On Sat, 7 Feb 2004 07:01:57 -0600, Bob Apthorpe wrote:
> I'm working on a project to combine mail log analysis and
> SpamAssassin (spamd) scoring to rank the spamminess of a
> connecting IP address. I haven't found any standard metrics so I'm
> guessing at what might be useful, such as %spam per unit time
> {15-minutes, hour, day, week} per unit network {/32, /28, /24}.
Two comments:
1: I'm using relaydb for something similar (but not identical) to this.
This technique simply stores the number of spams and hams per IP in a small
database. I'm then checking the ratio of spam to ham for connecting IPs. If the
ratio is above a certain threshold, I reject the connection.
I'm also expiring records after a certain time.
2: This method might seem effective in theory, but in reality it doesn't do as
much as I'd hoped for.
Nowadays spam more often comes from a multitude of addresses rather than a few
dedicated spam sending hosts. This means that few sender IPs actually ever
reach the threshold I've set up (a more aggressive threshold could change this
though).
I haven't checked what difference it'd make if subnets were used instead of
IP-addresses.
Regards
/Jonas
--
Jonas Eckerman, [EMAIL PROTECTED]
http://www.fsdb.org/
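
The spam/ham ratio check with record expiry described in the message above, as an added Python example that is not relaydb's code and not part of the original thread. The `ReputationDB` name, the ratio threshold, the minimum message count and the TTL are assumptions; keying on a /24 instead of a /32 shows the subnet variant that the message leaves untested.

```python
import ipaddress
import time

class ReputationDB:
    """Spam/ham counters keyed by network prefix, with record expiry."""

    def __init__(self, prefix_len=32, max_ratio=3.0, min_msgs=5, ttl=7 * 86400):
        self.prefix_len = prefix_len  # 32 = per IP, 24 = per /24 subnet (IPv4)
        self.max_ratio = max_ratio    # assumed threshold on spam-to-ham ratio
        self.min_msgs = min_msgs      # assumed floor before rejecting anything
        self.ttl = ttl                # assumed record lifetime in seconds
        self.records = {}             # key -> [spam, ham, last_seen]

    def _key(self, ip):
        # strict=False masks the host bits, so every IP maps to its network.
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False))

    def record(self, ip, is_spam, now=None):
        now = time.time() if now is None else now
        rec = self.records.setdefault(self._key(ip), [0, 0, now])
        rec[0 if is_spam else 1] += 1
        rec[2] = now

    def expire(self, now=None):
        now = time.time() if now is None else now
        stale = [k for k, r in self.records.items() if now - r[2] > self.ttl]
        for k in stale:
            del self.records[k]
        return len(stale)

    def should_reject(self, ip, now=None):
        now = time.time() if now is None else now
        rec = self.records.get(self._key(ip))
        if rec is None or now - rec[2] > self.ttl:
            return False  # unknown or expired sender: no opinion
        spam, ham, _ = rec
        if spam + ham < self.min_msgs:
            return False  # too little history to judge
        # ham + 1 avoids division by zero for senders with no ham at all.
        return spam / (ham + 1) > self.max_ratio

# Constructed sample: 8 hosts in one /24 send one spam each, one host sends ham.
SAMPLE = [(f"192.0.2.{i}", True) for i in range(10, 18)] + [("192.0.2.200", False)]

def demo(prefix_len, check_at=60, ttl=7 * 86400):
    db = ReputationDB(prefix_len=prefix_len, ttl=ttl)
    for ip, is_spam in SAMPLE:
        db.record(ip, is_spam, now=0)
    return db.should_reject("192.0.2.10", now=check_at)
```

With the constructed sample, `demo(32)` does not reject because no single address accumulates enough history, while `demo(24)` does; the subnet key also means the one ham-sending host shares the verdict of its neighbours.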