On 07/09/2011 16:10, John Hardin wrote:
>> I don't want to use greylisting as I often receive legitimate email from
>> new contacts - often while I'm on the phone to them - so, introducing a
>> delay is undesirable to me.
>
> Perhaps a hybrid approach, where you greylist only if the foreign IP
> appears in a DNSBL?
> For instance:
> http://www.danplanet.com/home/75-miscellaneous/114-a-dnsbl-and-greylisting-hybrid-approach
>

While I wasn't thinking about greylisting, a hybrid approach would make it acceptable to me. Perhaps a greylist approach would be even better than actively dropping repeated spams, as a greylist would not result in an unacceptable false positive in the same way as rejecting mail would. In fact, I really like the idea of greylisting when a mail fails a DNS block list.

>> I'd hoped that there would be a way to exploit repetition of a recently
>> received spam to improve identification...
>
> The utility of that depends strongly on how quickly repetitions come
> in. If they come in too fast you won't be able to react.

Hmm - I hadn't thought of that... I'd assumed that subsequent mails would block while earlier ones are processed - but that seems less likely, now I think about it explicitly. The repeated spams seem to all arrive during the same second - so, it's entirely possible that this would be too fast. Conversely, this bunching, coupled with identical credentials, correlates strongly with SPAM, so it would make a good thing for spamassassin to detect, if it could be made to do so.

> You should be able to set up a log watcher and firewalling or a MTA
> reject database to block an IP that submits more than N messages
> scoring as spam within one minute, but I don't think anybody will be
> able to provide a premade solution for that.

I'm trying as hard as I can to be lazy on this one... or, in other words, I'd prefer a more 'standard' solution to avoid ending up maintaining a grotesque hack for years to come.

>> I've had a brief look at policyd - though it seems very heavyweight for
>> what I'm trying to achieve... and I'm yet to discover a recipe to
>> identify 'just like this recent spam'...
>
> Same from address and source IP? That is generally logged by MTAs and
> spam tools.

This is the thing that was so very, very odd. The message is identical - including the headers.

If I look at the first and last spam email in a 9-message block, then <ctrl>u to get the source, and paste them into files... diff confirms that the messages are byte-by-byte identical. I don't think it's my server that's doing the duplicating... as some spams arrive only once... even though the bulk of the spam I receive is repeated 9 times.
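The log-watcher idea from the thread (flag a client IP that delivers more than N spam-scored messages inside one minute, and note whether the burst was byte-identical copies) as an added example, not code from the thread or from any of the tools mentioned. The log line format, the `client=`/`digest=` fields and all sample lines are constructed for this example and do not match any real MTA or spamd log.

```python
"""Added example: sliding-window burst detector over constructed MTA log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not a real MTA or spamd format):
# "<ISO time> client=<ip> from=<addr> digest=<hex of message body> verdict=spam|ham"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) from=<(?P<sender>[^>]*)> "
    r"digest=(?P<digest>[0-9a-f]+) verdict=(?P<verdict>spam|ham)$")

SAMPLE_LOG = (
    ["2011-09-07T16:10:05 client=192.0.2.10 from=<bulk@example.net> "
     "digest=ab12 verdict=spam"] * 9          # nine byte-identical copies, same second
    + ["2011-09-07T16:10:30 client=198.51.100.7 from=<friend@example.org> "
       "digest=77de verdict=ham",            # legitimate mail, never counted
       "2011-09-07T16:12:00 client=203.0.113.5 from=<other@example.com> "
       "digest=c0de verdict=spam"]           # a lone spam, stays below threshold
)

def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def burst_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"count": n, "digests": {...}}} for client IPs that deliver
    more than `threshold` spam-verdict messages inside any `window`.
    Lines are consumed in arrival order, as a log watcher would see them."""
    recent = defaultdict(deque)   # ip -> (timestamp, digest) of spam hits still in window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["verdict"] != "spam":
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append((ts, rec["digest"]))
        while ts - q[0][0] > window:  # expire hits older than the window
            q.popleft()
        if len(q) > threshold:        # candidate for a temporary reject / firewall entry
            flagged[ip] = {"count": len(q), "digests": {d for _, d in q}}
    return flagged
```

A single digest in `digests` for a flagged IP is the "9 identical copies in one second" pattern from the thread; several digests mean a burst of distinct messages, which may deserve a different response.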