How to block if emailTO is not in Authori
john11 (Newbie) Joined: 06 April 2005 Location: United States Points: 17
Posted: 20 September 2006 at 1:56am
We seem to be getting hammered by some DHA attacks. Since we have a list of all the authorized TO addresses and have configured whitelisting to allow only AuthorizedTOEmails, the bogus addresses are being identified as not in the AuthorizedTOEmailList. Is there a way to block the sending IP(s) (ideally for an adjustable period of time, say 4 hours) that send to bogus TO addresses?
sgeorge (Senior Member) Joined: 23 August 2005 Points: 178
Hi John, I think you'll find that the cached IP blocking feature will do this for you. With the IP limbo/cache feature enabled, IPs are recorded for servers that send you a message that was rejected. If they send more rejected messages within a specific amount of time (3 within 10 minutes, by default), then their IP is temporarily banned (default: for 60 minutes).
Now, with those defaults, it's not going to block them on their first rejection, but it should help. In fact, it's probably better that you don't reject after the first rejection.... imagine if I misspelled my friend Mike's email as miek@email.com. I might not be able to re-try sending my message for 4 hours if I don't have a second chance. Anywho... one thing I like to do: put dozens of bogus honeypot email addresses hidden on my organization's web site. That's one way to put some spammers straight onto your blacklist once they send to one of the no-no addresses.
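The limbo/cache behaviour sgeorge describes (3 rejections within 10 minutes bans the sender IP for 60 minutes) as a small sliding-window simulation; this is an added example re-implementing that policy, not SpamFilter's own code, and the class name, method names and sample IPs are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Defaults quoted in the post: 3 rejections inside a 10-minute window -> 60-minute ban.
REJECTS_TO_BAN = 3
WINDOW_SECONDS = 10 * 60
BAN_SECONDS = 60 * 60


class IpLimbo:
    """Hypothetical tracker for rejected-sender IPs; times are seconds (any monotonic clock)."""

    def __init__(self, rejects_to_ban=REJECTS_TO_BAN, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.rejects_to_ban = rejects_to_ban
        self.window = window
        self.ban = ban
        self.events = defaultdict(deque)   # ip -> timestamps of recent rejections
        self.banned_until = {}             # ip -> time the temporary ban expires

    def is_banned(self, ip, now):
        expiry = self.banned_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned_until[ip]      # ban has lapsed; the IP starts clean again
            return False
        return True

    def record_rejection(self, ip, now):
        """Record one rejected message from ip; return True if ip is (now) banned."""
        if self.is_banned(ip, now):
            return True
        recent = self.events[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()               # drop rejections older than the window
        if len(recent) >= self.rejects_to_ban:
            self.banned_until[ip] = now + self.ban
            recent.clear()
            return True
        return False


def simulate():
    """Constructed scenario: one typo from a legitimate server vs. a DHA probe."""
    limbo = IpLimbo()
    typo_banned = limbo.record_rejection("192.0.2.10", 0)          # single misspelling: not banned
    dha = [limbo.record_rejection("198.51.100.7", t) for t in (0, 60, 120)]  # third strike bans
    still_banned = limbo.is_banned("198.51.100.7", 120 + 59 * 60)  # inside the 60-minute ban
    freed = limbo.is_banned("198.51.100.7", 120 + 60 * 60)         # ban expired
    return typo_banned, dha, still_banned, freed
```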
jerbo128 (Senior Member) Joined: 06 March 2006 Points: 178
sgeorge - Awesome idea on seeding for the honeypot. I assume that you use something similar to white letters on a white background? Anyone know if there is a way to tell exactly what honeypot IP caused an email to be blocked? Just in case I get a legitimate IP in the honeypot.
sgeorge (Senior Member) Joined: 23 August 2005 Points: 178
jerbo, for my web site's honeypot list I use a combo of white text on white bg, font-size of 1px. In addition, I keep all of the email addresses in a <DIV> container with a css display property of style="display: none".

In terms of tracking down the IPs (at least in SpamFilter v3.1.3.597)...

Finding the original infraction (the one that added the IP to the list):
* In logs: Entries should look similar to...
  ... EMail To is in honeypot emails - ...
  Added 123.123.123.123 to honeypot blacklist
* In quarantine: "where tblquarantine.rejectid = 18"

Finding rejections due to the fact that an IP is in HoneypotBlockedIPs.txt:
* In logs: Entries should look similar to...
  ... IP blocked by honeypot autofilter - ...
  123.123.123.123 - Mail from: bozo@spam.com To: me@mydomain.com will be rejected
* In quarantine: "where tblquarantine.rejectid = 18"

In the quarantine, I don't think there is a way to specifically search for the email that caused the IP to go on the list. Though, if I were trying to do that I would do a query with "where rejectid = 18 and (emailto = 'honeypotemail1@mydomain' or emailto = 'honeypotemail2...', etc)".

Also, I made a unix bash script that takes my entire HoneypotBlockedIPs.txt list and runs a reverse DNS for the entire list. This is helpful for me to identify major domain names and mail servers. Would that be useful for you?

Edited by sgeorge
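A parser for the two honeypot log entry shapes quoted above, plus a parameterized form of the quarantine query, as an added example (Python rather than sgeorge's bash script; not SpamFilter's own code). The timestamp prefix of each constructed sample line and the `select *` wrapper around the `where` clause are assumptions; only the quoted tails of the log lines and `rejectid = 18` come from the post.

```python
import re
from collections import defaultdict

# Match only the quoted tail of each entry; the leading part of the line ("...") is
# not shown in the post, so we do not depend on its layout.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ADDED_RE = re.compile(r"Added " + IPV4 + r" to honeypot blacklist")
BLOCKED_RE = re.compile(
    r"IP blocked by honeypot autofilter.*?" + IPV4 +
    r" - Mail from: (\S+) To: (\S+) will be rejected")


def summarize_honeypot_log(lines):
    """Return {ip: {"added": count, "blocked": [(mail_from, mail_to), ...]}}.

    "added" counts original infractions (the message that put the IP on the list);
    "blocked" lists later messages rejected because the IP was already listed.
    """
    summary = defaultdict(lambda: {"added": 0, "blocked": []})
    for line in lines:
        m = ADDED_RE.search(line)
        if m:
            summary[m.group(1)]["added"] += 1
            continue
        m = BLOCKED_RE.search(line)
        if m:
            ip, mail_from, mail_to = m.groups()
            summary[ip]["blocked"].append((mail_from, mail_to))
    return dict(summary)


def quarantine_query(honeypot_addresses):
    """Parameterized version of the post's quarantine search (rejectid 18 = honeypot).

    Returns (sql, params); bind params through the DB driver instead of inlining them.
    """
    placeholders = " or ".join("emailto = ?" for _ in honeypot_addresses)
    sql = f"select * from tblquarantine where rejectid = 18 and ({placeholders})"
    return sql, list(honeypot_addresses)


# Constructed sample log lines: the date/time prefix is made up, the tails follow the post.
SAMPLE_LOG = [
    "09/20/06 01:56:01 - EMail To is in honeypot emails - Added 123.123.123.123 to honeypot blacklist",
    "09/20/06 01:57:12 - IP blocked by honeypot autofilter - 123.123.123.123 - Mail from: bozo@spam.com To: me@mydomain.com will be rejected",
    "09/20/06 01:58:40 - IP blocked by honeypot autofilter - 123.123.123.123 - Mail from: bozo@spam.com To: sales@mydomain.com will be rejected",
    "09/20/06 02:00:00 - some unrelated log entry",
]
```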
samsung (Newbie) Joined: 26 October 2006 Points: 3
Hi sgeorge, very interesting idea. To clarify, so.... when you trap a spammer's IP in HoneypotBlockedIPs.txt, do you keep it there forever? Or after RDNS processing, do you blacklist the IP and remove it from the HoneypotBlockedIPs.txt file? If Auth-TO lists are used, and the hidden email address seed is not in the Auth-TO list, then when the spammer emails the seeding address, does it trigger the Honeypot?? Or is the email rejected with an NDR before SpamFilter gets a chance to check for the seed in the Honeypot?? Much appreciate your clarification. Thanks S
Thermo (Newbie) Joined: 10 July 2006 Location: Canada Points: 25
Samsung wrote:
"If Auth-TO lists are used, and the hidden email address seed is not in the Auth-TO list, then when the spammer emails the seeding address, does it trigger the Honeypot??" I am also interested in an answer to this question. Thanks, Michael
dcook (Senior Member) Joined: 31 January 2005 Location: United States Points: 174
Great idea on the batch NS lookups. I found a Windows program that does the trick -- http://www.jimprice.com/jim-soft.htm#nsbatch
Dwight
www.vividmix.com
WebGuyz (Senior Member) Joined: 09 May 2005 Location: United States Points: 348
The name has to be in the AuthorizedTo list as well as the HoneyPot to work.
http://www.webguyz.net