Jari Fredriksson wrote:
Marc Perkel wrote:
Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.
http://iplist.junkemailfilter.com/black.txt
Here are instructions on how to use it with SpamAssassin and Exim.
http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
I'd like to get some feedback on how well it's working.
Hmm, how about documenting how it is supposed to work? How does an IP address
end up on your list?
The wiki link has it somewhat documented but I'm trying something new and I'm
still testing it so I'm not going to document it for a while till I know it
works. But - the simple explanation is this.
On the lower-numbered MX records I have 3 mail servers, any one of which can
carry the whole load in an emergency. On the higher-numbered MX I have about 10
dummy IP addresses that normal email should never hit. Spammers however,
especially spam bots, have been hitting random MX records instead of figuring
out the proper order. The idea is that the backup servers might have less spam
filtering than the main server.
So any hits on these fake MX records are counted as spam hits. Every 10 minutes
I count up the spam and ham hits per IP and generate my black, white, and
yellow lists. To make the black list there has to be enough hits to be worth
counting and it has to be 99% spam. The high MX records always return a 421 error
but count as a spam hit.
Some of the details are a little more complex. I process SA-determined spam
hits differently than spammer-trick spam, not only in scoring but in the time
that I keep the data. Fake MX data lives 1 day. Spam lives 3 days, and ham
lives 7 days. Every 6 hours I shift the log data down, creating a new file and
deleting the oldest file.
If this works out it could be done on a more massive community scale and it
could totally wipe out all spambot spam. Right now I have no spambot spam at
all making it through the system using this and other tricks. Most of my
filtering is done using Exim rules but I still use SA for the remaining 1% or
so. I'm also feeding spam to several block list services who are using my data
to add to blocking spam everywhere.
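As an added illustration of the counting scheme described in the message above (this is not Marc's code and nothing from junkemailfilter.com, just a toy reconstruction): the 6-hour log rotation is modelled as a list of slots, newest first, each hit kind keeps the retention the message gives (fake MX 1 day, spam 3 days, ham 7 days), and fake-MX hits are counted as spam. The message says "enough hits to be worth counting" without a number, so a minimum of 5 hits is an assumption here; the white and yellow list rules are not described in the message and are left out. The sample IPs are constructed documentation addresses.

```python
"""Toy reconstruction of the fake-MX blacklist counting described in the thread."""
from collections import defaultdict

SLOT_HOURS = 6                      # the message rotates log data every 6 hours
SLOTS_PER_DAY = 24 // SLOT_HOURS    # 4 slots per day

# Retention per hit kind, in 6-hour slots: fake MX 1 day, spam 3 days, ham 7 days
RETENTION_SLOTS = {
    "fakemx": 1 * SLOTS_PER_DAY,    # 4
    "spam": 3 * SLOTS_PER_DAY,      # 12
    "ham": 7 * SLOTS_PER_DAY,       # 28
}
MAX_SLOTS = max(RETENTION_SLOTS.values())

MIN_HITS = 5        # ASSUMPTION: the message gives no number for "enough hits"
BLACK_RATIO = 0.99  # the message's 99% spam requirement


def new_log():
    """A log is a list of slots, newest first; each slot holds (ip, kind) hits."""
    return [[]]


def record(log, ip, kind):
    """Append one hit to the current (newest) slot."""
    if kind not in RETENTION_SLOTS:
        raise ValueError(f"unknown hit kind: {kind}")
    log[0].append((ip, kind))


def rotate(log):
    """Every 6 hours: open a new slot at the front and drop anything past 7 days."""
    log.insert(0, [])
    del log[MAX_SLOTS:]


def tally(log):
    """Count live spam and ham hits per IP, honouring each kind's own retention."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for age, slot in enumerate(log):        # age 0 is the current 6-hour slot
        for ip, kind in slot:
            if age >= RETENTION_SLOTS[kind]:
                continue                    # expired for this kind of hit
            bucket = "ham" if kind == "ham" else "spam"   # fake-MX hits count as spam
            counts[ip][bucket] += 1
    return counts


def blacklist(log, min_hits=MIN_HITS, ratio=BLACK_RATIO):
    """IPs with at least min_hits live hits of which at least `ratio` are spam."""
    out = []
    for ip, c in tally(log).items():
        total = c["spam"] + c["ham"]
        if total >= min_hits and c["spam"] / total >= ratio:
            out.append(ip)
    return sorted(out)


def demo():
    """Constructed sample: one bot, one normal peer, one host whose old fake-MX hits expired."""
    log = new_log()
    for _ in range(6):
        record(log, "192.0.2.9", "fakemx")   # two days ago: past the 1-day fake-MX window
    for _ in range(8):
        rotate(log)                          # 8 x 6h = 2 days of rotations
    for _ in range(6):
        record(log, "203.0.113.5", "fakemx")  # hammering the dummy MX hosts right now
    for _ in range(4):
        record(log, "198.51.100.7", "ham")    # a normal peer with one SA spam hit
    record(log, "198.51.100.7", "spam")
    return blacklist(log)


if __name__ == "__main__":
    print(demo())   # ['203.0.113.5']
```

Running it lists only the host currently hitting the dummy MX records: the peer at 198.51.100.7 has five hits but is only 20% spam, and 192.0.2.9's fake-MX hits aged out after one day even though a spam hit of the same age would still be live for three.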