As we all know, the order of restrictions influences the qty per category,
but here's where my latest advanced config has one site:
2 RBL spamdomains.blackholes.easynet.nl
5 SMTP invalid [EMAIL PROTECTED]
5 SMTP Exceeded Hard Error Limit after RSET
7 RBL opm.blitzed.org
8 SMTP Exceeded Hard Error Limit after END-OF-MESSAGE
9 SMTP Exceeded Hard Error Limit after CONNECT
16 Other
26 SMTP Exceeded Hard Error Limit after ETRN
27 ACL unauthorized relay
29 ACL helo_hostnames
34 DNS no A/MX for @recipient.domain
49 ACL bogon network header
55 RBL proxies.relays.monkeys.com
58 ETRN Mail theft attempt
72 RBL list.dsbl.org
73 SMTP helo hostname invalid
80 ACL mta_clients_bw
99 RBL korea.services.net
119 ACL HTML obfuscation
135 SMTP Exceeded Hard Error Limit after MAIL
146 RBL relays.ordb.org
209 ACL header checks
217 SMTP invalid [EMAIL PROTECTED]
254 SMTP unauthorized pipelining
351 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
416 DNS timeout for MTA PTR hostname (forged @sender.domain)
578 RBL sbl.spamhaus.org
623 DNS no A/MX for @sender.domain
717 ACL to_local_recipients unknown recipient
771 RBL dnsbl.njabl.org
812 ACL PTR hostname does not match hostname (forged HELO) << restr.class
955 ACL from_senders_bw
1128 RBL dynablock.easynet.nl
1723 ACL forged @sender.domain not from sender PTR domain << restr.class
4312 RBL blackholes.easynet.nl
5360 ACL from_senders_imgfx
8098 SMTP helo hostname is an IP <<<< amazingly effective
9515 SMTP helo hostname not fully qualified <<< duh!!!
9547 ACL from_senders_slet
12348 ACL mta_clients_dict
19065 SMTP Exceeded Hard Error Limit after DATA
55916 SMTP Exceeded Hard Error Limit after RCPT
159149 ACL to_relay_recipients unknown recipient
This client is not yet using the subscriber networks block, but it turns
out a lot of subscriber spammers get caught by the unqualified helo
hostname and the helo hostname + sender.domain forging of aol, msn, yahoo,
earthlink, hotmail domains.
The "ACL mta_clients_dict" is built by harvesting the previous 30 or 60
days of rejects of to_relay_recipients unknown recipient, by IP and ClassC,
with unknown[ip.ad.re.ss], and then running a harvesting script every 2
hours during the day to catch today's dictionary attackers, giving these
quantities of lines:
mta_clients_dict.map ClassC's : 177
mta_clients_dict.map IPs : 9344
mta_clients_dict.map before : 9521
The _dict restriction is placed a couple of lines after the
check_recipient_maps where to_relay_recipients.map is used. The _dict
rejects are for msgs to _known_ users (msg got past the unknown user
filter) but from the abusive IPs that have been hitting us with large
quantities of msgs to unknown users.
Len
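The harvesting step Len describes (counting "unknown recipient" rejects from clients that Postfix logs as unknown[ip.ad.re.ss], by IP and by Class C, and turning the worst offenders into an access map for a check_client_access restriction) can be written as a small script. The one below is an added example, not Len's script; the log lines are constructed in the Postfix smtpd reject format, the thresholds (5 rejects per IP, 20 per Class C) are assumptions since the post gives none, and the map text "REJECT dictionary attack source" is likewise a made-up value.

```python
import re
from collections import Counter

# Matches a Postfix smtpd reject for a recipient not in relay_recipient_maps.
# Captures the client hostname (or the literal "unknown" when there is no PTR)
# and the client IPv4 address.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\s\[]+)\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: "
    r".*?User unknown in relay recipient table"
)


def make_reject_line(host, ip, rcpt, reason="User unknown in relay recipient table"):
    """Build one constructed Postfix-style reject log line for the demo."""
    return (f"Mar  3 10:21:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"{reason}; from=<x@spam.example> to=<{rcpt}> proto=ESMTP helo=<foo>")


# Constructed sample log (not real traffic): three hosts in one /24 probing
# many addresses, one lone host probing, one single typo, one client with a
# PTR record, and one reject for an unrelated reason.
SAMPLE_LOG = "\n".join(
    [make_reject_line("unknown", "192.0.2.10", f"user{i}@example.net") for i in range(6)]
    + [make_reject_line("unknown", "192.0.2.11", f"guess{i}@example.net") for i in range(3)]
    + [make_reject_line("unknown", "192.0.2.12", f"try{i}@example.net") for i in range(12)]
    + [make_reject_line("unknown", "198.51.100.5", f"a{i}@example.net") for i in range(7)]
    + [make_reject_line("unknown", "203.0.113.9", "bob@example.net")]
    + [make_reject_line("mail.partner.example", "203.0.113.20", f"z{i}@example.net")
       for i in range(8)]
    + [make_reject_line("unknown", "198.51.100.6", "x@example.net",
                        reason="Relay access denied")]
)


def harvest(log_text):
    """Count unknown-recipient rejects from clients without a PTR record.

    Returns (per_ip, per_classc) Counters. Clients that resolve to a hostname
    are skipped, matching the post's "with unknown[ip.ad.re.ss]" selection.
    """
    per_ip = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("host") != "unknown":
            continue
        per_ip[m.group("ip")] += 1
    per_classc = Counter()
    for ip, n in per_ip.items():
        per_classc[ip.rsplit(".", 1)[0]] += n   # "a.b.c.d" -> "a.b.c"
    return per_ip, per_classc


def build_access_map(per_ip, per_classc, ip_threshold=5, classc_threshold=20):
    """Emit access(5) lines for a check_client_access map.

    A key of the form "a.b.c" matches every address in that /24, so IPs
    already covered by a listed Class C are omitted. Thresholds are assumed
    values for the demo, not from the original post.
    """
    listed_nets = {net for net, n in per_classc.items() if n >= classc_threshold}
    lines = [f"{net}\tREJECT dictionary attack source" for net in sorted(listed_nets)]
    for ip, n in sorted(per_ip.items()):
        if n >= ip_threshold and ip.rsplit(".", 1)[0] not in listed_nets:
            lines.append(f"{ip}\tREJECT dictionary attack source")
    return lines


def summary(per_ip, per_classc, lines):
    """Mirror the post's line counts: listed Class C's, listed IPs, total."""
    nets = sum(1 for l in lines if l.split("\t")[0].count(".") == 2)
    return {"ClassC's": nets, "IPs": len(lines) - nets, "total": len(lines)}


if __name__ == "__main__":
    ips, nets = harvest(SAMPLE_LOG)
    entries = build_access_map(ips, nets)
    print("\n".join(entries))
    print(summary(ips, nets, entries))
```

Running it prints a two-line map: the 192.0.2 network (21 rejects across three hosts) and the single host 198.51.100.5; the one-off typo from 203.0.113.9, the client with a PTR record, and the "Relay access denied" reject are all left out. The output would be written to a file, built with postmap, and referenced as check_client_access hash:/path/to/mta_clients_dict in the restriction list a couple of lines after the check_recipient_maps step, as the post describes.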