Jari Fredriksson wrote:
> Marc Perkel wrote:
>
>> Using my new ideas here's my raw blacklist file. It has about 80k IP
>> addresses and is updated every 10 minutes.
>>
>> http://iplist.junkemailfilter.com/black.txt
>>
>> Here's instructions on how to use it with SpamAssassin and Exim.
>>
>> http://wiki.ctyme.com/index.php/Spam...assin_Examples
>>
>> I'd like to get some feedback on how well it's working.
>>

>
>
> Hmm, how about documenting how it is supposed to work? How does an IP address end up on your list?
>
>

The wiki link has it somewhat documented but I'm trying something new and I'm still testing it so I'm not going to document it for a while till I know it works. But - the simple explanation is this.

On the lower numbered MX records I have 3 mail servers any one of which can carry the whole load in an emergency. I have on higher numbered MX about 10 dummy IP addresses that normal email should never hit. Spammers however, especially spam bots have been hitting random MX records instead of figuring out the proper order. The idea is that the backup servers might have less spam filtering than the main server.

So any hits on these fake MX records are counted as spam hits. Every 10 minutes I count up the spam and ham hits per IP and generate my black, white, and yellow lists. To make the black list there has to be enough hits to be worth counting and it has to be 99% spam. The high MX records always return a 421 error, but each hit still counts as a spam hit.

Some of the details are a little more complex. I process SA-determined spam hits differently than spammer-trick spam, not only in scoring but in the time that I keep the data. Fake MX data lives 1 day. Spam lives 3 days, and ham lives 7 days. Every 6 hours I shift the log data down, creating a new file and deleting the oldest file.

If this works out it could be done on a more massive community scale and it could totally wipe out all spambot spam. Right now I have no spambot spam at all making it through the system using this and other tricks. Most of my filtering is done using Exim rules but I still use SA for the remaining 1% or so. I'm also feeding spam to several block list services who are using my data to add to blocking spam everywhere.
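The list-generation step described in the reply, as an added example that is not Marc's own code: per-IP tallies of fake-MX, SA-spam and ham hits with the stated retention windows (1, 3 and 7 days), then a blacklist of IPs that have enough hits and are at least 99% spam. The log line format, the hit-type names and the minimum-hit threshold (MIN_HITS = 4; the post gives no number) are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Retention windows from the post: fake-MX hits 1 day, SA spam 3 days, ham 7 days.
RETENTION = {"fakemx": timedelta(days=1), "spam": timedelta(days=3), "ham": timedelta(days=7)}
MIN_HITS = 4          # assumed "enough hits to be worth counting"; the post gives no number
SPAM_RATIO = 0.99     # blacklisting requires a spam share of at least 99%

def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <ip> <fakemx|spam|ham>'."""
    ts, ip, kind = line.split()
    return datetime.fromisoformat(ts), ip, kind

def tally(lines, now):
    """Count spam and ham hits per IP, dropping records older than their retention window."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in lines:
        ts, ip, kind = parse_line(line)
        if now - ts > RETENTION[kind]:
            continue   # expired, as if its 6-hourly log file had been deleted
        counts[ip]["ham" if kind == "ham" else "spam"] += 1   # fake-MX hits count as spam
    return counts

def blacklist(counts, min_hits=MIN_HITS, ratio=SPAM_RATIO):
    """IPs with at least min_hits total hits and a spam share of at least ratio."""
    listed = []
    for ip, c in counts.items():
        total = c["spam"] + c["ham"]
        if total >= min_hits and c["spam"] / total >= ratio:
            listed.append(ip)
    return sorted(listed)

# Constructed sample log (not real traffic); NOW is fixed so the result is deterministic.
NOW = datetime(2008, 1, 10, 12, 0, 0)
SAMPLE_LOG = [
    "2008-01-10T11:50:00 192.0.2.10 fakemx",
    "2008-01-10T08:00:00 192.0.2.10 fakemx",
    "2008-01-09T20:00:00 192.0.2.10 spam",    # 16 h old: SA spam is kept 3 days
    "2008-01-10T06:00:00 192.0.2.10 fakemx",
    "2008-01-10T10:00:00 192.0.2.20 fakemx",
    "2008-01-10T11:00:00 192.0.2.20 fakemx",
    "2008-01-10T11:15:00 192.0.2.20 fakemx",
    "2008-01-10T11:30:00 192.0.2.20 fakemx",
    "2008-01-07T11:30:00 192.0.2.20 ham",     # 3 days old: ham is kept 7 days, so it still counts
    "2008-01-08T11:00:00 192.0.2.30 fakemx",  # 2 days old: expired, fake-MX data lives 1 day
    "2008-01-10T11:00:00 192.0.2.30 fakemx",
]

if __name__ == "__main__":
    print("\n".join(blacklist(tally(SAMPLE_LOG, NOW))))
```

Only 192.0.2.10 is listed: 192.0.2.20 has one ham hit among five (80% spam) and 192.0.2.30 has a single unexpired hit.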
