-------- Original Message --------
> Date: Fri, 31 Jul 2009 11:17:24 -0700
> From: "Michael Watkins" <[email protected]>
> To: [email protected]
> Subject: Re: [Dspam-user] RBL Configuration

> On Fri, July 31, 2009 10:32, Steve wrote:
> > That Geo-IP patch you are talking about can be easily avoided. Just use
> > stock policyd-weight and DNSBL functionality to increase score for them.
> > If you are from Europe then you could use lookups to *.countries.nerd.dk
> > and all others could use lookups to *.countries.blackholes.us.
>
> I used to use nerd.dk/blackholes.us; am not completely sure why I stopped
> - I didn't log the reason. I have a vague recollection that I was seeing
> problems with certain addresses/blocks not being accurately reported by
> nerd where geoip was more up to date at the time.
>
> While I am a bit of an efficiency geek, I doubt I implemented the patch
> for that reason, although doing one lookup rather than several is always
> appealing to me.
>
> > So in your case I would use:
> > # Give a better score to our Canadian mail servers
> > 'ca.countries.nerd.dk', -1.00, 0.00, 'NERD-CA',
> > # Set the bar higher for some high-rate spam countries
> > 'vn.countries.nerd.dk', 0.00, 2.00, 'NERD-VN',
>
> Indeed I have always done that regardless of the method of IP location
> identification -- very little spam hits me from CA sources; I give US
> servers a minor negative score just so they show up in the output.
>
> > But it does not stop here. Wanting to set the bar high for certain ASN? No
> > problem (just an example):
> > 'AS5617.rbl.cluecentral.net', 2.500, 0.00, 'AS5617', # Telekomunikacja Polska S.A.
> > 'AS4134.rbl.cluecentral.net', 1.606, 0.00, 'AS4134', #
>
> Aha, now there is a new use I'd not "clued" into - weighting by ASN.
> Thanks!
>
> In addition to the usual offenders in CN, KR, VN, BR I have a particular
> hate on for TPNET in Poland.
>
> /mw goes off to adjust policyd-weight.conf accordingly.
>
> > But I have as well patched my policyd-weight. Added p0f integration,
>
> (will I make it through that gauntlet? my firewall blocks such queries!)
>
> > additional sender based reputation lookups,
>
> > S25R rules, etc...
>
> Ok, something new for me - I wasn't aware of that initiative.
>
> /mw heads for a quick read of:
> http://www.gabacho-net.jp/en/anti-spam/paper.html
>
> I too have extended the regex tests associated with the "seems like
> dialup" rejection / test of $revhost. I'll steal some ideas from the rule
> sets discussed in the paper.
>
> > It's kind of hard to not patch since Robert has stopped developing it
> > any further.
>
> Agreed. It seems that policyd-weight will live on in various patches and
> permutations and that isn't altogether a bad thing. It works, is simple (a
> good thing) and is reliable, and for those reasons I don't feel like
> diving into the postfix "firewall" alternative.
>
> Because it works I don't have to muck with policyd-weight very much, but
> as I don't do much work in Perl, each time I do open up the script I have
> been tempted to rewrite policyd-weight in Python. Of course I'd only do
> that if there was some longer term benefit in doing so. I can think of
> some integration I'd like to do with spam reporting / feeding /
> maintaining my firewall's blocked ip table, some country analysis for
> interest sake (and perhaps auto-adjusting the weighting rules) - just to
> name a few.
>

btw: Since you are using Geo-IP... I could extend the Geo-IP patch to allow
scoring by distance. I came to that idea after reading about SNARE
(http://www.technologyreview.com/communications/23086/). It is actually
pretty easy to do the calculation of the distance. Just out of curiosity I
coded quickly a Perl script using Geo::IP to extract the latitude and
longitude of your host (solutionroute.ca) and the same info for
www.sourceforge.net and then display some info (so I just know that I did it
right in Geo::IP) and then compute the distance in Kilometers.

This is the result:
-------
Info for www.sourceforge.net
Country Code: US
Country Code3: USA
Country Name: United States
Region: CA
Region (Name): California
City: Mountain View
Postal Code: 94041
Latitude: 37.3885
Longitude: -122.0741
Time Zone: America/Los_Angeles
Area Code: 650
Continent Code: NA
Continent Name: North America
Metro Code: 807

Info for solutionroute.ca
Country Code: US
Country Code3: USA
Country Name: United States
Region: MO
Region (Name): Missouri
City: Kansas City
Postal Code: 64106
Latitude: 39.1068
Longitude: -94.5660
Time Zone: America/Chicago
Area Code: 816
Continent Code: NA
Continent Name: North America
Metro Code: 616

Distance in Km: 2400.5724862323
-------

I used the freely available GeoLiteCity.dat
(http://geolite.maxmind.com/download/geoip/database/) to get the extended
data.

I have not added that yet to policyd-weight but I am really tempted to add
it. What I don't know yet is how to make the lookup table? The problem I see
with the lookup table is that I just have the distance and I need to score
if a certain distance is reached but look at this example:
----
@distance_score = (
# DISTANCE IN KM, NO MATCH, MATCH, LOG NAME
  "1000",  -0.50, 0.50, "1000_KM",
  "2000",  -0.50, 1.00, "2000_KM",
  "4000",  -0.50, 1.50, "4000_KM",
  "8000",  -0.50, 2.00, "8000_KM",
  "16000", -0.50, 2.50, "16000_KM",
);
----

What should the score be for a distance of 2500 Km? Probably 1.00? Or should
it be 1.50 since it matches the 1000 Km AND it matches 2000 Km? Or should it
be 0.00 since it matches the 1000 Km AND it matches 2000 Km but it DOES NOT
match the 4000 Km and the 8000 Km and the 16000 Km? How would you expect the
matching to work?

Since I have as well the continent data I could do a scoring by continent as
well.
Maybe something like that:
@continent_score = (
# CONTINENT, NO MATCH, MATCH, LOG NAME
  'AF',  0.00, 0.50, 'Africa',
  'AS',  0.00, 2.00, 'Asia',
  'EU', -1.00, 0.00, 'Europe',
  'NA',  0.00, 1.00, 'North_America',
  'OC',  0.00, 0.50, 'Oceania',
  'SA',  0.00, 0.50, 'South_America',
);

That might be another additional benefit in using the Geo-IP module. What do
you think? Could that be something useful?

> Cheers
> Mike
>

// Steve
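
The distance calculation and the three ways of reading @distance_score that the message asks about (the 1.00, 1.50 and 0.00 candidates for 2500 Km), as an added Perl example that is not part of the original message, of policyd-weight, or of the Geo-IP patch. The haversine formula, the 6371 km Earth radius, treating "reached" as >=, and the sub names are assumptions made here; the coordinates and table values are the ones printed in the message.

```perl
use strict;
use warnings;

# Added example (not policyd-weight code). Table as posted: km, NO MATCH, MATCH, name.
my @distance_score = (
    1000,  -0.50, 0.50, '1000_KM',
    2000,  -0.50, 1.00, '2000_KM',
    4000,  -0.50, 1.50, '4000_KM',
    8000,  -0.50, 2.00, '8000_KM',
    16000, -0.50, 2.50, '16000_KM',
);

# Split the flat list into [km, no_match, match, name] rows (ascending, as posted).
sub rows {
    my @flat = @distance_score;
    my @rows;
    push @rows, [ splice(@flat, 0, 4) ] while @flat;
    return @rows;
}

# Haversine great-circle distance; the 6371 km mean Earth radius is an assumption.
sub distance_km {
    my $rad = atan2(1, 1) / 45;    # pi / 180
    my ($lat1, $lon1, $lat2, $lon2) = map { $_ * $rad } @_;
    my $h = sin(($lat2 - $lat1) / 2) ** 2
          + cos($lat1) * cos($lat2) * sin(($lon2 - $lon1) / 2) ** 2;
    return 2 * 6371 * atan2(sqrt($h), sqrt(1 - $h));
}

# Reading 1: only the highest threshold reached contributes its MATCH score.
sub score_highest {
    my ($km) = @_;
    my ($hit) = grep { $km >= $_->[0] } reverse rows();
    return $hit ? $hit->[2] : 0;
}

# Readings 2 and 3: sum MATCH for every threshold reached; if $misses, add NO MATCH too.
sub score_sum {
    my ($km, $misses) = @_;
    my $score = 0;
    $score += $km >= $_->[0] ? $_->[2] : ($misses ? $_->[1] : 0) for rows();
    return $score;
}

# Coordinates as printed in the message, followed by the 2500 km case it asks about.
for my $km (distance_km(37.3885, -122.0741, 39.1068, -94.5660), 2500) {
    printf "%.1f km: highest=%.2f sum=%.2f sum_with_misses=%.2f\n",
        $km, score_highest($km), score_sum($km, 0), score_sum($km, 1);
}
```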
