From what I understand from the post, you are suggesting a scheme
similar to what snort2pf is doing for snort and pf. In layman terms,
when snort issues an alert, snort2pf informs pf about the attacker's IP,
and pf takes an action. AFAIK, this is currently the only way to convert
snort from an IDS into an IPS on OpenBSD (snort inline works only on
Linux, if I'm not mistaken).

Similarly, when SpamAssassin or DSPAM determine that an e-mail is spam,
(again in layman terms) they inform spamd about the spammer IP and
thereafter that IP is handled by spamd. Please be aware that this scheme
does not require any change to spamd's functioning. And if implemented, it
could save processing resources of the system, because the spammers
which are not in any blacklist could be dynamically added to the spamd
blacklists and could not reach content scanners like SpamAssassin and
DSPAM, which are much more expensive in terms of processing resources.

Probably a simple shell script could do the job, which would look at
SpamAssassin logs to find out the spam score and IP address, and insert
into spamd blacklists as necessary. The only caveat is that threshold
spam score for blacklisting should be kept very high to prevent
inserting false positives into spamd blacklist.

In my experience spamd is very successful, but SpamAssassin catches some
spam e-mails that spamd misses occasionally. (After all, OpenBSD
maillists also use both, see http://www.openbsd.org/mail.html).

Please correct me if I am wrong, but I believe the OP's point was missed
in the other replies. I also would like to know what people at misc@
think about such a scheme.

On Tue, 2007-06-12 at 03:04 -0700, Praveen wrote:
> Hi,
>    From the man page it appears that spamd relies on 
> static information about spam originators.
> Why not a more dynamic scheme?
> 
> Why not run the content of the mail through a spam
> detector (like dspam), find the spam score and make
> decisions based on that. I know that spam detection
> is nowhere near perfect but it can be used for
> assigning a 'badness score' to a site(originator of
> email). So a site keeps getting this score and the
> average (per msg) exceeds a we blacklist the site for a
> fixed duration. Similarly for whitelisting.
> 
> 'Badness score' can also be assigned for other things,
> like trying to send to a non-existent user (a typical
> spammer probe), absence of mx entry etc.
> 
> 
> A milter(sendmail/postfix) can be implemented for
> this.
> Thus decisions will be more dynamic and 'configuration
> free'.
> 
> Does this sound reasonable ?
