spamtrap and dynamic blacklisting

Dino Edwards dino.edwards at mydirectmail.net
Fri Mar 10 17:41:30 CET 2017


Actually, now that I thought about it more, a better approach would be, instead of searching for the corresponding sender and trying to block that sender, to look for the corresponding sender IP address (which amavis also records) and, instead of using the amavis wblist table, dump those IPs in a Postfix senders table with a reject action. Sender addresses are almost always forged, so blocking the IP is probably better.


----------------
Dino Edwards
----------------

Hermes Secure Email Gateway
Hermes Secure Email Gateway combines Open Source technologies such as Postfix, Apache SpamAssassin, ClamAV, Amavisd-new, MySQL and CipherMail under one unified web-based Web GUI for easy administration and management of your incoming and outgoing email for your organization. Anti-spam, anti-virus and anti-malware protection, encrypted S/MIME, encrypted PDF and SMTP TLS support, built-in email archiving, end-user self-service web GUI.

Learn More & Download the free open-source appliance at:
https://www.deeztek.com/hermes-secure-email-gateway/



-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On Behalf Of Dino Edwards
Sent: Friday, March 10, 2017 11:21 AM
To: 'Patrick Proniewski' <patrick.proniewski at univ-lyon2.fr>; amavis-users at amavis.org
Subject: RE: spamtrap and dynamic blacklisting

This may be a bit complicated, but here's how I would approach this:

1. Set up SQL tables for Amavis. This will allow amavis to log all messages coming through along with the recipient and the sender (specific tables are msgrcpt, msgs, maddr, mailaddr).

2. Schedule queries to run against those messages and corresponding recipients you are looking for. You are going to have to do some join statements between 3 tables, I believe. (I can help with that if you need.)

3. Dump the senders of those messages into the Amavis black/white list (wblist table) with a block action. Maybe create a trigger in the wblist table to insert a date/time stamp so that you can delete those entries after a set amount of time.

4. Replicate your database across multiple MX hosts.



-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On Behalf Of Patrick Proniewski
Sent: Thursday, March 9, 2017 5:49 PM
To: amavis-users at amavis.org
Subject: spamtrap and dynamic blacklisting

Hello,

I'm contemplating the following idea:

- set up some spamtrap email addresses and publish them discreetly in a few places
- detect usage of these email addresses somewhere during the SMTP session (postfix, amavisd, milter-greylist, realtime log processing, whatever)
- feed the corresponding sender address, or EHLO, or domain name, or whatever to Amavisd so that I can soft-blacklist the next emails from the same [sender address|EHLO|domain name|...]
- after a while (1 day?), expire the blacklist

Do you think it's possible to make such a setup with Amavisd-new? And by the way, I use more than one MX server, so synchronisation between MX is important.

I'm already using Redis for JSON logging; maybe I could use the same backend, not sure about the synchronisation though.

Another convoluted way to proceed would be something like this:

- set up a DNS server on each MX server with nsupdate capability
- set up milter-greylist rules to update an RBL in those DNS servers each time a spamtrap gets an email
- use the RBL hit to increase spamscore

But I feel like a native Amavisd option would be better and simpler.

Any idea?

thanks


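As an added example (not code from this thread or from amavisd-new), here is the scheduled query from steps 1-3 above combined with the follow-up idea of blocking the client IP rather than the forged sender: it joins msgs, msgrcpt and maddr for mail delivered to a spamtrap address within a one-day window and renders the client IPs as a Postfix check_client_access table. Column names follow the amavisd-new README.sql schema; the spamtrap address and sample rows are constructed, and sqlite3 stands in for the production MySQL/PostgreSQL database.

```python
import sqlite3
import time

SPAMTRAP = "trap@example.net"   # constructed placeholder, not a real address
TTL = 24 * 3600                 # drop listings older than one day (step 3)

# Subset of the amavisd-new README.sql schema; real deployments query MySQL/PostgreSQL.
SCHEMA = """
CREATE TABLE maddr   (id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE msgs    (mail_id TEXT PRIMARY KEY, time_num INTEGER, sid INTEGER, client_addr TEXT);
CREATE TABLE msgrcpt (mail_id TEXT, rseqnum INTEGER, rid INTEGER);
"""

# Step 2: msgs -> msgrcpt -> maddr gives the recipient, msgs.sid -> maddr the sender;
# keep only mail to the trap that arrived inside the TTL window and has a client IP.
QUERY = """
SELECT DISTINCT m.client_addr, s.email
  FROM msgs m
  JOIN msgrcpt r  ON r.mail_id = m.mail_id
  JOIN maddr   rc ON rc.id = r.rid
  JOIN maddr   s  ON s.id = m.sid
 WHERE rc.email = ? AND m.time_num >= ? AND m.client_addr <> ''
"""

def trapped_clients(conn, now, spamtrap=SPAMTRAP, ttl=TTL):
    """Return {client_ip: [sender addresses seen]} for recent trap hits."""
    hits = {}
    for ip, sender in conn.execute(QUERY, (spamtrap, now - ttl)):
        hits.setdefault(ip, set()).add(sender)
    return {ip: sorted(v) for ip, v in hits.items()}

def access_map(hits):
    """Render a Postfix check_client_access hash table: one 'IP REJECT' line each."""
    return "".join(f"{ip} REJECT spamtrap hit\n" for ip in sorted(hits))

def demo_db(now):
    """Constructed sample rows: one fresh trap hit, one expired, one legitimate mail."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO maddr VALUES (?,?)", enumerate(
        [SPAMTRAP, "alice@example.net", "fake1@forged.example", "fake2@forged.example"], 1))
    conn.executemany("INSERT INTO msgs VALUES (?,?,?,?)", [
        ("A1", now - 600, 3, "203.0.113.10"),        # to trap, 10 min ago
        ("A2", now - 3 * 86400, 4, "203.0.113.20"),  # to trap, 3 days ago (expired)
        ("A3", now - 300, 4, "198.51.100.5")])       # to alice, not a trap hit
    conn.executemany("INSERT INTO msgrcpt VALUES (?,?,?)", [("A1", 1, 1), ("A2", 1, 1), ("A3", 1, 2)])
    return conn

if __name__ == "__main__":
    now = int(time.time())
    print(access_map(trapped_clients(demo_db(now), now)), end="")
```

Run the script from cron on each MX, postmap the output and reference it with check_client_access; regenerating it on a schedule is what provides the one-day expiry, since rows older than TTL simply drop out of the result.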