Hi all, we working on our small DNS Blacklist service for email servers. We want to do something like spamcop, Truncate etc... blackliste service. My question is, how to collect / find spamming emails in our logs or spamassassin rules configuration or some other way, to automatically blacklist senders IP addresses in our blacklist dns system ? Is there any automatically way how to find spamming domains to email accounts on our servers and blacklist them on our dns blacklist? We have currently two methods for blacklisting: Download public data from existing DNS BL services and import them. Second method is manually spam reporting by our users. But we need also method to automatic spam detection and blacklisting. We plan to future allow blacklisting for other email servers providers and we want give them a chance to easy blacklist IP in our system from detected spam on their servers. But I have no idea how to do. How solve this another DNS BL services ? Thank you for your help
I guess many RBL use honeypots. Create mailboxes that are not in use on various domains and servers and then "seed" these email addresses in the internet, e.g. use them as "example" addresses in log listings or posts when you ask something in a forum or use them in a comment on your blog. The spammers are spidering the internet to find email addresses posted somewhere and will add them to their lists. As you dont use these addresses for something real, all emails that arrive there must be spam.
Thank you Till, and is there any option to determine spam from logs, or in spamassassin - eg. if score is higher than, provide blacklisting, or some other way ?
Sure, you can do that as well. Take the mail.log file and write a script that parses the log, find the lines that contain the amavisd (spamassassin) scores and seek for the IP that belongs to that listing.
Thank you for your idea. I look at it. I have one more question, it is possible (and if, how) to log DNS query source IP ? I want to log IP address of server which send DNS query to our server. With tcp dump I dont see real source IP of server who request. I try passivedns but it doesnt work properly.
