On Feb 12, 2016, at 5:39 AM, Alex <mysqlstud...@gmail.com> wrote:

> Hi,
> 
> For some time now I've been cycling URLs and IPs through a MariaDB
> database gathered from incoming mail on a honeypot I've created.
> Surprising how many are received ahead of spamhaus/barracuda.
> 
> I'm looking for ideas on how to now make this information available to
> spamassassin on my production system. I'd like to somehow export the
> IPs, any URLs in the body, and email addresses to SpamAssassin.

DNSBLs are very effective at this task, and I would recommend using them before you 
filter the email with SA, unless you specifically want to score due to 
uncertainty.


> Is it possible for spamassassin to query a database directly?

It is:
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html

But even then I find it more effective having the server running the DNSBL 
manage the block list using some metrics such as number of times the IP 
address appears, and/or not recording IP addresses in a whitelist table etc... 
Once (either via blacklist or metric) the IP gets into the DNSBL there is no 
need for me to worry about SA, simply reject. I find URIs tend to change A LOT, 
so IP-based blocking can be much more effective. But I think that's more of a 
preference.


> I'm familiar with how to create a uridnsbl, but is DNS the best
> approach here? The info needs to be updated and reloaded rapidly, and
> not all the info (URLs, emails) is conducive to being in DNS.


That's the way I do it, using BIND DLZ http://bind-dlz.sourceforge.net/
We have a delegated subdomain off our main domain that hosts a DNS server used 
exclusively for the block list, created from incoming mail sent to honeypot email 
addresses (ones that never were, or are no longer, valid). Again I tend to focus on 
the IP address not the URI, as I find that URIs are a dime a dozen and change quite 
frequently.

> Is anyone else doing this, and are you just rejecting the IPs at the
> SMTP level outright?

We use sendmail features to reject long before it gets to SA. It works better 
(IMHO) since there is much lower overhead for sendmail doing a quick DNS 
lookup than engaging the milter that runs the email through its passes with SA.

http://weldon.whipple.org/sendmail/dnsbl.html

But in this case it's IP-based only, not URI-based. For URIs (especially ones 
that you'll want to regex) SA may be more effective.


> Thanks,
> Alex

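The listing approach the reply describes (honeypot hits promoted into a DNSBL zone once an IP crosses a hit-count metric, IPs in a whitelist table never listed, and clients checking by the reversed-IP name), as an added example that is not code from this thread, from BIND DLZ, from sendmail or from SpamAssassin. The zone name, threshold, whitelist table and hit data below are constructed placeholders; the in-memory dict stands in for the MariaDB table a DLZ driver would serve.

```python
"""Build a DNSBL zone from honeypot hits and look addresses up in it.

Added example for the thread above; not the poster's code. Everything
here (zone name, threshold, whitelist, hits) is constructed sample data.
"""
import ipaddress
from collections import Counter

ZONE = "dnsbl.example.invalid"   # placeholder for the delegated block-list subdomain
HIT_THRESHOLD = 3                # listing metric: honeypot hits before an IP is listed
LISTED_ANSWER = "127.0.0.2"      # conventional DNSBL "listed" A record value

# Constructed honeypot log: the sending IP of each message that reached a
# honeypot address (addresses that never were, or are no longer, valid).
HONEYPOT_HITS = [
    "198.51.100.23", "198.51.100.23", "198.51.100.23", "198.51.100.23",
    "203.0.113.9", "203.0.113.9",
    "192.0.2.77", "192.0.2.77", "192.0.2.77",
    "2001:db8::1", "2001:db8::1", "2001:db8::1",
]
# Constructed whitelist table: never listed, however many hits they produce.
WHITELIST = {"192.0.2.77"}


def reverse_ip(ip):
    """DNSBL label form of an address: reversed dotted octets for IPv4,
    reversed hex nibbles for IPv6 (the name a DNSBL client queries)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split(".")))
    return ".".join(reversed(addr.exploded.replace(":", "")))


def build_zone(hits, whitelist, threshold=HIT_THRESHOLD, zone=ZONE):
    """Promote IPs into the zone once their hit count reaches `threshold`,
    skipping any IP found in the whitelist table.
    Returns {fqdn: (a_record, txt_record)} so it can be served or dumped."""
    counts = Counter(str(ipaddress.ip_address(h)) for h in hits)
    records = {}
    for ip, n in counts.items():
        if ip in whitelist or n < threshold:
            continue
        name = f"{reverse_ip(ip)}.{zone}"
        records[name] = (LISTED_ANSWER, f"honeypot hits={n}")
    return records


def is_listed(zone_records, ip, zone=ZONE):
    """Offline stand-in for the A-record lookup an MTA or SA's RBL checks
    perform: listed if the reversed name exists in the zone."""
    return f"{reverse_ip(ip)}.{zone}" in zone_records


def zone_file_lines(zone_records):
    """Render the records as zone-file lines (what the DLZ backend would hand
    to BIND for each query)."""
    lines = []
    for name, (a, txt) in sorted(zone_records.items()):
        lines.append(f"{name}. IN A {a}")
        lines.append(f'{name}. IN TXT "{txt}"')
    return lines


if __name__ == "__main__":
    zone = build_zone(HONEYPOT_HITS, WHITELIST)
    for line in zone_file_lines(zone):
        print(line)
    for ip in ("198.51.100.23", "203.0.113.9", "192.0.2.77", "2001:db8::1"):
        print(ip, "listed" if is_listed(zone, ip) else "not listed")
```

With the constructed data, 198.51.100.23 (four hits) and 2001:db8::1 (three) are listed, 203.0.113.9 stays below the threshold, and 192.0.2.77 is suppressed by the whitelist table even though it reached the threshold. The two metrics the reply mentions (hit count and whitelist exclusion) are the only listing logic; expiry or decay of old entries would be a further column on the same table.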