We use the SORBS Dynamic User and Host List (DUHL) http://www.au.sorbs.net/faq/dul.shtml
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raj
Sent: Wednesday, August 22, 2007 10:34 PM
To: [email protected]
Subject: RE: [dspam-users] blocking ips of spam source in firewall

Hello,

I have not explained the full details on the list in my previous email.

The point is that I noted that spam source IPs keep repeating 4-5 times immediately one after another, and there are 100s of such instances. I wish to block those only and not all IPs. So it will require some coding using a MySQL database.

Secondly, you say "We (a med/large ISP) block any email from Dynamic IP addresses,"

My question is: how do you determine whether an IP is in a Dynamic IP address pool?

rajesh

---------- Original Message ----------------------------------
From: "Brandon Macmillan" <[EMAIL PROTECTED]>
Date: Wed, 22 Aug 2007 15:49:44 -0700

>Surely you are joking? So the first time that an AOL user sends you a
>single spam email you want to stop receiving email from ALL AOL users?
>Talk about swatting a fly with a flamethrower. Or do you want to block
>it based upon the sender's original IP address from the message headers?
>You know that spammers usually forge those? You're just going to end up
>blocking the large legitimate email providers and not stop the army of
>spam zombies that are out there. You would be better off implementing
>something like a DNSBL or DUHL list on your firewall. We (a med/large
>ISP) block any email from Dynamic IP addresses, this greatly cuts down
>on the spam zombie traffic.
>
>Also remember that with IP tables the longer your table is the more
>"hops" that the packets must pass through before hitting your -j ACCEPT
>rule, if you implement it as you suggested below your IP Table will
>grow and grow and grow and your network performance and latency will
>get worse and worse and worse.
>
>Brandon
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Raj
>Sent: Wednesday, August 22, 2007 12:09 PM
>To: [email protected]
>Subject: [dspam-users] blocking ips of spam source in firewall
>
>Hi
>
>I want to block the IPs of spam sources immediately, as soon as dspam
>detects them as spam.
>
>dspam does log these IPs correctly into my /var/log/maillog file, so
>I know that things are working correctly.
>
>On the Linux console I use the following command to block an IP address:
>
>/sbin/iptables -I INPUT -s 111.111.111.111 -j DROP
>
>This code snippet below is from the dspam source, i.e. the dspam.c file in the
>src directory.
>
>The variable called "ip" contains the IP address which is logged to the
>maillog file.
>
>I understand that just a single line is required after the last line to
>execute the command, but I am not sure of the C syntax.
>
>Can someone help me?
>
>###########
>
>int tracksource(DSPAM_CTX *CTX) {
>  char ip[32];
>
>  if (!dspam_getsource (CTX, ip, sizeof (ip)))
>  {
>    if (CTX->totals.innocent_learned + CTX->totals.innocent_classified > 2500) {
>      if (CTX->result == DSR_ISSPAM &&
>          _ds_match_attribute(agent_config, "TrackSources", "spam")) {
>        FILE *file;
>        char dropfile[MAX_FILENAME_LENGTH];
>        LOG (LOG_INFO, "spam detected from %s", ip);
>
>
>###########
>
>thanks
>raj
>
>
>
> !DSPAM:30,46cd1783249431513770212!
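
The two concerns raised in this thread (block only sources that repeat back to back, and keep the iptables chain from growing) can be met together; the sketch below is an added example, not code from the thread or from dspam. It validates the header-derived address strictly, fires once when the same source reaches a streak of 4, and adds it to an ipset with a timeout by exec'ing ipset directly instead of passing the string to a shell. Assumptions: a set created with `ipset create spamsrc hash:ip timeout 3600` and matched by a single `iptables -I INPUT -m set --match-set spamsrc src -j DROP` rule; the set name, the ipset path and the helper names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define IPSET_PATH "/usr/sbin/ipset" /* assumption: path differs per distro */
#define SET_NAME   "spamsrc"         /* hypothetical set name */
#define THRESHOLD  4                 /* the "4-5 times" from the thread */

/* Last spam source seen and how many times in a row it appeared. */
struct streak { char ip[INET_ADDRSTRLEN]; int count; };

/* Accept only a strict dotted-quad literal; the string comes from message
 * headers, so anything else is rejected before it gets near a command. */
int valid_ipv4(const char *ip) {
    struct in_addr a;
    return ip != NULL && inet_pton(AF_INET, ip, &a) == 1;
}

/* Record one spam hit. Returns 1 once, when the streak reaches THRESHOLD;
 * 0 for any other valid hit; -1 if ip is not a valid IPv4 literal. */
int note_spam(struct streak *s, const char *ip) {
    if (!valid_ipv4(ip)) return -1;
    if (strcmp(s->ip, ip) == 0) {
        s->count++;
    } else {
        snprintf(s->ip, sizeof s->ip, "%s", ip);
        s->count = 1;
    }
    return s->count == THRESHOLD;
}

/* Fill argv for: ipset add spamsrc <ip> timeout 3600 -exist */
int block_argv(const char *ip, const char *argv[8]) {
    const char *t[] = { "ipset", "add", SET_NAME, ip,
                        "timeout", "3600", "-exist", NULL };
    if (!valid_ipv4(ip)) return -1;
    memcpy(argv, t, sizeof t);
    return 0;
}

/* Run ipset directly (no shell). Returns its exit status, or -1 on error. */
int block_ip(const char *ip) {
    const char *argv[8];
    int status;
    pid_t pid;
    if (block_argv(ip, argv) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) { execv(IPSET_PATH, (char *const *)argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

ipset needs CAP_NET_ADMIN, so block_ip() only works from a process that holds it; entries expire on their own after the timeout, so the set stays bounded.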
