Re: PLUG: PMAS
- From: helbig@xxxxxxxxxxxxxxxxxxxxxxxx (Phillip Helbig---remove CLOTHES to reply)
- Date: Mon, 18 Jun 2007 08:48:12 +0000 (UTC)
In article
<3f119ada0706171352o747f7c10n4b67ab50262039b8@xxxxxxxxxxxxxx>, DeanW
<dean.woodward@xxxxxxxxx> writes:
> 1) Delaying- the first time it sees a message from IP, from USER, to
> RECIPIENT, it returns a "temporary failure" and logs the triplet. If
> that triplet comes up again in < 5 minutes, it gets rejected again and
> logged as a spammer. If more than 5 minutes, then it's considered a
> valid sender, and logged as such; future messages are not delayed
> (unless it fails one of the subsequent spam checks). If it doesn't
> come back in 24 hours, the entry is purged.
This is known as greylisting.
> 2) Max errors: To defeat dictionary attacks, after 3 invalid
> recipients, the connection is dropped.
Presumably from the same IP address within a certain time. I think this
would be relatively easy to implement in HP TCPIP.
I just had a look at my current TCPIP$SMTP_RECV_RUN.LOG;* (I'm up to
;382 within the last 7 hours). 1000 a day is possible. I now renumber
them starting with 0 every night. In one of them, I have:
check_user: User malcsue is apparently a username but has no account: FAIL
check_user: User boomail is apparently a username but has no account: FAIL
check_user: User hatnboots is apparently a username but has no account: FAIL
check_user: User donnasn is apparently a username but has no account: FAIL
check_user: User asktonya is apparently a username but has no account: FAIL
check_user: User morty is apparently a username but has no account: FAIL
check_user: User hammerlord is apparently a username but has no account: FAIL
check_user: User xaqj is apparently a username but has no account: FAIL
check_user: User empirekb is apparently a username but has no account: FAIL
check_user: User iaiio is apparently a username but has no account: FAIL
check_user: User ibizajmari is apparently a username but has no account: FAIL
check_user: User dsdmi is apparently a username but has no account: FAIL
check_user: User cityofch is apparently a username but has no account: FAIL
check_user: User chroobs is apparently a username but has no account: FAIL
check_user: User eyeish is apparently a username but has no account: FAIL
Unfortunately, the IP address is not in this file, and the error message
is not in the operator log. Otherwise, it would be relatively easy to
extract the IP address and add it to the local Bad-Clients list.
> Those two block 87% of inbound spam before the message body even
> begins to be transmitted; RBLs and a Bayesian filter catch almost all
> the rest. Each user here sees 1-2 spam messages a day. I can live with
> it.
Presumably, there is some overlap between your techniques and RBLs, i.e.
RBLs alone would block more than 13%.
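The two checks discussed in this exchange, the greylisting triplet state machine and the per-connection limit on invalid recipients, as an added example that is not part of the original post and not code from PMAS or HP TCPIP. The 5-minute window, 24-hour purge and 3-error limit are the figures from the thread; the `Greylist` and `SmtpSession` classes, the client address `192.0.2.10` and the local user list are constructed for illustration.

```python
"""Greylisting and max-invalid-recipient checks, modelled on the thread.

Added example (hypothetical names, constructed sample data); it is not the
code of PMAS, HP TCPIP or any poster in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, recipient)

GREYLIST_DELAY = 5 * 60        # retry sooner than this is logged as a spammer
GREYLIST_PURGE = 24 * 60 * 60  # triplets never retried are dropped after a day
MAX_INVALID_RCPT = 3           # dictionary-attack guard from the post


@dataclass
class Entry:
    first_seen: float
    valid: bool = False        # set once a retry arrives after the delay
    fast_retries: int = 0      # retries inside the delay window (spam cannon)


@dataclass
class Greylist:
    entries: Dict[Triplet, Entry] = field(default_factory=dict)

    def check(self, triplet: Triplet, now: float) -> str:
        """Return 'tempfail' or 'accept' for one delivery attempt."""
        self.purge(now)
        e = self.entries.get(triplet)
        if e is None:
            # First sighting: answer 4xx and remember the triplet.
            self.entries[triplet] = Entry(first_seen=now)
            return "tempfail"
        if e.valid:
            return "accept"   # already known good, no further delay
        if now - e.first_seen < GREYLIST_DELAY:
            # Came back too quickly: reject again and count it as spammer
            # behaviour. A real MTA queues and retries later.
            e.fast_retries += 1
            return "tempfail"
        e.valid = True        # patient retry: treat as a valid sender
        return "accept"

    def purge(self, now: float) -> None:
        """Drop pending triplets that never came back within 24 hours."""
        stale = [t for t, e in self.entries.items()
                 if not e.valid and now - e.first_seen > GREYLIST_PURGE]
        for t in stale:
            del self.entries[t]


@dataclass
class SmtpSession:
    """Counts invalid RCPT TO attempts on one connection (the 'Max errors' check)."""
    local_users: FrozenSet[str]
    invalid: int = 0
    dropped: bool = False

    def rcpt_to(self, user: str) -> str:
        if self.dropped:
            return "dropped"
        if user in self.local_users:
            return "ok"
        # Corresponds to a "check_user: ... has no account: FAIL" log line.
        self.invalid += 1
        if self.invalid >= MAX_INVALID_RCPT:
            self.dropped = True   # third bad recipient: close the connection
            return "drop"
        return "fail"


if __name__ == "__main__":
    g = Greylist()
    t = ("192.0.2.10", "sender@example.org", "user@example.com")  # constructed
    print(g.check(t, 0), g.check(t, 60), g.check(t, 400))       # tempfail tempfail accept
    s = SmtpSession(frozenset({"postmaster"}))
    print([s.rcpt_to(u) for u in ("malcsue", "boomail", "hatnboots", "postmaster")])
```

The session counter is per connection, which is what the post describes; the follow-up in the thread (counting per IP address across connections) would need the client address, which the `check_user` log lines shown do not carry.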