2nd Stage DNS blocking
I could imagine I am not the first with this idea, and there is already
a proper name for it. Let me describe it:
We receive spam via the usual MTA chain. Sometimes we receive mail from
(free) mail providers like gmail and yahoo. Sometimes we fetchmail these
latter ones to feed them to our MX.
We only check the connecting server, and in some of the examples above
it might even be trusted. But that one was tricked to take spam before.
Random samples show me: We would not have taken most of the spam from
the intermediate or even originating MTA or sender. I would like to run
these "Received from" addresses against dnslists and/or blacklists in files.
You obviously cannot do this before the acl data. I am not a regex wiz,
and I think one needs an external script anyway to extract IPs. Hints?
Ideas?
Has anyone done this before?
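One way to do the extraction the post asks about, as an added example that is not from the original post or from any MTA project: a standalone Python script that unfolds the headers, takes the bracketed IP of the "from" host in each Received: line, skips loopback and RFC 1918 space (a DNS blocklist never lists those, and some zones answer oddly for them), and looks the rest up in a blocklist zone. The zone name dnsbl.example, the sample headers and the pluggable `is_listed` resolver are assumptions made for the example.

```python
import ipaddress
import re
import socket

# Constructed sample headers, outermost Received: first (not from the original post).
SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby ourmx.example.org with ESMTP id 1abc-0001\n"
    "Received: from mail.provider.example (mail.provider.example [198.51.100.7])\n"
    "\tby mx.example.net with ESMTPS\n"
    "Received: from [203.0.113.45] (helo=homepc)\n"
    "\tby mail.provider.example with esmtpa\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby homepc with SMTP\n"
    "Received: from bogus (bogus [999.1.1.1])\n"   # malformed, must be ignored
    "\tby localhost with SMTP\n"
    "Subject: hello\n"
)

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Address space that is never meaningful to query in a public DNSBL.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16")]


def received_ips(raw_headers):
    """IPv4 address of the 'from' host in each Received: header, outermost first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # join folded lines
    ips = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        match = BRACKETED_IPV4.search(line)   # first [ip] is the connecting host
        if not match:
            continue
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ValueError:                    # e.g. an octet above 255
            continue
        if not any(addr in net for net in SKIP_NETS):
            ips.append(str(addr))
    return ips


def dnsbl_name(ip, zone):
    """Reversed octets plus the zone: 203.0.113.45 -> 45.113.0.203.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def listed(name):
    """Default resolver: a DNSBL returns an A record only for listed addresses."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_received(raw_headers, zone, is_listed=listed):
    """Map every relay IP found in the headers to whether the zone lists it."""
    return {ip: is_listed(dnsbl_name(ip, zone)) for ip in received_ips(raw_headers)}
```

Feed the output back to the MTA as a score or a reject decision rather than rejecting outright on any hit, since a listed intermediate relay can be a large provider whose mail you still want.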