Aleksander,

> Probably not a good idea, since you don't know how big is remote network
> block. It might be something like /24, but it also might be something
> like /29. If you blindly assume it is /24, you'll get the spammer
> blocked (maybe, it just might be that one of your users had .forward
> file at remote site, and you can't know that either), but you will also
> penalize everybody else.
My approach is to arbitrarily look across the last octet, work out the distribution of the addresses which are sending spam, and then take action to block any address within one standard deviation of the average octet value. Whether the network is /24 or /29 doesn't matter, until two /29 blocks which are in the same /24 both start sending me spam which triggers this check, in which case, yes, it is possible that someone in the middle gets burned.

As an example, here is one block which has been sending me spam:

    66.55.189.16  66.55.189.17  66.55.189.19  66.55.189.20  66.55.189.21
    66.55.189.25  66.55.189.29  66.55.189.30  66.55.189.32  66.55.189.33
    66.55.189.35  66.55.189.36  66.55.189.37  66.55.189.39  66.55.189.41
    66.55.189.42  66.55.189.43  66.55.189.47  66.55.189.48  66.55.189.49
    66.55.189.50  66.55.189.51  66.55.189.52  66.55.189.53  66.55.189.54
    66.55.189.57  66.55.189.58  66.55.189.59  66.55.189.61  66.55.189.63

All I can assume is that since all of these addresses are sending me the same type of spam (recipient address in the subject, mainly consumer electronics or casino related), they must be owned by the same people. A check with WHOIS says the whole range is owned by Vendare (VENDARE-EMAIL), but I can't assume they haven't subnetted and sold on addresses in blocks. However, I do know the extent (16 - 63), and I can assume that they own all of the addresses in that range.

However, if they owned 1-64, and someone else has 65-128, and I got a spam from 66, I might assume that their range was 1-66, and accidentally block someone else. To counter this, I use the average +/- one SD, which in this particular case gives a range from 27 to 56, so I block all known spammer addresses, and also every address between 27 and 56. If I add an entry for 66, the average changes from 41.25 to 42.03, the SD from 14.18 to 14.60, and the range changes to be 27 to 57. If I add a single spammer at 66.55.189.254, the results are dramatically different - the range becomes 8 to 88, which is not good.
The reason is because the average is based on an assumption that we have only one entry per IP address, but of course it will be weighted based on the number received from each address, so if the spammer range is showing up to 10 spam messages per address, and the outlier is showing 1, this sort of skewing should not happen.

Also, by keeping a spam/ham count for every IP address we see, it would be possible to also check whether any predicted spammer addresses were in fact known to us for sending legitimate mail. This also allows for .forward files from MSN, Yahoo, etc. plus mailing lists which occasionally carry spam - if we receive 1000 legitimate e-mails and 5 spams, the total for this domain is -995, which would not trigger the IPTables block at +10.

Storing this data in a database table with spam and ham counts per IP address per day/week and then summing over the last week/month to get a current ham/spam ratio per IP would be relatively simple. Expiring old totals would be necessary, but also simple. Perhaps once per hour, the ratio would be calculated for each IP, the IPTables list updated to reflect any changes, and a notification sent to the administrator with a list of the changes made, and the domain names of any systems now blocked.

Best Wishes,

Paul.

__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
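The last-octet clustering described in the message above, as an added example that is not code from the post or from MIMEDefang. It computes the spam-count-weighted mean and standard deviation of the last octet, rounds the mean +/- one SD interval outward (floor/ceil, an assumption the post does not state), and excludes predicted addresses that have any ham history. The `SPAMMER_HOSTS` list is the block quoted in the post; the per-address counts, the outlier at .254 and the ham count for .40 are constructed; the figures it produces are for that list as reproduced here.

```python
import math
from typing import Dict, List, Tuple

def block_range(spam_counts: Dict[str, int]) -> Tuple[int, int]:
    """Last-octet interval mean +/- one spam-weighted SD, rounded outward.
    spam_counts maps an IPv4 address to the number of spams seen from it;
    weighting by count is the post's fix for a lone outlier widening the range."""
    octets = {ip: int(ip.rsplit(".", 1)[1]) for ip in spam_counts}
    total = sum(spam_counts.values())
    mean = sum(octets[ip] * n for ip, n in spam_counts.items()) / total
    var = sum(n * (octets[ip] - mean) ** 2 for ip, n in spam_counts.items()) / total
    sd = math.sqrt(var)
    return math.floor(mean - sd), math.ceil(mean + sd)

def addresses_to_block(spam_counts: Dict[str, int], ham_counts: Dict[str, int],
                       threshold: int = 10) -> List[str]:
    """Hosts to firewall. A known sender is blocked once spam - ham reaches the
    threshold; an address inside the predicted range is blocked unless it has
    ever sent us legitimate mail (the .forward / mailing-list case)."""
    prefixes = {ip.rsplit(".", 1)[0] for ip in spam_counts}
    if len(prefixes) != 1:
        raise ValueError("all spamming addresses must share one /24")
    prefix = prefixes.pop()
    low, high = block_range(spam_counts)
    blocked = []
    for last in range(256):              # clamps the interval to 0..255
        ip = f"{prefix}.{last}"
        spam, ham = spam_counts.get(ip, 0), ham_counts.get(ip, 0)
        if spam - ham >= threshold or (low <= last <= high and ham == 0):
            blocked.append(ip)
    return blocked

# Last octets of the spamming block quoted in the post.
SPAMMER_HOSTS = [16, 17, 19, 20, 21, 25, 29, 30, 32, 33, 35, 36, 37, 39, 41,
                 42, 43, 47, 48, 49, 50, 51, 52, 53, 54, 57, 58, 59, 61, 63]

def sample_counts(per_host: int, outlier: bool = False) -> Dict[str, int]:
    """Constructed spam counts: every quoted host sends per_host spams and,
    optionally, a single spam arrives from 66.55.189.254."""
    counts = {f"66.55.189.{o}": per_host for o in SPAMMER_HOSTS}
    if outlier:
        counts["66.55.189.254"] = 1
    return counts

if __name__ == "__main__":
    print("one per host:     ", block_range(sample_counts(1)))
    print("plus .254, unweighted:", block_range(sample_counts(1, True)))
    print("plus .254, 10 per host:", block_range(sample_counts(10, True)))
    print(addresses_to_block(sample_counts(10, True), {"66.55.189.40": 1000}))
```

With one spam per host the range is 26 to 55; the single outlier at .254 stretches it to 7 to 88, and weighting by ten spams per host pulls it back to 22 to 60, while the heavy ham history on .40 keeps that address off the list.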
_______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

