Author: W B Hacker Date: To: exim users Subject: Re: [exim] DynaStop - I like it!
Jethro R Binks wrote: > Bill:
>
> On Thu, 2 Nov 2006, W B Hacker wrote:
>
>> The good news is that a blocklist of 400-600 partially-wildcarded 'HELO' names
>> nails about 70-80%, and twice that gets nearly all of them - both figures now
>> solidly verified against two or more RBL's. About 1/4 of these persist
>> year-on-year for the 5+ years we have been watching.
>
> That sounds like a useful list to publish ... I only have a small
> collection of a half-dozen or so persistent offenders!
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
One of the many reasons I *don't* publish it is that arrival targets are highly
domain-specific, even on the same virtual-hosting box, let alone other boxes in
the same rack and IP block.
TANSTAAFL, and one size does NOT fit all.
But if we each individually set up to auto-gather info on our own server's primo
attackers, research the worst of them, and apply some customization, yes, that
can help a lot. If only by de-cluttering our logs ;-)
Perhaps 10-20% of our worst long-term/chronic repeaters long ago moved into ipfw
tables where I can no longer whitelist them. No need to.