Report IP to SFDB

StevenJohns | Senior Member | Joined: 03 August 2006 | Status: Offline | Points: 119
Posted: 02 November 2007 at 6:24pm
Roberto, We are seeing an increasing number of spam emails slip through the filters over the last few months. We run a secondary filtering system after SF which is catching these emails (fortunately the users don’t get them!), which is exactly what it is there for. My understanding of the SFDB is that SF will report the IP if any of the SF filters get triggered. However, these filters are obviously not getting triggered and the spam is being let through. However, I would like to be able to take the sending SMTP server IP and feed it into SFDB as a spam sending server as reported by our secondary filter. How can I do this?

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104
This is currently not possible. Only SpamFilter itself is able to upload spammer data back to the SFDB (and this is done via encrypted parameters to avoid chances of poisoning the database with invalid data). We currently do not see adding the ability to upload new data to it in a different way.
We're currently working on developing another new filter similar to the SFDB, but which will track the actual contents of the emails even if they originate from unknown sources. We'll have more on this within a couple of months.

StevenJohns | Senior Member | Joined: 03 August 2006 | Status: Offline | Points: 119
OK, what do you suggest we do with the spam that is getting through then ???

IKILLSPAM1 | Groupie | Joined: 02 May 2007 | Location: United States | Status: Offline | Points: 70
You could try tuning your SF configuration. Maybe you're not using it to its full potential.
Are you using DNSBLs, if so which? URBLs? Block no PTR, InvalidMX. Block countries with which you don't communicate. Set up keywords based on emails you get in. Bayesian filtering. Honeypots, using email addrs sent in to invalid users. I tend to go into the quarantine and build a list from time to time of addresses that get lots of spam but which never even existed.
Used properly SF does a great job.

mbrusl | Groupie | Joined: 05 December 2005 | Location: Thunder Bay Ont | Status: Offline | Points: 61
I myself have ongoing lists of names and IPs that I get from the quarantine area every day and put them in lists and have them available on my site at www.spacequad.com. One of my lists has over 22 thousand known spammer domains that if that domain name is in the email, it gets trashed right away with no questions asked. You can try using that as a supplement as well.
Michael

atifghaffar | Senior Member | Joined: 31 May 2006 | Location: Switzerland | Status: Offline | Points: 104
Steven,
This reduced the spam a lot for us.

```sh
# Drop all inbound traffic from each listed country code (iptables geoip match module)
iptables -A INPUT -m geoip --src-cc AF -j DROP
iptables -A INPUT -m geoip --src-cc AG -j DROP
iptables -A INPUT -m geoip --src-cc AR -j DROP
iptables -A INPUT -m geoip --src-cc AI -j DROP
iptables -A INPUT -m geoip --src-cc AL -j DROP
iptables -A INPUT -m geoip --src-cc BG -j DROP
iptables -A INPUT -m geoip --src-cc BR -j DROP
iptables -A INPUT -m geoip --src-cc BY -j DROP
iptables -A INPUT -m geoip --src-cc CO -j DROP
iptables -A INPUT -m geoip --src-cc CL -j DROP
iptables -A INPUT -m geoip --src-cc CM -j DROP
iptables -A INPUT -m geoip --src-cc CN -j DROP
iptables -A INPUT -m geoip --src-cc GT -j DROP
iptables -A INPUT -m geoip --src-cc HK -j DROP
iptables -A INPUT -m geoip --src-cc IN -j DROP
iptables -A INPUT -m geoip --src-cc ID -j DROP
iptables -A INPUT -m geoip --src-cc JP -j DROP
iptables -A INPUT -m geoip --src-cc KG -j DROP
iptables -A INPUT -m geoip --src-cc KR -j DROP
iptables -A INPUT -m geoip --src-cc KZ -j DROP
iptables -A INPUT -m geoip --src-cc MX -j DROP
iptables -A INPUT -m geoip --src-cc MY -j DROP
iptables -A INPUT -m geoip --src-cc NG -j DROP
iptables -A INPUT -m geoip --src-cc PE -j DROP
iptables -A INPUT -m geoip --src-cc PH -j DROP
iptables -A INPUT -m geoip --src-cc RO -j DROP
iptables -A INPUT -m geoip --src-cc RU -j DROP
iptables -A INPUT -m geoip --src-cc SV -j DROP
iptables -A INPUT -m geoip --src-cc TH -j DROP
iptables -A INPUT -m geoip --src-cc TW -j DROP
iptables -A INPUT -m geoip --src-cc UA -j DROP
iptables -A INPUT -m geoip --src-cc VE -j DROP
iptables -A INPUT -m geoip --src-cc VN -j DROP
```

best regards
Atif

StevenJohns | Senior Member | Joined: 03 August 2006 | Status: Offline | Points: 119
Thank you all for your suggestions. I am implementing some of them at the moment and will let you know how it goes.
Cheers

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104
As a side-note, SpamFilter is able to block emails by country as well. If you let SpamFilter block unwanted countries rather than using firewall rules, you'll still be able to receive emails from blocked countries by using whitelists. If using firewall rules to block countries, it will be harder to allow emails from these countries (if there's ever a need).

atifghaffar | Senior Member | Joined: 31 May 2006 | Location: Switzerland | Status: Offline | Points: 104
Roberto,
The firewall rules were the last resort. We had the spamfilters so busy telling the connections (you are not allowed) that there was no more time left to do anything. With these rules the number of connections is far lower. Also, I once made a list by watching the limbo cache and the IPs that were in the cache. Our watchlist allowed 10 connections after receiving `$line=~/IP is in local blacklist cache/;` and then blocked them for good on the firewall. The second rule (block by IP address) made a lot of hoo-ha (strangely). No one has complained about the first (block by country) rule yet.

best regards
Atif
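
The watchlist described in the post above, sketched as an added example (not code from the thread or from SpamFilter): it counts log lines containing the quoted phrase per source IP and prints a port-25 DROP rule once an address exceeds 10 hits, skipping an allowlist so trusted senders stay reachable, which is the concern raised earlier about firewall blocks. The log layout, sample addresses, `ALLOWLIST`, the port-25 restriction and the function names are assumptions; only the marker phrase and the threshold of 10 come from the posts.

```python
import ipaddress
import re
from collections import Counter

# Phrase quoted in the post; everything else about the log layout is assumed.
MARKER = "IP is in local blacklist cache"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
THRESHOLD = 10  # hits tolerated before the firewall block, as in the post

# Constructed sample data (documentation address ranges, made-up layout).
SAMPLE_LOG = (
    ["11/02/07 18:24:01 - 203.0.113.7 - IP is in local blacklist cache"] * 12
    + ["11/02/07 18:24:02 - 198.51.100.20 - IP is in local blacklist cache"] * 11
    + ["11/02/07 18:24:03 - 192.0.2.55 - IP is in local blacklist cache"] * 3
    + ["11/02/07 18:24:04 - 203.0.113.9 - Mail accepted for delivery",
       "11/02/07 18:24:05 - 999.1.1.1 - IP is in local blacklist cache"]
)
# Hypothetical partner network that must never be firewalled.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]


def count_hits(lines):
    """Count marker lines per valid source IPv4 address."""
    hits = Counter()
    for line in lines:
        match = IPV4.search(line) if MARKER in line else None
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group())
        except ValueError:  # e.g. 999.1.1.1: never feed junk to the firewall
            continue
        hits[ip] += 1
    return hits


def block_rules(lines, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return iptables commands for IPs seen more than `threshold` times."""
    rules = []
    for ip, n in sorted(count_hits(lines).items()):
        if n <= threshold or any(ip in net for net in allowlist):
            continue
        rules.append(f"iptables -A INPUT -s {ip} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE_LOG)))
```

The script only prints the commands, so the list can be reviewed before any rule is applied.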

atifghaffar | Senior Member | Joined: 31 May 2006 | Location: Switzerland | Status: Offline | Points: 104
Oh and all the rules that you see above only help me to reduce 30% of the spammers. If I want 80% spammer block then this rule should do it.
```sh
iptables -A INPUT -m geoip --src-cc US -j DROP
```

Unfortunately I cannot use this rule.

best regards
Atif