Internal DNS rbl ? WAS: Re: Automaticly getting the IP of a Virus Sender?

David While David.While at UCE.AC.UK
Fri Jun 18 10:20:05 IST 2004


I did modify Vispan to automatically update an RBL via DNS but dropped
the idea. I might still have the code somewhere.
 
----------------------------------------------------------------- 
David While 
Technical Development Manager 
Faculty of Computing, Information & English 
University of Central England 
Tel: 0121 331 6211 
----------------------------------------------------------------- 

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
Behalf Of shanna leonard
Sent: 17 June 2004 22:42
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Internal DNS rbl ? WAS: Re: Automaticly getting the IP of a
Virus Sender?


YES!
With the proliferation of noisy viruses, autoblocking via IP (either on
server, in MTA, or firewall) is extremely appealing.

But I like the idea of maintaining an internal DNS RBL instead of direct
updates to access db or firewall rules because we can then be very
flexible in what we choose to do with the "bad" IPs (i.e. from RBL we
could create firewall rules, reject at MTA, etc.) or add to spamassassin
score, etc.

RBL would make it easy to cooperate with others (via zone transfers?)
and "share the wealth"

So I am interested if anyone has integrated RBL updates into the
following code? or has other experience integrating RBL updates into
MailScanner.

1) Vispan. I like the stats part of it. I am not sure how it decides
what to block (heuristics?), but it appears to block an IP based on
receipt of a (configurable number) of spams/viruses from that IP in a
day.

It does direct updates to sendmail access db. I also noticed a bug that
there was a problem under Solaris w/ it?

2) Customconfig.pm with IP Block in MailScanner

It has a whitelist, good.

It rate-limits based on # of messages (an hour?). It appears to be
configurable based on source IP block (i.e. accept 200 messages from a
particular source IP in an IP block we expect legitimate mail from, less
from others). This flexibility would be useful.

It updates sendmail access db. I saw recent code posted which does
update to iptables?

3) I emailed virbl http://virbl.bit.nl/ to get their code and
attempt a local RBL from it. Their code works with amavis... has anyone
else tried to modify it to use MailScanner?



Randal, Phil wrote:

Karl M. Joch wrote:

Hello,

I was looking to add a script to automatically block IPs of
virus senders in the firewall. Is there any way to run a
script when finding a virus, or spam, getting the sender IP
in a variable? All of our servers update the firewall from a
central point and the blocks are removed every night. This
would help against mass mail viruses a lot. I know this can be
dangerous when blocking some ISP's mail server, but maybe this
helps that some ISPs block some traffic at their servers
too. Finally, the ISP mail server will retry to send the
emails for a longer time, but mails from a workstation having
a virus are mostly sent direct and not queued somewhere, which
will bring the traffic and the system load for virus scanning down.

Vispan does this by blocking the virus sender's IP in your
Sendmail "access" file.

See http://www.while.homeunix.net/mailstats/

Cheers,

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to  jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html

  


--
----
MHO
---
shanna leonard
arizona health sciences library
626-2923
----------------------------------
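
The internal-RBL idea discussed in this thread, shown as an added example (not part of the original messages, and not Vispan, MailScanner or virbl code): count detections per connecting IP for one day, skip whitelisted networks, and emit DNSBL records that an MTA, a firewall script or SpamAssassin could then query. The zone name, whitelist, threshold and detection tuples are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import date

ZONE = "rbl.example.internal"                       # hypothetical internal zone
WHITELIST = [ipaddress.ip_network("192.0.2.0/28")]  # hypothetical trusted relays
TODAY = date(2004, 6, 18)
YESTERDAY = date(2004, 6, 17)

# Constructed detections (day, connecting IP, verdict); documentation addresses only.
SAMPLE = (
    [(TODAY, "203.0.113.7", "virus")] * 2 + [(TODAY, "203.0.113.7", "spam")]
    + [(TODAY, "192.0.2.5", "virus")] * 3          # whitelisted relay
    + [(YESTERDAY, "198.51.100.20", "virus")] * 2  # stale hits from the day before
    + [(TODAY, "198.51.100.20", "virus"),
       (TODAY, "203.0.113.9", "clean"),
       (TODAY, "not-an-ip", "virus")]              # malformed log field
)

def listed_ips(events, day, threshold, whitelist=WHITELIST):
    """IPv4 senders with >= threshold spam/virus hits on `day`, whitelist excluded."""
    hits = Counter()
    for when, ip, verdict in events:
        if when != day or verdict not in ("virus", "spam"):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                      # never publish a record from junk input
        if addr.version != 4 or any(addr in net for net in whitelist):
            continue
        hits[addr] += 1
    return sorted(a for a, n in hits.items() if n >= threshold)

def rbl_name(addr, zone=ZONE):
    """DNSBL owner name: octets reversed, then the zone."""
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."

def zone_records(addrs, day, zone=ZONE, ttl=3600):
    """A + TXT records per listed IP; 127.0.0.2 is the conventional 'listed' answer."""
    out = []
    for addr in addrs:
        name = rbl_name(addr, zone)
        out.append(f"{name} {ttl} IN A 127.0.0.2")
        out.append(f'{name} {ttl} IN TXT "spam/virus source seen {day.isoformat()}"')
    return out

if __name__ == "__main__":
    print("\n".join(zone_records(listed_ips(SAMPLE, TODAY, 3), TODAY)))
```

Regenerating the zone from only the current day's detections expires old listings, matching the nightly removal of blocks mentioned in the thread.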