On Thu, Feb 21, 2008 at 11:47 PM, Marc Perkel <[EMAIL PROTECTED]> wrote:
>
> Steve Radich wrote:
> > Sorry; apparently I was unclear.
> >
> > MX records I'm saying as follows:
> > 100 - Real
> > 200 - Real perhaps, as many "real" as you want
> > 300 - Bogus - one that blocks port 25 with tcp reset for example
> > 400 - accept port, logs ip -> blacklist (not to be scored
> > aggressively at all) with a 421/retry.
> >
> > If a whole bunch of places are seeing the same smtp server hitting this
> > 400 level MX then I'm saying that seems like a useful thing to be
> > included in a blacklist using a low score in sa.
> >
> > The point was to offer the 400 level mx as a free service to log the ips
> > quickly for those that don't want to set up the server themselves.
> >
> > In theory the 400 level MX wouldn't be used by "real" smtp very often,
> > hence it's likely a spammer and therefore the IP could be auto
> > blacklisted. Realize I'm NOT proposing we block on this, just score
> > based on this list.
> >
> > Steve Radich - http://www.aspdeveloper.net /
> > http://www.virtualserverfaq.com
> > BitShop, Inc. - Development, Training, Hosting, Troubleshooting -
> > http://www.bitshop.com
> >
>
> I'm actually doing something like that. What I do is track hits on the
> highest MX that has not hit the lowest numbered MX, then because I use
> Exim I can track which IP addresses don't send the QUIT command to close

I am thinking about playing around with the same type of thing here. Is this any different from looking for "lost connection after DATA" or "lost connection after RCPT" errors in a postfix server's logs? Not sure why you can detect this because you run Exim specifically. Or am I missing something?

> the connection. This combination creates a highly reliable blacklist and
> I'm currently tracking about 1.1 million virus infected spambots that
> have tried to spam me in the last 4 days.
>
> It's my hostkarma list.
>

Sounds interesting.. do you block based on this list or just use it for scoring in SA or something like that? What is the false positive rate?

-Aaron
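The two signals discussed in this thread (clients that hit the high-numbered decoy MX without ever trying the primary, and clients that drop the session without QUIT, which Postfix logs as "lost connection after DATA/RCPT") can be combined into a low-weight per-IP score. The following is an added example written for this page; it is not code from Marc Perkel's hostkarma setup or from anyone on the thread. The Postfix log lines, the MX host names (mx1/mx2/mx9.example.org), the MX connection records and the weights are all constructed assumptions; the "lost connection after <STAGE> from host[ip]" pattern is the standard Postfix smtpd message format.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix smtpd log lines (RFC 5737 documentation addresses),
# not real traffic. "lost connection after X" means the client went away
# without sending QUIT, which is the Exim-side signal the thread describes.
SAMPLE_POSTFIX_LOG = """\
Feb 22 10:15:01 mx1 postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Feb 22 10:15:02 mx1 postfix/smtpd[1201]: lost connection after DATA from unknown[192.0.2.10]
Feb 22 10:15:05 mx1 postfix/smtpd[1202]: connect from mail.example.net[198.51.100.7]
Feb 22 10:15:06 mx1 postfix/smtpd[1202]: disconnect from mail.example.net[198.51.100.7]
Feb 22 10:16:11 mx1 postfix/smtpd[1203]: lost connection after RCPT from unknown[203.0.113.5]
Feb 22 10:16:40 mx1 postfix/smtpd[1204]: lost connection after DATA from unknown[192.0.2.10]
Feb 22 10:17:02 mx1 postfix/smtpd[1205]: lost connection after CONNECT from unknown[203.0.113.9]
"""

LOST_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after (?P<stage>[A-Z]+) "
    r"from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

# Hypothetical MX layout following the thread's scheme: lowest number is the
# real primary, highest number is the decoy that only logs and answers 421.
MX_PRIORITY = {"mx1.example.org": 100, "mx2.example.org": 200, "mx9.example.org": 400}

# Constructed (client IP, MX host connected to) records, as the decoy and
# primary hosts might report them to a central collector.
SAMPLE_MX_CONNECTIONS = [
    ("192.0.2.10", "mx9.example.org"),
    ("198.51.100.7", "mx1.example.org"),
    ("198.51.100.7", "mx2.example.org"),  # legitimate fallback after primary
    ("203.0.113.5", "mx9.example.org"),
    ("203.0.113.9", "mx9.example.org"),
    ("203.0.113.9", "mx1.example.org"),   # also tried the primary: not flagged
]


def parse_lost_connections(log_text):
    """Count, per client IP, sessions that Postfix closed with
    'lost connection after <STAGE>' (client never sent QUIT)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOST_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def decoy_only_ips(connections, priorities):
    """IPs that connected to the highest-numbered (decoy) MX but never to the
    lowest-numbered (primary) MX. A conforming MTA tries the primary first."""
    primary = min(priorities, key=priorities.get)
    decoy = max(priorities, key=priorities.get)
    seen = defaultdict(set)
    for ip, mx in connections:
        seen[ip].add(mx)
    return {ip for ip, hosts in seen.items() if decoy in hosts and primary not in hosts}


def candidate_scores(lost_counts, decoy_ips, lost_weight=0.5, decoy_weight=1.0, cap=3.0):
    """Combine both signals into a small capped per-IP score, meant to feed a
    low-weight scoring rule (as the thread proposes), not an outright block."""
    scores = {}
    for ip in set(lost_counts) | set(decoy_ips):
        s = lost_weight * lost_counts.get(ip, 0)
        if ip in decoy_ips:
            s += decoy_weight
        scores[ip] = min(s, cap)
    return scores


if __name__ == "__main__":
    lost = parse_lost_connections(SAMPLE_POSTFIX_LOG)
    decoy = decoy_only_ips(SAMPLE_MX_CONNECTIONS, MX_PRIORITY)
    for ip, score in sorted(candidate_scores(lost, decoy).items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} score={score:.1f} lost={lost.get(ip, 0)} decoy_only={ip in decoy}")
```

The weights and cap are deliberately small so that a single dropped session (which a legitimate but flaky relay can produce) contributes little on its own; only the combination of decoy-MX hits and repeated no-QUIT sessions pushes an address toward the cap, which matches the "score, don't block" stance taken in the thread.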