[BlueOnyx:21408] Re: Solarspeed RBL blacklist

Meaulnes Legler @ MailList bluelist at waveweb.ch
Fri Sep 22 06:09:21 -05 2017


hey Michael, this sounds great! We all appreciate your efforts to reduce SPAM. I see your mails aren't tagged as SPAM anymore, as they were for a while in my inbox (and as those from Maurice de Laat still are); looks like you handle it (as always :-)

Could you translate those abbreviations for me, please?

  * ASN (that change daily)
  * RBL records

Thank you and best regards

Meaulnes Legler
Zurich Switzerland


On 20.09.17 22:34, Michael Stauber wrote:
> Hi all,
> I'd like to share a bit of something I spent a little time on recently
> and which eventually might make it into the AV-SPAM as configurable option:
> I was getting a bit of SPAM in the last six weeks which had me bonkers.
> It was usually 30-40 emails a day. About 10% of those were the stuff
> that often slips through anyway.
> The rest were often HTML-emails with random text in the footer, a link
> and an image, or text that was generic enough to not outright trigger
> any rules that would mark it as SPAM. Clearly the perpetrators were
> checking their emails with SpamAssassin and tweaked them enough to make
> the emails score low enough.
> About 80% of those SPAMs that made it through were from the same ASN and
> that ASN changed daily. The amount of ASNs they went through in the
> last 30 days or so is kinda bamboozling. Yet they come back with more.
> Still: The SPAMs were spread out through the day and night, so they
> didn't all arrive at the same timeframe.
> After optimizing some existing SpamAssassin rules (and creating new
> ones) I managed to cut the leakage down a bit. However, I started to
> think about starting my own RBL and to tie that into SpamAssassin, which
> is fairly simple.
> As I do run a PowerDNS master/slave DNS server with MySQL backend, it
> was easy to do so: I just set an unused Zone aside, configured it
> properly with short TTLs and short caching and set up a separate PHP
> script that takes IPs, turns them into RBL records and (if not already
> present in SQL) feeds them into SQL and bumps the Zone serial.
> To automate this further I set up a Perl script that parses a separate
> IMAP folder into which all detected SPAMs (and all SPAMs that I moved
> manually into that folder) get parsed, and the sender IP is extracted. The
> script then checks if the sender IP is not in our whitelist (which
> contains everything we never want to block!) and then automatically
> pushes every remaining (bad) IP into the RBL blacklist.
> From there it was just a matter to set up a cronjob that runs this every
> few minutes. So all that is left to do is to move escaped SPAMs into
> this separate IMAP folder and the offending IP gets blacklisted
> automatically.
> Even better: I have a few ancient mailboxes that get nothing but SPAM.
> Including them in the script that parses the IMAP folder now auto-feeds
> the IP addresses of SPAM-senders into the RBL as well.
> Once the RBL has grown large enough to make it worth our while I'll
> include it in the AV-SPAM and you can decide if you want to use it as
> well and which score you apply to emails from IPs that are in the
> Solarspeed RBL. If the score is high enough, these emails can be
> rejected at the MTA level. Which is what I currently do.


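To answer the two abbreviations in working code rather than words: an ASN is an Autonomous System Number, the number assigned to a network operator (an ISP, hoster or spam-friendly range provider) that announces IP prefixes in BGP, so "the same ASN" means the spam came from the same operator's address space. An RBL (Realtime Blackhole List, often DNSBL) is a DNS zone in which a listed IP appears with its octets reversed as a name, e.g. 203.0.113.45 becomes 45.113.0.203.rbl.example.com, answering 127.0.0.2 when the address is listed. The script below is an added example, not Michael's PHP/Perl code nor anything shipped with BlueOnyx or AV-SPAM: it models the pipeline his mail describes (extract the connecting IP from a spam message, skip the whitelist, add a reversed-octet record to a zone, bump the serial). The zone name rbl.example.com, the network ranges, the in-memory record store and the sample messages are all assumptions or constructed data; in his setup the store is PowerDNS's MySQL backend.

```python
"""Minimal private RBL feed: spam message -> connecting IP -> reversed-octet
A record in a DNS zone. Zone name, networks and store are assumed, not real."""
import ipaddress
import re
from email import message_from_string
from typing import Dict, Iterable, List, Optional, Union

IPv4 = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network
IPLike = Union[str, IPv4]

RBL_ZONE = "rbl.example.com"   # assumed zone; the post does not name the real one
LISTED = "127.0.0.2"           # conventional DNSBL answer for "listed"

# Hops we run ourselves (MX, internal relays): skipped while walking Received:.
OUR_HOSTS: List[IPv4Net] = [ipaddress.ip_network("192.0.2.0/24")]
# Senders we never want to block, whatever they send (assumed range).
WHITELIST: List[IPv4Net] = [ipaddress.ip_network("198.51.100.0/24")]

# IPv4 literal in brackets, as Postfix/Sendmail write it: "(name [1.2.3.4])"
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def in_any(ip: IPv4, nets: Iterable[IPv4Net]) -> bool:
    return any(ip in net for net in nets)


def last_external_ip(raw_message: str,
                     our_hosts: Iterable[IPv4Net] = OUR_HOSTS) -> Optional[IPv4]:
    """Walk Received: headers top-down (newest hop first) and return the first
    address that is not one of our own hosts. That is the client that connected
    to our MX; every Received: line below it was written by the sender and may
    be forged, so only this hop is safe to blacklist."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        m = _BRACKETED_IP.search(hdr)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        if in_any(ip, our_hosts):
            continue
        return ip
    return None


def rbl_name(ip: IPLike, zone: str = RBL_ZONE) -> str:
    """1.2.3.4 -> 4.3.2.1.<zone>: octets reversed, as every DNSBL does it."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


class RblZone:
    """Stand-in for the PowerDNS records table: name -> A record, plus SOA serial."""

    def __init__(self, zone: str = RBL_ZONE, serial: int = 2017092201):
        self.zone = zone
        self.serial = serial
        self.records: Dict[str, str] = {}

    def add(self, ip: IPLike, whitelist: Iterable[IPv4Net] = WHITELIST) -> bool:
        """List ip unless whitelisted or already present; True only when a
        record was actually added (and the serial bumped so slaves transfer)."""
        addr = ipaddress.IPv4Address(ip)
        if in_any(addr, whitelist):
            return False
        name = rbl_name(addr, self.zone)
        if name in self.records:
            return False
        self.records[name] = LISTED
        self.serial += 1
        return True

    def lookup(self, ip: IPLike) -> Optional[str]:
        """What a resolver (or SpamAssassin's check_rbl) would get back."""
        return self.records.get(rbl_name(ip, self.zone))


def feed_spam(zone: RblZone, raw_messages: Iterable[str]) -> List[str]:
    """The cron job over the IMAP spam folder: returns the IPs newly listed."""
    added = []
    for raw in raw_messages:
        ip = last_external_ip(raw)
        if ip is not None and zone.add(ip):
            added.append(str(ip))
    return added


# Constructed sample messages (not real mail). Our MX 192.0.2.10 took the
# first from 203.0.113.45 (which itself claims a forged inner hop), the
# second from a whitelisted partner.
SPAM_1 = (
    "Received: from mx1.example.com (mx1.example.com [192.0.2.10])\n"
    "\tby imap.example.com with ESMTP; Fri, 22 Sep 2017 06:00:00 +0200\n"
    "Received: from spam-host (unknown [203.0.113.45])\n"
    "\tby mx1.example.com with ESMTP; Fri, 22 Sep 2017 05:59:58 +0200\n"
    "Received: from forged (forged [10.9.8.7])\n"
    "\tby spam-host with SMTP; Fri, 22 Sep 2017 05:59:00 +0200\n"
    "Subject: cheap pills\n\nhello\n"
)
HAM_FROM_PARTNER = (
    "Received: from partner (partner.example.net [198.51.100.7])\n"
    "\tby mx1.example.com with ESMTP; Fri, 22 Sep 2017 06:01:00 +0200\n"
    "Subject: invoice\n\nhi\n"
)

if __name__ == "__main__":
    z = RblZone()
    print(feed_spam(z, [SPAM_1, HAM_FROM_PARTNER, SPAM_1]))  # ['203.0.113.45']
    print(z.lookup("203.0.113.45"), z.serial)                 # 127.0.0.2 2017092202
```

Two practical points the example encodes: the whitelist is checked before anything is written, and a message is fed in twice without producing a duplicate record or a second serial bump, which matters because every bump triggers a zone transfer to the slaves. The "last external" hop logic is the same idea SpamAssassin uses in its own `-lastexternal` RBL checks; tying a private zone in on the SpamAssassin side is then a `header` rule with `eval:check_rbl(...)` against the zone name plus a `score` line, and with a high enough score the MTA can reject at SMTP time, as the original post says.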