Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC


auto-blacklist?

2006-07-31 by Fabien Tassin

Hi,

I've been using 2.0.* for quite a while now. It's efficient, but still, I'd like
to propose something.

If I look at the logs of my MXs (10k+ avg incoming emails per day), I can
easily identify two types of heavy spam tools. The 1st one is blocked by
the greylist feature; the 2nd retries, then ends up auto-whitelisted.
Problem is, it fills up the database with hundreds of tuples (in a couple
of seconds), with no added value (as we know it's the same source of spam,
one entry should be enough).

Basically, an ip addr sends 30 to 200 emails in a row.
It's often a dozen "from" addresses mapped to a list of "to" addresses (rcpts in my domain).
Some of those "to" are valid, some are not. From those that are not, I can
identify some emails wrongly harvested from usenet, mailing lists or
web pages. My users often use fake emails as spam protection. I prefer
distinct pseudo-emails per usage (as for this email) that I drop when they get
spammed (and I can trace where they've been harvested/sold).
Anyway, I'd like to propose an auto-blacklist mechanism.

I see that you've just introduced blacklists in the devel branch.
What I would like to have is not blacklist but auto-blacklist.

Something like that:

I define a rule saying that if an email is sent to someuser@...
(the honey pot), and if the IP addr of the sender is not whitelisted (*),
then:
- the IP addr is immediately auto-blacklisted for a certain amount of time,
even if the recipient or the from are whitelisted
- all entries/tuples from the DB matching this IP are immediately
removed, both the greylisted ones and the auto-whitelisted ones.

(*) This is useful when a relay or a secondary MX has already accepted the emails;
in that case it's no longer possible to distinguish spam from real emails that way.

The auto-blacklist timer should be reset after each match.

In my case, that would remove ~50% of the (bogus) whitelist and ~90% of the
greylist.
That's far less work than manually blacklisting the IP addresses, and
thanks to the greylist, that should catch 100% of this kind of spam.

It would be nice to have a counter for the number of emails received by
the auto-blacklisted IP addrs, but that's the cherry on the shortcake.

Thoughts?
Can you see a flaw?

/Fabien
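The rule proposed above, modelled as an added example. This is not milter-greylist code and not the author's; it is a self-contained Python model of a greylist database in which a mail to a honeypot recipient from a non-whitelisted IP (re)sets a blacklist timer for that IP, purges every greylisted and auto-whitelisted tuple for it, and counts the mails rejected while the timer runs. The delay and TTL values, the `trap@example.org` honeypot, the TEST-NET addresses and the sample senders/recipients are constructed for the demonstration.

```python
"""Added example (not milter-greylist's code): a model of the honeypot-driven
auto-blacklist proposed in the message. All names, durations and sample
addresses are assumptions made for this demonstration."""
from dataclasses import dataclass, field

GREYLIST_DELAY = 30 * 60        # assumed: 30 minutes before a retry is accepted
AUTOBLACKLIST_TTL = 24 * 3600   # assumed: an auto-blacklisted IP stays listed 24h


@dataclass
class Entry:
    status: str        # "greylisted" or "autowhitelisted"
    first_seen: float  # timestamp of the first delivery attempt


@dataclass
class GreylistDB:
    honeypots: set                                   # trap recipient addresses
    ip_whitelist: set                                # relays / secondary MXs (exempt)
    tuples: dict = field(default_factory=dict)       # (ip, sender, rcpt) -> Entry
    blacklist: dict = field(default_factory=dict)    # ip -> expiry timestamp
    hits: dict = field(default_factory=dict)         # ip -> mails seen while blacklisted

    def purge_ip(self, ip):
        """Drop every greylisted and auto-whitelisted tuple for this IP."""
        doomed = [key for key in self.tuples if key[0] == ip]
        for key in doomed:
            del self.tuples[key]
        return len(doomed)

    def is_blacklisted(self, ip, now):
        """True while the IP's timer is running; expired entries are dropped."""
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[ip]
            return False
        return True

    def check(self, ip, sender, rcpt, now):
        """Return the verdict for one delivery attempt and update the DB."""
        # Honeypot rule: fires even if sender/recipient are whitelisted, but
        # never for a whitelisted IP, since a relay hides the real source.
        if rcpt in self.honeypots and ip not in self.ip_whitelist:
            self.blacklist[ip] = now + AUTOBLACKLIST_TTL   # reset timer on each match
            self.purge_ip(ip)
            self.hits[ip] = self.hits.get(ip, 0) + 1
            return "autoblacklisted"
        if self.is_blacklisted(ip, now):
            self.hits[ip] = self.hits.get(ip, 0) + 1       # the requested counter
            return "autoblacklisted"
        # Ordinary greylisting on the (ip, sender, rcpt) tuple.
        key = (ip, sender, rcpt)
        entry = self.tuples.get(key)
        if entry is None:
            self.tuples[key] = Entry("greylisted", now)
            return "greylisted"
        if entry.status == "greylisted" and now - entry.first_seen >= GREYLIST_DELAY:
            entry.status = "autowhitelisted"
        return "accepted" if entry.status == "autowhitelisted" else "greylisted"


def simulate():
    """Replay the scenario from the message with constructed sample data."""
    db = GreylistDB(honeypots={"trap@example.org"}, ip_whitelist={"198.51.100.2"})
    spammer, relay = "203.0.113.7", "198.51.100.2"   # constructed TEST-NET addresses
    t0 = 1_000_000.0
    senders = [f"bot{i}@example.net" for i in range(12)]
    rcpts = [f"user{i}@example.org" for i in range(5)]
    # Pass 1: the spam run is greylisted; pass 2 (after the delay) auto-whitelists it.
    for when in (t0, t0 + GREYLIST_DELAY):
        for s in senders:
            for r in rcpts:
                db.check(spammer, s, r, when)
    before = len(db.tuples)
    # One mail to the honeypot triggers the auto-blacklist and the purge.
    trap = db.check(spammer, senders[0], "trap@example.org", t0 + GREYLIST_DELAY + 1)
    after = len(db.tuples)
    # Further mail from that IP is rejected while the timer runs, and counted.
    later = db.check(spammer, senders[1], rcpts[1], t0 + GREYLIST_DELAY + 2)
    # A whitelisted relay delivering to the honeypot is not blacklisted.
    relay_verdict = db.check(relay, "someone@example.com", "trap@example.org", t0)
    # Once the TTL has elapsed the IP falls back to normal greylisting.
    expired = db.check(spammer, senders[2], rcpts[2],
                       t0 + GREYLIST_DELAY + 1 + AUTOBLACKLIST_TTL)
    return {"tuples_before": before, "trap": trap, "tuples_after": after,
            "later": later, "hits": db.hits[spammer], "relay": relay_verdict,
            "relay_blacklisted": relay in db.blacklist, "expired": expired}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The purge is keyed on the IP alone, so it removes both the greylisted and the auto-whitelisted tuples in one pass, which is the part of the proposal that shrinks the database; the IP whitelist check sits before everything else so that a secondary MX or relay that has already accepted the mail never gets listed.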
