Mike Jackson wrote:
So - if I wanted to set up my own RBL for others to query me, how
would I do that? I'm seriously thinking about it. Alternatively, I can
stream my spam to anyone else who is already doing it. I've modified
my spam stream to exclude stuff already listed in several other
popular block lists.

A combination of these 2 works wonders for me:
http://simple-evcorr.sf.net/ (simple event correlator)
http://www.corpit.ru/mjt/rbldnsd.html (designed for serving DNSBL zones)
SEC hooks onto the MailScanner logs, checking for 3 spams or 2 viruses in
a span of 60 seconds; this is then fed to rbldnsd, which serves it with
little latency (though the latency has nothing to do with rbldnsd).
- dhawal

I'm no expert by any means, but I tried setting up an internal RBL for
my company using some Perl scripts (to mangle the email upon receipt)
and PDNS with a MySQL backend. I saved the last hop IP address from
dictionary-attack emails sent to a particular domain that we host that
gets hundreds of dictionary-attack type spams per day. It worked well,
except that in my case it was nearly pointless - while I could verify
that lookups were working, over the course of a 48 hour period it added
hundreds of IPs but didn't flag any messages, since the spambot(s)
sending to this domain would never send from the same IP address twice
(which I verified in the logs), nor were they sending to any of the
other 100+ domains we host. We're not fighting an enemy that's entirely
stupid.

Anyway, the entire point of this email was to suggest the (perhaps)
obvious: using a DNS daemon that can read its zone info on the fly
rather than requiring a restart. That's why I used PDNS, but I'm sure
there are other DNS daemons that can do the same thing and are perhaps
better suited to the task.
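
The threshold correlation dhawal describes above (3 spams or 2 viruses from one source within 60 seconds, then published through rbldnsd), sketched as an added Python example that is not code from any poster in this thread. The log line format, the sample addresses and the function names are constructed for illustration; the output uses rbldnsd's ip4set data-file layout (a default-value line followed by one address per line).

```python
import re
from collections import defaultdict, deque

# Constructed sample in an assumed, simplified format: "<epoch> <kind> from <ip>".
# Real MailScanner log lines look different and need their own pattern.
SAMPLE_LOG = """\
1000 spam from 192.0.2.10
1010 spam from 192.0.2.10
1015 virus from 198.51.100.7
1030 spam from 203.0.113.5
1050 spam from 192.0.2.10
1070 virus from 198.51.100.7
1100 spam from 203.0.113.5
1200 spam from 203.0.113.5
1300 virus from 192.0.2.99
1365 virus from 192.0.2.99
"""

LINE_RE = re.compile(r"^(\d+) (spam|virus) from (\d{1,3}(?:\.\d{1,3}){3})$")
THRESHOLDS = {"spam": 3, "virus": 2}  # counts given in the post
WINDOW = 60                           # seconds, as given in the post

def offenders(log_text, window=WINDOW, thresholds=THRESHOLDS):
    """Return IPs that reach a threshold inside a sliding window, in listing order."""
    recent = defaultdict(deque)  # (ip, kind) -> timestamps still inside the window
    listed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the expected format
        ts, kind, ip = int(m.group(1)), m.group(2), m.group(3)
        q = recent[(ip, kind)]
        q.append(ts)
        while ts - q[0] >= window:  # drop events that have aged out
            q.popleft()
        if len(q) >= thresholds[kind] and ip not in listed:
            listed.append(ip)
    return listed

def ip4set_zone(ips, value="127.0.0.2", text="Listed by local correlator"):
    """Render an ip4set data file: default A/TXT line, then one address per line."""
    return "\n".join([f":{value}:{text}"] + sorted(ips)) + "\n"

if __name__ == "__main__":
    print(ip4set_zone(offenders(SAMPLE_LOG)), end="")
```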