I was just thinking about whether to block so many IPs or not. I was aware that this was a spammer-originating block, but, you know, I was still reluctant. But thanks for the advice, I will proceed now.
If they are abusing you, block 'em, and don't look back.
For your to-block-or-not-block quandary, note that Advanced IMGate has a reactive blocking script that blocks IPs and Class Cs that send above a threshold qty of msgs to unknown recipients. The addresses are added to the mta_clients_dict file (dict_ionary attack) only if they don't have a PTR (some blocked IPs later obtain a PTR, but, "sorry, too late. Your past behavior has convicted you.").
On one site, here are the current numbers of IPs and Class Cs blocked in that file (it is updated every hour):
mx1# egrep -ic "554.*ip" /etc/postfix/mta_clients_dict.map
62132 ... blocked IPs.
mx1# egrep -ic "554.*classc" /etc/postfix/mta_clients_dict.map
3812 ... blocked Class Cs.
For the first 4 hours of Tue:
mx1# less /var/tmp/spam-stats.rpt
1 ACL [EMAIL PROTECTED]
2 SMTP invalid [EMAIL PROTECTED]
7 ACL to_local_recipients unknown recipient
9 SMTP Exceeded Hard Error Limit after HELO
9 ACL SAV: new verification in progress
19 ACL provider PTR and ccTLD sender domain
20 ACL from_senders_bw
21 SMTP Invalid HELO hostname
22 SMTP Exceeded Hard Error Limit after END-OF-MESSAGE
24 SMTP Exceeded Hard Error Limit after RSET
24 ACL helo_hostnames
29 ACL provider PTR and ccTLD HELO
44 DNS no A/MX for @recipient.domain
58 DNS timeout for MTA PTR hostname (forged @sender.domain)
69 SMTP invalid [EMAIL PROTECTED]
76 SMTP Exceeded Hard Error Limit after MAIL
177 ACL unk PTR and ccTLD
203 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
277 ACL mta_clients_bw
310 SMTP unqualified HELO hostname
311 ACL SAV: unverifiable sender address
381 RBL dnsbl.njabl.org
460 SMTP unauthorized pipelining
470 SMTP Exceeded Hard Error Limit after CONNECT
546 RBL blackhole.securitysage.com
954 ACL from_senders_imgfx
1125 ACL MAIL FROM: ccTLD from unknown PTR
1201 ACL No PTR for big ISP HELO hostname
1776 RBL bl.spamcop.net
2625 ACL SAV: undeliverable sender address
3252 DNS no A/MX for @sender.domain
3446 RBL sbl.spamhaus.org
3597 RBL dynamic.rhs.mailpolice.com
4288 RBL list.dsbl.org
4544 ACL unauthorized relay
5233 ACL greylist initial reject
6006 ACL MAIL FROM: bigISP forged
13494 SMTP HELO hostname is IP
19778 SMTP Exceeded Hard Error Limit after DATA
21588 RBL block.rhs.mailpolice.com
47187 ACL mta_clients_dict <<<<<<<<<<<<<<<
228242 SMTP Exceeded Hard Error Limit after RCPT
470600 ACL to_relay_recipients unknown recipient
=======================
842505 TOTAL rejects (99% reject rate outside of business hours)

So our _dict filter is over twice as effective as the next most effective filter (mailpolice).
The _dict filter runs right after the reject_unknown_recipient filter. So, the 47K _dict rejects above have gotten past the reject_unknown_recipient filter simply because these abusive IPs are also sending to our known recipients.
When we turned on the _dict filter on this MX, the SAV rejects (forged sender) and greylisting rejects (don't re-send after 4xx reject) plummeted, another indication that the _dict "behavioral" filter (behavior: sending to unknown recipients) corresponds very well with IPs sending forged [EMAIL PROTECTED] and IPs that aren't real MTAs (because they don't re-try, are probably infected machines or spam farms).
_dict side effect: wouldn't the _dict filter block MTAs that run sender_address_verification against our MX, and thereby "send" us lots of msgs to unknown/forged recipients?
Yes, but ONLY if the SAV_ing MTAs don't have a PTR. Have a PTR, and you can run SAV against our MX all you want without negative effects.
The implicit message to Internet: "Get a PTR or, welcome to the precipice of our blackhole."
Len
_____________________________________________________________________ http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
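The reactive blocking Len describes (count unknown-recipient rejects per IP and per Class C, block offenders that lack a PTR, never unblock) can be sketched as a small log-driven script. The following is an added example written for this thread, not IMGate's own mta_clients_dict script; it assumes Postfix-style smtpd "User unknown" reject lines, takes Postfix's "unknown[ip]" client form as the no-PTR signal, treats a Class C as the IP's first three octets (which Postfix access maps match as a network pattern), and invents the thresholds, the map text and the sample traffic.

```python
"""Reactive 'dictionary attack' blocker for a Postfix MX (constructed example).

Counts smtpd 'User unknown' RCPT rejects per client IP and per /24 (Class C)
and emits access(5) map entries returning 554 for offenders with no PTR.
Clients whose reverse DNS resolves are never added, and entries already in
the map are kept, so obtaining a PTR later does not unblock anyone.
"""
import re
from collections import Counter

# Postfix logs the client as hostname[ip]; 'unknown' means the reverse lookup
# failed, which is the 'no PTR' signal this script keys on (assumption).
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+?)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"550 \S+ <[^>]*>: Recipient address rejected: User unknown"
)

IP_THRESHOLD = 5       # unknown-recipient rejects before a single IP is blocked
CLASSC_THRESHOLD = 10  # rejects summed over PTR-less IPs in one /24

# Map text is invented; it keeps '554' plus 'ip'/'classc' so the egrep counts
# shown in the thread would work against it.
ACTION = {"ip": "554 blocked: dictionary attack (ip)",
          "classc": "554 blocked: dictionary attack (classc)"}

LOG_TEMPLATE = ("Jan 10 03:0{i}:00 mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
                "{host}[{ip}]: 550 5.1.1 <nobody{i}@example.com>: Recipient address "
                "rejected: User unknown in relay recipient table; from=<x@example.net> "
                "to=<nobody{i}@example.com> proto=ESMTP helo=<{ip}>")

# Constructed traffic: (client hostname as Postfix logs it, IP, reject count).
SAMPLE_CLIENTS = [
    ("unknown", "203.0.113.7", 3), ("unknown", "203.0.113.8", 3),
    ("unknown", "203.0.113.9", 3), ("unknown", "203.0.113.10", 2),
    ("unknown", "192.0.2.5", 5),                 # single IP over threshold
    ("mail.example.org", "198.51.100.20", 8),    # has a PTR: exempt
    ("unknown", "192.0.2.66", 2),                # below both thresholds
]

# Constructed pre-existing map: one IP blocked in an earlier run.
EXISTING_MAP = "203.0.113.200\t554 blocked: dictionary attack (ip)\n"


def sample_log():
    """Render the constructed client list as Postfix smtpd log lines."""
    return "\n".join(LOG_TEMPLATE.format(host=h, ip=ip, i=i)
                     for h, ip, n in SAMPLE_CLIENTS for i in range(n))


def tally_rejects(log_text):
    """Return ({ip: reject count}, {ip: has_ptr}) from smtpd log lines."""
    counts, has_ptr = Counter(), {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        counts[ip] += 1
        # any sighting with a real hostname marks the IP as having a PTR
        has_ptr[ip] = has_ptr.get(ip, False) or m.group("host") != "unknown"
    return counts, has_ptr


def decide_blocks(counts, has_ptr, ip_threshold=IP_THRESHOLD,
                  classc_threshold=CLASSC_THRESHOLD):
    """Return {access-map pattern: 'ip' | 'classc'} for new entries."""
    classc = Counter()
    for ip, n in counts.items():
        if not has_ptr[ip]:                      # PTR holders never count
            classc[ip.rsplit(".", 1)[0]] += n
    blocks = {net: "classc" for net, n in classc.items() if n >= classc_threshold}
    for ip, n in counts.items():
        net = ip.rsplit(".", 1)[0]
        # skip PTR holders, IPs already covered by a /24 entry, and low counts
        if has_ptr[ip] or net in blocks or n < ip_threshold:
            continue
        blocks[ip] = "ip"
    return blocks


def merge_map(existing_text, blocks):
    """Append new entries to the access map; existing entries are never removed."""
    lines = [l for l in existing_text.splitlines() if l.strip()]
    present = {l.split()[0] for l in lines}
    for pattern in sorted(blocks):
        if pattern not in present:
            lines.append(f"{pattern}\t{ACTION[blocks[pattern]]}")
    return "\n".join(lines) + "\n"


def run(log_text=None, existing_map=EXISTING_MAP):
    """One hourly pass: tally, decide, merge. Returns (blocks, new map text)."""
    counts, has_ptr = tally_rejects(sample_log() if log_text is None else log_text)
    blocks = decide_blocks(counts, has_ptr)
    return blocks, merge_map(existing_map, blocks)


if __name__ == "__main__":
    print(run()[1], end="")
```

With the constructed traffic, the four PTR-less hosts in 203.0.113.0/24 are each under the per-IP threshold but together exceed the Class C threshold, so the whole /24 is listed and the individual IPs are dropped as redundant; 192.0.2.5 is listed on its own; mail.example.org is exempt because it has a PTR, and the earlier 203.0.113.200 entry survives the merge. After writing the map, the real deployment would run postmap on it so Postfix picks up the new entries.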
