Conversation
Notices
-
@boneidol Yo, spammers should be tarred and feathered and then published on YouTube... lol, a bit harsh, but I think they should be dealt with more harshly for once.
-
@boneidol So I'm getting bursts of several 1000s of single delivery attempts, all from different IP addresses. One delivery attempt per IP. Looking for some heuristic to identify early and automate blocks.
-
greylisting.. but I'm not a fan of greylisting all connections.
-
I just want to greylist the "bad" senders and not the "good" ones. Greylisting is effective, even with a short time. But so many users these days expect email to be instantaneous. And some big senders don't play nice too, resending from a different IP.
-
@boneidol Do a DNS lookup in the anti-spam databases? IOW, are those IP addresses already known as a) spammer b) zombie c) etc. ?
-
We do look up against a number of DNSBLs and it's very effective. But every now and again we get targeted by a fresh botnet. Early spotting of a fresh botnet, and forcing them to back off with selective greylisting (and additional +ve SpamAssassin weight) is what I'd like to achieve. It's the early recognition I want to get right.
-
@boneidol I see - that's not so simple then; normally 'early' detection still depends on people reporting (suspected) spammers first.
-
What I'm doing is looking over reject logs (backwards 30 min) and counting the number of failed deliveries with a particular sender address. If the sender address has > SOMENUMBER of rejects, it's likely spam, and I block the envelope address. This is a good match to this botnet.
-
Another good heuristic would be the number of previous IPs a FROM: has connected from. If email from foo@example.com has (attempted) delivered from 20 different IP addresses in the last 30 min it's probably a bot.
-
@aqeel yes... It's a few thousand users.
-
@aqeel and users don't send email like that. MTAs have fixed IP addresses. User connects to MTA with MUA. I don't care about MUA IP addresses or authenticated senders.
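
The two heuristics discussed in this thread (rejects per envelope sender over the last 30 minutes, and distinct source IPs per sender in the same window), as an added Python example that is not code from any participant. The log line format, the sample addresses and the value 10 standing in for SOMENUMBER are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # look-back used in the thread
MAX_REJECTS = 10                # assumption: stands in for SOMENUMBER
MAX_DISTINCT_IPS = 20           # the "20 different IP addresses" figure

def parse_line(line):
    """Parse the constructed format '<ISO time> reject ip=<ip> from=<addr>'."""
    ts, _verb, ip_field, from_field = line.split()
    return (datetime.fromisoformat(ts), ip_field.split("=", 1)[1],
            from_field.split("=", 1)[1].lower())

def flag_senders(lines):
    """Return {envelope sender: set of heuristics tripped} for a time-ordered log."""
    window = defaultdict(deque)   # sender -> (time, ip) rejects inside WINDOW
    flagged = defaultdict(set)
    for line in lines:
        ts, ip, sender = parse_line(line)
        q = window[sender]
        q.append((ts, ip))
        while ts - q[0][0] > WINDOW:      # expire rejects older than 30 min
            q.popleft()
        if len(q) > MAX_REJECTS:
            flagged[sender].add("rejects")
        if len({addr for _, addr in q}) >= MAX_DISTINCT_IPS:
            flagged[sender].add("distinct_ips")
    return dict(flagged)

def sample_log():
    """Constructed reject log: a one-attempt-per-IP burst, a noisy fixed-IP MTA, a slow sender."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    def entry(offset, ip, sender):
        return f"{(base + offset).isoformat()} reject ip={ip} from={sender}"
    lines = [entry(timedelta(seconds=2 * i), f"198.51.100.{i + 1}", "bot@example.com")
             for i in range(25)]
    lines += [entry(timedelta(minutes=i), "192.0.2.10", "list@example.org")
              for i in range(12)]
    lines += [entry(timedelta(minutes=5 * i), "203.0.113.7", "slow@example.net")
              for i in range(15)]
    return sorted(lines)   # ISO timestamps sort chronologically

if __name__ == "__main__":
    for sender, reasons in flag_senders(sample_log()).items():
        print(sender, sorted(reasons))
```

In the sample, the fixed-IP sender trips only the reject count, while the burst trips both checks, which is why the distinct-IP count is the more botnet-specific signal for selective greylisting.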