Report IP to SFDB

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6283
Printed Date: 12 March 2025 at 8:09pm


Topic: Report IP to SFDB
Posted By: StevenJohns
Subject: Report IP to SFDB
Date Posted: 02 November 2007 at 6:24pm

Roberto,

We are seeing an increasing number of spam emails slip through the filters over the last few months. We run a secondary filtering system after SF which is catching these emails (fortunately the users don’t get them!), which is exactly what it is there for.

My understanding of the SFDB is that SF will report the IP if any of the SF filters get triggered. However, these filters are obviously not getting triggered and the spam is being let through. However, I would like to be able to take the sending SMTP server IP and feed it into SFDB as a spam sending server as reported by our secondary filter. How can I do this?




Replies:
Posted By: LogSat
Date Posted: 03 November 2007 at 10:47pm
This is currently not possible. Only SpamFilter itself is able to upload spammer data back to the SFDB (and this is done via encrypted parameters to avoid chances of poisoning the database with invalid data). We currently do not see adding the ability to upload new data to it in a different way.

We're currently working on developing another new filter similar to the SFDB, but which will track the actual contents of the emails even if they originate from unknown sources. We'll have more on this within a couple of months.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: StevenJohns
Date Posted: 05 November 2007 at 4:20am
OK, what do you suggest we do with the spam that is getting through then ???


Posted By: IKILLSPAM1
Date Posted: 05 November 2007 at 11:09am
You could try tuning your SF configuration. Maybe you're not using it to its full potential.

Are you using DNSBLs, if so which? URBLs? Block no PTR, InvalidMX. Block countries with whom you don't communicate. Set up keywords based on emails you get in. Bayesian filtering. Honeypots, using email addresses sent in to invalid users. I tend to go into the quarantine and build a list from time to time of addresses that get lots of spam but which never even existed.
 
Used properly SF does a great job.


Posted By: mbrusl
Date Posted: 05 November 2007 at 4:46pm
I myself have ongoing lists of names and IPs that I get from the quarantine area every day and put them in lists and have them available on my site at www.spacequad.com. One of my lists has over 22 thousand known spammer domains that if that domain name is in the email, it gets trashed right away with no questions asked. You can try using that as a supplement as well.

Michael




Posted By: atifghaffar
Date Posted: 09 November 2007 at 12:47pm
Steven,

This reduced the spam a lot for us.

iptables -A INPUT -m geoip  --src-cc AF -j DROP
iptables -A INPUT -m geoip  --src-cc AG -j DROP
iptables -A INPUT -m geoip  --src-cc AR -j DROP
iptables -A INPUT -m geoip  --src-cc AI -j DROP
iptables -A INPUT -m geoip  --src-cc AL -j DROP
iptables -A INPUT -m geoip  --src-cc BG -j DROP
iptables -A INPUT -m geoip  --src-cc BR -j DROP
iptables -A INPUT -m geoip  --src-cc BY -j DROP
iptables -A INPUT -m geoip  --src-cc CO -j DROP
iptables -A INPUT -m geoip  --src-cc CL -j DROP
iptables -A INPUT -m geoip  --src-cc CM -j DROP
iptables -A INPUT -m geoip  --src-cc CN -j DROP
iptables -A INPUT -m geoip  --src-cc GT -j DROP
iptables -A INPUT -m geoip  --src-cc HK -j DROP
iptables -A INPUT -m geoip  --src-cc IN -j DROP
iptables -A INPUT -m geoip  --src-cc ID -j DROP
iptables -A INPUT -m geoip  --src-cc JP -j DROP
iptables -A INPUT -m geoip  --src-cc KG -j DROP
iptables -A INPUT -m geoip  --src-cc KR -j DROP
iptables -A INPUT -m geoip  --src-cc KZ -j DROP
iptables -A INPUT -m geoip  --src-cc MX -j DROP
iptables -A INPUT -m geoip  --src-cc MY -j DROP
iptables -A INPUT -m geoip  --src-cc NG -j DROP
iptables -A INPUT -m geoip  --src-cc PE -j DROP
iptables -A INPUT -m geoip  --src-cc PH -j DROP
iptables -A INPUT -m geoip  --src-cc RO -j DROP
iptables -A INPUT -m geoip  --src-cc RU -j DROP
iptables -A INPUT -m geoip  --src-cc SV -j DROP
iptables -A INPUT -m geoip  --src-cc TH -j DROP
iptables -A INPUT -m geoip  --src-cc TW -j DROP
iptables -A INPUT -m geoip  --src-cc UA -j DROP
iptables -A INPUT -m geoip  --src-cc VE -j DROP
iptables -A INPUT -m geoip  --src-cc VN -j DROP




-------------
best regards

Atif


Posted By: StevenJohns
Date Posted: 09 November 2007 at 5:44pm
Thank you all for your suggestions. I am implementing some of them at the moment and will let you know how it goes.
 
Cheers
 


Posted By: LogSat
Date Posted: 10 November 2007 at 4:23pm
As a side-note, SpamFilter is able to block emails by country as well. If you let SpamFilter block unwanted countries rather than using firewall rules, you'll still be able to receive emails from blocked countries by using whitelists. If using firewall rules to block countries, it will be harder to allow emails from these countries (if there's ever a need). 

-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: atifghaffar
Date Posted: 11 November 2007 at 3:27pm
Roberto,

The firewall rules were the last resort.

We had the spamfilters so busy telling the connections (you are not allowed) that there was no more time left to do anything.

With these rules the number of connections is way lower.

Also, I once made a list by watching the limbo cache and the IPs that were in the cache. Our watchlist allowed 10 connections after receiving

$line=~/IP is in local blacklist cache/;

and then block them for good on the firewall.

The second rule (block by IP address) made a lot of hoo-ha (strangely).
No one has complained about the first (block by country) rule yet.



-------------
best regards

Atif
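
The watchlist described in the post above, sketched in Python as an added example (not atifghaffar's script and not LogSat code): it counts log lines containing the quoted phrase per source IP and emits a firewall rule only once an IP exceeds 10 hits. The log line layout, the allowlist entry and the tcp/25 scoping are assumptions; only the matched phrase and the limit of 10 come from the post.

```python
import ipaddress
import re
from collections import Counter

MARKER = "IP is in local blacklist cache"  # phrase quoted in the post
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
THRESHOLD = 10  # the post's watchlist allowed 10 connections
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical partner relay

# Constructed sample log; the line layout is assumed, addresses are RFC 5737.
SAMPLE_LOG = (
    ["11/11/07 15:01:02 - 203.0.113.7 - " + MARKER] * 12
    + ["11/11/07 15:01:05 - 198.51.100.20 - " + MARKER] * 10
    + ["11/11/07 15:02:00 - 192.0.2.55 - " + MARKER] * 15
    + ["11/11/07 15:03:00 - 203.0.113.99 - Mail accepted for delivery",
       "11/11/07 15:03:09 - 999.1.1.1 - " + MARKER]
)


def count_hits(lines):
    """Count marker lines per valid source IPv4 address."""
    hits = Counter()
    for line in lines:
        match = IPV4.search(line) if MARKER in line else None
        if not match:
            continue
        try:
            hits[ipaddress.ip_address(match.group())] += 1
        except ValueError:
            continue  # e.g. 999.1.1.1: never pass unparsed text to a firewall
    return hits


def block_rules(lines, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return iptables commands for IPs seen more than `threshold` times."""
    rules = []
    for ip, n in sorted(count_hits(lines).items()):
        if n <= threshold or any(ip in net for net in allowlist):
            continue  # within the allowance, or an allowlisted sender
        # Scoped to SMTP (tcp/25) so a mistaken block affects mail only.
        rules.append(f"iptables -A INPUT -s {ip} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE_LOG)))
```

Keeping an allowlist check in front of rule generation addresses the drawback raised earlier in the thread, that firewall-level blocks are harder to make exceptions for than blocks applied inside the filter.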


Posted By: atifghaffar
Date Posted: 11 November 2007 at 3:29pm
Oh and all the rules that you see above only help me to reduce 30% of the spammers. If I want 80% spammer block then this rule should do it.

iptables -A INPUT -m geoip --src-cc US -j DROP

Unfortunately I cannot use this rule.


-------------
best regards

Atif


