I believe the rule SB_NEW_BULK in 3.0 already does what you want, in
terms of identifying new IP addresses sending large amounts of mail.
# S23 = domain daily magnitude
# S25 = date of first message from this domain
header SB_NEW_BULK eval:check_rbl_sub('sb', 'sb:S23 > 6.2
&& (time
- S25 < 120*86400)')
describe SB_NEW_BULK Sender domain is new and very high
volume
tflags SB_NEW_BULK net
- dan
--
Dan Kohn <mailto:[EMAIL PROTECTED]>
<http://www.dankohn.com/> <tel:+1-650-327-2600>
-----Original Message-----
From: John Hardin [mailto:[EMAIL PROTECTED]
Sent: Monday, July 12, 2004 16:32
To: Justin Mason
Cc: Matthew Trent; SpamAssassin list; Chris Santerre
Subject: Re: include IP lookups in SURBL lists
On Mon, 2004-07-12 at 16:13, Justin Mason wrote:
> Or use the data from SenderBase. http://senderbase.org/
Nice resource, thanks for the reference. I don't see how I can get
"domains registered in the last X hours" -type info from it, though.
{googles a bit}
Apparently there is a free service that could be queried daily for this
data:
http://www.namestead.com/new-domains-lists/new_com_040711_domain-name-ne
w-list.txt
Chris: any interest in providing a recently-registered-domains SURBL?
--
John Hardin KA7OHZ <[EMAIL PROTECTED]>
Internal Systems Administrator voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
2 days until Apropos Forum 2004
