Since I am blocking on the originating IP address, I do not really care about domains. Other public RBLs block much of the spam that comes in. My goal was to try to block the snowshoe spammers (those that send a few e-mails from an IP and then move to another one). What I am seeing is spammers that usually have a /29 to /24 IP block and rotate sending spam from IPs within those blocks. SurgeMail's content filters catch most, but not all, of the incoming spam. If I can find where they are coming from, I can block them.
It seems to have cut down the amount of missed spam; however, it can be time consuming.
Jim
On Oct 14, 2013, at 4:48 PM, David Camm HIDDEN@advwebsys.com> wrote:
> jim -
>
> the man page at the url below is a bit less than helpful, but i'm sure after downloading the tarball, i'd be able to figure it out.
>
> one thing that strikes me about a large amount of the spam we're receiving lately is that the spammers are using dozens if not hundreds of domains (especially .me and .us) which means keeping up with them and adding those ip addresses manually could wind up being an all-consuming task. and since the domains (and ips) change very frequently i'm wondering if this is worth it - at least for me.
>
> david camm
> advanced web systems
> keller, tx
>
>
> On 10/14/2013 3:03 PM, JDL wrote:
>> Sorry. The correct config for rbldnsd is as follows.
>>
>> RBLDNSD="- -4 -b x.x.x.x -r /var/lib/rbldns \
>> block.xxxxxxxxx:ip4set:block \
>> rbl.xxxxxxxx:ip4set:spam \
>> rbl.xxxxxxxx:ip4set:watch \
>> "
>>
>> Jim
>>
>>
>> On Oct 14, 2013, at 3:39 PM, JDL HIDDEN@agineNet.net> wrote:
>>
>>> David,
>>>
>>> I simply installed the rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html) package on a CentOS linux server and started adding addresses/blocks. My /etc/sysconfig/rbldnsd configuration file is as follows.
>>>
>>> BLDNSD="- -4 -b x.x.x.x/5353 -r /var/lib/rbldns \
>>> block.xxxxxxxxx:ip4set:block \
>>> rbl.xxxxxxxx:ip4set:spam \
>>> rbl.xxxxxxxx:ip4set:watch \
>>> "
>>>
>>>
>>> I also added the following to the SurgeMail configuration.
>>>
>>> ---------- surgemail.ini ----------
>>>
>>> g_orbs_list name="block.xxxxxxxx" action="deny" stamp=""
>>> g_orbs_list name="rbl.xxxxxxxx" action="stamp" stamp="127.0.0.2=ImagineNet_Spam~127.0.0.10=ImagineNet_Watch"
>>>
>>> ---------- sf_mfilter_local.txt ----------
>>>
>>> if(isin("X-ORBS-Stamp", "ImagineNet_Spam")) then
>>> call feature_manual(1, "Imagine Net Spam RBL")
>>> end if
>>>
>>> ---------- mfilter.rul ----------
>>>
>>> if (isin("X-ORBS-Stamp", "ImagineNet_Watch")) then
>>> call report(HIDDEN@e@somewhere.tld", "ImagineNet_Watch RBL Hit")
>>> end if
>>>
>>>
>>> If you use a score of 1 for feature_manual, you will need to use SurgeMail 6.4b-47 or later and, according to NetWin, g_sf_binary must be enabled (g_sf_binary "TRUE").
>>>
>>> This configuration provides the following.
>>>
>>> 1. Block IPs, CIDR subnets, or ranges and put comments in the file (when, who, why, etc.).
>>>
>>> 2. The first RBL is a hard block (deny).
>>>
>>> 3. The second RBL either tells SurgeMail to classify a message as spam (result of 127.0.0.2) OR sends me a report if the IP is on my watch list (result of 127.0.0.10).
>>>
>>>
>>> Hope this helps.
>>>
>>> Jim Lohiser
>>> Imagine Net, Inc.
>>>
>>>
>>>
>>> On Oct 14, 2013, at 2:15 PM, David Camm HIDDEN@advwebsys.com> wrote:
>>>
>>>> jim -
>>>>
>>>> interesting. how'd you do that?
>>>>
>>>> david camm
>>>> advanced web systems
>>>> keller, tx
>>>> On 10/9/2013 10:55 AM, JDL wrote:
>>>>> I have started maintaining our own RBL. Is there a tellmail command to force SurgeMail to clear its RBL cache? I have reduced g_orbs_cache_life from the default of 7200 to 3600. However, if I add a spammer to my RBL, it can take quite a while for SurgeMail to see the change. I was looking for a way to clear the RBL cache without restarting SurgeMail.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jim Lohiser
>>>>> Imagine Net, Inc.
>>>>>
>>>>
>>>
>>
>>
>
>
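As an added example (not code from this thread, from rbldnsd or from SurgeMail), the following Python models the two-list setup Jim describes: a hard-block zone whose hit means action="deny", and a second zone whose A record (127.0.0.2 or 127.0.0.10) is turned into a header stamp using the stamp="127.0.0.2=ImagineNet_Spam~127.0.0.10=ImagineNet_Watch" string from the g_orbs_list line. The datasets, the zone name rbl.example.net and the addresses are constructed; the ip4set syntax modelled here (a '#' comment, a ':value:text' line setting the default A record and text, entries that are a single IP, a CIDR, or an 'a-b' range with an optional ':value:text' suffix, and a bare number N meaning 127.0.0.N) and the most-specific-match rule are assumptions of this toy, not a statement of rbldnsd's exact behaviour.

```python
import ipaddress

# Constructed datasets in rbldnsd ip4set style (assumed syntax, see lead-in).
BLOCK_DATASET = """\
# hard-block list: any hit means SurgeMail action="deny"
:127.0.0.2:Hard block
203.0.113.0/24            # added 2013-10: snowshoe sender rotating inside this /24
"""

RBL_DATASET = """\
# stamped list: 127.0.0.2 -> spam classification, 127.0.0.10 -> watch report
:127.0.0.2:Spam source
198.51.100.0/29                              # rotates within a /29
192.0.2.10-192.0.2.20:127.0.0.10:watch range # explicit range with its own value
192.0.2.200:10:watch single                  # short form 10 == 127.0.0.10 (assumed)
"""

# The stamp string exactly as used in the thread's g_orbs_list line.
STAMP_SPEC = "127.0.0.2=ImagineNet_Spam~127.0.0.10=ImagineNet_Watch"


def _expand(value):
    """A bare number N stands for 127.0.0.N (short form assumed in this toy)."""
    return f"127.0.0.{int(value)}" if value.isdigit() else value


def _networks(addr):
    """Turn a single IP, a CIDR, or an 'a-b' range into ip_network objects."""
    if "-" in addr:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in addr.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(addr.strip(), strict=False)]


def parse_ip4set(text):
    """Return a list of (network, a_value, txt) from an ip4set-style dataset."""
    default_value, default_txt = "127.0.0.2", ""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if line.startswith(":"):                 # ':value:text' sets the defaults
            value, _, txt = line[1:].partition(":")
            default_value = _expand(value) if value else default_value
            default_txt = txt
            continue
        addr, _, rest = line.partition(":")
        value, _, txt = rest.partition(":")
        a_value = _expand(value) if value else default_value
        for net in _networks(addr):
            entries.append((net, a_value, txt or default_txt))
    return entries


def lookup(entries, ip):
    """Most specific matching entry (this toy's choice) as (a_value, txt), or None."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in entries if addr in e[0]]
    if not hits:
        return None
    _net, a_value, txt = max(hits, key=lambda e: e[0].prefixlen)
    return a_value, txt


def query_name(ip, zone):
    """The name a mail server asks the DNS for: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def parse_stamp(spec):
    """'A=stamp~A=stamp' (the g_orbs_list stamp="..." form) -> {A: stamp}."""
    return dict(item.split("=", 1) for item in spec.split("~") if item)


BLOCK = parse_ip4set(BLOCK_DATASET)
RBL = parse_ip4set(RBL_DATASET)
STAMPS = parse_stamp(STAMP_SPEC)


def classify(ip):
    """Mirror the thread's order: deny list first, then the stamped list."""
    hit = lookup(BLOCK, ip)
    if hit:
        return "deny", hit[1]
    hit = lookup(RBL, ip)
    if hit:
        a_value, txt = hit
        return STAMPS.get(a_value, "unmapped:" + a_value), txt
    return "accept", ""


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.1", "198.51.100.6",
               "192.0.2.15", "192.0.2.200", "192.0.2.21"):
        print(query_name(ip, "rbl.example.net"), "->", classify(ip))
```

The two addresses inside 198.51.100.0/29 show the point about snowshoe senders: one CIDR entry covers every address the sender rotates through, so the list does not have to be touched each time the sending IP changes. The reversed-octet name printed beside each result is what the mail server actually queries, which is also what the g_orbs_cache_life setting caches between lookups.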