Jari Fredriksson wrote:
Marc Perkel wrote:
Using my new ideas here's my raw blacklist file. It has about 80k IP
addresses and is updated every 10 minutes.

http://iplist.junkemailfilter.com/black.txt

Here are instructions on how to use it with SpamAssassin and Exim.

http://wiki.ctyme.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples

I'd like to get some feedback on how well it's working.


Hmm, how about documenting how it is supposed to work? How does an IP address 
end up on your list?

The wiki link has it somewhat documented, but I'm trying something new and I'm 
still testing it, so I'm not going to document it for a while till I know it 
works. But the simple explanation is this.

On the lower numbered MX records I have 3 mail servers, any one of which can 
carry the whole load in an emergency. On the higher numbered MX records I have 
about 10 dummy IP addresses that normal email should never hit. Spammers, 
however, especially spam bots, have been hitting random MX records instead of 
figuring out the proper order. The idea is that the backup servers might have 
less spam filtering than the main server.

So any hits on these fake MX records are counted as spam hits. Every 10 minutes 
I count up the spam and ham hits per IP and generate my black, white, and 
yellow lists. To make the black list there have to be enough hits to be worth 
counting, and they have to be 99% spam. The high MX records always return a 421 
error but count as a spam hit.

Some of the details are a little more complex. I process SA-determined spam 
hits differently than spammer-trick spam, not only in scoring but in the time 
that I keep the data. Fake MX data lives 1 day. Spam lives 3 days, and ham 
lives 7 days. Every 6 hours I shift the log data down, creating a new file and 
deleting the oldest file.

If this works out it could be done on a more massive community scale and it 
could totally wipe out all spambot spam. Right now I have no spambot spam at 
all making it through the system using this and other tricks. Most of my 
filtering is done using Exim rules but I still use SA for the remaining 1% or 
so. I'm also feeding spam to several block list services who are using my data 
to add to blocking spam everywhere.
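The per-IP counting described above (fake-MX hits counted as spam, per-kind retention windows, "enough hits" and the 99% rule), written out as an added example; this is not Marc's code or the junkemailfilter.com tooling. Assumptions of mine: a log line has the shape "<unix-ts> <ip> <kind>" with kind one of fakemx, spam or ham; MIN_HITS = 5 stands in for "enough hits to be worth counting"; the yellow list's rule is not given in the thread, so anything not black or white is just returned as "other".

```python
"""Added example: rebuild black/white lists from per-IP hit logs.
Log format, MIN_HITS and the 'other' bucket are assumptions, not from the thread."""
from collections import defaultdict

# Retention windows from the message: fake-MX hits 1 day, spam 3 days, ham 7 days.
RETENTION = {"fakemx": 1 * 86400, "spam": 3 * 86400, "ham": 7 * 86400}
MIN_HITS = 5          # assumed value for "enough hits to be worth counting"
BLACK_RATIO = 0.99    # "has to be 99% spam"


def parse_line(line):
    """Parse an assumed '<unix-ts> <ip> <kind>' log line."""
    ts, ip, kind = line.split()
    if kind not in RETENTION:
        raise ValueError(f"unknown hit kind: {kind}")
    return int(ts), ip, kind


def tally(lines, now):
    """Return {ip: {'spam': n, 'ham': n}}, keeping only hits still inside
    their own retention window. A fake-MX hit counts as a spam hit."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in lines:
        ts, ip, kind = parse_line(line)
        if now - ts > RETENTION[kind]:
            continue  # aged out of its window, as if its log file was deleted
        counts[ip]["spam" if kind in ("fakemx", "spam") else "ham"] += 1
    return counts


def classify(counts):
    """black: enough hits and >=99% spam; white: enough hits and all ham;
    other: too few hits or a mixed ratio (the thread's yellow rule is not given)."""
    black, white, other = set(), set(), set()
    for ip, c in counts.items():
        total = c["spam"] + c["ham"]
        if total >= MIN_HITS and c["spam"] / total >= BLACK_RATIO:
            black.add(ip)
        elif total >= MIN_HITS and c["ham"] == total:
            white.add(ip)
        else:
            other.add(ip)
    return black, white, other


NOW = 1_000_000  # constructed "current" time (documentation-range IPs below)
LOG = ([f"{NOW - 600} 198.51.100.7 fakemx"] * 5             # 5 fresh fake-MX hits
       + [f"{NOW - 3600} 203.0.113.9 ham"] * 6              # 6 fresh ham hits
       + [f"{NOW - 2 * 86400} 192.0.2.1 fakemx"] * 4        # 2 days old: expired
       + [f"{NOW - 60} 192.0.2.1 spam"]                     # one fresh hit: too few
       + [f"{NOW - 60} 198.51.100.8 spam"] * 49
       + [f"{NOW - 60} 198.51.100.8 ham"])                  # 49/50 = 98%: not black


def build_lists(lines=LOG, now=NOW):
    return classify(tally(lines, now))
```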
