Problem:

I am getting hit with a dictionary attack on my mail server over a limited bandwidth connection. Volume is slowly increasing, going to over 4000 (maybe 6000 now) email messages a day. Over 90% of these are spam from the dictionary attack.
I do use a few blacklists, and they catch about 90% of them. But I seem to be on the bleeding edge of this stuff because I get the first batch of junk sent out before they are added to the blacklists.

I finally got tired of all the junk mail (and wasted bandwidth) and started looking for better ways to minimize it. I have a list of email addresses that are receiving email but the email addresses have never existed, anyone sending email to them is sending spam.

Current Solution:

So I decided to write a filter. I am trying to block the sending ip addresses and I am trying to block this as early as possible to cut down on my bandwidth usage. From what I can tell looking at the XMail source, if the sending IP address is listed in the spammers.tab file the connection is dropped before any real traffic happens. (The check is made at the time of connection before anything is sent or received).

So my plan is to add any senders that get through to me in the spammers.tab. When I receive an email I am looking up the email address that it was sent to. If that email address is in my list of bad email addresses I want to halt all email from that sending ip address by adding that ip to the spammers.tab.

In the filter.out.tab I have a filter that looks up the email address it was sent to. If the email address is in my list I am adding that ip address to the spammers.tab and returning a 4 from the filter.

This does seem to stop me from receiving the email. But it does appear that the spammers are able to send many emails on the same connection, without the server rechecking the spammers.tab.

So what I am looking for is an idea on how to have the filter do something that will cause all the checks to be redone. Ideally it would force the connection to be closed so when the spammer retries it would then be found in the spammers.tab and blocked.
Or if this is not the best way to implement this functionality, what are some other ideas? It does seem to be working pretty good, if I could just have the filter force the connection to be dropped it might be close to perfect.

Thanks
Phillip
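The trap-address logic described in the post, as an added sketch that is not part of the original message and is not XMail's own code. Assumptions: the recipient and sending IP arrive as function arguments, a spammers.tab line is a quoted address and a quoted netmask separated by a tab, exit code 0 means "accept", and the `LOCAL_NETS` list is constructed for illustration.

```python
import ipaddress
import os

REJECT = 4   # exit code the post's filter returns for trapped mail
ACCEPT = 0   # assumed "continue normally" exit code

# Constructed list of networks that must never be blocked (own hosts, relays).
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

def load_traps(lines):
    """Normalise the list of never-existed addresses for case-insensitive lookup."""
    return {l.strip().lower() for l in lines if l.strip()}

def listed_ips(tab_path):
    """Return the addresses already present in the blocklist file."""
    ips = set()
    if os.path.exists(tab_path):
        with open(tab_path) as fh:
            for line in fh:
                fields = line.split()
                if fields:
                    ips.add(fields[0].strip('"'))
    return ips

def handle_message(rcpt, remote_ip, traps, tab_path):
    """Decide the filter exit code; blocklist the sender if rcpt is a trap."""
    if rcpt.strip().lower() not in traps:
        return ACCEPT
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return REJECT              # reject, but never write junk into the tab
    if any(ip in net for net in LOCAL_NETS):
        return REJECT              # do not lock out local hosts
    if str(ip) not in listed_ips(tab_path):   # avoid duplicate entries
        with open(tab_path, "a") as fh:
            # Assumed line format: "address"<TAB>"netmask" (single host)
            fh.write('"%s"\t"255.255.255.255"\n' % ip)
    return REJECT

if __name__ == "__main__":
    traps = load_traps(["never-existed@example.com"])   # constructed sample
    print(handle_message("never-existed@example.com", "203.0.113.7",
                         traps, "spammers.tab.sample"))
```

The duplicate check keeps the file from growing when the same sender delivers several trapped messages on one connection, which is the behaviour the post reports.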
