Re: Auto-RBL was: Why did this not hit more? (SPF, DKIM, Ironport, X-originating-ip)

From: Steven Kurylo <steven.kurylo(at)aviawest.com>
Date: Tue Oct 09 2007 - 12:07:56 EDT


> Or think of it as a way of SA saying "when I get twelve spams of
> score 10+ from ip 208.23.118.172...I will feed the auto-expiring RBL,
> which *SENDMAIL* works off of, thus keeping my *SPAMASSASSIN* load
> lower. Thus a spam deluge via a dictionary attack that may take hours
> is mitigated in the course of X number of mails.

I already do something similar, but I haven't bothered to take it quite that far yet.

I use fail2ban to parse my exim logs. If an IP address hits more than 5 invalid accounts in 5 minutes, the IP is banned (fail2ban uses iptables) for 24 hours. As well, if an IP address which is listed on Spamhaus hits me more than twice in 5 minutes, it is banned for 24 hours. Granted, neither of these cases usually ends up getting messages as far as spamassassin.

I've managed to drastically reduce the number of simultaneous connections using this method, which was overloading the server. The next step would be to add the "when I get twelve spams of score 10+ from [...]" parsing. Though I hadn't thought of trying my hand at a SA plugin, I may do that.

Received on Tue Oct 9 12:33:24 2007
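
The two thresholds discussed in this thread, sketched as a sliding-window counter that produces an auto-expiring blocklist. This is an added example, not code from the post, fail2ban or SpamAssassin. The log format, the one-hour window for the score rule and its 24-hour lifetime are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed, simplified log format (an assumption, not real exim or spamd output):
#   "<epoch> <ip> unknown_user" or "<epoch> <ip> spam score=<n>"
LINE = re.compile(r"^(\d+) (\S+) (unknown_user|spam score=(\d+(?:\.\d+)?))$")

# rule -> (events needed, window in seconds, listing lifetime in seconds)
RULES = {
    "invalid_rcpt": (6, 300, 86400),  # more than 5 in 5 minutes, listed 24 hours
    "high_score": (12, 3600, 86400),  # twelve spams; window and lifetime are assumed
}
SCORE_FLOOR = 10.0  # "score 10+"

def classify(line):
    """Map a log line to (ts, ip, rule), or None if it counts toward no rule."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, ip = int(m.group(1)), m.group(2)
    if m.group(3) == "unknown_user":
        return ts, ip, "invalid_rcpt"
    return (ts, ip, "high_score") if float(m.group(4)) >= SCORE_FLOOR else None

def build_blocklist(lines):
    """Return {ip: (rule, expires_at)} for each IP that crossed a threshold."""
    seen = defaultdict(deque)  # (ip, rule) -> timestamps still inside the window
    listed = {}
    for ts, ip, rule in filter(None, map(classify, lines)):
        need, window, lifetime = RULES[rule]
        q = seen[(ip, rule)]
        q.append(ts)
        while q[0] <= ts - window:  # forget events older than the window
            q.popleft()
        if len(q) >= need:
            listed[ip] = (rule, ts + lifetime)
            q.clear()
    return listed

def active(listed, now):
    """Listings still in force at `now`; expired ones drop out on their own."""
    return {ip: entry for ip, entry in listed.items() if entry[1] > now}

SAMPLE = (  # constructed input using documentation-range addresses
    [f"{1000 + 30 * i} 192.0.2.10 unknown_user" for i in range(6)]
    + [f"{t} 198.51.100.7 unknown_user" for t in (1000, 1010, 1020, 1030, 1040, 1500)]
    + [f"{2000 + 60 * i} 203.0.113.5 spam score=14.2" for i in range(12)]
    + [f"{2000 + 60 * i} 203.0.113.9 spam score=4.1" for i in range(12)]
)
print(active(build_blocklist(SAMPLE), now=3000))
```

The address that spreads six invalid recipients over more than five minutes and the one sending twelve low-scoring messages both stay off the list, which is the false-positive margin the window and score floor buy.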

This archive was generated by hypermail 2.1.8 : Fri Jul 04 2008 - 10:06:20 EDT
