[Gross] Spammers adapt
Eino Tuominen
eino at utu.fi
Thu Feb 28 21:11:34 EET 2008
Hi,
I just noticed that our match rate is much higher now than it has been
before. I did some log analysis and found lots of patterns like this:
Feb 28 19:39:32 smtp01 grossd: [ID 702911 mail.info] #a78: greylist:
190.48.141.76 jr.tolerd at kecoindustries.com our-user
Feb 28 19:39:36 smtp01 grossd: [ID 702911 mail.info] #a79: greylist:
190.48.141.76 jr.tolerd at kecoindustries.com our-user
Feb 28 19:39:47 smtp01 grossd: [ID 702911 mail.info] #a24: match:
190.48.141.76 jr.tolerd at kecoindustries.com our-user
That is, retries go now beyond 10 seconds delay I've been using. I just
resized our filter_bits to 26 and set grey_delay=120.
Next I've decided to implement weights on checks and implement that
block_threshold so grossd can reject obvious spammers with permanent
errors. I've been pondering this kind of setup:
dnsbl = bl.spamcop.net;2
dnsbl = dnsbl.njabl.org;1
dnsbl = dnsbl.sorbs.net;1
dnsbl = zen.spamhaus.org;3
dnsbl = rbl-plus.mail-abuse.org;3
block_threshold = 4
That is, no one match will lead to a permanent rejection, but two will
be enough if one of them is highly trusted (spamhaus or rbl-plus).
--
Eino Tuominen
More information about the Gross
mailing list