David Woodhouse wrote:
>On Fri, 2005-02-18 at 16:56 -0800, Marc Perkel wrote:
>
>
>>So - after one attempted message to a failed recipient I add the from
>>address to a list and the next time I return a temporary error. The list
>>is cleared every 5 minutes so if someone sent something innocently -
>>they are only blocked for 5 minutes.
>>
>>But - someone probing for email addresses only get to do it once every 5
>>minutes. All their other attempts are blocked.
>>
>>
>
>So when someone sends a mail to me with faked sender fred@???,
>and my systems do a callout to check that address, I get blocked for 5
>minutes?
>
>
No - I do an exception for if the sender is null or postmaster.
>And if I send a message to you and manage to mistype your address, then
>correct it when I get the bounce, I'm also blocked for 5 minutes?
>
>
Your message doesn't bounce. It gets a temporary error for the rest of
the current 5 minute period. So your next message is delayed for up to 5
minutes. Thats not to expensive a penalty.
>Consider doing it only for incoming non-bounce messages and only on the
>second and subsequent failed address, not the first.
>
>
Taking the above into consideratrion - there's nothing wrong with doing
it on the first because all errors result in a 5 minute delay. And - I'm
trying to keep it simple. Basicly a "sin" results in greylisting for 5
minutes. I add the from address to a list and every 5 minutes I wipe out
the list.
Here's my ACL
defer senders = /var/spool/spam/suspicious-from.txt
message = FROM Address temporarilly BLOCKED - Failed Recipient!
!condition = ${if
match_domain{$sender_address}{+all_mail_handled_locally}{true}{false}}
warn message = Recipient Failure
domains = +all_mail_handled_locally
!verify = recipient/callout=2m,defer_ok,use_sender
!hosts = +relay_from_hosts
!senders = : postmaster@*
condition = ${run{/etc/exim/scripts/log-file
/var/spool/spam/suspicious-from.txt $sender_address}{yes}{yes}}
And - then you add a 5 minute cron job to empty the list every 5 minutes.
true > /var/spool/spam/suspicious-from.txt
This is just one of four penalty boxes I'm playing with. I have a one
hour penalty box as well for those who sent me high scoring spam. And
some that block the host IP address for a period of time. And blocking
means returning temporary errors so that real email comes back later.
Similar to greylisting the idea is that spammer try once and go away.
Real email retries over days. Unlike greylisting these is no initial
penalty for first time contacts.
And - this is a low overhead solution.
--
Marc Perkel - marc@???
Spam Filter: http://www.junkemailfilter.com
My Blog: http://marc.perkel.com
My Religion: http://www.churchofreality.org
~ "If it's real - we believe in it!" ~
