[Mimedefang] Revisit: Filtering on HELO
Jeff Rife
mimedefang at nabs.net
Mon Mar 26 21:10:00 EDT 2007
On 26 Mar 2007 at 17:24, Philip Prindeville wrote:
> I remember the time that someone in my CIDR block did
> something, and our whole CIDR block was blacklisted.
>
> I was really pissed... took 5 days to get only the offending
> host address blocked instead of the whole CIDR block.
That would be one of the many reasons I no longer do any blocking based
on external opinions about "quality" of an IP/domain/whatever. I do
use some of these as scoring rules for SA, but those numbers get
tweaked based on how accurate I feel the list is. Pretty much anything
that is a list that collects IPs into broad groups (either because of
subnet matches like you saw, or "this is a dialup" type of
classifications) gets the score adjusted lower than the default.
I have just finished the implementation of my own IP reputation code
that is based solely on what that IP has done when connecting to me.
Viruses and spam get the IP blacklisted for a time that is based on how
many viruses have come from that IP and how bad the average spam from
that IP is.
It works nicely, and I just got a 54-point spam, and that's the only
e-mail I have received from that IP in over a month (I've been logging
for a while before enabling the rejection code). So, they got
blacklisted for two days. Not really much, but enough that I don't
have to see anything from that bot for a while. If they pop me with
another one when they are free again, they'd get around 4 days on the
list.
--
Jeff Rife | http://www.nabs.net/Cartoons/Dilbert/CoWorker.gif
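As an added illustration of the local-only reputation scheme described in the message above (this is not Jeff's code, which was never posted to the list), here is a small Python store that remembers what each connecting IP has sent and derives a blacklist duration from its own spam count, average spam score and virus count. The divisor of 27 points per day and the 2 days per virus are assumptions chosen so that a single 54-point spam yields the two days mentioned in the post and a second one yields four; the `relay_decision` helper mimics the shape of a MIMEDefang `filter_relay` return value but is not the real API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed tuning knobs: 27 spam points per blacklist day, 2 days per virus.
SPAM_POINTS_PER_DAY = 27.0
VIRUS_DAYS_PER_HIT = 2.0


@dataclass
class IpRecord:
    """Everything this host has observed from one connecting IP."""
    spam_scores: List[float] = field(default_factory=list)
    virus_count: int = 0
    blocked_until: Optional[datetime] = None


class LocalReputation:
    """Reputation built solely from traffic seen here, no external lists."""

    def __init__(self) -> None:
        self.records: Dict[str, IpRecord] = {}

    def _rec(self, ip: str) -> IpRecord:
        return self.records.setdefault(ip, IpRecord())

    def penalty_days(self, ip: str) -> float:
        """Blacklist length: spam hits scaled by average score, plus viruses."""
        rec = self._rec(ip)
        days = 0.0
        if rec.spam_scores:
            avg = sum(rec.spam_scores) / len(rec.spam_scores)
            days += len(rec.spam_scores) * avg / SPAM_POINTS_PER_DAY
        days += rec.virus_count * VIRUS_DAYS_PER_HIT
        return days

    def _apply(self, ip: str, now: datetime) -> datetime:
        rec = self._rec(ip)
        rec.blocked_until = now + timedelta(days=self.penalty_days(ip))
        return rec.blocked_until

    def record_spam(self, ip: str, score: float, now: datetime) -> datetime:
        """Log a spam verdict (e.g. SpamAssassin score) and refresh the block."""
        self._rec(ip).spam_scores.append(score)
        return self._apply(ip, now)

    def record_virus(self, ip: str, now: datetime) -> datetime:
        """Log a virus verdict and refresh the block."""
        self._rec(ip).virus_count += 1
        return self._apply(ip, now)

    def is_blocked(self, ip: str, now: datetime) -> bool:
        rec = self.records.get(ip)
        return rec is not None and rec.blocked_until is not None and now < rec.blocked_until


def relay_decision(rep: LocalReputation, ip: str, now: datetime) -> Tuple[str, str]:
    """Hypothetical connect-time hook: reject while the local block is active."""
    if rep.is_blocked(ip, now):
        return ("REJECT", "Temporarily refused: recent spam or virus from your address")
    return ("CONTINUE", "ok")


if __name__ == "__main__":
    # Constructed scenario matching the message: one 54-point spam, then another.
    rep = LocalReputation()
    t0 = datetime(2007, 3, 26, 21, 10)
    print("blocked until", rep.record_spam("192.0.2.10", 54.0, t0))
    t1 = t0 + timedelta(days=3)
    print("decision when free again:", relay_decision(rep, "192.0.2.10", t1))
    print("blocked until", rep.record_spam("192.0.2.10", 54.0, t1))
```

Because every input comes from this host's own verdicts, a noisy neighbour in the same subnet cannot get the address blocked; only repeated bad mail from the exact IP lengthens its own penalty.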