Hello,

I have not explained the full details on the list in my previous email. The point is that I noted that spam source IPs keep repeating 4-5 times immediately one after another, and there are 100s of such instances. I wish to block those only and not all IPs, so it will require some coding using a MySQL database.

Secondly, you say "We (a med/large ISP) block any email from Dynamic IP addresses." My question is: how do you determine whether an IP is in a Dynamic IP address pool?

rajesh

---------- Original Message ----------------------------------
From: "Brandon Macmillan" <[EMAIL PROTECTED]>
Date: Wed, 22 Aug 2007 15:49:44 -0700

>Surely you are joking? So the first time that an AOL user sends you a
>single spam email you want to stop receiving email from ALL AOL users?
>Talk about swatting a fly with a flamethrower. Or do you want to block
>it based upon the sender's original IP address from the message headers?
>You know that spammers usually forge those? You're just going to end up
>blocking the large legitimate email providers and not stop the army of
>spam zombies that are out there. You would be better off implementing
>something like a DNSBL or DHUL list on your firewall. We (a med/large
>ISP) block any email from Dynamic IP addresses, this greatly cuts down
>on the spam zombie traffic.
>
>Also remember that with IP tables the longer your table is the more
>"hops" that the packets must pass through before hitting your -j ACCEPT
>rule, if you implement it as you suggested below your IP Table will grow
>and grow and grow and your network performance and latency will get
>worse and worse and worse.
>
>Brandon
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Raj
>Sent: Wednesday, August 22, 2007 12:09 PM
>To: [email protected]
>Subject: [dspam-users] blocking ips of spam source in firewall
>
>Hi
>
>I want to block the IPs of spam sources immediately, as soon as dspam
>detects them as spam.
>
>dspam logs these IPs correctly into my /var/log/maillog file, so I
>know that things are working correctly.
>
>On the Linux console I use the following command to block an IP address:
>
>/sbin/iptables -I INPUT -s 111.111.111.111 -j DROP
>
>The code snippet below is from the dspam source, i.e. the dspam.c file
>in the src directory.
>
>The variable called "ip" contains the IP address which is logged to the
>maillog file.
>
>I understand that just a single line is required after the last line to
>execute the command, but I am not sure of the C syntax.
>
>Can someone help me?
>
>###########
>
>int tracksource(DSPAM_CTX *CTX) {
>  char ip[32];
>
>  if (!dspam_getsource (CTX, ip, sizeof (ip)))
>  {
>    if (CTX->totals.innocent_learned + CTX->totals.innocent_classified > 2500) {
>      if (CTX->result == DSR_ISSPAM &&
>          _ds_match_attribute(agent_config, "TrackSources", "spam")) {
>        FILE *file;
>        char dropfile[MAX_FILENAME_LENGTH];
>        LOG (LOG_INFO, "spam detected from %s", ip);
>
>
>###########
>
>thanks
>raj
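
For the question in the original message (running the iptables command for "ip" from C) together with the follow-up about sources that repeat 4-5 times, here is an added example; it is not part of the thread and not dspam code. It validates the address with inet_pton(), counts repeats in an in-memory table that stands in for the MySQL database, and builds the command as an argv vector instead of a shell string; should_block, build_drop_argv, BLOCK_AFTER and MAX_SOURCES are names assumed for the example.

```c
/* Added example (not dspam code): gate and validate a source IP before use. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_AFTER 4    /* assumption: the "4-5 times" repeat from the thread */
#define MAX_SOURCES 256  /* assumption: in-memory stand-in for the MySQL table */

static struct { struct in_addr addr; int hits; } seen[MAX_SOURCES];
static int nseen;

/* Accept only a dotted-quad IPv4 address; header text with anything else
 * in it (spaces, ';', hostnames) is rejected. */
static int parse_source(const char *ip, struct in_addr *out) {
    return ip != NULL && inet_pton(AF_INET, ip, out) == 1;
}

/* Count one spam hit. Returns 1 only on the hit that reaches BLOCK_AFTER,
 * so each address is added to the firewall at most once. */
int should_block(const char *ip) {
    struct in_addr a;
    if (!parse_source(ip, &a)) return 0;
    for (int i = 0; i < nseen; i++)
        if (seen[i].addr.s_addr == a.s_addr)
            return ++seen[i].hits == BLOCK_AFTER;
    if (nseen == MAX_SOURCES) return 0;  /* table full: do not block */
    seen[nseen].addr = a;
    seen[nseen++].hits = 1;
    return BLOCK_AFTER == 1;
}

/* Fill argv for execv(). The address is re-rendered from the parsed value
 * into canon, never copied from the header text. Returns 0 on success. */
int build_drop_argv(const char *ip, char *canon, const char *argv[8]) {
    struct in_addr a;
    if (!parse_source(ip, &a) || !inet_ntop(AF_INET, &a, canon, INET_ADDRSTRLEN))
        return -1;
    const char *fixed[8] = { "/sbin/iptables", "-I", "INPUT", "-s", canon, "-j", "DROP", NULL };
    memcpy(argv, fixed, sizeof fixed);
    return 0;
}

int main(void) {  /* dry run over constructed sample addresses */
    const char *ips[] = { "111.111.111.111", "111.111.111.111", "203.0.113.9;x",
                          "111.111.111.111", "111.111.111.111" };
    char canon[INET_ADDRSTRLEN]; const char *argv[8];
    for (size_t i = 0; i < sizeof ips / sizeof ips[0]; i++)
        if (should_block(ips[i]) && build_drop_argv(ips[i], canon, argv) == 0)
            printf("would exec: %s %s %s %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3], argv[4], argv[5], argv[6]);
    return 0;
}
```

In tracksource() the two calls would sit after the LOG line, with the filled argv handed to fork() and execv() rather than to system(). Brandon's point about a growing INPUT chain still applies to every rule inserted this way.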
