Good answer Brandon. We also use RBLs (our users can opt out) and this cuts down over 60% of our potential messages delivered (based on RBL blocks v. delivered messages) based on last week's stats. We use TrendMicro (was MAPS) and Spamhaus. TrendMicro has a newer QIL which is designed to be used to tempfail connections; addresses on there are short lived and they target botnets.
I believe Spamhaus is still free for small sites.
DSPAM is great filtering software, and highly effective when
trained. We get pretty good accuracy even when using a shared global
dictionary. But the user burden of checking the quarantine is high
and many users don't do it. We have some giant Spam folders on our
email servers, and the 'cost' of FPs is high. We try to reduce the
acceptance of spam and then filter the remainder (multi-layered
solution).
Also filtering is expensive server-wise, rejecting connections based
on IPs is much cheaper. We process over 5 million connections per day.
gab
On Aug 22, 2007, at 6:49 PM, Brandon Macmillan wrote:
Surely you are joking? So the first time that an AOL user sends you a
single spam email you want to stop receiving email from ALL AOL users?
Talk about swatting a fly with a flamethrower. Or do you want to block
it based upon the sender's original IP address from the message
headers?
You know that spammers usually forge those? You're just going to end up
blocking the large legitimate email providers and not stop the army of
spam zombies that are out there. You would be better off implementing
something like a DNSBL or DHUL list on your firewall. We (a med/large
ISP) block any email from Dynamic IP addresses; this greatly cuts down
on the spam zombie traffic.
Also remember that with iptables the longer your table is the more
"hops" that the packets must pass through before hitting your -j ACCEPT
rule. If you implement it as you suggested below, your iptables table will
grow and grow and grow, and your network performance and latency will get
worse and worse and worse.
Brandon
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Raj
Sent: Wednesday, August 22, 2007 12:09 PM
To: [email protected]
Subject: [dspam-users] blocking ips of spam source in firewall
Hi

I want to block the IPs of spam sources immediately, as soon as DSPAM
detects them as spam.

DSPAM does log these IPs correctly into my /var/log/maillog file, so I
know that things are working correctly.

On the Linux console I use the following command to block an IP
address:

/sbin/iptables -I INPUT -s 111.111.111.111 -j DROP

This code snippet below is from the DSPAM source, i.e. the dspam.c file
in the src directory. The variable called "ip" contains the IP address
which is logged to the maillog file.

I understand that just a single line is required after the last line
to execute the command, but I am not sure of the C syntax.

Can someone help me?
###########
int tracksource(DSPAM_CTX *CTX) {
  char ip[32];

  /* dspam_getsource() fills ip[] with the message's source address */
  if (!dspam_getsource (CTX, ip, sizeof (ip)))
  {
    /* only act once enough innocent mail has been seen by this user */
    if (CTX->totals.innocent_learned + CTX->totals.innocent_classified > 2500) {
      /* the TrackSources option must include "spam" for this branch */
      if (CTX->result == DSR_ISSPAM &&
          _ds_match_attribute(agent_config, "TrackSources", "spam")) {
        FILE *file;
        char dropfile[MAX_FILENAME_LENGTH];

        LOG (LOG_INFO, "spam detected from %s", ip);
###########
thanks
raj
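As an added example (not DSPAM project code and not from anyone in this thread), here is the shape the "single line" Raj asks about should take if one does decide to run iptables from tracksource(). The point is the invocation, not the policy: the address string came from the SMTP session and ends up in a command, so it is validated with inet_pton() and passed as a separate argv element through fork()/execv() rather than interpolated into a system() string, and loopback and RFC 1918 ranges are refused so a misconfigured relay cannot firewall the server off its own LAN. The function names blockable_ipv4(), build_drop_argv() and block_source() are hypothetical, and IPTABLES_PATH is the path from Raj's message. Brandon's caveats still apply: this does nothing about forged headers or an ever-growing rule table, so a threshold and an expiry belong in front of block_source() in any real deployment.

```c
/* Added example, not DSPAM source: safely turning a logged source IP
 * into an iptables DROP rule. All names below are assumptions. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define IPTABLES_PATH "/sbin/iptables"   /* path used in Raj's message */
#define MAX_ARGS 8

/* Return 1 if s is a well-formed dotted-quad IPv4 address that is
 * neither loopback nor RFC 1918 private space; 0 otherwise.
 * Strict parsing matters: the string originates from the SMTP session
 * and will become a command-line argument. */
int blockable_ipv4(const char *s)
{
    struct in_addr a;
    if (s == NULL || inet_pton(AF_INET, s, &a) != 1)
        return 0;
    uint32_t h = ntohl(a.s_addr);
    if ((h >> 24) == 127)     return 0;   /* 127.0.0.0/8   */
    if ((h >> 24) == 10)      return 0;   /* 10.0.0.0/8    */
    if ((h >> 20) == 0xAC1)   return 0;   /* 172.16.0.0/12 */
    if ((h >> 16) == 0xC0A8)  return 0;   /* 192.168.0.0/16 */
    return 1;
}

/* Fill argv for "iptables -I INPUT -s <ip> -j DROP", the rule Raj runs
 * by hand. Each token is its own element, so no shell ever parses the
 * address. Returns the argument count, or -1 if the IP is refused. */
int build_drop_argv(const char *ip, const char *argv[MAX_ARGS])
{
    if (!blockable_ipv4(ip))
        return -1;
    argv[0] = IPTABLES_PATH;
    argv[1] = "-I";
    argv[2] = "INPUT";
    argv[3] = "-s";
    argv[4] = ip;
    argv[5] = "-j";
    argv[6] = "DROP";
    argv[7] = NULL;
    return 7;
}

/* Execute the rule with fork()/execv() instead of system(). Returns the
 * iptables exit status, or -1 if the IP was refused or exec failed. */
int block_source(const char *ip)
{
    const char *argv[MAX_ARGS];
    if (build_drop_argv(ip, argv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                       /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-alone dry run: print the command that would be executed for the
 * address given on the command line (default: Raj's sample address). */
int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : "111.111.111.111";
    const char *cmd[MAX_ARGS];
    int n = build_drop_argv(ip, cmd);
    if (n < 0) {
        fprintf(stderr, "refusing to block %s\n", ip);
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%s ", cmd[i]);
    printf("\n");
    return 0;
}
```

Inside tracksource() the call would simply be `block_source(ip);` after the LOG line, but the process running DSPAM then needs the privilege to modify the firewall, which is a good reason to prefer writing the address to a file and letting a separate, privileged job apply and later expire the rules.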