[Rspamd-Users] No greylisting with score 5.70 ?

G.W. Haywood rspamd at jubileegroup.co.uk
Thu Mar 7 12:36:24 UTC 2024


Hi there,

On Thu, 7 Mar 2024, Tino Hendricks via Users wrote:

> ...
> 2024-03-07 09:50:42 ... ip: 64.188.4.213 ...
> ...

> ...
> ... I need to tweak other parameters to catch these annoying mails.
> ...

You can probably eliminate around half your spam by using DNS-based
blacklists.  For some examples, take a look at

https://multirbl.valli.org/dnsbl-lookup/64.188.4.213.html

which as of this morning shows that IP listed in 26 blacklists.  As it
happens, we use about half of those to score connecting IP addresses.

This IP would *never* get spam through to us, based entirely on the IP
that connects.  The decision is made even before the connecting server
says 'EHLO'.  After the message has been received (but not accepted),
the connection then gets dropped into the tarpit until the sending
server gives up trying.  This does use milter children to monitor the
state of all the connections, but there are a lot of them and they're
doing nothing while they wait for a connection to break so it's cheap.

8<----------------------------------------------------------------------
milter=> SELECT timestamp,ip,bl_count,bl_score,delay \
          FROM connections \
          WHERE ip && '64.188.4.0/24' AND \
             timestamp > '2024-02-23' ORDER BY timestamp ;

       timestamp      |      ip      | bl_count | bl_score | delay 
---------------------+--------------+----------+----------+-------
  2024-02-28 14:29:32 | 64.188.4.208 |        3 |        5 |   130
  2024-02-28 14:30:24 | 64.188.4.208 |        3 |        5 |   150
  2024-02-28 14:32:18 | 64.188.4.208 |        3 |        5 |    60
  2024-02-28 14:33:21 | 64.188.4.208 |        3 |        5 |    30
  2024-02-28 14:38:33 | 64.188.4.208 |        3 |        5 |    90
  2024-02-28 14:38:33 | 64.188.4.208 |        3 |        5 |  1090
  2024-02-28 14:40:48 | 64.188.4.208 |        4 |        6 |  1690
  2024-03-04 15:27:37 | 64.188.4.215 |        4 |        7 |    80
  2024-03-04 16:58:38 | 64.188.4.215 |        7 |       10 |    30
  2024-03-04 17:29:50 | 64.188.4.215 |        7 |       10 |   210
  2024-03-04 17:33:49 | 64.188.4.215 |        7 |       10 |    30
  2024-03-04 18:10:56 | 64.188.4.215 |        8 |       12 |   300
  2024-03-04 18:39:33 | 64.188.4.215 |        9 |       13 |    10
  2024-03-04 19:40:06 | 64.188.4.215 |        9 |       13 |    10
  2024-03-05 13:28:49 | 64.188.4.207 |        2 |        2 |   440
  2024-03-05 15:41:01 | 64.188.4.207 |        6 |        9 |  7840
(16 rows)
8<----------------------------------------------------------------------

You can see in the table that the score for each of the three IPs in
this /24 which tried to connect to us in the past two weeks had, by
the time of the last connection, increased from the value which it had
at the first.  This is typical of many spammer IPs, and gives you an
idea of the magnitude of greylist delay which might be useful.  Our
servers reply with a 4xx (temporary failure) to everything that they
don't like, the idea being that by the time the greylist interval has
expired, the spammy IP has had plenty of time to get itself onto some
of the DNS block lists which we use.

The column 'delay' above is the number of seconds our server held onto
the connection without replying at End Of Message before the remote
server gave up.  That's over two hours for 64.188.4.207 on 2024-03-05
at 15:41:01, during which time that thread, at least, wasn't spamming
anybody else. }:-)

We also collect all the spammy messages and send them to e.g. SpamCop
and other spam collectors, and to law enforcement where appropriate.

You don't have to do anything so fancy as this, of course; this is just
to show what's possible with SMTP and the resources that are available.

The spam from the IPs in my table was all about electric bicycles.

-- 

73,
Ged.
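The IP-reputation step Ged describes (count the DNS blocklists that list the connecting IP, sum their weights, answer 4xx above a threshold), as an added example that is not the author's milter code: the zone names, weights, threshold and the stub resolver are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Dict, Tuple

# Hypothetical zone -> weight table (assumption: names and weights are made up;
# pick the DNSBLs you trust and weight them yourself).
BLOCKLISTS: Dict[str, int] = {
    "bl.example-one.test": 1,
    "bl.example-two.test": 2,
    "bl.example-three.test": 3,
}

def dnsbl_name(ip: str, zone: str) -> str:
    """Query name a DNSBL expects: the address reversed, then the zone.
    IPv4 reverses the octets (64.188.4.213 -> 213.4.188.64.<zone>);
    IPv6 reverses the 32 nibbles of the expanded address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(ip.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"

def score_ip(ip: str, blocklists: Dict[str, int],
             lookup: Callable[[str], bool]) -> Tuple[int, int]:
    """Return (bl_count, bl_score): number of zones listing the IP and the
    sum of their weights, the two columns shown in the table above.
    `lookup` resolves a name and reports whether it exists; with real DNS a
    listing is an A record (usually 127.0.0.x) and NXDOMAIN means not listed."""
    count = score = 0
    for zone, weight in blocklists.items():
        if lookup(dnsbl_name(ip, zone)):
            count += 1
            score += weight
    return count, score

def smtp_decision(bl_score: int, tempfail_at: int = 5) -> str:
    """Decide before EHLO: 4xx temporary failure at or above the threshold
    (assumed value), so the sender is greylisted rather than told it is blocked."""
    return "450 4.7.1 Try again later" if bl_score >= tempfail_at else "continue"

# Constructed stub resolver standing in for DNS so the example runs offline:
# the IP from the thread is "listed" in two of the three hypothetical zones.
_STUB_LISTED = {
    dnsbl_name("64.188.4.213", "bl.example-one.test"),
    dnsbl_name("64.188.4.213", "bl.example-three.test"),
}

def stub_lookup(name: str) -> bool:
    return name in _STUB_LISTED
```

To use it against real DNS, pass a lookup that resolves the name and returns True on an answer and False on NXDOMAIN in place of `stub_lookup`.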

