spamtrap and dynamic blacklisting

Michael Schwartzkopff misch at schwartzkopff.org
Tue Mar 14 12:31:40 CET 2017


On Tuesday, 14 March 2017, 12:28:43, Patrick Proniewski wrote:
> Hi Dino,
> 
> > Actually, now that I thought about it more, a better approach would be to
> > instead of searching for the corresponding sender and trying to block
> > that sender, look for the corresponding sender IP address (which amavis
> > also records) and instead of using the amavis wblist table, dump those
> > IPs in a Postfix senders table with reject action. Sender addresses are
> > almost always forged so blocking the IP is probably better.
> I'm not so sure. Of course sender is potentially forged, but I have a
> slightly different goal than just spam filtering here.
> 
> I have many users (about 40k students+staff+other), and get around 35K
> messages a day into Amavisd (way more try to come in and are blocked by
> greylist/blacklist/SPF/...). What we often see is mass mailing from "grey"
> senders, or from mailchimp or other mass mailing solutions: not totally
> spam. Some of these senders use address lists that are legitimate, but
> often it's only illegitimate address lists (web site harvesting,
> blackmarket/spam resell…). I want to block all these illegitimate mass
> mailings, while letting legitimate mass mailings in, i.e. I can't block
> Mailchimp servers, I want to block a specific Mailchimp user, hence rely on
> sender address.
> 
> Phishing also uses harvested email addresses, and to my experience, phishers
> don't change sender address, they use the same for thousands of recipients, so
> I could easily block phishing campaign with only the sender address.
> 
> And I don't want to block immediately the sender, I want it to get a bonus
> to its spam score, say +5. Complete blacklist using Postfix could be quite
> straightforward to set up as I already got a shell script able to push
> different files (client_access, client_access_cidr, header_checks,
> recipient_access, recipient_bcc, sender_access) to all MX servers.
> 
> (I'm subscribed to digest, please Cc me)
> 
> 
> Patrick

Perhaps a better approach to blocking is the RECENT target in netfilter.
Parsing the log file, a script could easily add misbehaving IP addresses.

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0162) 1650044
Fax: (089) 620 304 13
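The log-parsing step both replies rely on, as an added illustration that is not code from either poster: it reads amavis log lines for messages addressed to a spamtrap, counts hits per envelope sender (Patrick's angle) and per client IP (Dino's angle), and renders Postfix access(5) tables from whichever counter passes a threshold. The log layout, the trap address and every host and address in the sample are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed amavis log excerpt (simplified; real lines carry more fields).
# All addresses and hosts are made up for the example.
SAMPLE_LOG = """\
Mar 14 12:01:02 mx1 amavis[2211]: (02211-01) Passed SPAMMY {RelayedTaggedInbound}, [198.51.100.7]:40211 [198.51.100.7] <promo@bulk.example.net> -> <spamtrap@example.edu>, Hits: 7.3
Mar 14 12:01:09 mx1 amavis[2211]: (02211-02) Passed CLEAN {RelayedInbound}, [203.0.113.20]:51122 [203.0.113.20] <news@mailer.example.org> -> <alice@example.edu>, Hits: -0.5
Mar 14 12:02:30 mx1 amavis[2211]: (02211-03) Passed SPAMMY {RelayedTaggedInbound}, [198.51.100.7]:40212 [198.51.100.7] <promo@bulk.example.net> -> <spamtrap@example.edu>, Hits: 6.9
Mar 14 12:03:11 mx1 amavis[2211]: (02211-04) Blocked SPAM {DiscardedInbound}, [192.0.2.99]:33001 [192.0.2.99] <security@bank.example.com> -> <spamtrap@example.edu>, Hits: 14.1
Mar 14 12:04:00 mx1 amavis[2211]: (02211-05) Passed CLEAN {RelayedInbound}, [192.0.2.99]:33002 [192.0.2.99] <> -> <spamtrap@example.edu>, Hits: 1.0
"""

# Client IP, envelope sender and first recipient as amavis logs them
# (assumed layout; matched loosely on purpose so extra fields do not break it).
LINE_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?:Passed|Blocked) \S+ \{[^}]*\}, "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ \[[0-9a-fA-F.:]+\] "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)

def trap_hits(log_text, trap_addresses):
    """Count, per envelope sender and per client IP, the messages sent to a spamtrap."""
    traps = {a.lower() for a in trap_addresses}
    senders, ips = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("rcpt").lower() not in traps:
            continue
        ips[m.group("ip")] += 1
        if m.group("sender"):          # empty sender = bounce; nothing to list
            senders[m.group("sender").lower()] += 1
    return senders, ips

def access_map(counter, min_hits, action):
    """Render Postfix access(5) lines ('key<TAB>action') for keys with >= min_hits.
    The threshold keeps one stray trap hit from listing a sender or a host."""
    return [f"{key}\t{action}" for key, n in sorted(counter.items()) if n >= min_hits]

if __name__ == "__main__":
    senders, ips = trap_hits(SAMPLE_LOG, ["spamtrap@example.edu"])
    print("\n".join(access_map(senders, 2, "REJECT spamtrap hit")))  # -> sender_access
    print("\n".join(access_map(ips, 2, "REJECT spamtrap hit")))      # -> client_access
```

The rendered lines are what a push script would drop into sender_access or client_access before running postmap; raising min_hits or swapping the action for a score-style hook is where the "+5 instead of reject" policy from the thread would go.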