On 28/06/05, Wolfgang.Fuertbauer@???
<Wolfgang.Fuertbauer@???> wrote:
> > >
> > > Sure. You can put something like this in your rcpt ACL:
> > >
> > > drop
> > > condition = ${if > {${eval:$rcpt_fail_count}}{3}{true}{false}}
> > > message = Too many failed recipients - count =
> $rcpt_fail_count
> > >
> > > This will drop the connection after 3 bad rcpt to's are done.
>
> > We do exactly that, but we also save the IP to feed a local DNSBL and
> > reject on connect the next time they come along.
>
> how do you do that ? can we get your config please?
I'll publish it when it's a little prettier.
Currently I write a code to the log file in a 'log_message' line along
with the offending IP. This is picked up by a perl daemon which runs
File::Tail on the mainlog, and submitted to a MySQL table. A cron job
pulls IPs out of the table once a minute and dumps them in a file for
rbldnsd to pick up. 3 geographically-dispersed MX servers all
contribute to the central database and query the single DNSBL in the
connect ACL and 'drop' on a hit.
The version I'm working on uses a daemon inspired by Alun Jones'
example at
http://users.aber.ac.uk/auj/spam/ - the daemon will accept
several different commands which will cause various things to happen
with the IP in question depending on the severity of the offence -
immediate blacklisting, '3 strikes and you're out', etc.
We've collected 27,500 IPs in the DNSBL in the first week this has
been running, all from remote servers which either sent more than 4
bad recipients in a single connection or HELOd with some specific
blacklisted strings (including our own IPs).
Peter
--
Peter Bowyer
Email: peter@???
Tel: +44 1296 768003
VoIP: sip:peter@???
