Anti Spam thoughts, feedback welcome.

#1 Wed, 07/29/2009 - 05:33
Dim Git


Hi People.

As posted in another thread, I have been fooling around with Fail2Ban. I had some problems getting it running and will post about that in a new thread when thoroughly tested.

However, whilst reading page after page about Fail2Ban it would seem possible to use it as an anti-spam tool.

For those unfamiliar with Fail2Ban :- Fail2Ban works by watching any log you specify and using a regex Fail2Ban can update iptables and/or hosts.deny. Once certain criteria are met, the IP number is banned for a preset period.

So, Fail2Ban was told to watch maillog for "recipient unknown" more than, say, 3 times in one minute all from the same IP and then ban that IP for say, 10 minutes.

Looking through my logs I have seen numerous occasions daily where this could save resources.

I guess that the sending server would be "refused connection" and would have to try again later. Could that work similar to grey listing?

Could this be a good/bad idea ?

Am I going nuts ? :-)

Comments welcome.
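Added example, not part of the original post and not Fail2Ban's own code: a small Python simulation of the rule described above (more than 3 "recipient unknown" rejections from one IP within one minute, then a 10 minute ban), run over constructed log lines. The log format, the regex and the names `simulate`, `max_failures`, `window` and `ban` are assumptions made for this illustration, not Fail2Ban options or a real mail server's log layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format (assumption: not any real MTA's layout).
SAMPLE_LOG = """\
2009-07-29 05:33:01 smtpd reject from 203.0.113.7: recipient unknown <a@example.org>
2009-07-29 05:33:05 smtpd reject from 198.51.100.4: recipient unknown <typo@example.org>
2009-07-29 05:33:10 smtpd reject from 203.0.113.7: recipient unknown <b@example.org>
2009-07-29 05:33:20 smtpd reject from 203.0.113.7: recipient unknown <c@example.org>
2009-07-29 05:33:30 smtpd reject from 203.0.113.7: recipient unknown <d@example.org>
2009-07-29 05:36:00 smtpd reject from 198.51.100.4: recipient unknown <typo2@example.org>
2009-07-29 05:40:00 smtpd reject from 203.0.113.7: recipient unknown <e@example.org>
2009-07-29 05:44:00 smtpd reject from 203.0.113.7: recipient unknown <f@example.org>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .* from (?P<ip>[0-9.]+): recipient unknown")

def simulate(log, max_failures=3, window=timedelta(minutes=1), ban=timedelta(minutes=10)):
    """Return (bans, dropped). bans is a list of (ip, start, end); dropped counts
    lines from an IP that was banned at that moment (refused before the mail server)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned_until = {}             # ip -> time the current ban expires
    bans, dropped = [], 0
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            dropped += 1          # connection would have been refused
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) > max_failures: # "more than 3 times in one minute"
            banned_until[ip] = ts + ban
            bans.append((ip, ts, ts + ban))
            q.clear()
    return bans, dropped
```

In the sample, 203.0.113.7 is banned after its fourth rejection inside the minute, while 198.51.100.4, with two mistyped addresses minutes apart, never reaches the threshold.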

Wed, 07/29/2009 - 09:45
ronald

Why not just install postgrey? It works like a charm and it is sooo easy to set up.

Thu, 07/30/2009 - 00:52
Dim Git

I have to admit that I know very little about how Postgrey works.

But, these are my thoughts :

Postgrey adds a delay. True, as far as I know this is only a matter of maybe 10 minutes ?
If you are troubleshooting a mail problem, that delay can be a pain in the arse. :-) Postgrey will add a log entry (deferred) for EVERY email. Will spammers eventually catch up with greylisting and find a way to beat it?

As far as I can tell, setting up Fail2Ban would save all those log entries in the Logwatch report.

I do not know what the overheads of the two would be like though.

All of the above could be wrong and I'm happy to be corrected. Maybe I am being selfish because a conversation on this topic would interest me but perhaps not the rest of the contributors here. If so, apologies.

Thanks anyway.

Thu, 07/30/2009 - 06:26
ronald

The default delay for postgrey is 5 minutes, which you can adjust. Also, you can whitelist domains so no delays are in place, but that defeats the purpose.

The delay is only on the first email; once recognised as legitimate, it is then whitelisted. So the delay is only at the first email received.

I cannot think of a situation where postgrey or the delay would be a disadvantage. If the system works properly and you then install postgrey, I see no issue; in fact I do not experience an issue.

Spammers can't catch up with it. All postgrey does is ask the sender to resend. Spammers don't do that as they use "stolen" computers. Legitimate senders sending spam is a different issue, but I don't see them often.

Fri, 07/31/2009 - 01:31
Dim Git

Thanks for your reply Ronald, I now have another topic to do some reading on.

Sat, 08/01/2009 - 09:20
Dim Git

A slow dawning of realisation has crept over me.

The title of the topic is wrong, it has little to do with spam as such. And absolutely no similarity to greylisting in any way whatsoever.

The only spam connection is that it stops spammers prospecting for email addresses.

The idea is to ban an IP number after it has sent 3 emails to unrecognised addresses. If nothing else, it should save all those entries in mailwatch obscuring the real entries.

Sat, 08/01/2009 - 11:08
ronald

To ban an IP on such a basis would be silly. In no time half the world would be banned from your server.

The idea of postgrey is to not receive emails from spammers, i.e. reject them. Spammers use hijacked computers and therefore often dynamic IPs. There is no sense in banning such IPs. He would just send from a different IP.

Sat, 08/01/2009 - 12:57
Dim Git

Ah, sorry, omitted to say, the duration of the ban can be set, maybe 10-15 minutes would be reasonable. Just enough to stop repeated emails to non-existent addresses.

Wed, 08/26/2009 - 05:09
flameproof

The idea is to ban an IP number after it has sent 3 emails

Not sure, but sometimes I get identical emails almost at the same time with different IPs. It seems IPs can be faked at will.

I would be interested in how I can filter out Russian SPAM, where the Subject looks like:

Subject: [SPAM 4.5] =?koi8-r?B?69LV1MHRINLB09DSz8TB1sEh?=

I tried to set a filter on "koi8-r", but it doesn't work.....

I will give postgrey a try.....

Topic locked