
Filter Ideas

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6385
Printed Date: 14 March 2025 at 7:23pm


Topic: Filter Ideas
Posted By: jerbo128
Subject: Filter Ideas
Date Posted: 10 February 2008 at 8:43pm
Two possible ideas I would like to throw out there for new/improved filter ideas:
 
1 - Local Blacklist and limbo cache - Create the ability to reject an entire class C of IPs if more than "x" number of IPs from that class C are listed in the limbo or blacklist cache. This could be on a temporary basis or permanent basis.
 
2 - If an IP is added to the limbo or blacklist cache more than "x" times in "y" days, then the IP will be added to a permanent blacklist - such as honeypot blocked IPs.
 
Comments, anyone?
 
Jeremy



Replies:
Posted By: atifghaffar
Date Posted: 11 February 2008 at 4:07am
Jeremy,

Yes, good idea. We are doing the same by reading the spamfilter's logs and blocking the IP or the class on the firewall.

So if this list is easily accessible (text file/table) then I can rewrite the code to look just at this file instead of parsing the logs all day long.




-------------
best regards

Atif


Posted By: IKILLSPAM1
Date Posted: 11 February 2008 at 4:48pm
I also touched on this subject months ago. People had said they didn't see many IPs from the same Class C. I do. Sometimes a bunch.
 
Here's something I have been doing. I set up an extensive honeypot email address list, based mostly off what I'm receiving in quarantine. If I see the same address getting hit over a few days, and I know we definitely don't host it, I add that email address to the honeypot. This works great for the most part, but some jerks out there send these emails from good servers like yahoo or verizon, and then those servers land in the blockedbyhoneypot IPs, but this doesn't happen often.
 
What I do after that is take the list of IPs, maybe once a month, import them into an MS Access table and query the data, asking it to show me all Class Cs with more than, let's say, 5 unique hits. I take any it finds and I block the whole Class C in the local IP blacklist file. I then clear my honeypot IP file and start over. This works well and avoids false positives.
 
 


Posted By: jerbo128
Date Posted: 11 February 2008 at 6:37pm
I currently use a scheduled stored procedure:
1 - copies honeypotblockedips to tblbl_ips
2 - blacklists all class C's in tblbl_ips where there are more than 5 individual entries in it. 
 
We manually add IPs to tblbl_ips from emails that customers send to the complaint box.
 
We then query for blacklisted Class C's, and modify to larger networks if needed.
 
This works very well. I would like to expand on it by using some of the limbo and cache IPs.
 
Jeremy
 


Posted By: IKILLSPAM1
Date Posted: 12 February 2008 at 10:26am
Hey Jeremy, seems like you're doing the same exact thing I am, just using SQL instead.
 
I would also like to expand on it. It's just a question of what's the best way to make use of the Limbo\Cached IPs. Maybe if the program could log to the local blacklist a Class C based on a # of unique addresses in the Limbo\Cache. This option of course would be turned off by default, and tailorable to how many unique IPs you want to see before you block the Class C.
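
The Class C aggregation described in the posts above, as an added example that is not code from any poster or from LogSat: it counts unique IPs per /24, returns the networks above a configurable threshold, and merges neighbouring /24s into larger networks. The function names, the allowlist parameter (for legitimate relays that land in a honeypot list) and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input using reserved test ranges, shaped like an
# exported blocked-IP list (one address per entry, duplicates and junk included).
SAMPLE_IPS = (
    [f"198.18.4.{i}" for i in range(10, 16)]      # 6 unique: over the threshold
    + [f"198.18.5.{i}" for i in range(20, 27)]    # 7 unique, in the adjacent /24
    + [f"192.0.2.{i}" for i in range(1, 6)]       # exactly 5: not "more than 5"
    + ["203.0.113.9"] * 8                         # 8 hits but only 1 unique IP
    + [f"198.51.100.{i}" for i in range(1, 9)]    # 8 unique, allowlisted in the demo
    + ["not-an-ip", ""]                           # malformed lines are skipped
)

def class_c_blocks(lines, threshold=5, allowlist=()):
    """Return sorted /24 networks holding more than `threshold` unique IPs."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    seen = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # ignore entries that are not valid addresses
        # Class C only applies to IPv4; skip anything inside an allowlisted range.
        if ip.version != 4 or any(ip in net for net in allowed):
            continue
        # A set per /24 means repeat hits from one IP count once.
        seen[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    return sorted(net for net, ips in seen.items() if len(ips) > threshold)

def merge_adjacent(networks):
    """Collapse neighbouring /24s into the larger CIDR block that exactly covers them."""
    return list(ipaddress.collapse_addresses(networks))

if __name__ == "__main__":
    blocks = class_c_blocks(SAMPLE_IPS, threshold=5,
                            allowlist=["198.51.100.0/24"])
    for net in merge_adjacent(blocks):
        print(net)  # one CIDR per line, ready to review before blacklisting
```

Counting unique addresses rather than raw hits keeps a single noisy sender from condemning its whole /24, and the merge step only widens a block when every /24 inside it already met the threshold.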
 
 


