Re: [exim] Delaying messages for 5 minutes?

My latest project is outbound filtering. I'm filtering for an Australian
ISP with 40k users. Their problem has been that people with weak
passwords get their accounts hacked and send millions of spams and they
get blacklisted.

Now they are routing through my servers and I need to catch it or I get
blacklisted. :)

My theory is this. Spammers tend to send lots of email. If someone is
sending just a few emails they aren't spamming. So I can just pass
anything sent slowly.

So if the email is coming fast then the question is - is it a good email
list like someone's newsletter - or is it spam.

Spammers tend to have bad lists so they have a lot of bad recipients. So
I'm doing forward callouts and looking at ratios of good email to bad
email. Also running Spam Assassin and other content tests on fast moving
suspicions streams. So at some point if I decide it's a spam stream then
I block it for as long as the sending rate is high.

But - it takes several minutes to determine the nature of the stream.
And didn't want the spammer to get several hundred spams out before I
figure out what's happening. So the idea is to stuff the start of a fast
streem into a 10 minute delay queue with the idea that if they are
spamming then I can kill it all.

That's the plan anyhow. And looking for other tricks to make it better.


On 4/11/2011 3:31 PM, W B Hacker wrote:
>
> Hopefully some new uses for old tricks and even a few new techniques
> will eventually come of this.
>
> It DOES seem that there is a growing need in that several waves of
> 'something' infectious have caused both long-since reformed and
> recently reputable major ISP'en to transmit garbage they'e not done
> for years, and even appear at least sporadically on well-regarded
> blacklists.
>
> I've even had to LWL specific members of some of those to insure they
> can reach 'us'.
>
> Given these worthies history of good screening, that HAS to be some
> form of UID:PWD hijacking.
>
> While it is extremely unlikely to bite *here* [1], I'd like to not
> have to LWL 'incoming' AOL, Yahoo, MSN/Hotmail users one-at-a-time, so
> hope it all leads to several good solutions, and that the solutions
> propagate faster than the problem.
>
> 'Carry on the good work'
>
> Bill
>
> [1] 'BFBI'. No Windows clients save a couple of test accounts used
> about once every second or third year.
>