[Gross] perpetual match
Jesse Thompson
jesse.thompson at doit.wisc.edu
Wed Oct 31 22:57:55 EET 2007
I generate a report from my gross logs that lists the top 20 IPs in the
"Match" category, in an attempt to see which spammers are smart enough
to retry and also find legitimate mailers that are being greylisted.

I've noticed for some time that a couple of campus mail servers are
always on the top of the match list. I ignored it for a long time
figuring that they were just on a blacklist, and since they weren't
complaining, no bother fixing it.

I got curious one day and tried to figure out which blacklist they were
on. They weren't listed on any blacklist that I query or the Sophos
blocker. hmmm

Next, I checked the gross logs. There were 0 Grey entries for these IP
addresses going back 30 days. hmmm

Why would this occur?

My best guess is that there are false positives in the bloom filters. I
have filter_bits = 24, so maybe I should raise it a bit to see if the
problem goes away?

But why does it only happen to these few mailers? Surely this would be
more random?

One thing that is unique about these servers is that the from address is
relatively constant:

server 1 (forwarded mail has the env_from rewritten):
  <ip> joeuser at deptartment.wisc.edu joeuser at wisc.edu
or
  <ip> juser at deptartment.wisc.edu joeuser at wisc.edu

server 2:
  <ip> mailman-bounces at department.wisc.edu joeuser at wisc.edu

server 3:
  <ip> list-name-bounces at department.wisc.edu joeuser at wisc.edu

Could this be leading to the bloom filter false positives?

Anyway, this isn't really a big problem, just a minor annoyance since it
screws up my stats.

Jesse
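
An added illustration, not part of the original post and not Gross's own code: a generic Bloom filter of 2**bits bits, showing how the false-positive rate depends on the filter size, and that a never-inserted triplet which matches once keeps matching while the filter contents are unchanged. The probe count k, the SHA-256 based hashing, the "ip from rcpt" key layout and all addresses and load figures are constructed assumptions.

```python
import hashlib
import math

class Bloom:
    """Generic Bloom filter with 2**bits bit positions and k probes per key."""
    def __init__(self, bits, k):
        self.m = 1 << bits
        self.k = k                      # assumption: not Gross's actual probe count
        self.array = bytearray(self.m // 8)

    def _positions(self, key):
        # Assumption: derive the k positions from one SHA-256 digest, 4 bytes each.
        digest = hashlib.sha256(key.encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def add(self, key):
        for p in self._positions(key):
            self.array[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key):
        return all(self.array[p >> 3] & (1 << (p & 7)) for p in self._positions(key))

def expected_fp_rate(bits, k, n):
    """Standard estimate (1 - e^(-k*n/m))**k after n distinct insertions."""
    m = 1 << bits
    return (1.0 - math.exp(-k * n / m)) ** k

def simulate(bits=16, k=4, inserted=20000, probes=20000):
    """Fill a deliberately small filter, then probe triplets never inserted."""
    bf = Bloom(bits, k)
    for i in range(inserted):
        # Constructed triplets: documentation IP range and example domains.
        bf.add(f"192.0.2.{i % 256} sender{i}@example.org joeuser@example.edu")
    unseen = [f"198.51.100.7 list{i}-bounces@example.org joeuser@example.edu"
              for i in range(probes)]
    first = [t for t in unseen if t in bf]    # false positives, first pass
    second = [t for t in unseen if t in bf]   # same probes, second pass
    return len(first) / probes, first == second

if __name__ == "__main__":
    rate, stable = simulate()
    print(f"observed FP rate {rate:.3f}, same triplets match again: {stable}")
    for bits in (24, 25, 26):
        print(bits, expected_fp_rate(bits, 4, 100000))
```

The simulation uses a 2**16-bit filter so that false positives are frequent enough to observe; the final loop prints the estimate for filter_bits 24 to 26 under a constructed load of 100000 triplets.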