Spam Filter ISP Support Forum


Filter Ideas

jerbo128
Senior Member

Joined: 06 March 2006
Status: Offline
Points: 178
    Posted: 10 February 2008 at 8:43pm
Two possible ideas I would like to throw out there for new/improved filter ideas:
 
1 - Local blacklist and limbo cache - Create the ability to reject an entire class C of IPs if more than "x" number of IPs from that class C are listed in the limbo or blacklist cache. This could be on a temporary basis or a permanent basis.
 
2 - If an IP is added to the limbo or blacklist cache more than "x" times in "y" days, then the IP will be added to a permanent blacklist - such as honeypot blocked IPs.
 
Comments Anyone?
 
Jeremy
atifghaffar
Senior Member

Joined: 31 May 2006
Location: Switzerland
Status: Offline
Points: 104
Posted: 11 February 2008 at 4:07am
Jeremy,

Yes, good idea. We are doing the same by reading the spamfilter's logs and blocking the IP or the class on the firewall.

So if this list is easily accessible (text file/table) then I can rewrite the code to look just at this file instead of parsing the logs all day long.


best regards

Atif
IKILLSPAM1
Groupie
Joined: 02 May 2007
Location: United States
Status: Offline
Points: 70
Posted: 11 February 2008 at 4:48pm
I also touched on this subject months ago. People had said they didn't see many IPs from the same class C. I do. Sometimes a bunch.
 
Here's something I have been doing. I set up an extensive honeypot email address list, based mostly off what I'm receiving in quarantine. If I see the same address getting hit over a few days, and I know we definitely don't host it, I add that email address to the honeypot. This works great for the most part, but some jerks out there send these emails from good servers like Yahoo or Verizon, and then those servers land in the blockedbyhoneypot IPs, but this doesn't happen often.
 
What I do after that is take the list of IPs, maybe once a month, import them into an MS Access table and query the data, asking it to show me all class Cs with more than, let's say, 5 unique hits. I take any it finds and I block the whole class C in the local IP blacklist file. I then clear my honeypot IP file and start over. This works well and avoids false positives.
 
Edited by IKILLSPAM1 - 11 February 2008 at 4:50pm
jerbo128
Senior Member

Joined: 06 March 2006
Status: Offline
Points: 178
Posted: 11 February 2008 at 6:37pm
I currently use a scheduled stored procedure:
1 - copies honeypotblockedips to tblbl_ips
2 - blacklists all class Cs in tblbl_ips where there are more than 5 individual entries in it.
 
We manually add IPs to tblbl_ips from emails that customers send to the complaint box.
 
We then query for blacklisted class Cs, and modify to larger networks if needed.
 
This works very well. I would like to expand on it by using some of the limbo and cache IPs.
 
Jeremy
 
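The aggregation the thread describes (idea 1 from the first post, the stored procedure above, and IKILLSPAM1's Access query), plus the "added more than x times in y days" rule (idea 2), as an added worked example. This is illustration code written for this page, not code from any poster or from the SpamFilter ISP product; it assumes the honeypot-blocked IPs and the limbo/cache additions are already available as plain Python lists (the posters get theirs from the honeypot file, a SQL table or the logs), and the IP addresses and timestamps below are constructed sample data in the TEST-NET ranges. The `allow` parameter is an assumption added to address the false-positive case IKILLSPAM1 raised (a shared mail provider landing in the honeypot list): networks listed there are never blocked wholesale.

```python
"""Class-C aggregation and repeat-offender checks for a blacklist/honeypot IP list.

Added illustration; not code from any poster or from the SpamFilter ISP product.
Assumes the blocked IPs and limbo/cache events are available as plain Python data.
IPv4 only, since the thread talks in terms of class Cs (/24 networks).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: IPs that landed in the honeypot-blocked list (TEST-NET ranges).
SAMPLE_HONEYPOT_IPS = [
    "203.0.113.5", "203.0.113.17", "203.0.113.44",
    "203.0.113.90", "203.0.113.91", "203.0.113.200",   # six unique hosts in one /24
    "198.51.100.3", "198.51.100.3", "198.51.100.9",    # two unique hosts (one repeat)
    "192.0.2.77",                                      # a lone hit
]

# Constructed sample: (ip, time) for each time an IP entered the limbo/blacklist cache.
_T0 = datetime(2008, 2, 1)
SAMPLE_CACHE_EVENTS = (
    [("203.0.113.5", _T0 + timedelta(days=d)) for d in (0, 1, 3, 6)]        # 4 hits in a week
    + [("198.51.100.3", _T0 + timedelta(days=d)) for d in (0, 10, 20, 30)]  # spread out
)


def class_c(ip: str) -> ipaddress.IPv4Network:
    """Return the /24 network (the thread's 'class C') that contains ip."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def class_c_candidates(ips, threshold=5, allow=()):
    """Idea 1 / the stored procedure: /24s holding MORE THAN `threshold` unique IPs.

    `allow` lists CIDR strings that must never be blocked wholesale (hypothetical
    safeguard for the shared mail providers mentioned in the thread).
    """
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    unique_by_net = defaultdict(set)
    for raw in ips:
        addr = ipaddress.ip_address(raw.strip())
        unique_by_net[class_c(str(addr))].add(addr)   # a set drops duplicate hits
    hits = []
    for net, hosts in unique_by_net.items():
        if len(hosts) > threshold and not any(net.overlaps(a) for a in allow_nets):
            hits.append(net)
    return sorted(hits, key=lambda n: int(n.network_address))


def repeat_offenders(events, max_hits, window_days):
    """Idea 2: IPs added MORE THAN `max_hits` times inside any `window_days`-day window."""
    by_ip = defaultdict(list)
    for ip, when in events:
        by_ip[ip].append(when)
    window = timedelta(days=window_days)
    offenders = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_hits:
                offenders.append(ip)
                break
    return sorted(offenders)


def blacklist_lines(nets):
    """Render networks as CIDR lines suitable for a local blacklist file."""
    return [str(n) for n in nets]


if __name__ == "__main__":
    nets = class_c_candidates(SAMPLE_HONEYPOT_IPS, threshold=5)
    print("block these /24s:", blacklist_lines(nets))
    print("repeat offenders:", repeat_offenders(SAMPLE_CACHE_EVENTS, max_hits=3, window_days=7))
```

Both checks use a strict "more than" comparison, matching the wording in the posts. Counting unique hosts per /24 (a set, not a row count) matters because a single noisy host re-hitting the honeypot should not by itself push its whole network over the threshold; the sliding window in `repeat_offenders` handles that case separately, per IP.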
IKILLSPAM1
Groupie
Joined: 02 May 2007
Location: United States
Status: Offline
Points: 70
Posted: 12 February 2008 at 10:26am
Hey Jeremy, seems like you're doing the same exact thing I am, just using SQL instead.
 
I would also like to expand on it. It's just what's the best way to make use of the Limbo\Cached IPs. Maybe if the program could log to the local blacklist a class C based on a # of unique addresses in the Limbo\Cache. This option of course would be turned off by default, and tailorable to how many unique IPs you want to see before you block the class C.
 
 