spamtrap and dynamic blacklisting

Dino Edwards dino.edwards at mydirectmail.net
Fri Mar 10 18:52:00 CET 2017


I'm currently using this on a machine that averages about 5k to 6k processed messages per day and the system load average is around 0.05%, so it seems to be keeping up with no problems. I don't think you can increase the spam score with the wblist; it's either allow or deny. But like I said in my subsequent message, I don't think doing this with senders is the best idea. I think the address forging would make the whole thing useless. I think doing it with IPs would be better and let Postfix reject the email right at the door before it even gets to amavis. All this can be accomplished without writing any code, just some SQL queries.



----------------
Dino Edwards
----------------

Hermes Secure Email Gateway
Hermes Secure Email Gateway combines Open Source technologies such as Postfix, Apache SpamAssassin, ClamAV, Amavisd-new, MySQL and CipherMail under one unified web-based GUI for easy administration and management of your organization's incoming and outgoing email. Anti-spam, anti-virus and anti-malware protection, encrypted S/MIME, encrypted PDF and SMTP TLS support, built-in email archiving, end-user self-service web GUI.

Learn More & Download the free open-source appliance at:
https://www.deeztek.com/hermes-secure-email-gateway/



-----Original Message-----
From: Patrick Proniewski [mailto:patrick.proniewski at univ-lyon2.fr] 
Sent: Friday, March 10, 2017 11:55 AM
To: Dino Edwards <dino.edwards at mydirectmail.net>
Cc: amavis-users at amavis.org
Subject: Re: spamtrap and dynamic blacklisting

Hi Dino,

Thanks for the idea, but I feel like the all-messages-log-to-SQL-database is a bit too much (high resource consumption). If I need to rely on an SQL database for wblist, I can populate this DB from outside:

I'm aggregating logs from every MX host into Splunk. From there I can have a scheduled or realtime search job that will extract interesting data and push it into an SQL master. Doing so I can even take action based upon milter-greylist logs, before Amavisd ever sees the message. (AFAIK I can't populate a Redis DB from Splunk; it would require a custom script I can't code right now.)

But it still requires an SQL master server and an SQL slave on each MX, and I'm afraid the SQL lookup inside Amavisd will slow it down (I'm doing before-queue content filtering). I already have Redis on every server for Amavisd logs and milter-greylist sync between MXs; I'm a little bit reluctant to add SQL into the mix.
Nevertheless, it could be awesome. Is there any documentation about using a "wblist" SQL table for soft blacklisting? I don't want to block the sender, I just want to increase its spam score.

Thanks,
pat

> On 10 Mar 2017, at 17:21, Dino Edwards <dino.edwards at mydirectmail.net> wrote:
> 
> This may be a bit complicated, but here's how I would approach this:
> 
> 1. Set up SQL tables for Amavis. This will allow amavis to log all messages coming through along with the recipient and the sender (specific tables are msgrcpt, msgs, maddr, mailaddr).
> 
> 2. Schedule queries to run against those messages and the corresponding recipients you are looking for. You are going to have to do some join statements between 3 tables, I believe. I can help with that if you need.
> 
> 3. Dump the senders of those messages into the Amavis black/white list (wblist table) with a block action. Maybe create a trigger in the wblist table to insert a date/time stamp so that you can delete those entries after a set amount of time.
> 
> 4. Replicate your database across multiple MX hosts.
> 
> 
> 
> -----Original Message-----
> From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On Behalf Of Patrick Proniewski
> Sent: Thursday, March 9, 2017 5:49 PM
> To: amavis-users at amavis.org
> Subject: spamtrap and dynamic blacklisting
> 
> Hello,
> 
> I'm contemplating the following idea: 
> 
> - setting up some spamtrap email addresses and publishing them discreetly in a few places
> - detecting usage of these email addresses somewhere during the SMTP session (postfix, amavisd, milter-greylist, realtime log processing, whatever)
> - feeding the corresponding sender address, or EHLO, or domain name, or whatever to Amavisd so that I can soft-blacklist the next emails from the same [sender address|EHLO|domain name|...]
> - after a while (1 day?), expire the blacklist
> 
> Do you think it's possible to make such a setup with Amavisd-new? And by the way, I use more than one MX server, so synchronisation between MX is important.
> 
> I'm already using Redis for JSON logging; maybe I could use the same backend, not sure about the synchronisation though.
> 
> Another convoluted way to proceed would be something like this:
> 
> - setting up a DNS server on each MX server with nsupdate capability
> - setting up milter-greylist rules to update an RBL in those DNS servers each time a spamtrap gets an email
> - use the RBL hit to increase spamscore
> 
> But I feel like a native Amavisd option would be better and simpler.
> 
> Any idea?
> 
> thanks
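The IP-based variant Dino ends up recommending (query the Amavis logging tables for clients that delivered to a spamtrap recipient, keep a timestamped block table, expire entries after a day, hand the result to Postfix) can be tried end to end with an in-memory SQLite database. The following is an added example, not code from the thread or from the Amavis project. It assumes the amavisd-new SQL logging tables named in the thread (msgs, msgrcpt, maddr) reduced to the columns the join needs; the spamtrap_block table, its column names, the trusted-client set and all sample rows are constructed for this example, and the ON CONFLICT upsert needs SQLite 3.24 or newer.

```python
"""Spamtrap hits -> dynamic IP blocklist, driven by SQL queries over Amavis log tables.

Added example (not from the thread or the Amavis project). It assumes the
amavisd-new SQL logging tables msgs, msgrcpt and maddr, reduced to the columns
the query needs; spamtrap_block, TRUSTED_CLIENTS and the sample rows are constructed.
"""
import sqlite3
import time

SPAMTRAP_ADDRESSES = ("trap-a@example.org", "trap-b@example.org")  # constructed traps
TRUSTED_CLIENTS = {"127.0.0.1", "192.0.2.1"}  # own MX/relays, never blocked (constructed)
WINDOW_SECONDS = 24 * 3600                     # "after a while (1 day?), expire"

SCHEMA = """
CREATE TABLE maddr   (id INTEGER PRIMARY KEY, email TEXT, domain TEXT);
CREATE TABLE msgs    (mail_id TEXT PRIMARY KEY, time_num INTEGER, sid INTEGER,
                      client_addr TEXT, from_addr TEXT);
CREATE TABLE msgrcpt (mail_id TEXT, rseqnum INTEGER, rid INTEGER);
-- constructed table holding the dynamic IP blocklist, timestamped so entries can expire
CREATE TABLE spamtrap_block (client_addr TEXT PRIMARY KEY, first_seen INTEGER,
                             last_seen INTEGER, hits INTEGER);
"""

# The scheduled query: msgs (one row per message, carries the client IP)
# -> msgrcpt (one row per recipient) -> maddr (recipient address), grouped by IP.
TRAP_HITS_SQL = """
SELECT m.client_addr, MIN(m.time_num), MAX(m.time_num), COUNT(*)
FROM msgs m
JOIN msgrcpt r ON r.mail_id = m.mail_id
JOIN maddr   a ON a.id = r.rid
WHERE a.email IN ({placeholders})
  AND m.time_num >= ?
GROUP BY m.client_addr
"""


def open_sample_db(now):
    """Constructed log data: one repeat offender, one legitimate sender, one stale hit."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO maddr VALUES (?,?,?)", [
        (1, "trap-a@example.org", "example.org"),
        (2, "alice@example.org", "example.org"),
        (3, "bulk@bad.example", "bad.example"),
        (4, "news@legit.example", "legit.example"),
    ])
    conn.executemany("INSERT INTO msgs VALUES (?,?,?,?,?)", [
        ("m1", now - 3600, 3, "203.0.113.10", "bulk@bad.example"),              # trap hit
        ("m2", now - 7200, 4, "198.51.100.5", "news@legit.example"),             # normal mail
        ("m3", now - 2 * WINDOW_SECONDS, 3, "192.0.2.77", "bulk@bad.example"),  # hit, too old
        ("m4", now - 600, 3, "203.0.113.10", "bulk@bad.example"),               # trap hit again
    ])
    conn.executemany("INSERT INTO msgrcpt VALUES (?,?,?)", [
        ("m1", 0, 1), ("m2", 0, 2), ("m3", 0, 1), ("m4", 0, 1), ("m4", 1, 2),
    ])
    # entry left by an earlier run, now older than the window and due for expiry
    conn.execute("INSERT INTO spamtrap_block VALUES (?,?,?,?)",
                 ("192.0.2.77", now - 3 * WINDOW_SECONDS, now - 2 * WINDOW_SECONDS, 1))
    conn.commit()
    return conn


def refresh_blocklist(conn, now):
    """One run of the scheduled job: upsert fresh hits, then drop expired rows.

    Returns the number of expired entries removed."""
    cutoff = now - WINDOW_SECONDS
    sql = TRAP_HITS_SQL.format(placeholders=",".join("?" * len(SPAMTRAP_ADDRESSES)))
    for client_addr, first_seen, last_seen, hits in conn.execute(sql, (*SPAMTRAP_ADDRESSES, cutoff)):
        if client_addr in TRUSTED_CLIENTS:  # a forwarding relay of ours would otherwise block itself
            continue
        conn.execute("""
            INSERT INTO spamtrap_block (client_addr, first_seen, last_seen, hits)
            VALUES (?,?,?,?)
            ON CONFLICT(client_addr) DO UPDATE SET
                first_seen = MIN(first_seen, excluded.first_seen),
                last_seen  = excluded.last_seen,
                hits       = excluded.hits
        """, (client_addr, first_seen, last_seen, hits))
    expired = conn.execute("DELETE FROM spamtrap_block WHERE last_seen < ?", (cutoff,)).rowcount
    conn.commit()
    return expired


def active_blocks(conn):
    """Current blocklist as {client_addr: hits_in_window}."""
    return {addr: hits for addr, hits in
            conn.execute("SELECT client_addr, hits FROM spamtrap_block ORDER BY client_addr")}


def render_postfix_access(conn):
    """Lines for a Postfix access(5) map, to be consumed by check_client_access."""
    return "\n".join(f"{addr}\tREJECT spamtrap hit" for addr in active_blocks(conn))


if __name__ == "__main__":
    now = int(time.time())
    db = open_sample_db(now)
    print("expired entries:", refresh_blocklist(db, now))
    print(render_postfix_access(db))
```

With the constructed data the run blocks only 203.0.113.10 (two trap deliveries inside the window), ignores the legitimate sender, and expires the stale 192.0.2.77 entry. Because the query only looks back WINDOW_SECONDS and the DELETE drops anything whose last_seen is older than that, the table expires itself without a trigger. Keeping the decision on the client IP rather than the envelope sender is what makes forged From addresses irrelevant, and a rejection from check_client_access happens before amavisd ever receives the message.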

