Okay,
I have finished the create and delete scripts.
Essentially the perl script monitors the current
file in the smtp directory.
It scans the file for both "DENIED_RDNS_RESOLVE"
and "DENIED_RDNS_MISSING" constructing two files
one that creates iptables rules and the other is a file
that deletes the same rules.
As I am using the current file can someone tell me
how often their current file is reset please? My timing
is almost 9 hours under normal circumstances.
Using the script is done via the crontab and I will be
using 5 minute intervals. This will guarantee a rolling set
of ip addresses that have no dns entries.
I welcome suggestions/comments from other users.
After final testing I will release the script to all QMT
users.
best wishes
Tony White
On 23/02/2014 05:06, cj yother wrote:
Yes, you can do this and it will reduce the load on the
server. When you're hit with a spam message that has no RDNS
and they are sending hundreds or thousands to your server it
will stop them after x attempts and ban them for x
hours/days. This will reduce the load on Spamdyke and in turn
your server. Like you say it might not be a lot, but it sure
feels good!
On 02/22/2014 09:18 AM, Eric
Shubert wrote:
On
02/22/2014 01:50 AM, Tony White wrote:
Hi folks,
Is this a viable option please?
90% of the SPAM I am getting lately always returns
DENIED_RDNS_MISSING
or
DENIED_RDNS_RESOLVE
In all cases the email From User is the same as the
Recipient
but with prefix or postfix characters.
Can we perhaps use this to build a script to test
denied messages
and maybe the username similarity then put the ip address
in the
iptables as a "drop"?
Given that this would not improve the effectiveness at all,
but would only (ever so slightly) reduce the load on the
server, do you think it'd be worth the effort? Is your host
suffering from a heavy load?
Also, I'd be a little concerned that these spam attempts
would then be more difficult to measure. They could be
logged before being dropped, but then whatever mechanism
that gathers spam stats would have one more thing to count.
It's not a terrible idea though. I wonder if fail2ban could
be configured to count DENIED_RDNS messages for each IP
address, and if there were more than a certain number of
failed attempts in a given time period, then block the IP
address.
I'd like to hear from anyone with more familiarity with F2B
than myself about this possibility. This might be an
additional F2B configuration we could include.
--