Here's something I've been meaning to write for ages and finally got around to it, in part by pulling in a bunch of code from my uribl plugin posted here last month.
Like uribl, it scans the body (and optionally headers) during delivery, extracting hostnames from any URIs it finds. Unlike uribl, it then resolves any hostnames, and compares the resulting addresses against a configured set of CIDR ranges. If any matches are found, it either adds a header for later use, or rejects the mail outright.

This attacks the particular problem of spammers advertising sites hosted by spam-friendly ISPs in China, whose hostnames change fairly rapidly. The SURBL project works by blacklisting hosts that have been seen in spam; this plugin skips that step and blacklists hosts found in particular ISPs or countries, whether they've been spammed before or not.

In a simple case, one could throw CIDRs for all of chinanet.cn into the config to deal with the chronic comcast-zombie/chinanet-webhost spam seen these days. In a much more aggressive one, you could toss all of the APNIC IP ranges (http://www.apnic.net/db/ranges.html) in (I'm currently doing that for testing, and one decent approach would be to combine this with a SpamAssassin rule).

The plugin is at http://devin.com/qpsmtpd/uri_badip . You'll need Net::CIDR::Lite to use it.

-- 
Devin    \ aqua(at)devin.com, 1024D/E9ABFCD2;  http://www.devin.com
Carraway \ IRC: Requiem  GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
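The scan-resolve-match pipeline the post describes, written out as an added example in Python (it is not the uri_badip plugin's own Perl code, and qpsmtpd plugins are Perl). The URI regex, the helper names, and the sample message, DNS answers and CIDR list are all constructed for this example; the CIDRs are RFC 1918/5737 documentation ranges standing in for whatever ISP ranges an operator would actually configure. DNS lookups go through an injectable resolver so the example runs offline with a stub; `system_resolver` is what you would pass in for real use. The `DENY`/`DECLINED` strings mirror the two outcomes the post names (reject outright, or add a header and continue).

```python
"""Extract URI hostnames from a message body, resolve them, match against CIDRs."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple, Union

# Hostname extraction: scheme://[user@]host[:port]/... or a bare www.host.
# This regex is the example's own, not the plugin's.
URI_HOST_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://(?:[^\s/@]+@)?|(?=www\.))"
    r"([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)",
    re.IGNORECASE,
)

Resolver = Callable[[str], Set[str]]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def extract_hostnames(text: str) -> Set[str]:
    """Return every hostname that appears inside a URI in the text, lower-cased."""
    return {m.group(1).lower() for m in URI_HOST_RE.finditer(text)}


def system_resolver(host: str) -> Set[str]:
    """Default resolver: all A/AAAA answers from the system resolver (needs network)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def load_cidrs(cidrs: Iterable[str]) -> List[Network]:
    """Parse configured CIDR strings; strict=False tolerates host bits set in the config."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]


def scan_body(body: str, nets: List[Network],
              resolver: Resolver = system_resolver) -> Dict[str, List[Tuple[str, str]]]:
    """Map each hostname whose address falls inside a configured range to (ip, cidr) hits."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for host in sorted(extract_hostnames(body)):
        for addr in sorted(resolver(host)):
            try:
                ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
            except ValueError:
                continue
            for net in nets:
                if ip.version == net.version and ip in net:
                    hits.setdefault(host, []).append((addr, str(net)))
                    break  # one matching range per address is enough
    return hits


def decide(hits: Dict[str, List[Tuple[str, str]]], reject: bool) -> Tuple[str, str]:
    """Mirror the plugin's two modes: DENY with a reason, or DECLINED plus a header line."""
    if not hits:
        return ("DECLINED", "")
    summary = "; ".join(f"{h}={ip} in {net}"
                        for h, pairs in hits.items() for ip, net in pairs)
    if reject:
        return ("DENY", f"URI host resolves to a blacklisted network: {summary}")
    return ("DECLINED", f"X-URI-BadIP: {summary}")


# Constructed sample data (documentation/private ranges, made-up DNS answers).
SAMPLE_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]
SAMPLE_DNS = {
    "www.example.net": {"10.1.2.3"},
    "promo.example.org": {"192.0.2.5"},
    "www.example.com": {"203.0.113.9", "2001:db8::9"},
}
SAMPLE_BODY = """Hi,
see http://www.example.net/offer and https://user@promo.example.org:8080/p?x=1
or just www.example.com today.
"""


def stub_resolver(host: str) -> Set[str]:
    """Offline stand-in for system_resolver, answering only from SAMPLE_DNS."""
    return SAMPLE_DNS.get(host, set())


def demo(reject: bool = True) -> Tuple[str, str]:
    """Run the full pipeline over the constructed sample message."""
    return decide(scan_body(SAMPLE_BODY, load_cidrs(SAMPLE_CIDRS), stub_resolver), reject)


if __name__ == "__main__":
    print(demo(reject=True))
    print(demo(reject=False))
```

Two points worth noting for anyone reimplementing this: resolving every hostname in every message is a synchronous DNS round trip per host at SMTP time, so a slow or dead authoritative server for a spammed domain stalls delivery (the real plugin presumably wants a timeout); and the IPv4 list above silently ignores the AAAA answer for www.example.com, so a v6-only host would pass unless v6 ranges are configured too.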