spamtrap and dynamic blacklisting

Patrick Proniewski patrick.proniewski at univ-lyon2.fr
Tue Mar 14 12:28:43 CET 2017


Hi Dino,

> Actually, now that I thought about it more, a better approach would be to instead of searching for the corresponding sender and trying to block that sender, look for the corresponding sender IP address (which amavis also records) and instead of using the amavis wblist table, dump those IPs in a Postfix senders table with reject action. Sender addresses are almost always forged so blocking the IP is probably better.


I'm not so sure. Of course the sender is potentially forged, but I have a slightly different goal than just spam filtering here.

I have many users (about 40k students+staff+other), and get around 35K messages a day into Amavisd (way more try to come in and are blocked by greylist/blacklist/SPF/...). What we often see is mass mailing from "grey" senders, or from mailchimp or other mass mailing solutions: not totally spam. Some of these senders use address lists that are legitimate, but often it's only illegitimate address lists (web site harvesting, blackmarket/spam resell…). I want to block all these illegitimate mass mailings, while letting legitimate mass mailings in.
i.e. I can't block Mailchimp servers, I want to block a specific Mailchimp user, hence rely on the sender address.

Phishing also uses harvested email addresses, and in my experience, phishers don't change the sender address, they use the same one for thousands of recipients, so I could easily block a phishing campaign with only the sender address.

And I don't want to immediately block the sender, I want it to get a bonus to its spam score, say +5. A complete blacklist using Postfix could be quite straightforward to set up as I already have a shell script able to push different files (client_access, client_access_cidr, header_checks, recipient_access, recipient_bcc, sender_access) to all MX servers.

(I'm subscribed to digest, please Cc me)


Patrick
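As an added illustration (not code from the thread or from amavisd), a Python sketch of the sender-address variant Patrick describes: it counts spamtrap deliveries per envelope sender in amavis log lines and emits a two-column address/score file giving those senders the +5 soft bonus. The log lines are constructed; loading the output via read_hash() into @score_sender_maps, and that read_hash() file layout, are assumptions to check against your amavisd.conf.

```python
import re
from collections import Counter

# Constructed amavis log lines (not from the thread); real lines carry more fields.
SAMPLE_LOG = """\
Mar 14 10:21:33 mx1 amavis[1234]: (01234-05) Passed CLEAN {RelayedInbound}, [203.0.113.7]:54321 [203.0.113.7] <news@bulk.example.net> -> <spamtrap@example.edu>, Message-ID: <a@b>, mail_id: 1, Hits: 1.2, size: 4000, queued_as: A1, 120 ms
Mar 14 10:22:10 mx1 amavis[1234]: (01234-06) Passed CLEAN {RelayedInbound}, [203.0.113.7]:54322 [203.0.113.7] <news@bulk.example.net> -> <trap2@example.edu>,<alice@example.edu>, Message-ID: <c@d>, mail_id: 2, Hits: 0.9, size: 4100, queued_as: A2, 110 ms
Mar 14 10:23:55 mx2 amavis[2222]: (02222-01) Passed CLEAN {RelayedInbound}, [198.51.100.9]:2525 [198.51.100.9] <newsletter@legit.example.org> -> <bob@example.edu>, Message-ID: <e@f>, mail_id: 3, Hits: -1.0, size: 9000, queued_as: B1, 95 ms
Mar 14 10:24:30 mx2 amavis[2222]: (02222-02) Passed CLEAN {RelayedInbound}, [192.0.2.44]:4000 [192.0.2.44] <support@phish.example.com> -> <spamtrap@example.edu>, Message-ID: <g@h>, mail_id: 4, Hits: 3.0, size: 2000, queued_as: B2, 80 ms
"""

# Envelope part of an amavis Passed/Blocked line: <sender> -> <rcpt>,<rcpt>,
ENVELOPE_RE = re.compile(r"<(?P<sender>[^<>]*)> -> (?P<rcpts>(?:<[^<>]*>,?)+)")


def parse_amavis_line(line):
    """Return (sender, [recipients]) for one amavis log line, or None if no envelope is found."""
    m = ENVELOPE_RE.search(line)
    if not m:
        return None
    rcpts = re.findall(r"<([^<>]*)>", m.group("rcpts"))
    return m.group("sender").lower(), [r.lower() for r in rcpts]


def spamtrap_hits(lines, traps):
    """Count, per envelope sender, the messages that had at least one spamtrap recipient."""
    traps = {t.lower() for t in traps}
    hits = Counter()
    for line in lines:
        parsed = parse_amavis_line(line)
        if parsed and traps.intersection(parsed[1]):
            hits[parsed[0]] += 1
    return hits


def build_score_map(hits, min_hits=2, bonus=5.0):
    """Senders seen min_hits or more times on a trap get the soft bonus (+5, as in the post)."""
    return {sender: bonus for sender, n in hits.items() if n >= min_hits}


def render_score_map(scores):
    """Render 'address score' lines; assumed layout for a read_hash() file feeding @score_sender_maps."""
    return "\n".join(f"{sender} {score:.1f}" for sender, score in sorted(scores.items()))


if __name__ == "__main__":
    hits = spamtrap_hits(SAMPLE_LOG.splitlines(), {"spamtrap@example.edu", "trap2@example.edu"})
    print(render_score_map(build_score_map(hits)))
```

The min_hits threshold keeps a single stray trap delivery from scoring a sender; raise it for large campaigns and lower it to 1 if every trap hit should count.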
