the number of ; times I've delisted them.)
This is an interesting approach. Do you really mean running total though? That would mean that 10 messages scoring 2 would trigger the blacklist. A normalised total sum(score - 5) would make more sense here. Thanks, Andy
