From: W B Hacker
Date:
To: exim users
Subject: Re: [exim] DynaStop - I like it!
Phil Pennock wrote:
> On 2006-11-02 at 06:56 +0800, W B Hacker wrote:
>> The good news is that a blocklist of 400-600 partially-wildcarded 'HELO' names
>> nails about 70-80%, and twice that gets nearly all of them - both figures now
>> solidly verified against two or more RBL's. About 1/4 of these persist
>> year-on-year for the 5+ years we have been watching.
>
> Is such a list quietly available anywhere, if I promise that I would
> only redistribute it to clueful folk on a no-public-disclosure
> restriction?
Not useful. The 'obvious' stuff is in GP RBL's - ergo we gradually remove those
entries as they are ID'ed as having become duplicates. Not a high priority so
long as the list is not overly large.
The stuff that helps the most is whatever *your* server is being hammered with
that IS NOT in an RBL, and does NOT fit a predefined pattern.
And you have to develop that from analysis of submissions to YOUR domains.
Mine would be mostly useless even if you were in Hong Kong.
Yours for server 'A' may differ from server 'B'.
Of the hundreds of millions of potential sources, only a small percentage, often
under a thousand, will be the ones most of concern to any single MTA in a given
week, month, or calendar quarter. These change over time, but not by the day or
hour.
What use to you is blocking a particular Korean High School or Chinese
University that happens to hammer a Swiss .tld on a HKG IP-block?
Probably zero.
>
> I check that the HELO isn't one of my own IP addresses and isn't one of
> any known-bad HELO lines. "localhost" and "friend" catch a significant
> number, but I should look at expanding this.
>
The 'obvious' ones are all RBL'ed. Use a 'warn' to log hits on your custom tests
just *before* the RBL call, and log that also.
Then do offline comparisons to see who is NOT in the RBL, but IS a bad-actor by
*your* standards, AND hits you frequently, AND slips by SA otherwise, THEN make
a gift of a 'deny' or just add some points to their spam_score later on.
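The offline comparison described in that last step, as an added example that is not part of the original post or of Exim itself: it takes mainlog lines written by a `warn` ACL (the `HELO_CUSTOM` and `RBL_HIT` tags, the pattern logged after `HELO_CUSTOM`, and the sample lines are all constructed for this example) and ranks the custom HELO patterns whose senders the RBL never flagged.

```python
"""Rank custom-HELO patterns hit by senders the RBL did not catch (Exim mainlog)."""
import re
from collections import Counter

# Constructed sample lines, shaped like Exim mainlog entries produced by an ACL
# `logwrite`. The HELO_CUSTOM / RBL_HIT tags and the logged pattern are assumptions
# for this example, not Exim's own log format.
SAMPLE_LOG = """\
2006-11-02 06:56:01 H=(friend) [192.0.2.10] HELO_CUSTOM friend
2006-11-02 06:56:01 H=(friend) [192.0.2.10] RBL_HIT zen.example.invalid
2006-11-02 06:57:14 H=(localhost) [198.51.100.7] HELO_CUSTOM localhost
2006-11-02 06:58:30 H=(pc-12.example.net) [203.0.113.5] HELO_CUSTOM pc-*.example.net
2006-11-02 07:01:02 H=(pc-44.example.net) [203.0.113.9] HELO_CUSTOM pc-*.example.net
2006-11-02 07:05:45 H=(pc-71.example.net) [203.0.113.9] HELO_CUSTOM pc-*.example.net
2006-11-02 07:09:10 H=(localhost) [198.51.100.8] HELO_CUSTOM localhost
2006-11-02 07:09:10 H=(localhost) [198.51.100.8] RBL_HIT zen.example.invalid
"""

# Timestamp, HELO name, connecting IP, our tag, then the pattern or list name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] "
    r"(?P<tag>HELO_CUSTOM|RBL_HIT) (?P<detail>.*)$"
)


def parse(log_text):
    """Yield (ip, helo, tag, detail) for each line that matches; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["helo"], m["tag"], m["detail"]


def custom_only_patterns(log_text, min_hits=2):
    """Count hits per custom HELO pattern from IPs the RBL never flagged.

    Returns [(pattern, hits), ...] for patterns seen at least min_hits times,
    most frequent first: the candidates for a 'deny' or a spam_score bump.
    Patterns whose only senders were already RBL-listed drop out as duplicates.
    """
    rbl_ips = {ip for ip, _, tag, _ in parse(log_text) if tag == "RBL_HIT"}
    counts = Counter(
        detail
        for ip, _, tag, detail in parse(log_text)
        if tag == "HELO_CUSTOM" and ip not in rbl_ips
    )
    return [(p, n) for p, n in counts.most_common() if n >= min_hits]
```

Run over a real mainlog, `min_hits` is the "hits you frequently" threshold; raise it as the log window grows so one-off connections do not earn a permanent 'deny'.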