On 1 Jun 2004, at 20:46, Waitman Gobble wrote:
> 1. Compare the country of the originating IP address to the country of the "domain" in the "from address". Basically, I want to dump email that claims to be "from" a US company/domain but originates out of China, etc., and vice versa.
> 2. Keep track of IPs that send multiple "from" domains, and blacklist those.
> 3. If the "from" address is a well-known mail service such as Yahoo, Hotmail, MSN, AOL, etc., then the connecting IP has to be on "their" network.
You'd get a lot more blocked just by using some well chosen blocklists.
My recommendations are:
sbl.spamhaus.org
cbl.abuseat.org
opm.blitzed.org
zombie.dnsbl.sorbs.net
relays.ordb.org
list.dsbl.org
http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
web.dnsbl.sorbs.net
dul.dnsbl.sorbs.net
That takes out a lot of the spam (they are listed in order of preference in case you want to trim off ones that look dodgy).
Then add in DCC. That takes out a further large chunk. (yes I know DCC only detects bulk mail, not spam, but by my measurements it's accurate enough to use as an outright block).
Add in the early_talkers plugin - that's a further chunk. Then drop anything without a Message-ID. Then drop anything without any Received headers.
This gets pretty much all of my spam (I actually have a few other tricks up my sleeve, but can't reveal them as they are quite sensitive to being found out by the spammers). I get a few Nigerian scams slipping through every now and then. And I'm still annoyed by anti-virus bounces and by challenge-response bounces, but these tend to be manageable.
Matt.
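The DNSBL and header parts of the recipe above, written out as an added example (this is not Matt's code, nor any qpsmtpd plugin; DCC and the early_talkers check happen at SMTP-session time and are not modelled here). A DNSBL lookup is a DNS A query for the connecting IP's octets reversed under the zone name; an answer in 127.0.0.0/8 means "listed". The zone list is the one from the post, in the same order of preference. Several of those zones have since been retired, and a retired zone can start answering every query positively, so the example takes the resolver as a parameter and runs entirely offline against a constructed fake DNS table, constructed sample messages and IPs from the documentation ranges; `resolve`, `FAKE_DNS`, and the sample messages are all assumptions for illustration.

```python
import email
import ipaddress

# Blocklist zones in the order of preference given in the post.
DNSBL_ZONES = [
    "sbl.spamhaus.org", "cbl.abuseat.org", "opm.blitzed.org",
    "zombie.dnsbl.sorbs.net", "relays.ordb.org", "list.dsbl.org",
    "http.dnsbl.sorbs.net", "socks.dnsbl.sorbs.net", "misc.dnsbl.sorbs.net",
    "smtp.dnsbl.sorbs.net", "web.dnsbl.sorbs.net", "dul.dnsbl.sorbs.net",
]

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus signals refused/erroneous queries with 127.255.255.x answers;
# those must never be treated as a listing.
ERROR_RANGE = ipaddress.ip_network("127.255.0.0/16")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the zone (IPv4 only)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("classic DNSBL zones are keyed on IPv4 addresses")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_hits(ip, resolve, zones=DNSBL_ZONES):
    """Return the zones listing `ip`, in preference order.

    `resolve(name)` must return the A records for `name` as a list of
    dotted-quad strings, or [] for NXDOMAIN / no answer.
    """
    hits = []
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            a = ipaddress.ip_address(answer)
            if a in LISTED_RANGE and a not in ERROR_RANGE:
                hits.append(zone)
                break
    return hits


def header_checks(raw):
    """The two header rules from the post: require a Message-ID and a Received header."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if not msg.get("Message-ID"):
        reasons.append("no Message-ID")
    if not msg.get_all("Received"):
        reasons.append("no Received headers")
    return reasons


def decide(ip, raw, resolve):
    """Combine DNSBL and header checks into an accept/reject verdict with reasons."""
    reasons = ["listed in " + z for z in dnsbl_hits(ip, resolve)]
    reasons += header_checks(raw)
    return ("reject" if reasons else "accept", reasons)


# Constructed fake DNS table standing in for real DNSBL answers (assumption).
FAKE_DNS = {
    "10.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
    # An error code from the zone, not a listing: must be ignored.
    "7.100.51.198.sbl.spamhaus.org": ["127.255.255.254"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


# Constructed sample messages (assumption, not real traffic).
CLEAN_MSG = (
    b"Received: from mx.example.net by mail.example.org; Tue, 1 Jun 2004 20:46:00 +0100\r\n"
    b"Message-ID: <abc123@example.net>\r\n"
    b"From: alice@example.net\r\nTo: bob@example.org\r\nSubject: hi\r\n\r\nhello\r\n"
)
BARE_MSG = b"From: spammer@example.com\r\nTo: bob@example.org\r\nSubject: buy\r\n\r\nbuy now\r\n"

if __name__ == "__main__":
    print(decide("192.0.2.10", CLEAN_MSG, fake_resolve))   # rejected on two listings
    print(decide("198.51.100.7", CLEAN_MSG, fake_resolve))  # accepted: error code is not a listing
    print(decide("198.51.100.7", BARE_MSG, fake_resolve))   # rejected on headers alone
```

In a real deployment `resolve` would wrap the local caching resolver, and the zone list would be pruned to zones that are still operating; the per-zone loop stops at the first valid answer, so a zone that returns several codes is counted once.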