<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE></TITLE>
<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV><SPAN class=348131909-18062004><FONT face=Arial color=#0000ff size=2>I did
modify Vispan to automatically update an RBL via DNS but dropped the idea. I
might still have the code somewhere.</FONT></SPAN></DIV>
<DIV><SPAN class=348131909-18062004><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=348131909-18062004>
<P><FONT face=Arial color=#000000
size=2>-----------------------------------------------------------------</FONT>
<BR><FONT face=Arial color=#000000 size=2>David While</FONT> <BR><FONT
face=Arial color=#000000 size=2>Technical Development Manager</FONT> <BR><FONT
face=Arial color=#000000 size=2>Faculty of Computing, Information &
English</FONT> <BR><FONT face=Arial color=#000000 size=2>University of Central
England</FONT> <BR><FONT face=Arial color=#000000 size=2>Tel: 0121 331
6211</FONT> <BR><FONT face=Arial color=#000000
size=2>-----------------------------------------------------------------</FONT>
</P></SPAN></DIV>
<BLOCKQUOTE>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> MailScanner mailing list
[mailto:MAILSCANNER@JISCMAIL.AC.UK]<B>On Behalf Of </B>shanna
leonard<BR><B>Sent:</B> 17 June 2004 22:42<BR><B>To:</B>
MAILSCANNER@JISCMAIL.AC.UK<BR><B>Subject:</B> Internal DNS rbl ? WAS: Re:
Automaticly getting the IP of a Virus Sender?<BR><BR></FONT></DIV>YES!<BR>With
the proliferation of noisy virues, autoblocking via IP (either on
server, in MTA, or firewall) is extremely appealing.<BR><BR>But I like the
idea of maintaining an internal DNS RBL instead of direct updates to access db
or firewall rules because we can then be very flexible in what we chose to do
with the "bad" IPs. (i.e. from RBL we could create firewall rules,
reject at MTA, etc) or add to spamassassin score, etc. <BR><BR>RBL would make
it easy to cooperate with others (via zone transfers?) and "share the
wealth"<BR><BR>So I am interested if anyone has integrated RBL updates into
the following code? or has other experience integrating RBL updates into
MailScanner.<BR><BR>1) vispan . I like the stats part of it, I am not sure how
it decides what to block(heuristics?), but it appears to block an IP based on
receipt of a (configurable number) of spams/viruses from that IP in a
day.<BR><BR>It does direct updates to sendmail access db. I also noticed
a bug that there was a problem under solaris w/ it?<BR><BR>2)Customconfig.pm
with IP Block in Mailscanner<BR><BR>It has a whitelist, good.
<BR><BR>It ratelimits based on # of messages (an hour?) . It appears to
be configurable based on source IP block (I.E accept 200 messages from a
particular source IP in an IPblock we expect legitimate mail from less from
others. This flexibility would be useful.<BR><BR> it updates
sendmail access db. I saw recent code posted which does update to
iptables?<BR><BR>3) I emailed to virbl<A class=moz-txt-link-freetext
href="http://virbl.bit.nl/">http://virbl.bit.nl/</A> - to get their code and
attempt a local RBL from it. their code works with amavis... has anyone else
tried to modify it to use Mailscanner?<BR><BR><BR><BR>Randal, Phil wrote:<BR>
<BLOCKQUOTE
cite=mid801403078973F243A6A74322E134AF500F2293@mail.herefordshire.gov.uk
type="cite"><PRE wrap="">Karl M. Joch wrote:
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">Hello,
I was looking to add a script to automaticly block IPs of
Virus senders in the firewall. Is there any way to run a
script when finding a Virus, or Spam, getting the sender IP
in a variable? All of our servers updates the firewall from a
central point and the blocks are removed every night. This
would help against mass mail viruses alot. I know this can be
dangerous when blocking some ISPs mail server but maybe this
helps that some ISPs blocks some traffic at their servers
too. Finally the ISP mail server will retry to send the
emails for a loger time, but mails from a workstation having
a virus are mostly sent direct and not queued somewhere which
will bring the traffic and the system load for virus scanning down.
</PRE></BLOCKQUOTE><PRE wrap=""><!---->
Vispan does this by blocking the virus sender's IP in your
Sendmail "access" file.
See <A class=moz-txt-link-freetext href="http://www.while.homeunix.net/mailstats/">http://www.while.homeunix.net/mailstats/</A>
Cheers,
Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to <A class=moz-txt-link-abbreviated href="mailto:jiscmail@jiscmail.ac.uk">jiscmail@jiscmail.ac.uk</A>
Before posting, please see the Most Asked Questions at
<A class=moz-txt-link-freetext href="http://www.mailscanner.biz/maq/">http://www.mailscanner.biz/maq/</A> and the archives at
<A class=moz-txt-link-freetext href="http://www.jiscmail.ac.uk/lists/mailscanner.html">http://www.jiscmail.ac.uk/lists/mailscanner.html</A>
</PRE></BLOCKQUOTE><BR><PRE class=moz-signature cols="82">--
----
MHO
---
shanna leonard
arizona health sciences library
626-2923
----------------------------------
</PRE>-------------------------- MailScanner list ----------------------<BR>To
leave, send leave mailscanner to <A
href="mailto:jiscmail@jiscmail.ac.uk">jiscmail@jiscmail.ac.uk</A><BR>Before
posting, please see the Most Asked Questions at<BR><A
href="http://www.mailscanner.biz/maq/">http://www.mailscanner.biz/maq/</A> and
the archives at<BR><A
href="http://www.jiscmail.ac.uk/lists/mailscanner.html">http://www.jiscmail.ac.uk/lists/mailscanner.html</A><BR></BLOCKQUOTE></BODY></HTML>
-------------------------- MailScanner list ----------------------<br>
To leave, send leave mailscanner to <a href="mailto:jiscmail@jiscmail.ac.uk">jiscmail@jiscmail.ac.uk</a><br>
Before posting, please see the Most Asked Questions at<br>
<a href="http://www.mailscanner.biz/maq/">http://www.mailscanner.biz/maq/</a> and the archives at<br>
<a href="http://www.jiscmail.ac.uk/lists/mailscanner.html">http://www.jiscmail.ac.uk/lists/mailscanner.html</a><br>