Autoban on breaching spam delete threshold


Poll: Would you like this feature? Yes: 27 (96%), No: 1 (4%). Total votes: 28

Keba
Normal user
Posts: 126
Joined: 2009-04-11 11:43

Autoban on breaching spam delete threshold

Post by Keba » 2009-08-01 14:30

I'm getting a ton of spam attempts from the same IP's, where they try to spam multiple email addresses one after the other. When the different spam detection scores add up to the 'delete' threshold, all that happens is that email is rejected and the spammer tries again from the same IP to the next email address in their list from the domain they are targeting. Sometimes they try again to the same email, but by using a different random 'from' email. It all adds up to a ton of spam!

What I would like to do is be able to auto-ban the spammer IP's if they reach the delete threshold for a period of time (lets say 1 hour). Similar to the failed authentication auto-ban, but based on being detected as a spammer instead.

I believe this would severely reduce blacklist checks, which I'm sure their operators would appreciate...
Keba

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: Autoban on breaching spam delete threshold

Post by sheffters » 2009-08-01 15:26

Sounds good.

Would also need some way of stopping it banning things like Yahoo, Gmail etc. though. I could see it ending up blocking those sorts of services too if we're not careful.

S.

Keba
Normal user
Posts: 126
Joined: 2009-04-11 11:43

Re: Autoban on breaching spam delete threshold

Post by Keba » 2009-08-01 21:05

I've yet to see any spam hit my delete threshold when the emails are via gmail/yahoo etc. My main increases are based on spamhaus/spamcop and spf though. I've purposely left surbl type hits lower (which I believe would be the only thing gmail/yahoo could trigger). I'm very aggressive on spam as you will see, and I monitor it/do analysis regularly and have yet to find a false-positive.

I think if you keep spf/spamhaus/spamcop high and the rest low, then you should be fine on the gmail/yahoo/msn type addresses - might just be my experience though!

My current settings are:

mark: 5
delete: 50

spf: 50
helo != host: 1
no mx record: 5
verify dkim: 5

spamhaus: 50
spamcop: 50
surbl: 5

greylisting: 7 mins, 1 day, 60 days, bypass on spf enabled

Of the connections, on average 3% of all email is legit, around 95% is deleted, 2% let through and marked as spam. The delete percentage is sometimes 96% with 1% marked - depends on the spammers that week really, but I've never seen my legit email go over 3% sadly. One day the moronic spammers will stop targeting some of my domains with the random name addresses that have never existed. I live in hope for that day ;)
Keba

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: Autoban on breaching spam delete threshold

Post by sheffters » 2009-08-02 01:50

I live in hope for that day
haha ... wishful thinking! :)

I know it was a remote chance blocking gmail et al., but think it needs to be considered as the impact should it happen would be harsh. Low chance, yes, but still possible.

S.

Keba
Normal user
Posts: 126
Joined: 2009-04-11 11:43

Re: Autoban on breaching spam delete threshold

Post by Keba » 2009-08-02 10:22

sheffters wrote: I know it was a remote chance blocking gmail et al., but think it needs to be considered as the impact should it happen would be harsh. Low chance, yes, but still possible.

I've been working on the (probably invalid!) assumption that spamhaus and spamcop already ensure that they do not add services like hotmail/gmail/etc... SURBL does detect spam coming from those domains, but that's the main reason it's a low 'mark' score rather than a 'delete' score.

I've not been burned yet, so if the customers turn up with pitchforks, large stake and a ton of wood, I'll be sure to run really fast ;)
Keba

palekizoglou
New user
Posts: 1
Joined: 2010-01-26 12:39

Re: Autoban on breaching spam delete threshold

Post by palekizoglou » 2013-10-11 12:00

Hello,

HMS rocks, really. We have been running about 10 hm servers for years at many revisions (now still on 5.3.3) locally and as public servers with practically ZERO problems.

Coming back to this request...
These days more than ever we get connections that try to send mail to unknown users.
Blacklists capture them and reject them alright.
But they get back trying again and again for at least a day.
I presume then they (the spammers) drop the virtual they use and create a new one.
If an autoban spam threshold was triggered then the connections would not even initiate and the blacklists lookup would not happen and server resources would not get used.

The feature is of course always subject to the poll result and the developers' availability and courtesy.

Thank you.

Snorkasaurus
Normal user
Posts: 188
Joined: 2010-08-29 16:32
Location: Canada

Re: Autoban on breaching spam delete threshold

Post by Snorkasaurus » 2013-12-31 02:04

Keba wrote: I'm getting a ton of spam attempts from the same IP's
As long as we are necromancing posts... I'd like to see a feature something like this as well. For example:

Code:

"SMTPD" 3052 539 "2013-12-30 14:54:54.930" "212.143.81.62" "SENT: 220 mail.snork.ca ESMTP NO UCE WASSUP"
"SMTPD" 1668 539 "2013-12-30 14:54:55.101" "212.143.81.62" "RECEIVED: EHLO vpn.press-sense.com"
"SMTPD" 1668 539 "2013-12-30 14:54:55.101" "212.143.81.62" "SENT: 250-69-165-220-221.dsl.teksavvy.com[nl]250-SIZE 20480000[nl]250 AUTH LOGIN"
"SMTPD" 3608 539 "2013-12-30 14:54:55.273" "212.143.81.62" "RECEIVED: MAIL FROM: <marcianoes1@larkspurandhawk.com> BODY=7BIT"
"SMTPD" 3608 539 "2013-12-30 14:54:55.273" "212.143.81.62" "SENT: 250 OK"
"SMTPD" 2184 539 "2013-12-30 14:54:55.429" "212.143.81.62" "RECEIVED: RCPT TO:<doesnotexist@snork.ca>"
"SMTPD" 2184 539 "2013-12-30 14:54:55.476" "212.143.81.62" "SENT: 451 Please try again later." [ Greylisting Enabled ]
"SMTPD" 2184 539 "2013-12-30 14:54:55.476" "212.143.81.62" "SENT: 451 Please try again later."
"SMTPD" 3052 543 "2013-12-30 15:00:55.993" "212.143.81.62" "SENT: 220 mail.snork.ca ESMTP NO UCE WASSUP"
"SMTPD" 2184 543 "2013-12-30 15:00:56.164" "212.143.81.62" "RECEIVED: EHLO vpn.press-sense.com"
"SMTPD" 2184 543 "2013-12-30 15:00:56.164" "212.143.81.62" "SENT: 250-69-165-220-221.dsl.teksavvy.com[nl]250-SIZE 20480000[nl]250 AUTH LOGIN"
"SMTPD" 2184 543 "2013-12-30 15:00:56.320" "212.143.81.62" "RECEIVED: MAIL FROM: <mbga7@exami.net> BODY=7BIT"
"SMTPD" 2184 543 "2013-12-30 15:00:56.336" "212.143.81.62" "SENT: 250 OK"
"SMTPD" 1772 543 "2013-12-30 15:00:56.492" "212.143.81.62" "RECEIVED: RCPT TO:<doesnotexist@snork.ca>"
"SMTPD" 1772 543 "2013-12-30 15:00:56.539" "212.143.81.62" "SENT: 451 Please try again later." [ Greylisting Enabled ]
"SMTPD" 1772 543 "2013-12-30 15:00:56.539" "212.143.81.62" "SENT: 451 Please try again later."
"SMTPD" 3052 546 "2013-12-30 15:06:57.820" "212.143.81.62" "SENT: 220 mail.snork.ca ESMTP NO UCE WASSUP"
"SMTPD" 2320 546 "2013-12-30 15:06:57.976" "212.143.81.62" "RECEIVED: EHLO vpn.press-sense.com"
"SMTPD" 2320 546 "2013-12-30 15:06:57.976" "212.143.81.62" "SENT: 250-69-165-220-221.dsl.teksavvy.com[nl]250-SIZE 20480000[nl]250 AUTH LOGIN"
"SMTPD" 4428 546 "2013-12-30 15:06:58.147" "212.143.81.62" "RECEIVED: MAIL FROM: <chidingl4@semoinsurance.com> BODY=7BIT"
"SMTPD" 4428 546 "2013-12-30 15:06:58.147" "212.143.81.62" "SENT: 250 OK"
"SMTPD" 2184 546 "2013-12-30 15:06:58.303" "212.143.81.62" "RECEIVED: RCPT TO:<doesnotexist@snork.ca>"
"SMTPD" 2184 546 "2013-12-30 15:06:58.350" "212.143.81.62" "SENT: 451 Please try again later." [ Greylisting Enabled ]
"SMTPD" 2184 546 "2013-12-30 15:06:58.350" "212.143.81.62" "SENT: 451 Please try again later."
When this kind of thing happens I would like to just stop accepting connections from this IP address for a while. Unfortunately I don't think this will be a popular request because frankly most admins don't spend their days nosing through log files looking for this kind of garbage.

I see this kind of configuration setting as potentially useful in two different scenarios. First, if an IP is trying numerous TO: addresses [address harvesting] it would slow them down greatly. Second, if an IP is trying numerous FROM: addresses [trying to get past spam detection] it could help keep that spam from getting through without load on your spam detection software and could reduce overall bandwidth use (even if just a little). I think that either of these kinds of options could be useful:

Code:

If IP tries to send from X domains in Y minutes then ban for duration Z

Code:

If message is determined to be spam then ban originating IP for duration X
Google Apps shouldn't ever get flagged even though they may send for many domains, because they send from a very wide range of addresses (even minutes apart for the same message). A whitelist option (similar to what hMailServer has for greylisting) could be used to ensure that certain mail providers, webmail servers, and backup MX hosts are able to deliver mail even if a spam message slips through. In my logs I also see a lot of repeated attempts to deliver mail to addresses I don't have, so I would also like to see an option such as:

Code:

If IP tries to send mail to address@domain.com then ban for duration X
Anybody else have any thoughts they'd like to put forward?

S.
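The three rules sketched in the post above, run over log lines in the SMTPD layout quoted there, as an added example that is not code from this thread or from hMailServer: a per-IP sliding window that bans after X distinct MAIL FROM domains in Y minutes, after N distinct RCPT TO addresses in the same window, or on a single delivery attempt to a trap address, with a whitelist for the Gmail/Yahoo concern raised earlier. The sample log lines, IPs, domains, the trap address and the Policy/BanTracker names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the hMailServer SMTPD log layout quoted in the thread
# (documentation-range IPs and example domains, not real traffic).
SAMPLE_LOG = """\
"SMTPD" 3608 539 "2013-12-30 14:54:55.273" "192.0.2.10" "RECEIVED: MAIL FROM: <a1@one.example> BODY=7BIT"
"SMTPD" 2184 539 "2013-12-30 14:54:55.429" "192.0.2.10" "RECEIVED: RCPT TO:<user1@example.net>"
"SMTPD" 2184 539 "2013-12-30 14:54:55.476" "192.0.2.10" "SENT: 451 Please try again later." [ Greylisting Enabled ]
"SMTPD" 3052 543 "2013-12-30 15:00:55.993" "192.0.2.10" "RECEIVED: MAIL FROM: <b2@two.example> BODY=7BIT"
"SMTPD" 1772 543 "2013-12-30 15:00:56.492" "192.0.2.10" "RECEIVED: RCPT TO:<user2@example.net>"
"SMTPD" 4428 546 "2013-12-30 15:06:58.147" "192.0.2.10" "RECEIVED: MAIL FROM: <c3@three.example> BODY=7BIT"
"SMTPD" 2184 546 "2013-12-30 15:06:58.303" "192.0.2.10" "RECEIVED: RCPT TO:<user3@example.net>"
"SMTPD" 4100 550 "2013-12-30 15:07:10.000" "192.0.2.10" "RECEIVED: MAIL FROM: <d4@four.example> BODY=7BIT"
"SMTPD" 5000 551 "2013-12-30 15:08:00.000" "198.51.100.7" "RECEIVED: MAIL FROM: <x@one.example> BODY=7BIT"
"SMTPD" 5000 551 "2013-12-30 15:08:00.100" "198.51.100.7" "RECEIVED: MAIL FROM: <x@two.example> BODY=7BIT"
"SMTPD" 5000 551 "2013-12-30 15:08:00.200" "198.51.100.7" "RECEIVED: MAIL FROM: <x@three.example> BODY=7BIT"
"SMTPD" 6000 552 "2013-12-30 15:09:00.000" "203.0.113.5" "RECEIVED: MAIL FROM: <z@five.example> BODY=7BIT"
"SMTPD" 6000 552 "2013-12-30 15:09:00.300" "203.0.113.5" "RECEIVED: RCPT TO:<trap@example.net>"
"""

# Component, pid, session id, timestamp, client IP, message; a trailing "[ ... ]" annotation
# (as added by the poster to the 451 lines) is tolerated and ignored.
LINE_RE = re.compile(
    r'^"(?P<comp>[A-Z]+)"\s+\d+\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+'
    r'"(?P<ip>[^"]+)"\s+"(?P<msg>.*?)"(?:\s+\[[^\]]*\])?\s*$'
)
MAIL_FROM_RE = re.compile(r'^RECEIVED: MAIL FROM:\s*<[^@>]+@(?P<domain>[^>]+)>', re.I)
RCPT_TO_RE = re.compile(r'^RECEIVED: RCPT TO:\s*<(?P<addr>[^>]+)>', re.I)


def parse_line(line):
    """Split one SMTPD log line into (timestamp, ip, message); None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m or m.group("comp") != "SMTPD":
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("msg")


@dataclass
class Policy:
    window: timedelta = timedelta(minutes=15)      # Y in "X domains in Y minutes"
    max_sender_domains: int = 3                    # X: distinct MAIL FROM domains that trigger a ban
    max_recipients: int = 5                        # distinct RCPT TO addresses that trigger a ban
    ban_duration: timedelta = timedelta(hours=1)   # Z
    trap_addresses: frozenset = frozenset()        # "ban if IP sends to address@domain.com"
    whitelist: frozenset = frozenset()             # never ban these IPs (the Gmail/Yahoo concern)


class BanTracker:
    def __init__(self, policy):
        self.policy = policy
        self.events = defaultdict(deque)   # ip -> (timestamp, kind, value) inside the window
        self.bans = {}                     # ip -> (reason, expiry)
        self.blocked = []                  # (timestamp, ip) for lines seen while the IP was banned

    def observe(self, ts, ip, msg):
        """Feed one parsed line in time order; return the ban reason if this line trips a rule."""
        p = self.policy
        if ip in p.whitelist:
            return None
        if ip in self.bans and ts < self.bans[ip][1]:
            self.blocked.append((ts, ip))  # a live server would refuse the connection here
            return None
        ev = self.events[ip]
        while ev and ev[0][0] < ts - p.window:   # slide the window forward
            ev.popleft()
        if m := MAIL_FROM_RE.match(msg):
            ev.append((ts, "from", m.group("domain").lower()))
        elif m := RCPT_TO_RE.match(msg):
            ev.append((ts, "rcpt", m.group("addr").lower()))
        domains = {v for _, k, v in ev if k == "from"}
        rcpts = {v for _, k, v in ev if k == "rcpt"}
        reason = None
        if rcpts & p.trap_addresses:
            reason = "trap-address"
        elif len(domains) >= p.max_sender_domains:
            reason = "sender-domains"
        elif len(rcpts) >= p.max_recipients:
            reason = "recipient-harvest"
        if reason:
            self.bans[ip] = (reason, ts + p.ban_duration)
            ev.clear()
        return reason


def analyse(log_text, policy):
    """Replay a log excerpt through the tracker and return it for inspection."""
    tracker = BanTracker(policy)
    for line in log_text.splitlines():
        if rec := parse_line(line):
            tracker.observe(*rec)
    return tracker


if __name__ == "__main__":
    demo_policy = Policy(trap_addresses=frozenset({"trap@example.net"}),   # constructed trap address
                         whitelist=frozenset({"198.51.100.7"}))           # constructed trusted relay
    t = analyse(SAMPLE_LOG, demo_policy)
    for ip, (reason, until) in t.bans.items():
        print(f"ban {ip:14} {reason:17} until {until:%Y-%m-%d %H:%M:%S}")
```

With the defaults, 192.0.2.10 is banned on its third sender domain at 15:06:58 and its next two lines are counted as refused, 198.51.100.7 sends from three domains but is whitelisted, and 203.0.113.5 is banned the moment it addresses the trap mailbox. The window is keyed on the client IP only, so a busy shared relay that is not whitelisted will trip the domain rule quickly; that is exactly the false-positive risk sheffters raises, and the whitelist is the knob for it.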

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Autoban on breaching spam delete threshold

Post by percepts » 2013-12-31 02:49

Possibly better to use the following, just because hmail isn't a spam checker and relies on external products for that. What you are suggesting is the thin end of the wedge which would significantly change what hmail is all about.

http://www.magicvillage.de/~Fritz_Borgs ... -8000001C/

With greylisting, SPF checks, spamassassin/ASSP and dns/surbl lookups the vast majority of spam should be stopped.

Snorkasaurus
Normal user
Posts: 188
Joined: 2010-08-29 16:32
Location: Canada

Re: Autoban on breaching spam delete threshold

Post by Snorkasaurus » 2013-12-31 03:29

percepts wrote: Possibly better to use the following, just because hmail isn't a spam checker and relies on external products for that. What you are suggesting is the thin end of the wedge which would significantly change what hmail is all about.

http://www.magicvillage.de/~Fritz_Borgs ... -8000001C/

With greylisting, SPF checks, spamassassin/ASSP and dns/surbl lookups the vast majority of spam should be stopped.
Hey percepts,

I don't see the requested feature as being any more of a "spam checking mechanism" than greylisting, dnsbl, surbl, SPF, DKIM, autoban, etc. which are all currently supported natively by hMailServer. I certainly can't see the requested feature as changing what hMailServer is all about. Hell, there is an Anti-spam heading right in the GUI and the requested feature would only be a small part of hMailServer's current anti-spam abilities.

I tried ASSP some time ago and absolutely hated it... just my preference I guess.

Ultimately, greylisting and a default install of SpamAssassin would stop the vast majority of spam, but I don't think we should let that stop anyone from trying to improve hMailServer.

S.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Autoban on breaching spam delete threshold

Post by Bill48105 » 2013-12-31 04:05

Dang this request is OLD! Just glancing at this it looks like it smacks of using scripting.. I'm for adding some goodies that don't break RFC's or how email works if they are useful to enough people but it's tough to agree to do it if it can be done already using a little effort, such as with scripting & rules.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Snorkasaurus
Normal user
Posts: 188
Joined: 2010-08-29 16:32
Location: Canada

Re: Autoban on breaching spam delete threshold

Post by Snorkasaurus » 2013-12-31 04:17

Hey Bill,
Bill48105 wrote: Dang this request is OLD!
I do it 'cause I know it makes you happy. :-)
Bill48105 wrote: if it can be done already using a little effort, such as with scripting & rules
I admit that my scripting is about one notch down from awful, but I will fiddle with some script/rule stuff and see if I can accomplish something close to the above. This oughtta be good for a laugh.

S.

Bill48105
Developer
Posts: 6189
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Autoban on breaching spam delete threshold

Post by Bill48105 » 2013-12-31 04:23

Snorkasaurus wrote: Hey Bill,
Bill48105 wrote: Dang this request is OLD!
I do it 'cause I know it makes you happy. :-)
Bill48105 wrote: if it can be done already using a little effort, such as with scripting & rules
I admit that my scripting is about one notch down from awful, but I will fiddle with some script/rule stuff and see if I can accomplish something close to the above. This oughtta be good for a laugh.

S.
lol yeah is what I live for. :P
I'd take a look at this script:
http://www.hmailserver.com/forum/viewto ... 20&t=13824
I realize it's not the same thing but in a way it is. It tracks something over time & acts on it.
Bill

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Autoban on breaching spam delete threshold

Post by percepts » 2013-12-31 04:46

Just to be contradictory, I think this one would be a better guide.

A new table to log incoming emails, and then you would need to add a single read for each incoming mail: if found, then update and/or reject etc.; if not found, insert a new row for the IP etc.

Using the file system is slow as the file has to be opened, searched and closed for each mail, and the mail bombs you are trying to stop are possibly thousands of mails. DB access will be faster I think if it's properly indexed, as the whole record can be in the index, i.e. in memory.

http://www.hmailserver.com/forum/viewto ... 20&t=13890
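The read-then-update pattern percepts describes, with one row per client IP in an indexed table, as an added example that is not code from this thread, from the linked script or from hMailServer. It uses Python's sqlite3 so it runs stand-alone; the table and column names, the thresholds and the IPs are all constructed for the example. The `lookup_plan` helper asks SQLite for the query plan of the per-IP lookup, which is how you check that the primary key is actually used (a SEARCH) rather than the table being read end to end (a SCAN), which is the whole point of his "properly indexed" remark.

```python
import sqlite3

# Schema for the per-IP tracking table percepts suggests (names are assumptions, not hMailServer's).
SCHEMA = """
CREATE TABLE IF NOT EXISTS sender_activity (
    ip           TEXT PRIMARY KEY,   -- one row per client IP; the key gives the index for the lookup
    window_start INTEGER NOT NULL,   -- Unix time when the current counting window opened
    attempts     INTEGER NOT NULL,   -- rejected deliveries counted in this window
    banned_until INTEGER             -- Unix time the ban lapses; NULL when not banned
) WITHOUT ROWID;
"""


class ActivityStore:
    """Read-then-update per-IP counter backed by SQLite, instead of re-scanning a log file per mail."""

    def __init__(self, conn, window_s=600, threshold=5, ban_s=3600):
        self.conn = conn
        self.window_s, self.threshold, self.ban_s = window_s, threshold, ban_s
        conn.executescript(SCHEMA)

    def record_rejection(self, ip, now):
        """Count one rejected delivery from `ip` at Unix time `now`; return True if the IP is banned."""
        row = self.conn.execute(
            "SELECT window_start, attempts, banned_until FROM sender_activity WHERE ip = ?", (ip,)
        ).fetchone()
        if row is None:                       # first strike: one insert, no further work
            self.conn.execute("INSERT INTO sender_activity VALUES (?, ?, 1, NULL)", (ip, now))
            return False
        window_start, attempts, banned_until = row
        if banned_until is not None and now < banned_until:
            return True                       # still banned: refuse without any blacklist lookups
        if now - window_start > self.window_s:
            window_start, attempts = now, 0   # window lapsed: start counting afresh
        attempts += 1
        banned_until = now + self.ban_s if attempts >= self.threshold else None
        self.conn.execute(
            "UPDATE sender_activity SET window_start = ?, attempts = ?, banned_until = ? WHERE ip = ?",
            (window_start, attempts, banned_until, ip))
        return banned_until is not None

    def is_banned(self, ip, now):
        row = self.conn.execute(
            "SELECT banned_until FROM sender_activity WHERE ip = ?", (ip,)).fetchone()
        return row is not None and row[0] is not None and now < row[0]

    def lookup_plan(self):
        """SQLite's plan for the per-IP lookup; an indexed lookup reports SEARCH, a full read SCAN."""
        rows = self.conn.execute(
            "EXPLAIN QUERY PLAN SELECT attempts FROM sender_activity WHERE ip = ?", ("x",)).fetchall()
        return " | ".join(r[3] for r in rows)


def demo():
    """Constructed walk-through: three rejections a minute apart trip a threshold of 3."""
    store = ActivityStore(sqlite3.connect(":memory:"), window_s=600, threshold=3, ban_s=3600)
    t0 = 1388415295                            # arbitrary Unix time of the first rejection
    decisions = [store.record_rejection("192.0.2.10", t0 + 60 * i) for i in range(3)]
    return {
        "decisions": decisions,                                        # [False, False, True]
        "banned_now": store.is_banned("192.0.2.10", t0 + 130),
        "banned_later": store.is_banned("192.0.2.10", t0 + 120 + 3600),  # ban has lapsed
        "other_ip": store.record_rejection("198.51.100.7", t0 + 130),    # unrelated IP, first strike
        "plan": store.lookup_plan(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The window here is fixed from the first rejection rather than sliding, which keeps the row to three integers and the per-mail cost to one indexed read plus one write; the trade-off is that a sender who spreads attempts just past the window boundary resets the count. On a real deployment the counter would be fed from the point where hMailServer already decides to reject (the spam-score delete threshold or the unknown-recipient check), and the ban check would sit in front of the blacklist lookups so that banned clients cost no DNS queries at all.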

Snorkasaurus
Normal user
Posts: 188
Joined: 2010-08-29 16:32
Location: Canada

Re: Autoban on breaching spam delete threshold

Post by Snorkasaurus » 2014-08-28 03:35

Snorkasaurus wrote:

Code:

"SMTPD" 3052 539 "2013-12-30 14:54:54.930" "212.143.81.62" "SENT: 220 mail.snork.ca ESMTP NO UCE WASSUP"
"SMTPD" 3608 539 "2013-12-30 14:54:55.273" "212.143.81.62" "SENT: 250 OK"
"SMTPD" 2184 539 "2013-12-30 14:54:55.429" "212.143.81.62" "RECEIVED: RCPT TO:<doesnotexist@snork.ca>"
"SMTPD" 2184 539 "2013-12-30 14:54:55.476" "212.143.81.62" "SENT: 451 Please try again later." [ Greylisting Enabled ]
Awesome... Now I am getting pounded with attempts to deliver to this [completely fictional] email address. If nothing else, this should serve as a warning that spammers are scraping these forums for addresses, but are almost eight months behind on their scraping. LAWL!

S.
