
How to block if emailTO is not in Authori

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5801
Printed Date: 10 May 2025 at 1:13pm


Topic: How to block if emailTO is not in Authori
Posted By: john11
Subject: How to block if emailTO is not in Authori
Date Posted: 20 September 2006 at 1:56am
We seem to be getting hammered by some DHA attacks. Since we have a list of all the authorized TO addresses and have configured to whitelist and allow only AuthorizedTOEmails, the bogus addresses are being identified as not in the AuthorizedTOEmailList. Is there a way to block the sending IP(s) (ideally for an adjustable period of time, say 4 hours) that send to bogus TO addresses?



Replies:
Posted By: sgeorge
Date Posted: 21 September 2006 at 11:53pm
Hi John, I think you'll find that the cached IP blocking feature will do this for you.  With the ip limbo/cache feature enabled, ips are recorded for servers that send you a message that was rejected.  If they send more rejected messages within a specific amount of time (3 within 10 minutes, by default), then they are temporarily banned (default: for 60 minutes).

Now, with those defaults, it's not going to block them on their first rejection, but it should help.  In fact, it's probably better that you don't reject after the first rejection....  imagine if I misspelled my friend mike's email as miek@email.com.  I might not be able to re-try sending my message for 4 hours if I don't have a 2nd chance.

Anywho... one thing I like to do: put dozens of bogus honeypot email addresses hidden on my organization's web site.  That's one way to put some spammers straight onto your blacklist once they send to one of the no-no addresses.


Posted By: jerbo128
Date Posted: 22 September 2006 at 9:08pm

sgeorge -

Awesome idea on seeding for the honeypot.  I assume that you use something similar to white letters on a white background?

Anyone know if there is a way to tell exactly what honeypot ip caused an email to be blocked?  Just in case I get a legitimate ip in the honeypot.



Posted By: sgeorge
Date Posted: 27 September 2006 at 3:38pm
jerbo, for my web site's honeypot list I use a combo of white text on white bg, font-size of 1px.  In addition, I keep all of the email addresses in a <DIV> container with a css display property of style="display: none".

In terms of tracking down the i.p.s (at least in SpamFilter v3.1.3.597)...

Finding the original infraction
(the one that added the ip to the list)
*In logs: Entries should look similar to..
... EMail To is in honeypot emails -
... Added 123.123.123.123 to honeypot blacklist
*in quarantine:
"where tblquarantine.rejectid = 18"

Finding rejections due to the fact that an i.p. is in HoneypotBlockedIPs.txt
*In logs: Entries should look similar to...
... IP blocked by honeypot autofilter -
... 123.123.123.123 - Mail from: bozo@spam.com To: me@mydomain.com will be rejected
*in quarantine:
"where tblquarantine.rejectid = 18"

In the quarantine, I don't think there is a way to specifically search for the email that caused the i.p. to go on the list.  Though, if I were trying to do that I would do a query with "where rejectid = 18 and (emailto = 'honeypotemail1@mydomain' or emailto = 'honeypotemail2...', etc)"

Also, I made a unix bash script that takes my entire HoneypotBlockedIPs.txt list and runs a reverse DNS for the entire list.  This is helpful for me to identify major domain names and mail servers.  Would that be useful for you?
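As an added example (not sgeorge's script or anything shipped with SpamFilter ISP), here is a small log reader that does what the post above says the quarantine cannot do directly: it ties each IP on the honeypot list back to the honeypot address that put it there, and counts the later "IP blocked by honeypot autofilter" rejections for that IP, so a single-hit IP (possibly a legitimate sender who hit one trap address) stands out for manual review. The full log line layout and the sample lines are constructed assumptions; only the quoted phrases come from the thread.

```python
import re
from collections import Counter

# Constructed sample log. The timestamp / "Mail from: ... To: ..." layout is an
# assumption; the phrases "EMail To is in honeypot emails", "Added <ip> to honeypot
# blacklist" and "IP blocked by honeypot autofilter" are the ones quoted in the thread.
SAMPLE_LOG = """\
09/27/06 15:38:01 - 123.123.123.123 - Mail from: bozo@spam.com To: honeypotemail1@mydomain.com - EMail To is in honeypot emails - Added 123.123.123.123 to honeypot blacklist
09/27/06 15:38:05 - IP blocked by honeypot autofilter - 123.123.123.123 - Mail from: bozo@spam.com To: me@mydomain.com will be rejected
09/27/06 15:39:10 - IP blocked by honeypot autofilter - 123.123.123.123 - Mail from: bozo@spam.com To: sales@mydomain.com will be rejected
09/27/06 15:40:00 - 10.20.30.40 - Mail from: friend@example.org To: honeypotemail2@mydomain.com - EMail To is in honeypot emails - Added 10.20.30.40 to honeypot blacklist
09/27/06 15:41:00 - 198.51.100.7 - Mail from: a@b.org To: me@mydomain.com - EMail To is in AuthorizedTO list
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The original infraction: the message that added the IP to HoneypotBlockedIPs.txt.
INFRACTION_RE = re.compile(
    r"To: (?P<addr>\S+) - EMail To is in honeypot emails - "
    r"Added (?P<ip>" + IPV4 + r") to honeypot blacklist")
# Later rejections caused purely by the IP already being on the list.
AUTOFILTER_RE = re.compile(
    r"IP blocked by honeypot autofilter - (?P<ip>" + IPV4 + r") - "
    r"Mail from: (?P<sender>\S+) To: (?P<rcpt>\S+)")


def parse_honeypot_log(text):
    """Return (listed_by, rejections): listed_by maps an IP to the honeypot address
    it first sent to; rejections counts that IP's later autofilter rejections."""
    listed_by, rejections = {}, Counter()
    for line in text.splitlines():
        m = INFRACTION_RE.search(line)
        if m:
            listed_by.setdefault(m["ip"], m["addr"])  # keep the first infraction only
            continue
        m = AUTOFILTER_RE.search(line)
        if m:
            rejections[m["ip"]] += 1
    return listed_by, rejections


def honeypot_report(text):
    """One row per listed IP: (ip, trap address that listed it, later rejections).
    Rows with 0 later rejections are the ones worth checking by hand before
    leaving the IP in HoneypotBlockedIPs.txt."""
    listed_by, rejections = parse_honeypot_log(text)
    return sorted((ip, addr, rejections[ip]) for ip, addr in listed_by.items())


if __name__ == "__main__":
    for ip, addr, hits in honeypot_report(SAMPLE_LOG):
        print(f"{ip:16} listed via {addr:30} later rejections: {hits}")
```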


Posted By: samsung
Date Posted: 09 November 2006 at 6:38pm

Hi sgeorge

Very interesting idea. To clarify: when you trap a spammer's IP into HoneypotBlockedIPs.txt, do you keep it there forever? Or, after RDNS processing, do you blacklist the IP and remove it from the HoneypotBlockedIPs.txt file?

If Auth-TO lists are used, and the hidden email address seed is not in the Auth-TO list, then when the spammer emails the seeding address, does it trigger the Honeypot? Or is the email rejected with an NDR before SpamFilter gets a chance to check for the seed in the Honeypot? I'd much appreciate your clarification. Thanks, S



Posted By: Thermo
Date Posted: 10 November 2006 at 12:11pm
Samsung Wrote:

"If Auth-TO lists are used, and hidden email address seed is not in Auth-TO list, then spammer's action when emailing seeding address does it trigger Honeypot??"

I am also interested in an answer to this question.
Thanks,
Michael




Posted By: dcook
Date Posted: 10 November 2006 at 4:54pm

Great idea on the batch NS lookups.  I found a windows program that does the trick -- http://www.jimprice.com/jim-soft.htm#nsbatch



-------------
Dwight
www.vividmix.com


Posted By: WebGuyz
Date Posted: 11 January 2007 at 12:19pm

Originally posted by Thermo:

Samsung Wrote:

"If Auth-TO lists are used, and hidden email address seed is not in Auth-TO list, then spammer's action when emailing seeding address does it trigger Honeypot??"

I am also interested in an answer to this question.
Thanks,
Michael

The name has to be in the AuthorizedTo list as well as the HoneyPot to work.



-------------
http://www.webguyz.net


