OK, I'm ready to take the next step in trying to cut down on the wasted cycles my email server spends rejecting spam after spam after spam from the same source.

My thoughts are that I'd like to monitor all the messages processed by simscan, and automatically blacklist IPs for a limited time (24 hours?) if they meet certain requirements.

I'm running stock simscan 1.1, without the additional logging that someone (Rick?) did. Ideally, for every email, I'd like to know the following:

Already in CHKUSR logs:
sender IP
SMTP AUTH info (if any)
sender's "SMTP HELO" hostname
sender's IP address
recipient address
whether recipient exists or not

Additional fields:
virus status (yes/no)
spam score

My thoughts are that I can start blacklisting IPs that match spammer patterns:

lots of non-existent addresses
lots of "random" from addresses coming from the same HELO/ip address combo
fqdn of HELO doesn't match reverse lookup of IP
lots of high-scoring spam

I haven't decided whether I want to modify simscan to try to log this information to MySQL for processing, or write a separate Perl program that runs in the background parsing the qmail-smtpd logs. My thought is that a MySQL socket connection for every single instance of simscan might be more load than the overhead of reading/parsing the log files.

Has anyone started work on something like this? If I could at least start with a report of every IP that sent me email, the number of messages, and the min/max/average spam score of the messages sent, I could decide whether the additional work would pay off.

Has anyone started on something like this? Any pointers on code to use to "tail" a file and detect when it's been renamed/rolled so I can switch to the next "current" log?

--
Tom Collins  -  [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
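
The following is an added example, not code from the post above and not part of simscan, vpopmail or qmail: it sketches the two pieces the post asks for, a per-IP report (message count, unknown-recipient count, min/max/average spam score) built from log lines, and a "tail" that notices when the log has been renamed or truncated and reopens the new file. It is written in Python rather than the Perl the post mentions. The log line layout, the sample lines, the field names (`ip`, `helo`, `rcpt`, `exists`, `virus`, `score`) and the blacklist thresholds are all constructed assumptions for this example; real chkuser/simscan output differs, so `LINE_RE` has to be adapted to what the qmail-smtpd log actually contains.

```python
"""Added example (not from the original post): per-IP spam report from
simscan-style log lines, plus a tail that survives log rotation."""
import os
import re
import time
from collections import defaultdict

# CONSTRUCTED line shape for this example; adapt LINE_RE to your real log fields.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) helo=(?P<helo>\S+) rcpt=(?P<rcpt>\S+) "
                     r"exists=(?P<exists>yes|no) virus=(?P<virus>yes|no) "
                     r"score=(?P<score>-?\d+(?:\.\d+)?)")

# Constructed sample input: two suspicious senders, one normal one, one noise line.
SAMPLE_LINES = [
    "00:00:01 simscan: ip=192.0.2.10 helo=mx.example.test rcpt=aaa@example.org exists=no virus=no score=14.5",
    "00:00:02 simscan: ip=192.0.2.10 helo=mx.example.test rcpt=bbb@example.org exists=no virus=no score=9.0",
    "00:00:03 simscan: ip=192.0.2.10 helo=mx.example.test rcpt=tom@example.org exists=yes virus=no score=3.4",
    "00:00:04 simscan: ip=192.0.2.10 helo=mx.example.test rcpt=ccc@example.org exists=no virus=yes score=20.1",
    "00:00:05 simscan: ip=192.0.2.20 helo=bulk.example.test rcpt=tom@example.org exists=yes virus=no score=12.0",
    "00:00:06 simscan: ip=192.0.2.20 helo=bulk.example.test rcpt=tom@example.org exists=yes virus=no score=15.5",
    "00:00:07 simscan: ip=192.0.2.20 helo=bulk.example.test rcpt=tom@example.org exists=yes virus=no score=14.5",
    "00:00:08 simscan: ip=198.51.100.5 helo=mail.friend.test rcpt=tom@example.org exists=yes virus=no score=-1.2",
    "00:00:09 qmail-smtpd: unrelated line that the parser must ignore",
]

def parse_line(line):
    """Parsed fields of one simscan record, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ip": m["ip"], "helo": m["helo"], "rcpt": m["rcpt"],
            "exists": m["exists"] == "yes", "virus": m["virus"] == "yes",
            "score": float(m["score"])}

class IPStats:
    """Per-IP running totals: count, unknown recipients, viruses, min/max/avg score."""
    def __init__(self):
        self.count = self.bad_rcpt = self.virus = 0
        self.total, self.min, self.max = 0.0, None, None

    def add(self, rec):
        self.count += 1
        self.bad_rcpt += not rec["exists"]
        self.virus += rec["virus"]
        self.total += rec["score"]
        self.min = rec["score"] if self.min is None else min(self.min, rec["score"])
        self.max = rec["score"] if self.max is None else max(self.max, rec["score"])

    @property
    def avg(self):
        return self.total / self.count if self.count else 0.0

def build_report(lines):
    """Aggregate log lines into {ip: IPStats}."""
    stats = defaultdict(IPStats)
    for rec in filter(None, map(parse_line, lines)):
        stats[rec["ip"]].add(rec)
    return stats

def blacklist_candidates(stats, min_msgs=3, bad_rcpt_ratio=0.5, high_score=10.0):
    """IPs matching two of the post's patterns: mostly unknown recipients, or
    consistently high-scoring spam. Thresholds are assumptions; tune to your traffic."""
    return sorted(ip for ip, s in stats.items()
                  if s.count >= min_msgs
                  and (s.bad_rcpt / s.count >= bad_rcpt_ratio or s.avg >= high_score))

def rotated(path, open_ino, pos):
    """True when the open file is no longer the live log: renamed away (new inode
    at path), deleted, or truncated below our read position."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True
    return st.st_ino != open_ino or st.st_size < pos

def follow(path, poll=1.0, max_idle_polls=None, from_start=False):
    """Yield complete lines appended to path, reopening it after rotation (e.g.
    multilog renaming 'current'); stop after max_idle_polls polls with no data."""
    f = open(path, "rb")
    ino = os.fstat(f.fileno()).st_ino
    if not from_start:
        f.seek(0, os.SEEK_END)                 # like tail -f: start at the end
    buf, idle = b"", 0
    while True:
        chunk = f.read()
        if chunk:
            idle, buf = 0, buf + chunk
            while b"\n" in buf:                # hold back a partially written line
                line, buf = buf.split(b"\n", 1)
                yield line.decode("utf-8", "replace")
        elif rotated(path, ino, f.tell()):
            f.close()
            while not os.path.exists(path):    # wait for the logger to create the new file
                time.sleep(poll)
            f = open(path, "rb")               # new file: read from its start
            ino, buf = os.fstat(f.fileno()).st_ino, b""
        else:
            idle += 1
            if max_idle_polls is not None and idle >= max_idle_polls:
                f.close()
                return
            time.sleep(poll)
```

In use, `build_report(follow("/var/log/qmail/smtpd/current"))` would be fed by the tail instead of a static list; the rotation check compares the inode at the path with the inode of the open descriptor, which is what catches multilog's rename of `current`, and the size check catches in-place truncation. Checking on every quiet poll rather than on every line keeps the cost to one `stat()` per poll interval. The HELO-versus-reverse-DNS pattern from the post is deliberately left out of `blacklist_candidates`, since it needs a lookup rather than a log field.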
