IP Blacklist for Email

Night201

Half of the mail connections to my company's email server are from servers trying to send emails to unknown users at our company. It's crazy. So many of them are from Korea. Anyway, I have a generated log that has all the IP addresses and domain names of the originating sender/mail server, and I am currently going through the IP addresses and also getting ranges of IP addresses. I'm going to be blocking these IP addresses at the firewall, so the server won't even have to process mail trying to come from these people.

This should cut the email activity on our server in half and improve performance as well.

Would anyone be interested in this list once I am done with it?
 

Nothinman

Use an already maintained RBL, it'll be much more accurate and less work for you.
 

randal

Originally posted by: Nothinman
Use an already maintained RBL, it'll be much more accurate and less work for you.

That's what we do ... we use:

bl.spamcop.net
relays.ordb.org
sbl-xbl.spamhaus.org
proxies.blackholes.easynet.nl

for our internal email and it does a helluva job. We use just spamcop & ordb for client email, though -- spamhaus and easynet are really mean folks.
 

Need4Speed

Here are the restrictions and DNSBLs I use, along with SpamAssassin and the Net::DNS module.

From my Postfix main.cf file:
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client dul.dnsbl.sorbs.net

I've trained the Bayesian filter with tons of emails (spam and ham) and I would say that I'm up to 98-99% effective filtering.

Here is a quick RRD graph:
http://www.cyberfrogs.net/rrd/graphs/

The RED are rejected at the MTA level.
The ORANGE are rejected by SpamAssassin.

You could conclude from the graphs that the MTA rejection via the DNSBLs isn't all that good when compared to SA.

Here is a list of the tests and DNSBL's that SA uses:
http://spamassassin.apache.org/tests_3_0_x.html

You can see that something drastic changed in my filter around the middle of November... that's when I added the Net::DNS module.
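
What a reject_rbl_client lookup like the ones listed in this thread does on the wire, as an added example that is not part of any post above: the client IP is reversed, prepended to the zone, and an A answer in 127.0.0.0/8 means "listed". It also runs the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not), which catches a dead zone that answers every query. The zone bl.example.test and both fake resolvers are constructed so the code runs offline.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the DNS name queried to test `ip` against `zone` (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # reversed nibbles
    return ".".join(labels) + "." + zone.rstrip(".")

def system_resolver(name):
    """Return the A record for `name`, or None if it does not resolve.
    Lookup failures count as 'no answer', so mail is not rejected on them."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    """True only when the zone answers with an address inside 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in LISTED_NET

def zone_is_sane(zone, resolve=system_resolver):
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))

# Constructed stand-ins for DNS (not real blocklist data).
HEALTHY = {
    "2.0.0.127.bl.example.test": "127.0.0.2",    # mandatory test entry
    "7.113.0.203.bl.example.test": "127.0.0.4",  # one listed client
}

def healthy_resolver(name):
    return HEALTHY.get(name)

def wildcard_resolver(name):
    return "127.0.0.2"  # dead or parked zone that "lists" every address

if __name__ == "__main__":
    zone = "bl.example.test"
    for label, resolver in (("healthy", healthy_resolver),
                            ("wildcard", wildcard_resolver)):
        print(label, "sane:", zone_is_sane(zone, resolver),
              "lists 198.51.100.9:", is_listed("198.51.100.9", zone, resolver))
```

Running zone_is_sane against each configured zone with the default resolver, before and periodically after adding it to the MTA, flags a list that has started matching all senders.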