[Mimedefang] Revisit: Filtering on HELO

[Jeff Rife]

On 26 Mar 2007 at 17:24, Philip Prindeville wrote:

> I remember the time that someone in my CIDR block did
> something, and our whole CIDR block was blacklisted.
> 
> I was really pissed...  took 5 days to get only the offending
> host address blocked instead of the whole CIDR block.

That would be one of the many reasons I no longer do any blocking based 
on external opinions about "quality" of an IP/domain/whatever.  I do 
use some of these as scoring rules for SA, but those numbers get 
tweaked based on how accurate I feel the list is.  Pretty much anything 
that is a list that collects IPs into broad groups (either because of 
subnet matches like you saw, or "this is a dialup" type of 
classifications) gets the score adjusted lower than the default.

I have just finished the implementation of my own IP reputation code 
that is based solely on what that IP has done when connecting to me.  
Virus and spam gets the IP blacklisted for a time that is based on how 
many viruses have come from that IP and how bad the average spam from 
that IP is.

It works nicely, and I just got a 54-point spam, and that's the only e-
mail I have received from that IP in over a month (I've been logging 
for a while before enabling the rejection code).  So, they got 
blacklisted for two days.  Not really much, but enough that I don't 
have to see anything from that bot for a while.  If they pop me with 
another one when they are free again, they'd get around 4 days on the 
list.


--
Jeff Rife |  
          | http://www.nabs.net/Cartoons/Dilbert/CoWorker.gif