So, having been fed up with spam and virus mail again, pushing my monthly bandwidth up and over my 30GB/month purchased limit (which is supposed to be for web, not email!), I re-enabled my dynamic rolling block.
I block mail at several levels. Postfix lets me block mail during the SMTP handshake for senders whose domain has no A or MX record, and for delivery to addresses that are known spamtraps within the @stonehenge.com mail domain. Then the mail goes to amavis, which uses SpamAssassin to block mail that looks very spammy (I have the threshold set fairly high to avoid false positives). Then $user@stonehenge.com mail gets delivered to my procmailrc for sorting, where I do further checks for simple MyDoom and Sobig patterns, and finally I call clamscan looking for known virus payloads. Altogether, I've got about 10 log files being written in two different formats (/var/log/maillog syslog lines vs. RFC 822 headers).
But POE to the rescue: I set up tail watchers on all the various log files, extract the offending IP of the hop just before my box from each hit, and then issue simple pfctl commands to add and delete those addresses from a block list in my OpenBSD pf firewall. An address goes in, and two hours later it comes back out.
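The pipeline described in the two paragraphs above, as an added example that is not merlyn's POE code: it pulls the last-hop IP out of both log formats (a Postfix reject line from /var/log/maillog and the topmost Received: header of a delivered message), keeps a rolling table with a two-hour expiry, and produces the `pfctl -t … -T add|delete` commands. A plain function call stands in for POE's tail watchers; the table name `spammers`, the never-block ranges, and every sample line are assumptions or constructed input, not values from the post.

```python
"""Rolling pf block list fed by mail-log hits (added example, not the post's POE code)."""
import ipaddress
import re
import time

BLOCK_SECONDS = 2 * 60 * 60   # the post's window: in on first hit, out two hours later
TABLE = "spammers"            # assumed pf table name; the post does not name its table

# Postfix smtpd reject during the handshake (the A/MX and spamtrap checks), e.g.
#   "... NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 ..."
MAILLOG_RE = re.compile(r"reject: RCPT from \S+?\[([0-9.]+)\]")
# Topmost Received: header stamped by our own MTA (the RFC 822 side), e.g.
#   "Received: from helo (rdns [203.0.113.9]) by mail.stonehenge.com ..."
RECEIVED_RE = re.compile(r"^Received: from \S+ \([^()]*\[([0-9.]+)\]\) by ", re.M)

# Addresses that must never land in the table: the loopback that the amavis
# reinjection path uses, plus RFC 1918 space (assumed local-network ranges).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def offending_ip(line):
    """IP of the hop just before our box, or None if the line is not a hit
    or the address is one we refuse to block."""
    for rx in (MAILLOG_RE, RECEIVED_RE):
        m = rx.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:          # malformed octets, e.g. a truncated log line
            return None
        if any(addr in net for net in NEVER_BLOCK):
            return None
        return str(addr)
    return None


class BlockList:
    """Rolling block list: an address goes in on first sighting and comes back
    out BLOCK_SECONDS later. `run` is called with each pfctl argv; by default
    the commands are only recorded, so the class is safe to exercise offline."""

    def __init__(self, run=None, now=time.time):
        self.expiry = {}      # ip -> unix time at which the block is lifted
        self.commands = []    # every pfctl argv issued, for inspection
        self._run = run
        self.now = now

    def _pfctl(self, verb, ip):
        argv = ["pfctl", "-t", TABLE, "-T", verb, ip]
        self.commands.append(argv)
        if self._run:
            self._run(argv)

    def feed(self, line):
        """Handle one log line; returns the IP if it was newly blocked, else None."""
        ip = offending_ip(line)
        if ip is None or ip in self.expiry:   # not a hit, or already in the table
            return None
        self.expiry[ip] = self.now() + BLOCK_SECONDS
        self._pfctl("add", ip)
        return ip

    def expire(self):
        """Lift every block whose two hours are up; returns the IPs removed."""
        t = self.now()
        done = sorted(ip for ip, when in self.expiry.items() if when <= t)
        for ip in done:
            del self.expiry[ip]
            self._pfctl("delete", ip)
        return done


# Constructed sample input: four /var/log/maillog lines and one message header.
SAMPLE_LINES = [
    "Apr 26 17:46:53 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 450 4.1.8 <x@nxdomain.invalid>: Sender address "
    "rejected: Domain not found; from=<x@nxdomain.invalid> "
    "to=<user@stonehenge.com> proto=SMTP helo=<x>",
    "Apr 26 17:47:01 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 554 5.7.1 <spamtrap@stonehenge.com>: Recipient "
    "address rejected: Access denied; from=<x@nxdomain.invalid> "
    "to=<spamtrap@stonehenge.com> proto=SMTP helo=<x>",
    "Apr 26 17:47:05 mail postfix/smtpd[4250]: NOQUEUE: reject: RCPT from "
    "localhost[127.0.0.1]: 554 5.7.1 <spamtrap@stonehenge.com>: Recipient "
    "address rejected: Access denied; from=<y@example.org> "
    "to=<spamtrap@stonehenge.com> proto=ESMTP helo=<localhost>",
    "Apr 26 17:47:10 mail postfix/qmgr[4201]: 1A2B3C4D5E: removed",
    "Received: from oemcomputer (cpe-203-0-113-9.example.net [203.0.113.9]) "
    "by mail.stonehenge.com (Postfix) with SMTP id 1A2B3C4D5E "
    "for <user@stonehenge.com>; Mon, 26 Apr 2004 17:47:12 -0700",
]


def run_sample():
    """Replay the constructed lines against a fake clock.
    Returns (ips added, ips removed after two hours, every pfctl argv issued)."""
    clock = [1_082_998_013.0]       # fake "now"; any epoch value works
    bl = BlockList(now=lambda: clock[0])
    added = [ip for ip in map(bl.feed, SAMPLE_LINES) if ip]
    clock[0] += BLOCK_SECONDS + 1   # two hours and a second later
    removed = bl.expire()
    return added, removed, bl.commands


if __name__ == "__main__":
    for argv in run_sample()[2]:
        print(" ".join(argv))
```

Replaying the sample yields two `add` commands (the repeat hit from 198.51.100.7 is deduplicated and the loopback reinjection is skipped) and, once the fake clock passes two hours, the matching two `delete` commands. To apply the commands for real, construct `BlockList(run=lambda argv: subprocess.run(argv, check=True))` as root, have each tail watcher call `feed()` per new line and a timer call `expire()` every minute or so, and give pf.conf a persistent table and a rule that uses it (assumed names: `table <spammers> persist` and `block in quick from <spammers> to any`).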
At the moment, I have nearly 2000 addresses in my list that have assaulted me within the last two hours, and I get about 300 attempts a minute to reconnect. Using tcpdump with OpenBSD's passive fingerprinting, I can see that most of the blocked reattempts are repeated hits from Windows boxes on cable or DSL, very likely worm-infected machines that would be much better off recycled than online.
The result is that my load average has returned to sensible values, and my total bandwidth due to mail is back down to a reasonable 5GB/month average. Yeay!
Re:Bandwidth...
merlyn on 2004-04-26T17:46:53
For Postfix, I reject during the SMTP handshake, not bouncing it with checks later. Amavis doesn't bounce it either... we just swallow the spam. And I don't bounce anything from my procmail tests or clamscan tests. The only bounces I generate are $baduser@stonehenge.com (provided they aren't a spammed-to-death address).
The caveat is that there might be false positives. It's useful as an outright SMTP block, or at a place where you can return "try again later" to an incoming SMTP connection, but not at a point where you've already accepted the mail. You want a legit mailer to retry, but the bad guys' mailers will not.