spamtrap and dynamic blacklisting

Dino Edwards dino.edwards at mydirectmail.net
Wed Mar 15 10:48:23 CET 2017


It's interesting that you mentioned Mailchimp. We've had the same issues with Mailchimp. We have contacted them before about people abusing their services and they don't seem very interested in doing anything about it, hence I wouldn't consider blocking their IPs a bad thing, but that's another discussion.

The only way that I know to add spam scores is by creating SA rules. I don't think Amavis can add scores on its own, unless someone knows another approach to this. Regardless, if you don't want to use SQL then you are going to have to parse the log files for senders sending to your honeypot receivers and add those to an SA rule in order to add the +5 spam score. Again, the entire problem with this approach is that you are using valuable resources processing e-mail (i.e. letting it get to Amavis) instead of stopping it at the front door with Postfix.



-----Original Message-----
From: Patrick Proniewski [mailto:patrick.proniewski at univ-lyon2.fr] 
Sent: Tuesday, March 14, 2017 7:29 AM
To: amavis-users at amavis.org
Cc: Dino Edwards <dino.edwards at mydirectmail.net>
Subject: Re: spamtrap and dynamic blacklisting

Hi Dino,

I'm not so sure. Of course the sender is potentially forged, but I have a slightly different goal than just spam filtering here.

I have many users (about 40k students+staff+other), and get around 35K messages a day into Amavisd (way more try to come in and are blocked by greylist/blacklist/SPF/...). What we often see is mass mailing from "grey" senders, or from Mailchimp or other mass mailing solutions: not totally spam. Some of these senders use address lists that are legitimate, but often it's only illegitimate address lists (web site harvesting, blackmarket/spam resell…). I want to block all these illegitimate mass mailings, while letting legitimate mass mailings in.
i.e. I can't block Mailchimp servers, I want to block a specific Mailchimp user, hence I rely on the sender address.

Phishing also uses harvested email addresses, and in my experience, phishers don't change the sender address, they use the same one for thousands of recipients, so I could easily block a phishing campaign with only the sender address.

And I don't want to block the sender immediately, I want it to get a bonus to its spam score, say +5. A complete blacklist using Postfix could be quite straightforward to set up, as I already have a shell script able to push different files (client_access, client_access_cidr, header_checks, recipient_access, recipient_bcc, sender_access) to all MX servers.

(I'm subscribed to digest, please Cc me)


Patrick


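A worked version of the log-parsing approach Dino describes, added here as an illustration and not code from either poster: it correlates Postfix qmgr and smtp log lines by queue id to find the envelope senders that delivered to a spamtrap recipient, then emits SpamAssassin rules that add +5 for those senders. The log excerpt, the trap address, the LOCAL_SPAMTRAP_ rule-name prefix and the choice of matching on From:addr are all assumptions made for this example.

```python
import re

# Constructed Postfix log excerpt (sample data, not from the original thread).
# qmgr logs the envelope sender per queue id; smtp logs each recipient delivery.
SAMPLE_LOG = """\
Mar 14 07:29:01 mx1 postfix/qmgr[2201]: 4A1B2C3D4E: from=<news@bulk-sender.example>, size=5120, nrcpt=2 (queue active)
Mar 14 07:29:01 mx1 postfix/smtp[2310]: 4A1B2C3D4E: to=<alice@example.edu>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok)
Mar 14 07:29:01 mx1 postfix/smtp[2310]: 4A1B2C3D4E: to=<trap-0042@example.edu>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok)
Mar 14 07:30:15 mx1 postfix/qmgr[2201]: 9F8E7D6C5B: from=<colleague@partner.example>, size=812, nrcpt=1 (queue active)
Mar 14 07:30:15 mx1 postfix/smtp[2311]: 9F8E7D6C5B: to=<bob@example.edu>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok)
Mar 14 07:31:02 mx1 postfix/qmgr[2201]: 1122AABBCC: from=<>, size=300, nrcpt=1 (queue active)
Mar 14 07:31:02 mx1 postfix/smtp[2312]: 1122AABBCC: to=<trap-0042@example.edu>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok)
"""

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<addr>[^>]*)>")
RCPT_RE = re.compile(r"postfix/(?:smtp|lmtp|local|pipe)\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<addr>[^>]+)>")


def spamtrap_senders(log_text, trap_addresses):
    """Return envelope senders (lowercased, in first-seen order) that delivered to a spamtrap."""
    # Recipients are tied to senders via the Postfix queue id; the null sender (bounces) is skipped.
    traps = {a.lower() for a in trap_addresses}
    sender_by_qid = {m.group("qid"): m.group("addr").lower() for m in FROM_RE.finditer(log_text)}
    hits = {}
    for m in RCPT_RE.finditer(log_text):
        if m.group("addr").lower() in traps:
            sender = sender_by_qid.get(m.group("qid"), "")
            if sender:
                hits[sender] = True
    return list(hits)


def sa_rules(senders, score=5.0):
    """Emit a SpamAssassin local.cf fragment adding `score` for each listed sender address."""
    out = []
    for addr in senders:
        name = "LOCAL_SPAMTRAP_" + re.sub(r"[^A-Z0-9]", "_", addr.upper())
        pattern = re.escape(addr).replace("@", r"\@")  # a bare '@' would interpolate in Perl
        out.append(f"header   {name} From:addr =~ /^{pattern}$/i")
        out.append(f"describe {name} sender previously mailed a spamtrap address")
        out.append(f"score    {name} {score:.1f}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(sa_rules(spamtrap_senders(SAMPLE_LOG, {"trap-0042@example.edu"})))
```

The same sender list could equally be written into a Postfix sender_access map and pushed to the MX servers with the existing script, which rejects at the front door instead of spending Amavis resources as Dino points out.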