Cory Wright <[EMAIL PROTECTED]> writes:

> Do you mean blocking all messages with envelope senders at yahoo.com, etc,
> or all mail originating from the yahoo servers?
>
> I've noticed that most of the @yahoo.com spam I receive doesn't even come
> from a yahoo server.

That's often true. I've been thinking about this from another direction and have put together a small program (Python, of course) to implement/experiment with what I'm thinking.

First, a little background. I have BOUNCE_ENV_SENDER set to [EMAIL PROTECTED]. Until yesterday, any mail sent to that address was dropped on the floor. The only mail coming to that address are bounces from TMDA confirmation requests.

I decided to write a program to look through the Received headers to determine the IP of the last MTA to touch the mail before it hit either my server or any of my backup servers. That IP address is recorded by a server I trust. Therefore, I can be sure that it is recorded accurately. Any other Received headers before the one that represents first contact with my trusted systems are ignored.

The program works on plain messages (in pending/ I discovered that, while I have 742 messages queued at this moment, there are only 469 unique spamming IPs) and on qmail bounce messages (QSBMF format). A qmail bounce includes the entire original message. My program sucks that message out and, if it is not a TMDA confirm request message, searches it. If it *is* a TMDA confirm request message, the program grabs the message/rfc822 MIME portion (the original spam) and searches that for the last untrusted IP.

The goal is to continually update my private RBL server with the IP addresses of bogus senders, or at least the relays they are using.

I've only written this in the last couple of days, so there are undoubtedly shortcomings. For one, the only bounce format it understands is qmail's. I need to find out if other MTAs have documented bounce formats in order for this to be useful to non-qmail users. I don't know if it's going to turn out to be too aggressive. Since I'm only looking at mail to the thl-spambounce address at this point, I suspect it won't be.

It does address the problem Cory mentioned above. Even though the confirm request may go to Yahoo (because of a forged envelope sender), when Yahoo bounces the request back to me, the program will search the original spam and thus will not blacklist Yahoo.

The output from the program is the IP printed to stdout. Any postprocessing can be done from there. I intend to write the IPs to a file and rsync them to my mail server. If a user wanted to not blacklist domains like Yahoo, assuming the spam actually came from Yahoo, the output could be filtered for "whitelisted" IPs before using it to blacklist sites.

Any thoughts on this or suggestions for improvements are welcome. Once I clean it up a bit, I'll post it.

Tim

_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
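An added example, not Tim's program (which he has not posted yet), showing the Received-header walk he describes: trusted hosts' headers are followed newest-first, the first IP a trusted host recorded for an untrusted peer is returned, and anything below it is ignored; a bounce carrying the original mail as a message/rfc822 part is searched inside. The trusted host names, the thl-spambounce address and both messages are constructed for the example.

```python
import email
import re

TRUSTED = {"mx.example.org", "mx2.example.org"}  # assumed: my MX and backup MX
RECV = re.compile(r"from\s+(?P<host>\S+).*?\bby\s+(?P<by>[\w.-]+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def last_untrusted_ip(msg):
    # Received headers are newest-first; keep walking while a trusted host
    # wrote them, and stop at the first header naming an untrusted peer.
    for hdr in msg.get_all("Received", []):
        m = RECV.search(hdr)
        if not m or m.group("by").lower() not in TRUSTED:
            return None          # written by someone else: not to be believed
        if m.group("host").lower() in TRUSTED:
            continue             # trusted-to-trusted hop (e.g. backup MX)
        ip = IPV4.search(hdr[:m.start("by")])
        return ip.group(1) if ip else None
    return None

def spam_source_ip(msg):
    # A bounce or confirm request carries the spam as message/rfc822: search
    # the innermost such part rather than the outer (e.g. Yahoo's) headers.
    for part in msg.walk():
        if part is not msg and part.get_content_type() == "message/rfc822":
            return spam_source_ip(part.get_payload(0))
    return last_untrusted_ip(msg)

# Constructed spam: relayed to my MX, then to the backup; a forged hop below.
SPAM = """Received: from mx.example.org (mx.example.org [198.51.100.5])
    by mx2.example.org (Postfix) with ESMTP id A1; Tue, 1 Jan 2002 10:00:00 +0000
Received: from relay.spammer.example (unknown [203.0.113.7])
    by mx.example.org (Postfix) with SMTP id B2; Tue, 1 Jan 2002 09:59:00 +0000
Received: from mta.yahoo.example (mta.yahoo.example [192.0.2.9])
    by relay.spammer.example with SMTP id C3; Tue, 1 Jan 2002 09:58:00 +0000
From: victim@yahoo.example

spam body
"""
# Constructed bounce: the forged sender's MTA returning the mail to me.
BOUNCE = """Received: from mta.yahoo.example (mta.yahoo.example [192.0.2.9])
    by mx.example.org (Postfix) with ESMTP id D4; Tue, 1 Jan 2002 11:00:00 +0000
From: MAILER-DAEMON@yahoo.example
To: thl-spambounce@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

""" + SPAM + "--b1--\n"

def ip_for(raw):
    return spam_source_ip(email.message_from_string(raw))
```

Both `ip_for(SPAM)` and `ip_for(BOUNCE)` yield the relay's address, not Yahoo's; a message whose top Received header was not written by a trusted host yields None.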
