Steve Radich wrote:
Sorry; apparently I was unclear.

MX records I'm saying as follows:
        100 - Real
        200 - Real perhaps, as many "real" as you want
        300 - Bogus - one that blocks port 25 with tcp reset for example
        400 - accept port, logs ip -> blacklist (not to be scored aggressively at all) with a 421/retry.
If a whole bunch of places are seeing the same smtp server hitting this
400 level MX then I'm saying that seems like a useful thing to be
included in a blacklist using a low score in sa.

The point was to offer the 400 level mx as a free service to log the ips
quickly for those that don't want to set up the server themselves.

In theory the 400 level MX wouldn't be used by "real" smtp very often,
hence it's likely a spammer and therefore the IP could be auto
blacklisted.  Realize I'm NOT proposing we block on this, just score
based on this list.

Steve Radich - http://www.aspdeveloper.net / http://www.virtualserverfaq.com
BitShop, Inc. - Development, Training, Hosting, Troubleshooting - http://www.bitshop.com

I'm actually doing something like that. What I do is track hits on the highest MX that has not hit the lowest numbered MX, then because I use Exim I can track which IP addresses don't send the QUIT command to close the connection. This combination creates a highly reliable blacklist and I'm currently tracking about 1.1 million virus-infected spambots that have tried to spam me in the last 4 days.

It's my hostkarma list.
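
The combination described in the reply above (hits on the highest MX from IPs that never tried the lowest MX, plus sessions closed without QUIT), as an added example that is not code from either poster or from the hostkarma list. The event tuples, IP addresses and function names are constructed for illustration; the 100/400 priorities follow the layout in the quoted message.

```python
from collections import defaultdict

# Constructed sample events (not real traffic): (client_ip, mx_priority, sent_quit).
# Priorities follow the layout in the thread: 100/200 real, 400 the logging MX.
EVENTS = [
    ("192.0.2.10", 100, True),     # normal sender, delivered to the primary
    ("192.0.2.20", 100, True),     # tried the primary first, then fell back
    ("192.0.2.20", 400, True),
    ("198.51.100.7", 400, False),  # straight to the highest MX, dropped without QUIT
    ("198.51.100.7", 400, False),
    ("203.0.113.5", 400, True),    # highest MX only, but closed the session cleanly
    ("203.0.113.9", 200, False),   # no QUIT, but never touched the highest MX
]

LOWEST_MX = 100   # assumption: priority of the primary MX
HIGHEST_MX = 400  # assumption: priority of the logging MX


def summarize(events):
    """Collapse per-connection events into per-IP facts."""
    seen = defaultdict(lambda: {"mx": set(), "high_hits": 0, "high_no_quit": 0})
    for ip, prio, quit_ok in events:
        rec = seen[ip]
        rec["mx"].add(prio)
        if prio == HIGHEST_MX:
            rec["high_hits"] += 1
            if not quit_ok:
                rec["high_no_quit"] += 1
    return seen


def list_candidates(events):
    """IPs that hit the highest MX, never the lowest, and skipped QUIT there."""
    out = {}
    for ip, rec in summarize(events).items():
        if rec["high_hits"] == 0 or LOWEST_MX in rec["mx"]:
            continue  # never used the highest MX, or fell back like a real MTA
        if rec["high_no_quit"] == 0:
            continue  # closed cleanly; one signal alone is not enough
        out[ip] = rec["high_no_quit"]  # count can feed a low score, not a block
    return out


if __name__ == "__main__":
    for ip, n in sorted(list_candidates(EVENTS).items()):
        print(f"{ip}\t{n} highest-MX connection(s) without QUIT")
```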

