Shoot an email to support@logsat.com and Roberto will give you the link.

Stopped using my spamtrap because of the greylisting in the new beta.

To all that have been using some sort of harvesting method using SF.
I think you may have missed the original point (and in the process made a very good one as well).

The original idea was to create a high number MX record, point it to a dummy smtp that will disconnect the session before it is completed.
Spammer WILL NOT try to resend the message, while 'real' smtp servers will retry based on their setup.

This way, even if your spamfilters are down, real emails will not be lost.
I quite like the idea of harvesting the ip's although my initial main concern was to reduce the load on the secondary MX record.

Happy New Year to everyone!

Dwight,

I actually took mine off-line due to the following:  I am testing using the Greylist option and many servers initially see the greylisting action (disconnect) as a non-responsive server and pushed up the "food chain" until they hit my dummy SMTP server and then got black-listed.  This was compounded by the scripting I wrote to auto-add the IP's to my dnsbl server.  This caused a huge amount of good servers to suddenly be black-listed by our own server and that just ended up s%*king ... big time.  Up to that point, I had nearly 500,000 IP in my dnsbl with no false positives.

I have over 200K from the harvest alone.  That is less than a week's worth.  I too need to go through and remove a lot of singles and replace them with Class C entries. I have shut down my "harvester" for the time being so that I can watch the new beta.  In case the beta screws up bad, I don't want a lot of good mail going to the harvester.  Let me know if you want to swap IP blacklists.

jerbo128 wrote: I too would be happy to host a copy of a dnsbl zone.  But I do not have the time to manage it either.  Seems to be the running word of the day!   Jeremy

Edited by WebGuyz - 15 December 2007 at 11:17am

We're following this thread to see if we're needed, but so far everyone is doing great in experimenting :-)
As a side-note, the SFDB is very resilient to false positives. We only blacklist IPs if we receive multiple reports about an IP, all made from different SpamFilter installations. If some of you incorrectly report an IP due to an incorrect honeypot entry, this practically will not influence the SFDB, as it's just a single report.

Now if many of you make the same mistake by reporting the same IP that is being blocked by a honeypot entry, chances are that, since all of you then received the same emails from that IP within a few minutes, again chances are that the email is actually indeed spam as you all received. If it's a newsletter or an email notification with large scopes (for example the Microsoft Updates Security notifications), the IP addresses of these legitimate senders should be already listed in a whitelist of approved senders we use within the SFDB, so the risk of causing false positives should be very low.

I also went through the process of setting up a local dnsrbl but it was a handful. I understand your concern about the task of managing it.  

Edited by dcook - 14 December 2007 at 12:21pm

dcook wrote:   I believe that no good email should go to an IP without an MX record!! So to me it's a great lure.

jerbo128 wrote: Webguyz - I have found that spammers will try to send to almost every host that they can find.  www, mail, ns0, etc.   In the 2nd 24 hours of running this, I have collected another 40K ip's.   Jeremy

is it possible for you guys to share the list of the IPs?

Dan,

jerbo128 is absolutely correct. The RFC2821 does not *suggest* that lower preference MX records *should* be used. It is instead very clear and *requires* that the lowest MX records be used first (if they are online...). Any application that does not follow this rule is in violation of the RFCs. If there's a listserver that doesn't follow the standard, it has a bug :-) and it should be reported.

jerbo128 wrote: I added  10 domains to my dummy smtp. Now, 24 hours later, I have 30,000 ip's in my honeypot list.  I feel like I am taking candy from a baby.  Those stupid idiots  :-)

dcook,