[BlueOnyx:21402] Re: Solarspeed RBL blacklist

Colin Jack colin at mainline.co.uk
Thu Sep 21 02:32:46 -05 2017


Oooh … like this!

Colin

On 20/09/2017, 22:34, "Blueonyx on behalf of Michael Stauber" <blueonyx-bounces at mail.blueonyx.it on behalf of mstauber at blueonyx.it> wrote:

    Hi all,
    
    I'd like to share a bit of something I spent a little time on recently
    and which eventually might make it into the AV-SPAM as configurable option:
    
    I was getting a bit of SPAM in the last six weeks which had me bonkers.
    It was usually 30-40 emails a day. About 10% of those were the stuff
    that often slips through anyway.
    
    The rest were often HTML-emails with random text in the footer, a link
    and an image, or text that was generic enough to not outright trigger
    any rules that would mark it as SPAM. Clearly the perpetrators were
    checking their emails with SpamAssassin and tweaked them enough to make
    the emails score low enough.
    
    About 80% of those SPAMs that made it through were from the same ASN and
    that ASN changed daily. The amount of ASNs they went through in the
    last 30 days or so is kinda bamboozling. Yet they come back with more.
    
    Still: The SPAMs were spread out through the day and night, so they
    didn't all arrive at the same timeframe.
    
    After optimizing some existing SpamAssassin rules (and creating new
    ones) I managed to cut the leakage down a bit. However, I started to
    think about starting my own RBL and to tie that into SpamAssassin, which
    is fairly simple.
    
    As I do run a PowerDNS master/slave DNS server with MySQL backend, it
    was easy to do so: I just set an unused Zone aside, configured it
    properly with short TTLs and short caching and set up a separate PHP
    script that takes IPs, turns them into RBL records and (if not already
    present in SQL) feeds them into SQL and bumps the Zone serial.
    
    To automate this further I set up a Perl script that parses a separate
    IMAP folder into which all detected SPAMs (and all SPAMs that I moved
    manually into that folder) get parsed and the sender IP is extracted. The
    script then checks if the sender IP is not in our whitelist (which
    contains everything we never want to block!) and then automatically
    pushes every remaining (bad) IP into the RBL blacklist.
    
    From there it was just a matter of setting up a cronjob that runs this every
    few minutes. So all that is left to do is to move escaped SPAMs into
    this separate IMAP folder and the offending IP gets blacklisted
    automatically.
    
    Even better: I have a few ancient mailboxes that get nothing but SPAM.
    Including them in the script that parses the IMAP folder now auto-feeds
    the IP addresses of SPAM-senders into the RBL as well.
    
    Once the RBL has grown large enough to make it worth our while I'll
    include it in the AV-SPAM and you can decide if you want to use it as
    well and which score you apply to emails from IPs that are in the
    Solarspeed RBL. If the score is high enough, these emails can be
    rejected at the MTA level. Which is what I currently do.
    
    -- 
    With best regards
    
    Michael Stauber
    _______________________________________________
    Blueonyx mailing list
    Blueonyx at mail.blueonyx.it
    http://mail.blueonyx.it/mailman/listinfo/blueonyx
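Added example (editor's code, not BlueOnyx or Solarspeed code, and in Python rather than the PHP/Perl Michael describes): the whole pipeline from the quoted mail in one runnable piece. It walks the Received: chain of a message from the spam folder to find the last external hop, skips anything in a whitelist, turns the IP into a reversed-octet DNSBL owner name, inserts A and TXT rows only if they are not already there, and bumps the SOA serial. The zone name rbl.example.test, the TRUSTED and WHITELIST networks, the SQLite stand-in for the PowerDNS gmysql tables and the SAMPLE_SPAM messages are all constructed assumptions for the demo.

```python
"""Added example: IMAP-spam-folder -> own RBL feeder, in Python.

Not BlueOnyx/Solarspeed code. Assumed: zone rbl.example.test, an in-memory
SQLite stand-in using the PowerDNS gmysql column names, TRUSTED (our own
relays), WHITELIST (never listed) and constructed Received: headers.
"""
import email
import ipaddress
import re
import sqlite3

RBL_ZONE = "rbl.example.test"  # assumption: spare zone set aside for the RBL
LISTED = "127.0.0.2"           # conventional DNSBL "listed" answer
TTL = 60                       # short TTL so delistings propagate quickly

# Assumption: our own MX/relays; only their Received: lines are trusted.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]
# Assumption: networks that must never be listed (partners, own ranges, ...).
WHITELIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.0.0.0/8")]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_ip(raw_msg: bytes):
    """First hop outside TRUSTED, walking Received: top-down.

    Each relay prepends its own Received: line, so the newest (ours) is on
    top. The first bracketed IP that is not ours is the host that handed the
    mail to our MX. Lines below that were written by the sender and may be
    forged, so we never read that far."""
    msg = email.message_from_bytes(raw_msg)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(str(hdr))
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in TRUSTED):
            return ip
    return None


def rbl_name(ip) -> str:
    """DNSBL owner name: reversed octets under the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(str(ip).split("."))) + "." + RBL_ZONE


def whitelisted(ip) -> bool:
    return any(ip in net for net in WHITELIST)


def open_db() -> sqlite3.Connection:
    """SQLite stand-in with the gmysql columns this script touches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER,
                              name TEXT, type TEXT, content TEXT, ttl INTEGER);
    """)
    db.execute("INSERT INTO domains (id, name) VALUES (1, ?)", (RBL_ZONE,))
    soa = "ns1.example.test. hostmaster.example.test. 2017092001 300 60 604800 60"
    db.execute("INSERT INTO records (domain_id, name, type, content, ttl) "
               "VALUES (1, ?, 'SOA', ?, ?)", (RBL_ZONE, soa, TTL))
    db.commit()
    return db


def soa_serial(db) -> int:
    row = db.execute("SELECT content FROM records WHERE type='SOA' AND name=?",
                     (RBL_ZONE,)).fetchone()
    return int(row[0].split()[2])


def bump_serial(db) -> None:
    """Increment the SOA serial so the slave picks up the change on transfer."""
    rid, content = db.execute("SELECT id, content FROM records WHERE type='SOA' "
                              "AND name=?", (RBL_ZONE,)).fetchone()
    f = content.split()
    f[2] = str(int(f[2]) + 1)
    db.execute("UPDATE records SET content=? WHERE id=?", (" ".join(f), rid))


def blacklist(db, ip) -> bool:
    """Add A+TXT listing for ip unless present; True only when newly listed."""
    name = rbl_name(ip)
    if db.execute("SELECT 1 FROM records WHERE name=? AND type='A'", (name,)).fetchone():
        return False
    ins = "INSERT INTO records (domain_id, name, type, content, ttl) VALUES (1, ?, ?, ?, ?)"
    db.execute(ins, (name, "A", LISTED, TTL))
    db.execute(ins, (name, "TXT", f'"Spam source, listed in {RBL_ZONE}"', TTL))
    bump_serial(db)
    db.commit()
    return True


def feed_folder(db, messages) -> list:
    """The cron job body: extract sender, drop whitelisted/unknown, list the rest."""
    listed = []
    for raw in messages:
        ip = sender_ip(raw)
        if ip is None or whitelisted(ip):
            continue
        if blacklist(db, ip):
            listed.append(str(ip))
    return listed


# Constructed messages standing in for the spam IMAP folder.
SAMPLE_SPAM = [
    # internal hop, then the external sender, then a forged line never reached
    b"Received: from mx.example.test ([192.0.2.10]) by imap.example.test\r\n"
    b"Received: from mail.spam.invalid (unknown [203.0.113.7]) by mx.example.test\r\n"
    b"Received: from [10.1.2.3] by mail.spam.invalid\r\n"
    b"Subject: cheap stuff\r\n\r\nbuy now\r\n",
    # whitelisted partner: must never be listed
    b"Received: from relay.partner.test ([198.51.100.5]) by mx.example.test\r\n"
    b"Subject: meeting\r\n\r\nmoved to 3pm\r\n",
    # same sender again: no second row, no second serial bump
    b"Received: from mail.spam.invalid (unknown [203.0.113.7]) by mx.example.test\r\n"
    b"Subject: cheap stuff again\r\n\r\nbuy now\r\n",
]

if __name__ == "__main__":
    db = open_db()
    print(feed_folder(db, SAMPLE_SPAM), soa_serial(db))
```

Running it lists 203.0.113.7 once and moves the serial from 2017092001 to 2017092002; the whitelisted partner and the forged 10.1.2.3 line are ignored, and the second message from the same host is a no-op. Against a real PowerDNS gmysql schema the records table has further columns (disabled, ordername, auth) with defaults, and the serial can also be bumped with pdnsutil increase-serial rather than by editing the SOA content. To score on the zone from SpamAssassin, local.cf would carry a rule of the form header RCVD_IN_OWNRBL eval:check_rbl('ownrbl-lastexternal', 'rbl.example.test.') with matching describe, score and tflags RCVD_IN_OWNRBL net lines (rule name and zone are assumptions here); the -lastexternal suffix makes SpamAssassin query only the last untrusted hop, the same IP this script lists. Since a listing leads to an MTA-level reject, the whitelist is the only guard rail against a spoofed or compromised partner host getting listed, which is why it is checked before every insert.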
    