This is a form of graylisting, but instead of returning a temporary SMTP
error, it spools the E-mail for processing later.
The better way around this is to use two pieces of information and use
DNS as the database. You would capture the Mail From and IP address and
the Reverse DNS address. On the first match of either the Mail From +
IP or the Mail From + Reverse DNS base domain, you would add a record to
the zone and spool the message for scanning X minutes later. The
lookups would use a MailFromBL format where the @ is replaced with a dot,
characters that are not allowed are removed, and double dots are replaced
with single dots. For instance:
Mail From: [EMAIL PROTECTED]
Reverse DNS: mnr1.microneil.com
IP: 216.88.36.96
Lookups:
  microneil.com.sniffer-owner.SortMonster.com.graylist.example.com
  96.36.88.216.sniffer-owner.SortMonster.com.graylist.example.com
A Records:
  *.microneil.com.sniffer-owner.SortMonster.com A 127.0.0.2
  96.36.88.216.sniffer-owner.SortMonster.com A 127.0.0.2
With Declude you could then do a lookup like so:
SEENBEFORE1 dnsbl %REVDNS%.%MAILFROMBL%.graylist.example.com 127.0.0.2 0 0
SEENBEFORE2 dnsbl %IP4R%.%MAILFROMBL%.graylist.example.com 127.0.0.2 0 0
Note that the reverse DNS base domain has a wildcard in it. This is
important because of issues with graylisting where multiple servers can
send messages for the same senders, and you don't want to be continually
delaying them, so you just wildcard the base domain.
You could then use Declude's COPYFILE action to copy the file to a
holding directory and then a separate process that would move pairs of
files older than X minutes back into Declude's overflow or proc
(depending on the version). The program that moves the files could also
extract the IP, Reverse DNS and Mail From information and add it
automatically to a zone on every run.
This has merit, but there are a couple of issues. First, Declude's
MailFromBL needs some tweaking so that it doesn't use characters that
are invalid in zones, and it needs to replace double dots which are also
invalid. Secondly, I know that this isn't a good global solution
because some people don't want their messages delayed, and to give
things like Sniffer and SpamCop enough time to react, it might mean
holding for several hours and that isn't optimal for all
users/customers, though some might take the bad with the good.
I could do this fairly easily in plain VBScript, and it only needs one
script since Declude could handle the spooling of the message with
existing functionality.
Matt
Mike Nice wrote:
getting much better at what they do. When a spammer uses Geocities
links, hijacks real accounts on major providers to send spam through,
and changes their techniques every few hours, it makes it difficult
for Sniffer to proactively block them, and the delay between rulebase
updates means a delay in catching things that have been tagged.
This brings to mind a technique with optional adaptive delay -
enabled by the user. Each mail is assigned a 'triplicate': (To_Email,
From_Email, and domain_of_sending_server). Previously unknown
triplicates are held for a period of time before being examined for
spam. The delay is long enough that SpamCop, Sniffer, and InvURIBL
mailtraps see copies of the spam and update the blacklists.
This would be hard to do with the stock IMail, but possibly could be
done by Declude with the V3 architecture and a database.
It still doesn't provide a good answer to the problem of spammers
hijacking a computer and sending spam through legitimate servers.
This E-Mail came from the Message Sniffer mailing list. For
information and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
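The "seen before" zone scheme Matt describes above, worked through as an added example. This is a stand-in written for this page, not Declude's, Message Sniffer's or Matt's VBScript; the zone name graylist.example.com follows the post, while the sender address, IPs and hostnames are constructed (documentation ranges and .example names), and the in-memory Zone class stands in for a real DNS server. It builds the MailFromBL label with the cleanup the post asks for (@ to dot, invalid characters dropped, double dots collapsed), emits the two A records and the two lookup names, and shows why the lookup must use the full reverse-DNS hostname rather than the bare base domain: a DNS wildcard matches only names that have at least one extra label to the left of the "*".

```python
"""Added example: a 'seen before' graylist keyed on Mail From + IP and
Mail From + reverse-DNS base domain, published as DNS names the way the
post describes. Constructed stand-in for the VBScript/Declude setup;
not Declude's, Message Sniffer's or the post author's code."""
import ipaddress
import re

ZONE = "graylist.example.com"   # zone name taken from the post's examples
SEEN = "127.0.0.2"              # A value meaning "pair already recorded"


def mail_from_label(mail_from: str) -> str:
    """MailFromBL form: '@' becomes '.', characters that are not valid in a
    DNS label are dropped, empty labels (double/leading/trailing dots) are
    removed, and the result is lowercased (DNS is case-insensitive)."""
    raw = mail_from.strip().lower().replace("@", ".")
    labels = (re.sub(r"[^a-z0-9-]", "", lbl).strip("-") for lbl in raw.split("."))
    return ".".join(lbl for lbl in labels if lbl)


def reversed_ip(ip: str) -> str:
    """Octets of an IPv4 address in DNSBL order (what %IP4R% gives);
    ipaddress raises ValueError on junk input instead of building a bad name."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))


def base_domain(hostname: str) -> str:
    """Last two labels of the reverse-DNS name, which is what the post
    wildcards. A public-suffix list is needed before using this rule on names
    such as host.example.co.uk, where two labels is not the registrable domain."""
    return ".".join(hostname.strip(".").lower().split(".")[-2:])


def zone_records(mail_from, ip, rdns):
    """Owner names (relative to ZONE) to add the first time a pair is seen."""
    mf = mail_from_label(mail_from)
    return [(f"*.{base_domain(rdns)}.{mf}", SEEN),
            (f"{reversed_ip(ip)}.{mf}", SEEN)]


def lookup_names(mail_from, ip, rdns):
    """The two fully qualified names a SEENBEFORE-style dnsbl test would query.
    The first uses the full reverse-DNS hostname: a wildcard record matches
    only names with at least one extra label to its left, so querying the
    bare base domain would never hit '*.base.domain...'."""
    mf = mail_from_label(mail_from)
    return [f"{rdns.strip('.').lower()}.{mf}.{ZONE}",
            f"{reversed_ip(ip)}.{mf}.{ZONE}"]


class Zone:
    """Minimal in-memory stand-in for the DNS zone. Wildcard handling is a
    simplification of RFC 4592: an exact owner wins, otherwise the wildcard
    with the longest matching suffix, and '*' must cover at least one label."""
    def __init__(self, origin: str):
        self.origin = origin.strip(".").lower()
        self.records = {}   # owner relative to origin -> A value

    def add(self, owner: str, value: str) -> None:
        self.records[owner.lower()] = value

    def resolve(self, fqdn: str):
        name = fqdn.strip(".").lower()
        suffix = "." + self.origin
        if not name.endswith(suffix):
            return None
        rel = name[:-len(suffix)]
        if rel in self.records:
            return self.records[rel]
        labels = rel.split(".")
        for i in range(1, len(labels)):   # i >= 1 leaves a label for '*' to match
            hit = self.records.get("*." + ".".join(labels[i:]))
            if hit is not None:
                return hit
        return None


def seen_before(zone, mail_from, ip, rdns) -> bool:
    return any(zone.resolve(n) == SEEN for n in lookup_names(mail_from, ip, rdns))


def record_sender(zone, mail_from, ip, rdns) -> None:
    """What the file-moving process would do on each run: add the pair."""
    for owner, value in zone_records(mail_from, ip, rdns):
        zone.add(owner, value)


def demo():
    """Constructed traffic: the first delivery is new (spool it and record
    it); a second host in the same base domain with a different IP is
    already known via the wildcard; a different sender from the recorded
    IP is still new because the IP record is keyed on the Mail From too."""
    zone = Zone(ZONE)
    sender, ip1, host1 = "Alice+news@Mail..Example.NET", "203.0.113.45", "mx1.relay.example"
    first = seen_before(zone, sender, ip1, host1)
    if not first:
        record_sender(zone, sender, ip1, host1)
    second = seen_before(zone, sender, "203.0.113.46", "mx2.relay.example")
    other = seen_before(zone, "bob@example.org", ip1, host1)
    return first, second, other


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

The wildcard record is what lets mx2 pass without a second delay, which is the point made in the post about multiple servers sending for the same sender. Note the cost of keying on the sender's base domain alone: any host under relay.example, including one later compromised, inherits the "seen" status for that Mail From until the record is expired, so the zone-update process should also age records out rather than only add them.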