Alpha of Milter-Spamtrap

Dennis Willson taz at taz-mania.com
Sat Dec 2 21:14:31 GMT 2006


It doesn't matter what domain it comes from. The blacklist is made up of 
the IP address of the sending mail server (which cannot be spoofed for a 
full TCP conversation needed to send mail), so the email would have to 
really come from their mail servers. Spoofing the from address is not an 
issue. If a machine sends an email to one of the honeypot addresses then 
the IP address of the sender is recorded. The sender would have to have 
and send to one of the honeypot addresses, so you should not give out 
the honeypot address to real people.
In addition, you can whitelist IP addresses or address ranges in CIDR 
format so even if they send to a honeypot email address they won't be 
blacklisted.

To get the honeypot addresses distributed you can:
    - Post useless posts to a usenet group using the honeypot email
      addresses
    - Put the email address on a webpage in such a way that normal people
      viewing the page can't read it, but spam bots can
    - Find some emails that have a "remove" form and give the honeypot
      email address to be removed (even though it isn't subscribed)
And there are other ways as well.



Damian Mendoza wrote:
> Hi,
>
> Sounds like a great approach, but how do you prevent aol, hotmail,
> geocities, yahoo mail, etc from getting into the blacklist as spam
> senders, as spam appears to come from these domains.
>
>
> Thanks,
>
> Damian
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Dennis
> Willson
> Sent: Thursday, November 30, 2006 10:50 PM
> To: mailscanner at lists.mailscanner.info; spamtools at lists.abuse.net
> Subject: OT: Alpha of Milter-Spamtrap
>
> I put an alpha version of milter-spamtrap up on sourceforge.
> http://sourceforge.net/projects/milter-spamtrap
>
> I will do more testing this weekend and upload a new version. If anyone 
> wants to download it and look it over that would be great.
> I am also looking for some input on something. Originally, I had thought
> you would have a choice as to only save the IP addresses in a file or 
> use the MySQL database or both. However, when I think back to when I did
> my dedicated spamtrap I hit about 1 million entries in a relatively 
> short time. I think that is way too many for text files. I think I 
> should keep the text files only for debug purposes, I think it would be 
> un-workable to have it read in a million IP addresses from a text file 
> on startup to do the blocking.
>
> Features:
>     - external editable text configuration file;
>     - whitelists by an IP address (CIDR notation)
>     - blocks servers that have previously sent Spam
>     - fast in-memory cache of blacklisted servers
>     - cache entries time-out after an hour so if they have been removed
>       from the database they will go away. If milter-spamtrap receives
>       another Spam from the same server, it will find it in the database
>       and place it in the cache for another hour (only works with MySQL
>       database support)
>     - optional MySQL database of blacklisted servers
>     - optional saving of Spam headers and/or body to show what caused the
>       offending server to be placed on the blacklist
>     - optional cron job to convert database entries to a BIND DNSBL zone
>       file so you can share your blacklist with others
>     - ability to mark an IP address as 'inactive' but not lose the listing
>       so that a history can be maintained (only available when logging to
>       a MySQL database)
>     - ability to have one or more individual email addresses defined as
>       honeypots
>     - ability to have one or more whole domains defined as honeypots
>     - optional extensive debug logging
>
>   
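
The decision logic described in this message (listing by connecting IP rather than From domain, the CIDR whitelist, and the one-hour cache backed by the database), as an added example that is not milter-spamtrap's own code. The class and method names, the sample addresses, the in-memory set standing in for MySQL, and the order of the checks are assumptions.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges, not real hosts).
HONEYPOT_ADDRS = {"trap@example.org"}        # individual honeypot addresses
HONEYPOT_DOMAINS = {"trap.example.net"}      # whole domains used as honeypots
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]
CACHE_TTL = 3600                             # cache entries time out after an hour


class SpamTrap:
    """Hypothetical model of the per-recipient decision; not the milter's API."""

    def __init__(self):
        self.db = set()     # stand-in for the persistent (MySQL) blacklist
        self.cache = {}     # connecting IP -> expiry time in seconds

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in WHITELIST)

    def _is_honeypot(self, rcpt):
        rcpt = rcpt.lower()
        return rcpt in HONEYPOT_ADDRS or rcpt.rpartition("@")[2] in HONEYPOT_DOMAINS

    def _listed(self, ip, now):
        if self.cache.get(ip, 0) > now:
            return True                       # fresh cache hit
        self.cache.pop(ip, None)              # expired or never cached
        if ip in self.db:                     # still in the database: re-cache
            self.cache[ip] = now + CACHE_TTL
            return True
        return False                          # removed from the database: gone

    def check(self, client_ip, mail_from, rcpt, now):
        """Return 'accept', 'reject' or 'trap'. mail_from is never consulted."""
        if self._whitelisted(client_ip):
            return "accept"                   # never listed, even on a trap hit
        if self._is_honeypot(rcpt):
            self.db.add(client_ip)            # record the connecting server
            self.cache[client_ip] = now + CACHE_TTL
            return "trap"
        return "reject" if self._listed(client_ip, now) else "accept"
```

Only the connecting IP and the recipient drive the result, so a forged aol.com or hotmail.com sender never lists those providers' servers.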

