This is a discussion on Re: My Newly Expanded DNS Blacklist - Who wants to try it? - SpamAssassin ; Marc Perkel wrote: > > > Rick Cooper wrote: >> I don't know what his reason is but had I attempted to send mail to your >> server last Friday I could easily have ended up hitting one of your ...
Marc Perkel wrote:
> Rick Cooper wrote:
>> I don't know what his reason is but had I attempted to send mail to your
>> server last Friday I could easily have ended up hitting one of your
>> MXs. I had a problem with Verizon where I would loose my connection for
>> seconds to a min and everything would be fine for seconds to a min or
>> This went on for hours, it was like someone flicking a light switch.
>> If exim
>> couldn't connect to your lower mx servers during one of these episodes it
>> would have rolled up the list as it should since Verizon has yet to
>> my mail server they are having transient network problems and to consider
>> any connection issues to be temporary and please try again.
> Rick, it does take multiple hits to get listed and I did add code that
> if you hit all the high ones in sucession that it only counts as one.
> However, having said that, this is experimental and there's a
> possibility that it's just not going to work. I do believe that there's
> information to be had by looking at hosts who hit high numbered MX
> records when low numbered MX servers are available. I'm just trying to
> figure out how to extract this information.
> So - I ask the question - I think we can all agree that there's
> information to be had. How do we extract this in a useful form an avoid
> false positives?
If you're going to do this, I would suggest that instead of counting to
X hits on your low priority MX's and then blacklisting the IP, do this:
Count on all of your MX's, and look for a ratio between "hits on low
priority MX's and hits on high priority MX's".
IFF the high priority MX hit rate is 0, then just do a simple count on
the hits against the low priority MX's.
IF the highr priority MX hit rate is > 0, then do (low priority hit
rate) / (high priority hit rate), and look for a number >= something
That way, senders that might sequentially try your servers, due to
problems, or even just because they roll through the servers over time,
wont get tagged.