[Greylist-users] Blacklisting an IP - outside of Greylist
Brian Ross
bross at qualcomm.com
Wed Mar 28 08:56:26 PDT 2007
Hi Dennis,
I'd suggest, based on the connection volume, using iptables.
If you use the access database or an RBL your mail server will still
incur much of the overhead of setting up the socket connection and
exchanging at least a portion of the SMTP conversation.
However, if you're merely trying to prevent leakage while restarting the
greylist the access database would do the trick. Also consider using F=T
on your INPUT_MAIL_FILTER macro to tempfail when the milter is
unavailable.
Here at Qualcomm I'm doing a combination of these things. We maintain a
large access database blacklist (based on statistics from our content
evaluation system), and then generate dynamic IPF rules from the sendmail
logs.
The most recent X minutes of the sendmail log are parsed by a script which
looks for known bad senders according to the access.db, and outputs IPF
rules. Another script causes IPF to drop its current ruleset and reload
the new ones. This keeps our IPF rules small, very current and very
manageable.
We also use F=T for our greylist milter.
-Brian
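The log-driven rule generation Brian describes (parse the last X minutes of the sendmail log, keep only relays the access database already rejects, emit firewall rules, then replace the whole dynamic ruleset) as an added example in Python; it is not code from the original post or from Qualcomm. It targets iptables rather than IPF since that is what Dennis runs. The access-db source, the log lines, the host and queue IDs, the chain name `greylist-dyn`, and the 30-minute window are all constructed assumptions; the prefix matching mirrors sendmail's label-wise matching of `Connect:` keys (so `Connect:203.0.113` covers the whole /24).

```python
import re
from datetime import datetime, timedelta

# Syslog prefix ("Mar 28 08:51:12 ") and the "relay=name [ip]" field sendmail writes.
SYSLOG_TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
RELAY_RE = re.compile(r"relay=\S*\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed access-db source (hypothetical entries, not a real blacklist).
ACCESS_TEXT = """\
# blacklist maintained from content-evaluation statistics
Connect:192.0.2.10      REJECT
Connect:203.0.113       REJECT
spammer@example.com     REJECT
"""

# Constructed sendmail log lines in syslog format (hypothetical host and queue IDs).
LOG_LINES = [
    "Mar 28 08:50:01 mx1 sendmail[4101]: l2SFo1Qa004101: from=<user@example.org>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]",
    "Mar 28 08:51:12 mx1 sendmail[4102]: l2SFpCQb004102: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Access denied",
    "Mar 28 08:52:30 mx1 sendmail[4103]: l2SFqUQc004103: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Access denied",
    "Mar 28 08:53:05 mx1 sendmail[4104]: l2SFr5Qd004104: ruleset=check_relay, arg1=spam.example.net, arg2=203.0.113.44, relay=spam.example.net [203.0.113.44], reject=550 5.7.1 Access denied",
    "Mar 28 07:10:00 mx1 sendmail[3999]: l2SEA0Qe003999: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Access denied",
    "Mar 28 08:54:00 mx1 sshd[4200]: Accepted publickey for admin from 198.51.100.2 port 51514 ssh2",
]

NOW = datetime(2007, 3, 28, 8, 56, 0)  # "current time" for the constructed sample


def load_access_blacklist(access_text):
    """Return the Connect: keys whose action rejects the connection (sender keys are ignored)."""
    bad = set()
    for line in access_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        key, action = fields
        if key.lower().startswith("connect:") and action.upper().startswith(("REJECT", "DISCARD", "ERROR")):
            bad.add(key.split(":", 1)[1])
    return bad


def is_blacklisted(ip, blacklist):
    """Match on whole dotted labels, as sendmail does: key 203.0.113 covers 203.0.113.x only."""
    return any(ip == key or ip.startswith(key + ".") for key in blacklist)


def parse_timestamp(line, now):
    """Syslog timestamps carry no year; borrow it from 'now' and step back over a year boundary."""
    m = SYSLOG_TS_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{now.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    if ts > now + timedelta(days=1):  # December entries read in January
        ts = ts.replace(year=now.year - 1)
    return ts


def recent_bad_relays(log_lines, blacklist, now, window_minutes):
    """Count, per relay IP, the log entries inside the window whose relay the access db rejects."""
    cutoff = now - timedelta(minutes=window_minutes)
    hits = {}
    for line in log_lines:
        ts = parse_timestamp(line, now)
        if ts is None or ts < cutoff or ts > now:
            continue
        m = RELAY_RE.search(line)
        if m is None:
            continue  # not an SMTP transaction line
        ip = m.group(1)
        if is_blacklisted(ip, blacklist):
            hits[ip] = hits.get(ip, 0) + 1
    return hits


def reload_commands(hits, chain="greylist-dyn", parent="INPUT"):
    """Rebuild one dedicated chain from scratch each run, like dropping and reloading an IPF
    ruleset: hosts that stopped connecting fall out, and the ruleset never grows stale.
    Busiest abusers go first so the common case costs one rule evaluation. DROP rather than
    REJECT: no packet back to the sender means no SYN/ACK and no SMTP conversation at all."""
    ordered = sorted(hits, key=lambda ip: (-hits[ip], ip))
    cmds = [f"iptables -N {chain} 2>/dev/null || true", f"iptables -F {chain}"]
    cmds += [f"iptables -A {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in ordered]
    cmds.append(f"iptables -C {parent} -j {chain} 2>/dev/null || iptables -I {parent} -j {chain}")
    return cmds


def run_sample(window_minutes=30):
    """Run the whole pipeline over the constructed sample and return (hits, commands)."""
    hits = recent_bad_relays(LOG_LINES, load_access_blacklist(ACCESS_TEXT), NOW, window_minutes)
    return hits, reload_commands(hits)


if __name__ == "__main__":
    for cmd in run_sample()[1]:
        print(cmd)  # pipe into sh from cron every few minutes
```

In production the log lines come from `tail` of the live maillog and `NOW` is `datetime.now()`; the window only needs to be a little longer than the cron interval, because anything older will be regenerated from the next slice of the log if the host is still hammering.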
On Wed, 28 Mar 2007, Dennis Wynne wrote:
> We have one IP that is really hitting on us, the blocked count in the
> greylist database shows 32,552 blocks since I blacklisted them.
>
> One message snuck through this morning, they hit us so often that during the
> time the daily stop/start of the script was going on the message snuck
> through.
>
> To avoid having to look this number up over and over in the database all day
> and have any mail sneak by in case the script is down for any reason, I want
> to block this IP at the earliest or best spot (least overhead for my system)
> that I can.
>
> Thoughts:
>
> 1) I can put it in the access sendmail "database" with an entry like:
>
> Connect:1.1.1.1 REJECT
>
>
> 2) I can add them to the iptables "firewall" with something like this:
>
> -A RH-Firewall-1-INPUT -s 1.1.1.1 -j REJECT
>
>
> 3) I could get them listed on one of the real-time black lists I use - they
> currently are not listed. This seems the least sure and still has high
> overhead, I would think.
>
>
> Any other options?
>
> Thanks!
> Dennis
>
> _______________________________________________
> Greylist-users mailing list
> Greylist-users at lists.puremagic.com
> http://lists.puremagic.com/cgi-bin/mailman/listinfo/greylist-users