Hi all, I'd like to share a bit of something I spent a little time on recently and which eventually might make it into the AV-SPAM as a configurable option:

I was getting a bit of SPAM in the last six weeks which had me bonkers. It was usually 30-40 emails a day. About 10% of those were the stuff that often slips through anyway. The rest were often HTML emails with random text in the footer, a link and an image, or text that was generic enough to not outright trigger any rules that would mark it as SPAM. Clearly the perpetrators were checking their emails with SpamAssassin and tweaked them enough to make the emails score low enough. About 80% of those SPAMs that made it through were from the same ASN, and that ASN changed daily. The amount of ASNs they went through in the last 30 days or so is kinda bamboozling. Yet they come back with more. Still: the SPAMs were spread out through the day and night, so they didn't all arrive in the same timeframe. After optimizing some existing SpamAssassin rules (and creating new ones) I managed to cut the leakage down a bit.

However, I started to think about starting my own RBL and tying that into SpamAssassin, which is fairly simple. As I do run a PowerDNS master/slave DNS server with MySQL backend, it was easy to do so: I just set an unused zone aside, configured it properly with short TTLs and short caching and set up a separate PHP script that takes IPs, turns them into RBL records and (if not already present in SQL) feeds them into SQL and bumps the zone serial. To automate this further I set up a Perl script that parses a separate IMAP folder into which all detected SPAMs (and all SPAMs that I moved manually into that folder) get parsed, and the sender IP is extracted. The script then checks that the sender IP is not in our whitelist (which contains everything we never want to block!) and then automatically pushes every remaining (bad) IP into the RBL blacklist. From there it was just a matter of setting up a cronjob that runs this every few minutes.

So all that is left to do is to move escaped SPAMs into this separate IMAP folder and the offending IP gets blacklisted automatically. Even better: I have a few ancient mailboxes that get nothing but SPAM. Including them in the script that parses the IMAP folder now auto-feeds the IP addresses of SPAM senders into the RBL as well. Once the RBL has grown large enough to make it worth our while I'll include it in the AV-SPAM and you can decide if you want to use it as well and which score you apply to emails from IPs that are in the Solarspeed RBL. If the score is high enough, these emails can be rejected at the MTA level, which is what I currently do.

--
With best regards

Michael Stauber
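The pipeline Michael describes (take the connecting IP from the spam, skip anything on the whitelist, insert a reversed-octet A record into the zone's SQL records table, bump the SOA serial), as an added Python example that is not his Perl or PHP code. The zone name, whitelist and sample message are constructed, and an in-memory sqlite3 database stands in for the PowerDNS MySQL backend.

```python
import email
import ipaddress
import re
import sqlite3

RBL_ZONE = "rbl.example.invalid"              # assumed zone name, not the author's real zone
WHITELIST = ["192.0.2.0/24", "198.51.100.7"]  # constructed never-block list (CIDRs or hosts)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Constructed spam: the topmost Received: line is the one our own MTA wrote.
SAMPLE_SPAM = ("Received: from mail.bad.example (unknown [203.0.113.9])\n\tby mx.example.invalid\n"
               "Received: from [10.0.0.5] by mail.bad.example\nSubject: cheap stuff\n\nbody\n")

def rbl_name(ip, zone=RBL_ZONE):
    """DNSBL naming: reverse the octets, e.g. 203.0.113.9 -> 9.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_whitelisted(ip, whitelist=WHITELIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(w, strict=False) for w in whitelist)

def sender_ip(raw_message):
    """Connecting IP from the topmost Received: header; deeper hops are sender-controlled."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    m = BRACKET_IP.search(received[0]) if received else None
    return m.group(1) if m else None

def init_zone(serial=2024010101):
    """Fresh in-memory stand-in for the PowerDNS SQL backend, with a short-TTL SOA."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE records(id INTEGER PRIMARY KEY, domain_id INTEGER,
                    name TEXT, type TEXT, content TEXT, ttl INTEGER)""")
    soa = f"ns1.{RBL_ZONE} hostmaster.{RBL_ZONE} {serial} 300 60 86400 60"
    conn.execute("INSERT INTO records(domain_id,name,type,content,ttl) VALUES (1,?,'SOA',?,60)", (RBL_ZONE, soa))
    return conn

def current_serial(conn):
    row = conn.execute("SELECT content FROM records WHERE type='SOA' AND name=?", (RBL_ZONE,)).fetchone()
    return int(row[0].split()[2])

def add_to_rbl(conn, ip):
    """List ip (A 127.0.0.2) unless whitelisted or already present, then bump the SOA serial."""
    name = rbl_name(ip)
    if is_whitelisted(ip) or conn.execute("SELECT 1 FROM records WHERE name=?", (name,)).fetchone():
        return False
    conn.execute("INSERT INTO records(domain_id,name,type,content,ttl) VALUES (1,?,'A','127.0.0.2',60)", (name,))
    soa = f"ns1.{RBL_ZONE} hostmaster.{RBL_ZONE} {current_serial(conn) + 1} 300 60 86400 60"
    conn.execute("UPDATE records SET content=? WHERE type='SOA' AND name=?", (soa, RBL_ZONE))
    return True
```

Only the topmost Received: header is trusted because every hop below it was written by the sending side and can be forged; the whitelist check runs before any insert so a legitimate relay moved into the folder by mistake never gets listed.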