[Exim] anti-spam rule for dist. spammers?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Walt Reed
Date:  
À: exim-users
Sujet: [Exim] anti-spam rule for dist. spammers?
2003-10-16 09:15:22 H=66-214-165-29.mpk-eres.charterpipeline.net [66.214.165.29] F=<CsinosKaty676217665@???> rejected RCPT <xxx@???>: Message Rejected: 66.214.165.29 in block list cbl.abuseat.org.
2003-10-16 09:15:50 H=dslam222-224-59-62.adsl.zonnet.nl [62.59.224.222] F=<CsinosKaty676217665@???> rejected RCPT <xxx@???>: Message Rejected: 62.59.224.222 in block list cbl.abuseat.org.
2003-10-16 09:16:58 H=syr-24-59-36-8.twcny.rr.com [24.59.36.8] F=<CsinosKaty676217665@???> rejected RCPT <xxx@???>: Message Rejected: 24.59.36.8 in block list cbl.abuseat.org.
2003-10-16 09:17:00 H=h17n2fls33o849.telia.com [217.208.234.17] F=<CsinosKaty676217665@???> rejected RCPT <xxx@???>: Message Rejected: 217.208.234.17 in block list cbl.abuseat.org.
2003-10-16 09:17:19 H=ool-18b81275.dyn.optonline.net [24.184.18.117] F=<CsinosKaty676217665@???> rejected RCPT <xxx@???>: Message Rejected: 24.184.18.117 in local blocklist
2003-10-16 09:17:55 1AA80k-0000lM-TJ H=63-109-246-226.reverse.newskies.net [63.109.246.226] F=<CsinosKaty676217665@???> rejected after DATA: This message scored 10.0 spam points.
2003-10-16 09:18:01 H=(211.169.249.120) [211.169.249.120] F=<CsinosKaty676217665@???> rejected RCPT <xxx@???>: Message Rejected: 211.169.249.120 in local blocklist
2003-10-16 09:18:59 H=dhcp024-209-214-030.cinci.rr.com [24.209.214.30] F=<CsinosKaty676217665@???> rejected RCPT <xxx@???>: Message Rejected: 24.209.214.30 in block list cbl.abuseat.org.

Holy distributed spamming batman! 8 attempts before finally giving up,
although one got far enough to hit spamassassin. I have seen this trend
increasing over the past couple months (since sobig.)

So anyway, this got me to thinking about how to defend against this type
of abuse. One idea is to store the envelope sender in a mysql DB after
the first rejection due to SA score or RBL. Future attempts would be
blocked by an ACL rule before RBL / SA checks. This should help cut down
on the network resources used.

Of course if spammers started altering the envelope sender with each
attempt, this idea would no longer work.

Anyone doing anything like this already?