OK, I'm ready to take the next step in trying to cut down on the wasted
cycles my email server spends rejecting spam after spam after spam from
the same source.
My thoughts are that I'd like to monitor all the messages processed by
simscan, and automatically blacklist IPs for a limited time (24 hours?)
if they meet certain requirements.
I'm running stock simscan 1.1, without the additional logging that
someone (Rick?) did. Ideally, for every email, I'd like to know the
following:
Already in CHKUSR logs:
  - sender IP
  - SMTP AUTH info (if any)
  - sender's "SMTP HELO" hostname
  - sender's IP address
  - recipient address
  - whether recipient exists or not
Additional fields:
  - virus status (yes/no)
  - spam score
My thoughts are that I can start blacklisting IPs that match spammer
patterns:
  - lots of non-existent addresses
  - lots of "random" from addresses coming from the same HELO/ip address combo
  - fqdn of HELO doesn't match reverse lookup of IP
  - lots of high-scoring spam
I haven't decided whether I want to modify simscan to try to log this
information to MySQL for processing, or write a separate Perl program
that runs in the background parsing the qmail-smtpd logs. My thought
is that a MySQL socket connection for every single instance of simscan
might be more load than the overhead of reading/parsing the log files.
Has anyone started work on something like this? If I could at least
start with a report of every IP that sent me email, the number of
messages, and the min/max/average spam score of the messages sent, I
could decide whether the additional work would pay off.
Has anyone started on something like this? Any pointers on code to use
to "tail" a file and detect when it's been renamed/rolled so I can
switch to the next "current" log?
--
Tom Collins - [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
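An added example (not from the post, from simscan, or from any of the projects in the signature) that sketches the log-parsing side of what is asked above: a per-IP report with message count and min/max/average spam score, a first cut at the "spammer pattern" rules, and a tailer that follows the "current" log across a rename-based rotation. It is written in Python rather than the Perl the post mentions, and the key=value line layout in SAMPLE_LOG is an assumed, simplified format, not the real CHKUSR/simscan output; the field names (ip, helo, rcpt, exists, score), the thresholds in flag_ips and the LogTailer/simulate_rotation names are all hypothetical.

```python
"""Tail a qmail-smtpd/simscan log across rotation and summarise per-IP counts and
spam scores. The key=value layout is an ASSUMED simplified format, not real output."""
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample lines in the assumed format (not real CHKUSR/simscan output).
SAMPLE_LOG = """\
ip=192.0.2.10 helo=mail.example.net rcpt=bob@example.com exists=1 score=1.2
ip=192.0.2.10 helo=mail.example.net rcpt=alice@example.com exists=1 score=0.4
ip=198.51.100.7 helo=xyz123.invalid rcpt=aaaa@example.com exists=0 score=12.5
ip=198.51.100.7 helo=xyz123.invalid rcpt=bbbb@example.com exists=0 score=15.0
ip=198.51.100.7 helo=xyz123.invalid rcpt=cccc@example.com exists=0 score=9.1
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one log line into a dict; None if it carries no sender IP."""
    f = dict(FIELD_RE.findall(line))
    if "ip" not in f:
        return None
    f["exists"], f["score"] = f.get("exists") == "1", float(f.get("score", "0"))
    return f

def aggregate(lines):
    """Per-IP totals: message count, non-existent recipients, all spam scores."""
    stats = defaultdict(lambda: {"count": 0, "bad_rcpt": 0, "scores": []})
    for rec in filter(None, map(parse_line, lines)):
        s = stats[rec["ip"]]
        s["count"] += 1
        s["bad_rcpt"] += 0 if rec["exists"] else 1
        s["scores"].append(rec["score"])
    return stats

def report(stats):
    """The first report the post asks for: {ip: (count, min, max, avg score)}."""
    return {ip: (s["count"], min(s["scores"]), max(s["scores"]),
                 round(sum(s["scores"]) / len(s["scores"]), 2))
            for ip, s in stats.items()}

def flag_ips(stats, min_msgs=3, ratio=0.5, spam_threshold=8.0):
    """IPs sending mostly to non-existent addresses or mostly high-scoring spam,
    judged only once min_msgs messages have been seen from them (hypothetical thresholds)."""
    flagged = set()
    for ip, s in stats.items():
        if s["count"] < min_msgs:
            continue
        high = sum(1 for x in s["scores"] if x >= spam_threshold)
        if max(s["bad_rcpt"], high) / s["count"] >= ratio:
            flagged.add(ip)
    return flagged

class LogTailer:
    """Return lines appended since the last call; reopen when the path names a
    new inode (log renamed/rolled) or the file shrank (truncated in place)."""
    def __init__(self, path):
        self.path, self.fh, self.inode = path, None, None

    def _drain(self):
        out = []
        while True:
            pos = self.fh.tell()
            line = self.fh.readline()
            if not line.endswith(b"\n"):          # EOF or partial line: keep it
                self.fh.seek(pos)
                return out
            out.append(line.decode("utf-8", "replace"))

    def read_new_lines(self):
        lines = self._drain() if self.fh else []  # finish the old file first
        try:
            st = os.stat(self.path)
        except FileNotFoundError:                 # rolled, new file not yet there
            return lines
        if self.fh is None or st.st_ino != self.inode:
            if self.fh:
                self.fh.close()
            self.fh = open(self.path, "rb")       # binary: tell() is a byte offset
            self.inode = os.fstat(self.fh.fileno()).st_ino
            lines += self._drain()
        elif st.st_size < self.fh.tell():
            self.fh.seek(0)
            lines += self._drain()
        return lines

def simulate_rotation():
    """Constructed scenario: partial last line, then rename (as multilog does) and replace."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "current")
        with open(path, "w") as f:
            f.write("ip=192.0.2.1 score=1.0\npartial")
        t = LogTailer(path)
        first = t.read_new_lines()
        os.rename(path, path + ".old")
        with open(path + ".old", "a") as f:
            f.write(" line\n")
        with open(path, "w") as f:
            f.write("ip=192.0.2.2 score=2.0\n")
        second = t.read_new_lines()
        t.fh.close()
        return first, second
```

Running `report(aggregate(SAMPLE_LOG.splitlines()))` gives the per-IP count/min/max/avg table, and `flag_ips` on the same stats picks out only the host with three messages to non-existent recipients. The tailer compares the inode of the open handle with the inode the name currently points at, which is what matters for multilog, since it rotates by renaming `current` rather than truncating it; a partial last line is held back until its newline arrives, and lines appended to the old file after the rename are still drained before the new file is opened. It does not catch a file that was truncated and then regrown past the old offset between two polls, so poll often enough for that to be unlikely. The thresholds in `flag_ips` are placeholders: look at the report for a while before deciding what counts as "lots".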