Matt Sergeant writes:
> David Kaufman wrote:
> > Yup. Matt Sergeant wrote an article for O'Reilly Network last year and
> > in it he develops exactly that, a "repeat offender" module that watches
> > for repeatedly denied IP addresses and locally blacklists them, as an
> > example of how to write a plugin:
> Anyone using that? I'd be fascinated to know how it's going.
Maybe not as fascinating, but I could tell you why I'm not using it...
A single bad computer within corporation A could basically make me
(short-term) DoS myself when it comes to e-mails from corp. A; and if I have
to whitelist important sources from that plugin then I think that it isn't
working as well as it should/could.
Add a long-term good/bad e-mail database and do the blocking based on both
long-term history as well as short-term problems, and it'd be, IMHO, of
greater use; then it could allow a few bad e-mails every now and then, but
at the same time block the whole server if it/its users are victims of some
new virus/whatever mailbombing people they've earlier had contact with.
Expanding on that you could keep stats of normal mail activity and start
soft-bouncing if you suddenly get an abnormal surge in activity (a possible
new virus/whatever), and if the problem keeps getting worse you could
firewall either easily identifiable subnets or take the (mail) server offline
for a couple of hours.
(Just a few thoughts.)
/Tony
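The policy Tony sketches above, combining a long-term good/bad history per sending host with a short-term denial window, as an added example (not the plugin from the article nor anything from the thread); the thresholds, the window length and the host names are assumptions.

```python
"""Sender-reputation policy: long-term good/bad history plus a short-term
denial window. Added example; thresholds and window are assumptions."""
from collections import defaultdict, deque

SHORT_WINDOW = 600    # seconds of recent denials considered (assumed)
SHORT_LIMIT = 5       # recent denials that trigger action (assumed)
LONG_MIN_TOTAL = 50   # messages seen before long-term history counts (assumed)
LONG_BAD_RATIO = 0.5  # bad fraction above which a host is historically bad (assumed)


class SenderReputation:
    def __init__(self):
        self.good = defaultdict(int)      # long-term accepted messages per host
        self.bad = defaultdict(int)       # long-term denied messages per host
        self.recent = defaultdict(deque)  # timestamps of recent denials per host

    def _recent_denials(self, host, now):
        q = self.recent[host]
        while q and now - q[0] > SHORT_WINDOW:  # expire denials outside the window
            q.popleft()
        return len(q)

    def record(self, host, accepted, now):
        if accepted:
            self.good[host] += 1
        else:
            self.bad[host] += 1
            self.recent[host].append(now)

    def decision(self, host, now):
        if self._recent_denials(host, now) < SHORT_LIMIT:
            return "accept"  # a few bad e-mails every now and then are tolerated
        total = self.good[host] + self.bad[host]
        known_good = total >= LONG_MIN_TOTAL and self.bad[host] / total < LONG_BAD_RATIO
        # burst from a host with a long good history: soft-bounce (temporary
        # failure) so legitimate mail is retried; unknown or bad host: block
        return "softbounce" if known_good else "block"


def simulate():
    """Constructed scenario: a long-trusted relay and an unknown host each send
    a burst of six bad messages, as when a virus starts mailbombing contacts."""
    rep = SenderReputation()
    for t in range(100):
        rep.record("corp-a", True, t)       # corp-a builds a good history
    rep.record("corp-a", False, 200)
    rep.record("corp-a", False, 300)
    out = {"corp-a-calm": rep.decision("corp-a", 400)}
    for t in range(1000, 1006):             # the burst
        rep.record("corp-a", False, t)
        rep.record("unknown", False, t)
    out["corp-a-burst"] = rep.decision("corp-a", 1006)
    out["unknown-burst"] = rep.decision("unknown", 1006)
    out["corp-a-later"] = rep.decision("corp-a", 1006 + SHORT_WINDOW + 1)
    return out
```

Once the burst ages out of the window the trusted relay is accepted again, which is what makes the soft bounce a short-term measure rather than a whitelist entry.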