John Rudd wrote:

If you're going to do this, I would suggest that instead of counting to X hits on your low priority MX's and then blacklisting the IP, do this:

Count on all of your MX's, and look for a ratio between "hits on low priority MX's and hits on high priority MX's".

IFF the high priority MX hit rate is 0, then just do a simple count on the hits against the low priority MX's.

IF the higher priority MX hit rate is > 0, then do (low priority hit rate) / (high priority hit rate), and look for a number >= something like 10.


That way, senders that might sequentially try your servers, due to problems, or even just because they roll through the servers over time, won't get tagged.



OK - I've implemented an interesting trick that solves the problem. I'm using the Exim RateLimit logic that only allows 1 hit per 20 seconds to be counted. Thus if a high priority MX is hit then that creates a 20 second window where hitting my fake MX records doesn't count. I've noticed in my logs that most servers will zip through all MX records (now 10) in less than a second or two. This trick also prevents multiple hits on fake MX records from being counted multiple times.

With this new trick along with a few others I no longer get any bot spam at all. I'm still tweaking and testing but this is looking really good.
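The two ideas in this thread, John Rudd's ratio of low-priority to high-priority MX hits and the 20-second counting window from the reply above, can be combined into one small scoring routine. The following is an added example, not code from either poster and not Exim's ratelimit implementation: it reads constructed log lines of the form `timestamp source-ip mx-host`, counts at most one hit per source per 20 seconds (a suppressed hit does not extend the window; that is an assumed interpretation of the post), and then applies the ratio rule. The MX host names, IP addresses, the count threshold of 5 and the log format are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed MX layout: one real (high priority) host and several decoy
# (low priority) hosts, as described in the thread. Names are assumptions.
HIGH_PRIORITY_MX = {"mx1.example.test"}
LOW_PRIORITY_MX = {"mx2.example.test", "mx3.example.test", "mx9.example.test"}

WINDOW_SECONDS = 20    # from the reply: only 1 hit per 20 seconds is counted
RATIO_THRESHOLD = 10   # from John Rudd's suggestion: low/high >= 10
COUNT_THRESHOLD = 5    # assumed: low-priority hits needed when high hits == 0


@dataclass
class SenderStats:
    high_hits: int = 0
    low_hits: int = 0
    last_counted: Optional[float] = None  # timestamp of the last counted hit


class MxHitTracker:
    """Per-source counter of real vs decoy MX connections with a rate window."""

    def __init__(self) -> None:
        self.stats = defaultdict(SenderStats)

    def record(self, ip: str, mx_host: str, ts: float) -> bool:
        """Record one connection; return True if it was counted."""
        s = self.stats[ip]
        # Inside the window nothing is counted, so a sender that walks all
        # MX records in a second or two only ever registers its first hit.
        if s.last_counted is not None and ts - s.last_counted < WINDOW_SECONDS:
            return False
        if mx_host in HIGH_PRIORITY_MX:
            s.high_hits += 1
        elif mx_host in LOW_PRIORITY_MX:
            s.low_hits += 1
        else:
            return False  # not one of our MX hosts; ignore
        s.last_counted = ts
        return True

    def is_suspect(self, ip: str) -> bool:
        """Apply the ratio rule from the thread to one source address."""
        s = self.stats[ip]
        if s.high_hits == 0:
            return s.low_hits >= COUNT_THRESHOLD
        return s.low_hits / s.high_hits >= RATIO_THRESHOLD


def analyze(log_text: str) -> dict:
    """Parse 'ts ip host' lines and return {ip: (high, low, suspect)}."""
    tracker = MxHitTracker()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, host = line.split()
        tracker.record(ip, host, float(ts))
    return {
        ip: (s.high_hits, s.low_hits, tracker.is_suspect(ip))
        for ip, s in tracker.stats.items()
    }


# Constructed sample: a normal MTA walking the MX list in about a second,
# a bot hammering only decoy hosts every 30 s, and a retrying sender that
# alternates between real and decoy hosts over a few minutes.
SAMPLE_LOG = """\
1000.0 192.0.2.10 mx1.example.test
1000.4 192.0.2.10 mx2.example.test
1000.9 192.0.2.10 mx3.example.test
1001.2 192.0.2.10 mx9.example.test
2000.0 198.51.100.7 mx9.example.test
2030.0 198.51.100.7 mx3.example.test
2060.0 198.51.100.7 mx2.example.test
2090.0 198.51.100.7 mx9.example.test
2120.0 198.51.100.7 mx9.example.test
3000.0 203.0.113.5 mx1.example.test
3030.0 203.0.113.5 mx2.example.test
3060.0 203.0.113.5 mx1.example.test
3090.0 203.0.113.5 mx3.example.test
"""

if __name__ == "__main__":
    for ip, (high, low, suspect) in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} high={high} low={low} suspect={suspect}")
```

Running it on the constructed log flags only the second source: the normal MTA's three decoy hits fall inside the 20-second window opened by its first real hit, and the retrying sender's 2:2 ratio stays far below the threshold of 10.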
