ok, thanks for the explanation.

p.s. a database with details of the dropped connections might proove useful in combatting the spammers...

I will look into that, thanks Dan.

But now i have a new problem, i added some of the honeypot mail addy's to authedTOlist, and guess what happened; our ISP's mail relay server got blocked out.

So now the question becomes: how do i whitelist the relay's ip and still maintain full filtering on all mails it forwards?

Maybe a new function 'untrusted whitelist IP' or 'mail relay server IP' for just such an occasion is called for?

I saw someone else post somewhere that he needed such a function to pass mails thru from one domain to another, but can't find it now.

Any ideas?

Marco

Roberto,

It doesnt 'seem' to be a very hard programming problem, simply have the honeypot filter match the ip's that are in a 'relay ip' tab, and if they match up, let the ip pass on the honeypot. (and maybe some more filters)

but maybe i'm seeing things too simple, correct me if i'm wrong.

Marco

*edit* just thought of something; for better statistics representation, have the relay ip's country be excluded from the statistics as well.

The relay buffers mails from all over the world, when the mail gateway is temporary unavailable, but is then placed in the statistics as beeing originated from the netherlands, in my case.

So, exluding mails that 'originate' on this relay would give more accurate statistics.

*edit2*

OR: in case the honeypot is triggered, compare the originating ip with the ones in the 'relay ip list' and if matched, drop the mail, but DO NOT blacklist the relay's ip.

I don't know the exact configuration of the relay servers, since they are managed externally, by our ISP.

But as far as i know they act as gateways when our smtp server is responding, and the incoming mais are relayed 'as is' to our smtp host (the spamfilter).

However, when our smtp host is unavailable (due to a crash or overload) all incoming mails are forwarded to the secondary , and this secondary keeps trying to deliver the mails on regular intervals.

I have no control over the secondary, and cannot place a spamfilter in fron of it.

90% of all mails are delivered to the primary, but for some reason, mails get directed to the secondary as well even when the primary is up and running.(usually during the night).

(Maybe some of the spammers deliberately send mail to secondary server ip's)

I can live with the fact that all ip based checks will be worthless in this case, but i DO want the mails to be passed thru whatever filters that are still valid. (keywords, surbl, authedTOlist, bayes, honeypot)

All in all, spamfilter is allready doing a GREAT job, it catches 95% of all spam (even under the conditions described above)

I would really like to use the honeypot as well, since it WOULD actually catch some flies, and it allready caught some. All i'm asking for is the option to prevent *some* ip's from beeing added to the honeypotblacklist when its active.

Regards,

Marco

Thanks for thinking along Dan, appreciate it.

ok, i did some researching on our MX entries (The ISP is also running the primay DNS) .

It is set up like this:

preference: 10 : mail.ourdomain.com

20: relay1.ISPdomain.net

20: relay2.ISPDomain.net

30: mail1.ourdomain.com

30: mail2.ourdomain.com

Only the mail.ourdomain.com is under my control.

I think things happen like this: the secondary mailservers of the ISP (mail1, mail2) are only receiving the inbound mails when the primary is unavailable. For some reason the relay's ip's are beeing put in the mail headers as beeing the originating ip. So when inbound mails got buffered and were using honeypot adresses, the relay's ip's got blacklisted.

Resuming; the honeypot is blacklisting the relay1, relay2 ip's, because of mail that is sent to us, gets buffered on mail1/mail2 , and is using honeypot adresses.

My first thought was to make a script that checks the honeypotblockededIP.txt file for presence of those 2 ip's and remove if found, But that isnt a very elegant solution, and would cost additional CPU load.

does this make sense to you?

it would ROCK if possible!

It would make the filters 100% operational in my described situation.

Im also thinking now about backtracing to the origin, or at least the next after the originating ip, in case of spoofing.

If at all possible that would make spammer's lifes pretty miserable.

nah, i'm starting to rant now :)

Marco,

Yet another part of a conversation I am having with LogSat:

One option that may help, but is rather tricky would be a method of testing for how many hops a message takes.   I am not sure I would trust this as more and more systems use several hops to deliver mail.  Our system does.  So determining a value for "Max Hops" could be an issue.

Aren't I just a Royal Pain in the you know what!

Regards,