[Greylist-users] Auto shun hack

Paul Venezia pvenezia at jpj.net
Wed Feb 9 10:40:12 PST 2005


Hey all-

In an effort to control the 700,000+ dictionary spams my server gets every
day, I've coded another ruleset into relaydelay that checks the relay_ip
against the relaytofrom DB, checking for a number of un-resent messages.
If the blocked_count >= 1 and passed_count = 0 for a specific relay_ip for
a time period from the first record in the DB to a time 100 minutes before
NOW(), relaydelay will toss a record into a new table with the relay_ip
address, DNS name and timestamp, then create a firewall rule to block that
host from TCP/25. At boot time, a separate script is run to create new
firewall rules from the blockedrelays table.

At the moment, I have 12,000+ auto-generated rules on the ipfw firewall on
my FreeBSD mailserver and have seen over one million rejected connections
in the past 24 hours. Perusal of the blockedrelays table shows reverse DNS
records of spambot zombies and known spammers -- without exception.

I don't know if anyone else is in this situation, but this ruleset has
dropped the load on my mailserver from continuous 0.50 to 0.08, and my
daily relaytofrom database from 50MB to about 12MB. It is *very*
draconian, but also highly effective, and gets more effective as time
passes.

It only works with ipfw at the moment, but recoding to ipf or iptables
should be simple enough. Mail me if you want the code.

-Paul
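The shunning logic Paul describes above (relays whose greylist records show blocks but never a pass, judged only on records older than 100 minutes, recorded in a blockedrelays table, then blocked from TCP/25 with ipfw and re-applied at boot) as an added example that is not Paul's code and not part of relaydelay. It uses an in-memory SQLite stand-in for the MySQL relaytofrom table; the column names (relay_ip, blocked_count, passed_count, create_time) and the blockedrelays layout are assumptions based on the post, the sample rows and reverse-DNS answers are constructed, and the ipfw commands are returned as strings rather than executed:

```python
import sqlite3
from datetime import datetime, timedelta

# Window from the post: judge a relay on records created up to 100 minutes
# before "now"; newer records are ignored so a legitimate MTA can still retry.
QUARANTINE = timedelta(minutes=100)
TS_FMT = "%Y-%m-%d %H:%M:%S"

SAMPLE_NOW = datetime(2005, 2, 9, 10, 40, 12)  # fixed clock (constructed)
# Constructed reverse-DNS answers used instead of a live socket.gethostbyaddr().
SAMPLE_RDNS = {"10.0.0.1": "zombie.example.net", "10.0.0.5": "spamhost.example.org"}


def open_db():
    """In-memory stand-in for the relaydelay tables (column names assumed;
    the real relaytofrom schema has more columns than shown here)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE relaytofrom (
            id            INTEGER PRIMARY KEY,
            relay_ip      TEXT    NOT NULL,
            mail_from     TEXT,
            rcpt_to       TEXT,
            blocked_count INTEGER NOT NULL DEFAULT 0,
            passed_count  INTEGER NOT NULL DEFAULT 0,
            create_time   TEXT    NOT NULL
        );
        CREATE TABLE blockedrelays (
            relay_ip    TEXT PRIMARY KEY,
            relay_name  TEXT,
            create_time TEXT NOT NULL
        );
    """)
    return db


def build_sample_db():
    """Constructed greylist history, ages relative to SAMPLE_NOW."""
    db = open_db()
    rows = [  # relay_ip, blocked_count, passed_count, age of the record
        ("10.0.0.1", 3, 0, timedelta(hours=5)),     # never retried -> shun
        ("10.0.0.2", 2, 1, timedelta(hours=4)),     # retried and passed -> legit
        ("10.0.0.3", 1, 0, timedelta(minutes=10)),  # too recent to judge
        ("10.0.0.4", 1, 0, timedelta(hours=3)),     # one blocked row ...
        ("10.0.0.4", 1, 1, timedelta(hours=2)),     # ... but another passed -> legit
        ("10.0.0.5", 1, 0, timedelta(hours=6)),     # old block, no pass -> shun
        ("10.0.0.5", 1, 0, timedelta(minutes=5)),   # newer row falls outside the window
    ]
    db.executemany(
        "INSERT INTO relaytofrom (relay_ip, mail_from, rcpt_to, blocked_count, "
        "passed_count, create_time) VALUES (?, 'a@example.com', 'b@example.org', ?, ?, ?)",
        [(ip, b, p, (SAMPLE_NOW - age).strftime(TS_FMT)) for ip, b, p, age in rows],
    )
    db.commit()
    return db


def find_shun_candidates(db, now):
    """Relay IPs whose records older than the window show >= 1 block and 0 passes,
    skipping relays already present in blockedrelays."""
    cutoff = (now - QUARANTINE).strftime(TS_FMT)
    cur = db.execute("""
        SELECT relay_ip FROM relaytofrom
        WHERE create_time <= ?
          AND relay_ip NOT IN (SELECT relay_ip FROM blockedrelays)
        GROUP BY relay_ip
        HAVING SUM(blocked_count) >= 1 AND SUM(passed_count) = 0
        ORDER BY relay_ip
    """, (cutoff,))
    return [row[0] for row in cur.fetchall()]


def ipfw_rule(ip):
    """ipfw command that drops SMTP connections from one host (returned, not run)."""
    return f"ipfw add deny tcp from {ip} to any 25"


def shun_relays(db, now, resolve):
    """Record each candidate (address, DNS name, timestamp) and return the rules to apply."""
    rules = []
    for ip in find_shun_candidates(db, now):
        db.execute("INSERT INTO blockedrelays (relay_ip, relay_name, create_time) VALUES (?, ?, ?)",
                   (ip, resolve(ip), now.strftime(TS_FMT)))
        rules.append(ipfw_rule(ip))
    db.commit()
    return rules


def boot_rules(db):
    """What the boot-time script re-applies from the persistent blockedrelays table."""
    cur = db.execute("SELECT relay_ip FROM blockedrelays ORDER BY relay_ip")
    return [ipfw_rule(row[0]) for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_sample_db()
    for cmd in shun_relays(db, SAMPLE_NOW, SAMPLE_RDNS.get):
        print(cmd)
```

Two things worth noting before copying the idea: a single greylist block with no pass inside the window is enough to shun, so a legitimate MTA whose retry interval exceeds 100 minutes would be cut off at the firewall and never get the chance to pass; and the NOT IN check is what keeps the milter from re-inserting the same host (and re-adding the same ipfw rule) on every connection attempt.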
