New DNSBL designed for hMailServer

Forum for things that doesn't really have anything to do with hMailServer. Such as php.ini, beer, etc etc.
Post Reply
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-18 15:32

Greetings!

As anyone who manages an email service, I struggle against spammers. Since I started to use hMailServer, this task became much easier. Among the options I have tried, the amount of resources embedded on hMailServer to help decide if a message is legitimate has no match. However, when external information is needed, I found no suitable DNSBL to fulfil all subtlety hMailServer can provide. Most DNSBL only give a yes or no answer for a given IP. Moreover, one may need to cash negative DNS results in order to reduce bandwidth with DNSBL servers.
With those drawback in mind, two years ago I decided to build my own DNSBL from scratch. It has 7 levels of classification and always give a positive response.
Despite the fact it is still beta, I decided to open it to the public. So I am inviting those who wish to try it. More information on how to access the service is available at www.spamdonkey.com.

I hope you find it useful.

Eduardo
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-18 19:23

Love the name. How do you obtain IPs to score?

I just put it first in line of filters, but to send me a notification of what gets hit (not to reject - yet). Let's see how it works! :D
Top
User avatar
RvdH
Senior user
Senior user
Posts: 803
Joined: 2008-06-27 14:42
Location: Netherlands

Re: New DNSBL designed for hMailServer

Post by RvdH » 2019-07-19 00:16

I am a bit anxious to use it, as my own home private IP Address, whilst not on any blacklist, is listed as Level 5 in SpamDonkey :shock: :roll:

Wonder how this is scored?
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-19 00:19

Me too. So far all my hits have mirrored spamassassin.
Top
User avatar
RvdH
Senior user
Senior user
Posts: 803
Joined: 2008-06-27 14:42
Location: Netherlands

Re: New DNSBL designed for hMailServer

Post by RvdH » 2019-07-19 00:25

If anyone likes to give it a go from within SpamAssassin (i kept the scores very low, for testing purposes)

21_spamdonkey.cf

Code: Select all

ifplugin Mail::SpamAssassin::Plugin::DNSEval

	# SpamDonkey
	header		__RCVD_IN_SPAMDONKEY eval:check_rbl('spamdonkey-lastexternal','dnsbl.spamdonkey.com.')
	describe	__RCVD_IN_SPAMDONKEY Sender listed in SpamDonkey
	tflags		__RCVD_IN_SPAMDONKEY net	
	reuse  		__RCVD_IN_SPAMDONKEY
	
	# SpamDonkey Whitelist level
	# The IP belongs to a serious and recognised email service which provides person to person communication and do not allow mass mailing through its servers.
	header		RCVD_IN_SPAMDONKEY_WL eval:check_rbl_sub('spamdonkey-lastexternal', '126.0.0.0')
	describe	RCVD_IN_SPAMDONKEY_WL Sender listed in SpamDonkey Whitelist level
	tflags		RCVD_IN_SPAMDONKEY_WL nice net
	reuse  		RCVD_IN_SPAMDONKEY_WL
	score		RCVD_IN_SPAMDONKEY_WL 0 -1.0 0 -1.0 # please adjust the score value
	
	# SpamDonkey Clean level
	# It means either there is no data about it or it belongs to someone who does not send mass mailing.
	header		RCVD_IN_SPAMDONKEY_CL eval:check_rbl_sub('spamdonkey-lastexternal', '127.0.0.0')
	describe	RCVD_IN_SPAMDONKEY_CL Sender listed in SpamDonkey Clean level
	tflags		RCVD_IN_SPAMDONKEY_CL nice net
	reuse  		RCVD_IN_SPAMDONKEY_CL
	score		RCVD_IN_SPAMDONKEY_CL 0 -0.1 0 -0.1 # please adjust the score value
	 
	# SpamDonkey Level 1
	# There was some report of unsolicited mail coming from this IP, but it should be safe to deliver its messages. 
	# The IP has not a spotless reputation, however, there is not enough evidence to classify it as a spammer
	header		RCVD_IN_SPAMDONKEY_L1 eval:check_rbl_sub('spamdonkey-lastexternal', '127.0.0.1')
	describe	RCVD_IN_SPAMDONKEY_L1 Sender listed in SpamDonkey Level-1
	tflags		RCVD_IN_SPAMDONKEY_L1 net
	reuse  		RCVD_IN_SPAMDONKEY_L1
	score		RCVD_IN_SPAMDONKEY_L1 0 0.1 0 0.1 # please adjust the score value
	 
	# SpamDonkey Level 2
	# The IP belongs to a service which sends legitimate mass emails and take care about spammers operating on their servers. 
	# Their clients are asked to use their own lists of emails and the service does care about how those addresses have been obtained. 
	# Some unsolicited mail may come from this source, but not as a rule and its messages cannot be classified as spam by this criteria alone. 
	# Social media email falls under this classification to.
	header		RCVD_IN_SPAMDONKEY_L2 eval:check_rbl_sub('spamdonkey-lastexternal', '127.0.0.2')
	describe	RCVD_IN_SPAMDONKEY_L2 Sender listed in SpamDonkey Level-2
	tflags		RCVD_IN_SPAMDONKEY_L2 net
	reuse  		RCVD_IN_SPAMDONKEY_L2
	score		RCVD_IN_SPAMDONKEY_L2 0 0.25 0 0.25 # please adjust the score value
	
	# SpamDonkey Level 3
	# The IP belongs to a email marketing service that sends both solicited and unsolicited advertisement. 
	# It is a threshold for spam. You must decide what to do with this level, but we recommend send it to the spam folder
	header		RCVD_IN_SPAMDONKEY_L3 eval:check_rbl_sub('spamdonkey-lastexternal', '127.0.0.3')
	describe	RCVD_IN_SPAMDONKEY_L3 Sender listed in SpamDonkey Level-3
	tflags		RCVD_IN_SPAMDONKEY_L3 net
	reuse  		RCVD_IN_SPAMDONKEY_L3
	score		RCVD_IN_SPAMDONKEY_L3 0 0.5 0 0.5 # please adjust the score value
	
	# SpamDonkey Level 4
	# The IP belongs to a mass email service that send mostly unsolicited advertisement. 
	# Messages coming from it should go to spam folder.
	header		RCVD_IN_SPAMDONKEY_L4 eval:check_rbl_sub('spamdonkey-lastexternal', '127.0.0.4')
	describe	RCVD_IN_SPAMDONKEY_L4 Sender listed in SpamDonkey Level-4
	tflags		RCVD_IN_SPAMDONKEY_L4 net
	reuse  		RCVD_IN_SPAMDONKEY_L4
	score		RCVD_IN_SPAMDONKEY_L4 0 1.0 0 1.0 # please adjust the score value
	
	# SpamDonkey Level 5
	# This is not a legitimate service and anything coming from this IP should be discarded without concern.
	header		RCVD_IN_SPAMDONKEY_L5 eval:check_rbl_sub('spamdonkey-lastexternal', '127.0.0.5')
	describe	RCVD_IN_SPAMDONKEY_L5 Sender listed in SpamDonkey Level-5
	tflags		RCVD_IN_SPAMDONKEY_L5 net
	reuse  		RCVD_IN_SPAMDONKEY_L5
	score		RCVD_IN_SPAMDONKEY_L5 0 1.1 0 1.1 # please adjust the score value

endif
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-19 10:08

I moved SpamDonkey check to last in line of connection filters in OnHELO in EventHandlers.vbs to see if it picks up anything unique that wasn't already on spamhaus. So far i have one hit for 195.28.201.78 which is clean on spamhaus. I tested the IP using the smtp dialogue on mxtoolbox.com which reports it as being a possible open relay.

I think that's a good sign there is original content.

195.28.201.78 was listed on the following blacklists according to mxtoolbox.com:

BARRACUDA, Hostkarma Black, ivmSIP, LASHBACK

Edit - after banning to the firewall, 195.28.201.78 attempted to connect again 72 times so far according to the firewall log. Au revoir, les spammeurs de relay ouvrir!

http://hmsfirewallbandemo.ddns.net/sear ... SpamDonkey
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-19 11:22

RvdH wrote:
2019-07-19 00:16
 I am a bit anxious to use it, as my own home private IP Address, whilst not on any blacklist, is listed as Level 5 in SpamDonkey :shock: :roll:

Wonder how this is scored?
All home IPs are automatically blocked by SpamDonkey. During the development of the service I notice that most email containing viruses or phishing messages were sent from domestic connections. Serious ISPs block port 25 to home users.

Eduardo
Top
User avatar
RvdH
Senior user
Senior user
Posts: 803
Joined: 2008-06-27 14:42
Location: Netherlands

Re: New DNSBL designed for hMailServer

Post by RvdH » 2019-07-19 11:36

EduardoFoltran wrote:
2019-07-19 11:22
RvdH wrote:
2019-07-19 00:16
 I am a bit anxious to use it, as my own home private IP Address, whilst not on any blacklist, is listed as Level 5 in SpamDonkey :shock: :roll:

Wonder how this is scored?
All home IPs are automatically blocked by SpamDonkey. During the development of the service I notice that most email containing viruses or phishing messages were sent from domestic connections. Serious ISPs block port 25 to home users.

Eduardo
That is weird and a bit harsh because not all home IP's are spammers, I pay my ISP quitte a bit to have a static home IP and to be allowed to run my own mailserver.
As SpamDonkey scores me with the highest possible ranking i think it is useless for me... spamhaus at least has an option to get home IP's running servers off their PBL
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-19 12:16

palinka wrote:
2019-07-18 19:23
 Love the name. How do you obtain IPs to score?
As anyone, I have spamtraps. Other than that, I collect intelligence about the IP. I check the PTR record, look if it matches with DNS record, check for SPF record, check WHOIS to see how old the domain is, check for key words on the domain, check if there is a website on that domain and what it does, etc. It is a long list of criteria I developed during the last 2 years. Moreover, the queries my algorithm can’t handle are saved for manual verification.
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-19 12:44

RvdH wrote:
2019-07-19 11:36
 That is weird and a bit harsh because not all home IP's are spammers, I pay my ISP quitte a bit to have a static home IP and to be allowed to run my own mailserver.
As SpamDonkey scores me with the highest possible ranking i think it is useless for me... spamhaus at least has an option to get home IP's running servers off their PBL
I aim for the PTR record to identify a home connections. You will not be blocked if your PTR record matches your DNS. But if you are using your IPS PTR as your server name, I am sorry but you will be blocked.

Tell me your IP address. I will check it manually and tell why it was blocked.
Top
User avatar
SorenR
Senior user
Senior user
Posts: 3210
Joined: 2006-08-21 15:38
Location: Denmark

Re: New DNSBL designed for hMailServer

Post by SorenR » 2019-07-19 13:16

EDIT ... I am aparently way too slow writing stuff here :mrgreen:
RvdH wrote:
2019-07-19 11:36
 That is weird and a bit harsh because not all home IP's are spammers, I pay my ISP quitte a bit to have a static home IP and to be allowed to run my own mailserver.
As SpamDonkey scores me with the highest possible ranking i think it is useless for me... spamhaus at least has an option to get home IP's running servers off their PBL
Interesting ... I have the same type of home xDSL subscriber with static IP and custom rDNS.

Code: Select all

C:\WINDOWS>nslookup (x).72.51.87.dnsbl.spamdonkey.com
Server:  bigbrother.acme.inc
Address:  192.168.0.50

Non-authoritative answer:
Name:    (x).72.51.87.dnsbl.spamdonkey.com
Address:  127.0.0.1
Perhaps the fact that I have a different rDNS (my domain) from all the rest of the subscriber base ?

Code: Select all

C:\WINDOWS>nslookup (x+1).72.51.87.dnsbl.spamdonkey.com
Server:  bigbrother.acme.inc
Address:  192.168.0.50

Non-authoritative answer:
Name:    (x+1).72.51.87.dnsbl.spamdonkey.com
Address:  127.0.0.5

Code: Select all

C:\WINDOWS>nslookup 87.51.72.(x+1)
Server:  bigbrother.acme.inc
Address:  192.168.0.50

Name:    87-51-72-(x+1)-static.dk.customer.tdc.net
Address:  87.51.72.(x+1)
Anyways, I have a "yellow" status on SORBS (127.0.0.10). I once tried to delist myself from their DUHL. :roll:

http://multirbl.valli.org/
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-19 14:32

SorenR wrote:
2019-07-19 13:16
Perhaps the fact that I have a different rDNS (my domain) from all the rest of the subscriber base ?
Yep! If your rDNS is your own domain, you will not be listed.
Top
User avatar
RvdH
Senior user
Senior user
Posts: 803
Joined: 2008-06-27 14:42
Location: Netherlands

Re: New DNSBL designed for hMailServer

Post by RvdH » 2019-07-19 16:26

EduardoFoltran wrote:
2019-07-19 12:44
RvdH wrote:
2019-07-19 11:36
 That is weird and a bit harsh because not all home IP's are spammers, I pay my ISP quitte a bit to have a static home IP and to be allowed to run my own mailserver.
As SpamDonkey scores me with the highest possible ranking i think it is useless for me... spamhaus at least has an option to get home IP's running servers off their PBL
I aim for the PTR record to identify a home connections. You will not be blocked if your PTR record matches your DNS. But if you are using your IPS PTR as your server name, I am sorry but you will be blocked.

Tell me your IP address. I will check it manually and tell why it was blocked.
That should be the case then i think, my server sended EHLO/HELO matches my (ISP) PTR though (check my signature to get my real IP ;) )

MultiRBL.valli.org FCrDNS Test

Code: Select all

rDNS for IP 62.xxx.46.221	
xxx.speed.planet.nl
OK

IP Addresses (A or AAAA records) for xxx.speed.planet.nl	
62.XXX.46.221
OK

At least one IP address of the DNS lookup for xxx.speed.planet.nl matches the original IP	
OK
But how do you check it?
Do you take the domain & tld part from the received e-mail FROM header? Next lookup the A-record for that domain and then check if the PTR-records contains the domain name from the FROM header?
Wow, that i pretty strict...

Maybe you add an additional check if the Received header contains the PTR...and score lower if it does
This makes it little less strict but could be a nice addition for people like me bound to use ISP PTR ;)
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Top
User avatar
SorenR
Senior user
Senior user
Posts: 3210
Joined: 2006-08-21 15:38
Location: Denmark

Re: New DNSBL designed for hMailServer

Post by SorenR » 2019-07-19 17:14

It's all in the DNS, A-record must match PTR ... FCrDNS ...

Your HELO/EHLO greeting must be a FQDN that resolve via the MX record to your receiving domain - but that is for totally different reasons than the RBL.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-19 17:22

RvdH wrote:
2019-07-19 16:26
But how do you check it?
Do you take the domain & tld part from the received e-mail FROM header? Next lookup the A-record for that domain and then check if the PTR-records contains the domain name from the FROM header?
I don’t have access to what the client said on the EHLO or HELO, neither to the message itself. The only thing I have is the IP and a database with thousands of IPSs PTRs. If your PTR matches any of the of the PTRs on the database, the IP will be listed. This is only one of the criteria, but, as a rule of thumb, if your IP address appears on the PTR, you get at least level 3.

You should ask you IPS to change the PTR to a proper domain of yours with a matching DNS.
Top
User avatar
RvdH
Senior user
Senior user
Posts: 803
Joined: 2008-06-27 14:42
Location: Netherlands

Re: New DNSBL designed for hMailServer

Post by RvdH » 2019-07-19 18:10

EduardoFoltran wrote:
2019-07-19 17:22
 You should ask you IPS to change the PTR to a proper domain of yours with a matching DNS.
They won't...they only allow/do this for business accounts

SpamDonkey is pretty much worthless this way, as i get a maximum score off 5 (why 5 and not 3?)

...think i'll trash it right away
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-19 18:53

EduardoFoltran wrote:
2019-07-19 17:22
RvdH wrote:
2019-07-19 16:26
But how do you check it?
Do you take the domain & tld part from the received e-mail FROM header? Next lookup the A-record for that domain and then check if the PTR-records contains the domain name from the FROM header?
I don’t have access to what the client said on the EHLO or HELO, neither to the message itself. The only thing I have is the IP and a database with thousands of IPSs PTRs. If your PTR matches any of the of the PTRs on the database, the IP will be listed. This is only one of the criteria, but, as a rule of thumb, if your IP address appears on the PTR, you get at least level 3.

You should ask you IPS to change the PTR to a proper domain of yours with a matching DNS.
Exactly what are the scoring criteria?
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-19 19:09

RvdH wrote:
2019-07-19 18:10
They won't...they only allow/do this for business accounts
I believe is better to be safe than sorry. The vast majority of emails on my spam trap with ransomware, phishing and scams come from home computers infected with all sorts of malware. Here in Brazil most IPS block port 25 on domestic connections for that same reason. If you are trying to run a legitimate SMTP server from your home, at least get an IPS that provides you with a proper PTR or get a business connection, otherwise there is no way to differentiate you from a malware.

For those who wish to try SpamDonkey on hMailServer, this is the antispam configuration I am using. I also lowered the SpamAssassin spam threshold to 3.

Code: Select all


-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject: False    Verify DKIM:        True - 2    Use SA score:        True

  Spam delete threshold: 15         Maximum message size: 1024

DNSBL ENTRIES:
              dnsbl.spamdonkey.com      Score: 1     Result: 127.0.0.1
              dnsbl.spamdonkey.com      Score: 2     Result: 127.0.0.2
              dnsbl.spamdonkey.com      Score: 5     Result: 127.0.0.3
              dnsbl.spamdonkey.com      Score: 10    Result: 127.0.0.4
              dnsbl.spamdonkey.com      Score: 15    Result: 127.0.0.5

SURBL ENTRIES:
                   multi.surbl.org      Score: 6

GREYLISTING:
  Greylisting:   True       Defer mins: 5       Days Unused: 1      Days Used: 36
                            Bypass SPF: True     Bypass A/MX: Falso

Greylist WHITELIST ENTRIES:
   No entries
Top
User avatar
RvdH
Senior user
Senior user
Posts: 803
Joined: 2008-06-27 14:42
Location: Netherlands

Re: New DNSBL designed for hMailServer

Post by RvdH » 2019-07-19 19:17

EduardoFoltran wrote:
2019-07-19 19:09
 I believe is better to be safe than sorry. The vast majority of emails on my spam trap with ransomware, phishing and scams come from home computers infected with all sorts of malware. Here in Brazil most IPS block port 25 on domestic connections for that same reason. If you are trying to run a legitimate SMTP server from your home, at least get an IPS that provides you with a proper PTR or get a business connection, otherwise there is no way to differentiate you from a malware.
Every other DNSBL can :? :roll:
I can live with the fact that my IP scored a Level 3 value, but the maximum of Level 5 without ever sending out a single spam mail just ain't right

My ISP used to block port 25 as well, but no longer... guess it has something to do with all those IOT devices in almost every household nowadays
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-19 20:09

RvdH wrote:
2019-07-19 19:17
 My ISP used to block port 25 as well, but no longer... guess it has something to do with all those IOT devices in almost every household nowadays
IoT devices should communicate via MQTT, not SMTP on port 25.
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-20 13:49

EduardoFoltran wrote:
2019-07-19 20:09
RvdH wrote:
2019-07-19 19:17
 My ISP used to block port 25 as well, but no longer... guess it has something to do with all those IOT devices in almost every household nowadays
IoT devices should communicate via MQTT, not SMTP on port 25.
I still have this set up last in line of filters to notify me of SpamDonkey level 5 hits (without any action). It hit on a message from my domain provider, who is certainly reputable and not a spammer. A few other hits were questionable too, although I did not do any research into them. Not to mention RvdH's situation.

Would you please explain ALL of your listing criteria for each level? It does not appear to be available on your website. The only one we know of is if rDNS fails it goes straight to level 5.
127.0.0.4 - Level 4 - The IP belongs to a mass email service that send mostly unsolicited advertisement. Messages coming from it should go to spam folder.
127.0.0.5 - Level 5 - This is not a legitimate service and anything coming from this IP should be discarded without concern.
Level 4 is REJECT MESSAGE. Level 5 is REJECT CONNECTION. Neither the message I received from my domain provider nor their mail server should fit either of those levels, yet it hit on level 5. I think your listing criteria is far too aggressive for the levels you defined. If you want people to use it - and ESPECIALLY if you want people to pay for it - you need to build trust in your userbase, which so far you have failed.
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-20 15:07

palinka wrote:
2019-07-20 13:49
 Would you please explain ALL of your listing criteria for each level? It does not appear to be available on your website. The only one we know of is if rDNS fails it goes straight to level 5.
I can’t tell you ALL my listing criteria. Most of them are fails I identified on the way spammers behave and if I make it public they certainly will avoid such practices.

As I said I have been working on this project for the last two years and I am sure there is still work to be done. The main reason I posted the service here is to have feedback such as RvdH’s and yours.

Please, tell me in private what is your domain provider and I will check what happend.
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-20 15:29

EduardoFoltran wrote:
2019-07-20 15:07
palinka wrote:
2019-07-20 13:49
 Would you please explain ALL of your listing criteria for each level? It does not appear to be available on your website. The only one we know of is if rDNS fails it goes straight to level 5.
I can’t tell you ALL my listing criteria. Most of them are fails I identified on the way spammers behave and if I make it public they certainly will avoid such practices.

As I said I have been working on this project for the last two years and I am sure there is still work to be done. The main reason I posted the service here is to have feedback such as RvdH’s and yours.

Please, tell me in private what is your domain provider and I will check what happend.
SpamDonkey hit: 207.38.69.194 - mail.dynu.com - United States at 2019-07-20 07:32:02.299 Zulu.

Time included is USA EDT (New York)
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-20 15:55

palinka wrote:
2019-07-20 15:29
 SpamDonkey hit: 207.38.69.194 - mail.dynu.com - United States at 2019-07-20 07:32:02.299 Zulu.

Time included is USA EDT (New York)
Yep. It is dynamic IP domain provider. I have 30 IPs listed under this domain and all have also hits on my spam traps.

I cleaned their servers listed on the SPF record, but any server you have sitting on a dynamic IP will be blocked because this is something a spammer does.

A spammer will never put too much money on their scams. So, if want one of my criteria, it is money. Domains that are granted for free will be blocked.

On the other hand, if you have their paid service, with a proper domain of your own, you will be clean even on a dynamic IP. Unless you are unlucky enough to get a already listed IP on your next change. But it is true also to SpamHaus and Barracuda.
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-20 16:21

EduardoFoltran wrote:
2019-07-20 15:55
palinka wrote:
2019-07-20 15:29
 SpamDonkey hit: 207.38.69.194 - mail.dynu.com - United States at 2019-07-20 07:32:02.299 Zulu.

Time included is USA EDT (New York)
Yep. It is dynamic IP domain provider. I have 30 IPs listed under this domain and all have also hits on my spam traps.

I cleaned their servers listed on the SPF record, but any server you have sitting on a dynamic IP will be blocked because this is something a spammer does.

A spammer will never put too much money on their scams. So, if want one of my criteria, it is money. Domains that are granted for free will be blocked.

On the other hand, if you have their paid service, with a proper domain of your own, you will be clean even on a dynamic IP. Unless you are unlucky enough to get a already listed IP on your next change. But it is true also to SpamHaus and Barracuda.
Dynamic IPs don't get listed on spamhaus unless it's associated with spam. Except of course on the PBL, but that is a different return code which mail administrators can choose to use or not.

Your setup is based on a gradation of escalating rules. If you policy block at any level, i don't have the choice to turn that off. And that is why RvdH was blocked. His ip should never be listed in a REJECT CONNECTION level unless you have absolute proof that he is sending spam.

Level 5 should be equivalent to spamhaus snowshoe or UCE protect level 1. You should never include policy blocks in a REJECT CONNECTION level. Especially when there is something wrong with the rules that causes legitimate non-spammer, non-dynamic ip servers to be rejected.

If you still plan to use a gradation of rule sets, you need to make damned sure the highest level contains ONLY IPs known to have sent spam. In other words, listed IPs should actually match the level description on your website.

As it is i can't even use this for scoring, much less rejection.
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-20 17:40

palinka wrote:
2019-07-20 16:21
 Dynamic IPs don't get listed on spamhaus unless it's associated with spam. Except of course on the PBL, but that is a different return code which mail administrators can choose to use or not.
Well, you have a point there! I am not SpamHaus. SpamHaus is too soft and that is the reason I build SpamDonkey. If SpamHaus or Barracuda were efficient enough to block what I needed to be blocked, I would never spent two years of my life creating this algorithm.

SpamDonkey is harsh by design. It is intended to identify legitimate sourcers of personal messages and reject all the rest. If one is toying with a SMTP server built with a RaspBerry Pi and a cell phone it would not expect to be listed as “Clean” on SpamDonkey.
palinka wrote:
2019-07-20 16:21
 Your setup is based on a gradation of escalating rules. If you policy block at any level, i don't have the choice to turn that off. And that is why RvdH was blocked. His ip should never be listed in a REJECT CONNECTION level unless you have absolute proof that he is sending spam.
My setup is a suggestion. It is how I use the service I created and you are in no way obligated to agree with me. If you think my level 5 is not worth of rejection, don’t do it! You are the lord and master of your server.
palinka wrote:
2019-07-20 16:21
 Level 5 should be equivalent to spamhaus snowshoe or UCE protect level 1. You should never include policy blocks in a REJECT CONNECTION level. Especially when there is something wrong with the rules that causes legitimate non-spammer, non-dynamic ip servers to be rejected.
SpamDonkey is intended as a DNSBL for people who want do make business with emails. My levels are referred to “services”. Not people, services. It means I expect to find a company behind that IP address. If RvdH were using a proper business connection instead of a domestic one, his server would be clean from the beginning. So, if one is using dynamic IPs, domestic connections, domains that are granted for free, with no proper PTR and DNS settings, so I give it a rejection.

You may disagree with my criteria. You may conclude that SpamDonkey is not for you. However, I have 3 companies (not individuals, companies) and one ISP using SpamDonkey with good results, and that is encouraging.

Take care!

Eduardo
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-20 18:24

EduardoFoltran wrote:
2019-07-20 17:40
 You may disagree with my criteria. You may conclude that SpamDonkey is not for you. However, I have 3 companies (not individuals, companies) and one ISP using SpamDonkey with good results, and that is encouraging.

Take care!

Eduardo
Well, I hope I never have to send mail to any of those companies.

Code: Select all

C:\Users\User>nslookup 14.43.228.66.dnsbl.spamdonkey.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    14.43.228.66.dnsbl.spamdonkey.com
Address:  127.0.0.5
That's my relay, SMTP2GO. I'm on a residential IP which is why I use a relay. I'm not worried about my IP. I'm not on any blacklists except for policy lists, but my mail gets through to everywhere except mail servers that reject using Spamdonkey, apparently.

Good luck with your project. Too many false positives for me to use.
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-20 19:18

palinka wrote:
2019-07-20 18:24
 That's my relay, SMTP2GO. I'm on a residential IP which is why I use a relay. I'm not worried about my IP. I'm not on any blacklists except for policy lists, but my mail gets through to everywhere except mail servers that reject using Spamdonkey, apparently.
I recommend you to find a better relay service. The PTR of the IP 66.228.43.14 resolves to li324-14.members.linode.com, with has no connection with SMTP2GO. This IP is not even listed on the linode.com SPF record, which ends with a -all statement. That means this server, according to Linode’s policy, is not supposed to send emails.

palinka wrote:
2019-07-20 18:24
 Good luck with your project. Too many false positives for me to use.
Well, it is working as I designed it to do. If people don't care about properly configure email servers, that is not of my concern. The only way to stop spam from propagate so easily is to be harsh on those who could do a better job but are too reckless about it. If Linode says to me such server is not supposed to send emails, who should I listen to? You? SMTP2GO? I prefer listen to Linode and you should demand your relay service to do a better job instead of hit on me for pointing out that there is a problem there.

I rest my case.
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-20 20:31

My apologies. It appears I used the wrong IP address. :oops:

a1i600.smtp2go.com 43.228.186.88 is one of their relay IPs.

Name: 88.186.228.43.dnsbl.spamdonkey.com
Address: 127.0.0.2

Still too many false positives for me. Good luck.
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-20 20:38

palinka wrote:
2019-07-20 20:31
 My apologies. It appears I used the wrong IP address. :oops:

a1i600.smtp2go.com 43.228.186.88 is one of their relay IPs.

Name: 88.186.228.43.dnsbl.spamdonkey.com
Address: 127.0.0.2

Still too many false positives for me. Good luck.
This is not a false positive. SMTP2GO sends messages for third parts. It has the same level of MailChimp, MailGun and others of this kind.

127.0.0.2 - Level 2 - The IP belongs to a service which sends legitimate mass emails and take care about spammers operating on their servers. Their clients are asked to use their own lists of emails and the service does care about how those addresses have been obtained. Some unsolicited mail may come from this source, but not as a rule and its messages cannot be classified as spam by this criteria alone. Social media email falls under this classification to.
Top
palinka
Senior user
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: New DNSBL designed for hMailServer

Post by palinka » 2019-07-20 22:09

I know that particular example is not a false positive. In general there are too many false positives, such as my dynu example and RvdH's listing. And i know you're arguing that RvdH is not a false positive, but only in the narrowest sense according to your ruleset. If it flags a non spamming IP, the rest of the email world would consider that a false positive.
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-21 12:58

I know personally four more people who disagree with you. They are my users. What you call a false positive I call an early detection of a threat. If someone is sending emails using the same tools as spammers do, such as domestic connections and dynamic domain names, they are not to be taken seriously. Moreover, the case of dynu.com only shows how efficient my algorithm is in detecting dynamic IP domain providers.

This approach of wait someone start to sending spam before taking action does not work anymore. Spam traps are not fast enough and with services like ZeroBounce around, they are no longer efficient. I can understand most Europeans will disagree. They must wait someone kills Charlie Hebdo’s entire crew first and only then ask why are those people carrying machine guns. Well, I don’t.

I am not going to stop you to continue toying with email and SMTP servers. Go ahead and have fun! But do not expect me to consider such configuration a serious solution for a business proposition.
Top
User avatar
SorenR
Senior user
Senior user
Posts: 3210
Joined: 2006-08-21 15:38
Location: Denmark

Re: New DNSBL designed for hMailServer

Post by SorenR » 2019-07-23 14:27

Logged almost 24 hours. I have a private domain with 5 users and a quest together with NameCheap to eradicate .icu SPAM. So far we have chased them to Turkey where they stopped sending from .icu domains and is using a common domain with a full 255 IP Address allocation.
So far we have closed 1000+ domains and I will be sending a new batch of 192 domains shortly to be closed. For each domain we close they open a new :roll: but they still have to pay for the new domains :wink:

FYI. forum posts are limited to 60,000 characters.

There are a number of "Level 1" connections that I regard as SPAM from experience as do other RBL's and I see some "N/A"s where SpamDonkey did not return a value.

Anyways, some explanation:

Normal email received.
IP connect, IDS Add = OnClientConnect, IDS Delete = OnAcceptMessage.

Code: Select all

"--- Connect ---	45.65.125.243   	25 	- Level 1       	rDNS"
"IDS Add        	45.65.125.243"
"IDS Delete     	45.65.125.243"
"IDS BAN" means to many connects and no actual mail received (IDS Add with no immediate following IDS Delete). Limit is 3 connects in 180 minutes and no mail = BAN. Handler is run every 1 minute so sometimes additional concurrent connects are registered before the BAN is in place.

"DISCONNECT" means a forced dropped connection, no status code sent, no message sent. Usually the result of a BAN.

"GEOBlock" means someone outside The Danish Realm is trying to log on either IMAPS or SMTPS. Result is a BAN.

Normal email received via Backup-MX

Code: Select all

"--- Connect ---	80.160.77.99    	25 	- Clean level   	backup-mx1.post.tele.dk"
"IDS Add        	80.160.77.99"
"WList HELO     	80.160.77.99    	   	                	backup-mx.post.tele.dk"
"IDS Delete     	80.160.77.99"
Mail from banned sender via Backup-MX = Mail is rejected.
"isBanned", IP Address, Banned IP Address, HELO/EHLO greeting.

Code: Select all

"--- Connect ---	80.160.77.99    	25 	- Clean level   	backup-mx1.post.tele.dk"
"IDS Add        	80.160.77.99"
"WList HELO     	80.160.77.99    	   	                	backup-mx.post.tele.dk"
"IDS Delete     	80.160.77.99"
"isBanned       	80.160.77.99    	   	193.31.119.133  	storageindulge.icu"

Code: Select all

3872		"2019-07-22 16:13:57.628"	"--- Connect ---	175.29.177.126  	25 	- Level 5"
3872		"2019-07-22 16:13:57.628"	"IDS Add        	175.29.177.126"
3872		"2019-07-22 16:13:57.800"	"SnowShoe       	175.29.177.126"
1012		"2019-07-22 16:13:59.066"	"--- Connect ---	95.79.109.7     	25 	- Level 5       	95x79x109x7.static-business.nn.ertelecom.ru"
1012		"2019-07-22 16:13:59.066"	"IDS Add        	95.79.109.7"
1012		"2019-07-22 16:13:59.160"	"SnowShoe       	95.79.109.7"
1012		"2019-07-22 16:14:00.644"	"DISCONNECT     	95.79.109.7"
3872		"2019-07-22 16:14:00.644"	"DISCONNECT     	175.29.177.126"
3392		"2019-07-22 16:34:13.621"	"--- Connect ---	191.53.52.88    	465	- Level 5       	191-53-52-88.vze-wr.mastercabo.com.br"
3392		"2019-07-22 16:34:13.683"	"GEOBlock       	191.53.52.88    	   	                	SMTPS"
3392		"2019-07-22 16:34:15.167"	"DISCONNECT     	191.53.52.88"
1012		"2019-07-22 16:39:08.683"	"--- Connect ---	45.65.125.243   	25 	- Level 1       	h4yresearch.com"
1012		"2019-07-22 16:39:08.683"	"IDS Add        	45.65.125.243"
2176		"2019-07-22 16:40:23.804"	"IDS Delete     	45.65.125.243"
2176		"2019-07-22 16:40:23.820"	"SPAM/RBL/SURBL 	45.65.125.243   	   	                	Tagged as Spam by SpamAssassin - (Score: 3)"
1012		"2019-07-22 16:45:04.523"	"--- Connect ---	31.131.88.68    	25 	- Level 4       	pigeonbd.com"
1012		"2019-07-22 16:45:04.523"	"IDS Add        	31.131.88.68"
2176		"2019-07-22 16:46:21.726"	"IDS Delete     	31.131.88.68"
2176		"2019-07-22 16:46:21.742"	"SPAM/RBL/SURBL 	31.131.88.68    	   	                	Tagged as Spam by SpamAssassin - (Score: 7)"
1012		"2019-07-22 16:52:23.628"	"--- Connect ---	185.253.60.219  	25 	- Level 4       	mx8.auctionbins.com"
1012		"2019-07-22 16:52:23.644"	"IDS Add        	185.253.60.219"
2176		"2019-07-22 16:53:39.378"	"IDS Delete     	185.253.60.219"
2176		"2019-07-22 16:53:39.394"	"SPAM/RBL/SURBL 	185.253.60.219  	   	                	Tagged as Spam by SpamAssassin - (Score: 3)"
1012		"2019-07-22 16:56:02.628"	"--- Connect ---	5.189.183.138   	25 	- Level 2       	vmi74527.contabo.host"
1012		"2019-07-22 16:56:02.628"	"IDS Add        	5.189.183.138"
2176		"2019-07-22 16:57:16.707"	"IDS Delete     	5.189.183.138"
1012		"2019-07-22 17:02:26.421"	"--- Connect ---	186.211.248.214 	25 	- Level 5       	186-211-248-214.commcorp.net.br"
1012		"2019-07-22 17:02:26.421"	"IDS Add        	186.211.248.214"
1012		"2019-07-22 17:02:26.593"	"SnowShoe       	186.211.248.214"
1012		"2019-07-22 17:02:28.062"	"DISCONNECT     	186.211.248.214"
3872		"2019-07-22 17:02:30.156"	"--- Connect ---	67.198.99.60    	25 	- Level 5       	67-198-99-60.static.grandenetworks.net"
3872		"2019-07-22 17:02:30.156"	"IDS Add        	67.198.99.60"
3872		"2019-07-22 17:02:30.203"	"SnowShoe       	67.198.99.60"
3872		"2019-07-22 17:02:31.687"	"DISCONNECT     	67.198.99.60"
3872		"2019-07-22 17:21:58.382"	"--- Connect ---	91.227.208.6    	25 	- Level 3       	rs-6.mta.anpdm.com"
3872		"2019-07-22 17:21:58.382"	"IDS Add        	91.227.208.6"
3872		"2019-07-22 17:23:13.148"	"--- Connect ---	13.111.11.59    	25 	- Clean level   	mta3.hulumail.com"
3872		"2019-07-22 17:23:13.148"	"IDS Add        	13.111.11.59"
2176		"2019-07-22 17:23:14.210"	"IDS Delete     	91.227.208.6"
3392		"2019-07-22 17:23:57.210"	"--- Connect ---	186.232.14.81   	465	- Level 5       	186-232-14-81.indnet.com.br"
3392		"2019-07-22 17:23:57.273"	"GEOBlock       	186.232.14.81   	   	                	SMTPS"
3392		"2019-07-22 17:23:58.757"	"DISCONNECT     	186.232.14.81"
2176		"2019-07-22 17:24:28.976"	"IDS Delete     	13.111.11.59"
3872		"2019-07-22 17:30:30.566"	"--- Connect ---	128.199.63.243  	25 	- Level 3"
3872		"2019-07-22 17:30:30.585"	"IDS Add        	128.199.63.243"
2176		"2019-07-22 17:31:45.644"	"IDS Delete     	128.199.63.243"
2176		"2019-07-22 17:31:45.660"	"SPAM/RBL/SURBL 	128.199.63.243  	   	                	Tagged as Spam by SpamAssassin - (Score: 6)"
3392		"2019-07-22 17:38:12.972"	"--- Connect ---	162.243.150.92  	465	- Level 3       	zg-0403-70.stretchoid.com"
3392		"2019-07-22 17:38:13.035"	"GEOBlock       	162.243.150.92  	   	                	SMTPS"
3392		"2019-07-22 17:38:14.519"	"DISCONNECT     	162.243.150.92"
3392		"2019-07-22 17:45:52.062"	"--- Connect ---	168.228.150.96  	465	- Level 5"
3392		"2019-07-22 17:45:52.125"	"GEOBlock       	168.228.150.96  	   	                	SMTPS"
3392		"2019-07-22 17:45:53.609"	"DISCONNECT     	168.228.150.96"
3872		"2019-07-22 18:02:20.757"	"--- Connect ---	173.212.204.173 	25 	- Level 4       	ping0.clackamasbookkeeping.com"
3872		"2019-07-22 18:02:20.757"	"IDS Add        	173.212.204.173"
3872		"2019-07-22 18:03:10.539"	"--- Connect ---	193.31.119.99   	25 	- Level 2       	hostmaster.netbudur.com"
3872		"2019-07-22 18:03:10.539"	"IDS Add        	193.31.119.99"
1012		"2019-07-22 18:03:33.289"	"Reject HELO    	193.31.119.99   	   	                	usestar.icu"
1012		"2019-07-22 18:03:34.773"	"DISCONNECT     	193.31.119.99"
2176		"2019-07-22 18:03:36.664"	"IDS Delete     	173.212.204.173"
2176		"2019-07-22 18:03:36.679"	"SPAM/RBL/SURBL 	173.212.204.173 	   	                	RBL - Rejected by Spamhaus - (Score: 5)"
2176		"2019-07-22 18:03:36.679"	"SPAM/RBL/SURBL 	173.212.204.173 	   	                	Tagged as Spam by SpamAssassin - (Score: 10)"
3872		"2019-07-22 18:03:37.492"	"--- Connect ---	80.160.77.99    	25 	- Clean level   	backup-mx1.post.tele.dk"
3872		"2019-07-22 18:03:37.492"	"IDS Add        	80.160.77.99"
3872		"2019-07-22 18:03:37.523"	"WList HELO     	80.160.77.99    	   	                	backup-mx.post.tele.dk"
2176		"2019-07-22 18:03:50.023"	"IDS Delete     	80.160.77.99"
2176		"2019-07-22 18:03:50.039"	"isBanned       	80.160.77.99    	   	193.31.119.99   	usestar.icu"
3392		"2019-07-22 18:06:45.742"	"--- Connect ---	177.87.220.173  	465	- Level 5"
3392		"2019-07-22 18:06:45.804"	"GEOBlock       	177.87.220.173  	   	                	SMTPS"
3392		"2019-07-22 18:06:47.289"	"DISCONNECT     	177.87.220.173"
3872		"2019-07-22 18:07:59.476"	"--- Connect ---	218.4.239.146   	25 	- Level 5"
3872		"2019-07-22 18:07:59.476"	"IDS Add        	218.4.239.146"
3872		"2019-07-22 18:07:59.539"	"SnowShoe       	218.4.239.146"
3872		"2019-07-22 18:08:01.023"	"DISCONNECT     	218.4.239.146"
3872		"2019-07-22 18:09:46.632"	"--- Connect ---	195.98.77.53    	25 	- Level 5"
3872		"2019-07-22 18:09:46.632"	"IDS Add        	195.98.77.53"
3872		"2019-07-22 18:09:46.679"	"SnowShoe       	195.98.77.53"
3872		"2019-07-22 18:09:48.164"	"DISCONNECT     	195.98.77.53"
3872		"2019-07-22 18:10:29.554"	"--- Connect ---	108.174.3.196   	25 	- Level 2       	maile-ad.linkedin.com"
3872		"2019-07-22 18:10:29.554"	"IDS Add        	108.174.3.196"
2176		"2019-07-22 18:11:44.835"	"IDS Delete     	108.174.3.196"
3872		"2019-07-22 18:12:35.992"	"--- Connect ---	217.128.99.11   	25 	- Level 5       	lputeaux-657-1-69-11.w217-128.abo.wanadoo.fr"
3872		"2019-07-22 18:12:35.992"	"IDS Add        	217.128.99.11"
3872		"2019-07-22 18:12:36.085"	"SnowShoe       	217.128.99.11"
3872		"2019-07-22 18:12:37.570"	"DISCONNECT     	217.128.99.11"
3872		"2019-07-22 18:15:38.820"	"--- Connect ---	82.166.184.188  	25 	- Level 5"
3872		"2019-07-22 18:15:38.820"	"IDS Add        	82.166.184.188"
3424		"2019-07-22 18:15:43.507"	"--- Connect ---	5.189.183.138   	25 	- Level 2       	vmi74527.contabo.host"
3424		"2019-07-22 18:15:43.507"	"IDS Add        	5.189.183.138"
2176		"2019-07-22 18:16:57.484"	"IDS Delete     	5.189.183.138"
3392		"2019-07-22 18:28:42.671"	"--- Connect ---	177.23.73.70    	465	- Level 5       	177-23-73-70.interminas.com.br"
3392		"2019-07-22 18:28:42.734"	"GEOBlock       	177.23.73.70    	   	                	SMTPS"
3392		"2019-07-22 18:28:44.218"	"DISCONNECT     	177.23.73.70"
3424		"2019-07-22 18:36:38.742"	"--- Connect ---	204.232.178.184 	25 	- Clean level   	web1.valentus.com"
3424		"2019-07-22 18:36:38.742"	"IDS Add        	204.232.178.184"
2176		"2019-07-22 18:37:53.820"	"IDS Delete     	204.232.178.184"
3424		"2019-07-22 18:48:58.117"	"--- Connect ---	5.189.183.138   	25 	- Level 2       	vmi74527.contabo.host"
3424		"2019-07-22 18:48:58.132"	"IDS Add        	5.189.183.138"
3392		"2019-07-22 18:49:18.773"	"--- Connect ---	193.31.119.100  	25 	- Level 2       	hostmaster.netbudur.com"
3392		"2019-07-22 18:49:18.773"	"IDS Add        	193.31.119.100"
3424		"2019-07-22 18:49:39.820"	"Reject HELO    	193.31.119.100  	   	                	doughnew.icu"
3424		"2019-07-22 18:49:41.320"	"DISCONNECT     	193.31.119.100"
3392		"2019-07-22 18:49:44.617"	"--- Connect ---	80.160.77.115   	25 	- Clean level   	backup-mx2.post.tele.dk"
3392		"2019-07-22 18:49:44.632"	"IDS Add        	80.160.77.115"
3392		"2019-07-22 18:49:44.695"	"WList HELO     	80.160.77.115   	   	                	backup-mx.post.tele.dk"
2176		"2019-07-22 18:50:01.726"	"IDS Delete     	80.160.77.115"
2176		"2019-07-22 18:50:01.742"	"isBanned       	80.160.77.115   	   	193.31.119.100  	doughnew.icu"
2176		"2019-07-22 18:50:12.976"	"IDS Delete     	5.189.183.138"
3392		"2019-07-22 19:19:50.710"	"--- Connect ---	5.189.183.138   	25 	- Level 2       	vmi74527.contabo.host"
3392		"2019-07-22 19:19:50.710"	"IDS Add        	5.189.183.138"
2176		"2019-07-22 19:21:08.023"	"IDS Delete     	5.189.183.138"
3392		"2019-07-22 19:31:19.273"	"--- Connect ---	192.161.151.8   	25 	- Clean level   	outbyoip8.pod13.usw2.zdsys.com"
3392		"2019-07-22 19:31:19.273"	"IDS Add        	192.161.151.8"
2176		"2019-07-22 19:32:35.976"	"IDS Delete     	192.161.151.8"
3392		"2019-07-22 19:48:44.570"	"--- Connect ---	187.1.36.241    	465	- Level 5       	187.1.36.241.svt1.com.br"
3392		"2019-07-22 19:48:44.648"	"GEOBlock       	187.1.36.241    	   	                	SMTPS"
3392		"2019-07-22 19:48:46.132"	"DISCONNECT     	187.1.36.241"
3392		"2019-07-22 19:49:54.195"	"--- Connect ---	191.53.248.137  	465	- Level 5       	191-53-248-137.nvs-wr.mastercabo.com.br"
3392		"2019-07-22 19:49:54.273"	"GEOBlock       	191.53.248.137  	   	                	SMTPS"
3392		"2019-07-22 19:49:55.757"	"DISCONNECT     	191.53.248.137"
3392		"2019-07-22 19:57:02.218"	"--- Connect ---	198.46.135.194  	25 	- Level 1       	bdservice-alt3.bdeservices.com"
3392		"2019-07-22 19:57:02.218"	"IDS Add        	198.46.135.194"
2176		"2019-07-22 19:58:08.765"	"IDS Delete     	198.46.135.194"
2176		"2019-07-22 19:58:08.781"	"SPAM/RBL/SURBL 	198.46.135.194  	   	                	RBL - Rejected by Barracuda Reputation Block List - (Score: 5)"
2176		"2019-07-22 19:58:08.781"	"SPAM/RBL/SURBL 	198.46.135.194  	   	                	Tagged as Spam by SpamAssassin - (Score: 9)"
2176		"2019-07-22 19:58:08.781"	"SPAM/RBL/SURBL 	198.46.135.194  	   	                	URIBL - Rejected by Spamhaus - (Score: 5)"
3392		"2019-07-22 20:01:54.046"	"--- Connect ---	85.158.142.1    	25 	- Clean level   	mail1.bemta26.messagelabs.com"
3392		"2019-07-22 20:01:54.062"	"IDS Add        	85.158.142.1"
2176		"2019-07-22 20:03:02.406"	"IDS Delete     	85.158.142.1"
3392		"2019-07-22 20:11:12.750"	"--- Connect ---	193.31.119.102  	25 	- Level 2       	hostmaster.netbudur.com"
3392		"2019-07-22 20:11:12.750"	"IDS Add        	193.31.119.102"
3640		"2019-07-22 20:11:33.828"	"Reject HELO    	193.31.119.102  	   	                	vrimetap.icu"
3640		"2019-07-22 20:11:35.312"	"DISCONNECT     	193.31.119.102"
3392		"2019-07-22 20:11:35.765"	"--- Connect ---	80.160.77.99    	25 	- Clean level   	backup-mx1.post.tele.dk"
3392		"2019-07-22 20:11:35.765"	"IDS Add        	80.160.77.99"
3392		"2019-07-22 20:11:35.859"	"WList HELO     	80.160.77.99    	   	                	backup-mx.post.tele.dk"
2176		"2019-07-22 20:11:40.906"	"IDS Delete     	80.160.77.99"
2176		"2019-07-22 20:11:40.921"	"isBanned       	80.160.77.99    	   	193.31.119.102  	vrimetap.icu"
3392		"2019-07-22 20:18:47.148"	"--- Connect ---	200.23.235.111  	465	- Level 5"
3392		"2019-07-22 20:18:47.179"	"... GEOLookup  	200.23.235.111  	   	                	zz"
3392		"2019-07-22 20:18:47.195"	"IDS Add        	200.23.235.111"
3392		"2019-07-22 20:18:55.117"	"--- Connect ---	189.89.213.203  	465	- Level 5       	189-089-213-203.static.stratus.com.br"
3392		"2019-07-22 20:18:55.179"	"GEOBlock       	189.89.213.203  	   	                	SMTPS"
3392		"2019-07-22 20:18:56.664"	"DISCONNECT     	189.89.213.203"
3392		"2019-07-22 20:22:43.367"	"--- Connect ---	109.245.214.49  	25 	- Level 5       	net49-214-245-109.customer.telenor.rs"
3392		"2019-07-22 20:22:43.382"	"IDS Add        	109.245.214.49"
3392		"2019-07-22 20:22:43.851"	"SnowShoe       	109.245.214.49"
3392		"2019-07-22 20:22:45.335"	"DISCONNECT     	109.245.214.49"
3424		"2019-07-22 20:25:15.835"	"--- Connect ---	162.243.146.89  	993	- Level 3"
3424		"2019-07-22 20:25:15.851"	"GEOBlock       	162.243.146.89  	   	                	IMAPS"
3424		"2019-07-22 20:25:17.320"	"DISCONNECT     	162.243.146.89"
3392		"2019-07-22 20:26:45.460"	"--- Connect ---	103.194.242.254 	25 	- Level 5"
3392		"2019-07-22 20:26:45.460"	"IDS Add        	103.194.242.254"
3392		"2019-07-22 20:26:45.507"	"SnowShoe       	103.194.242.254"
3392		"2019-07-22 20:26:46.992"	"DISCONNECT     	103.194.242.254"
3392		"2019-07-22 20:31:06.882"	"--- Connect ---	177.74.182.192  	465	N/A"
3392		"2019-07-22 20:31:06.960"	"GEOBlock       	177.74.182.192  	   	                	SMTPS"
3872		"2019-07-22 20:31:08.007"	"--- Connect ---	168.228.149.223 	465	- Level 5"
3872		"2019-07-22 20:31:08.054"	"GEOBlock       	168.228.149.223 	   	                	SMTPS"
3392		"2019-07-22 20:31:09.539"	"DISCONNECT     	177.74.182.192"
3872		"2019-07-22 20:31:11.023"	"DISCONNECT     	168.228.149.223"
3392		"2019-07-22 20:54:38.726"	"--- Connect ---	78.196.158.50   	25 	- Level 3       	mhu85-1-78-196-158-50.fbx.proxad.net"
3392		"2019-07-22 20:54:38.726"	"IDS Add        	78.196.158.50"
3392		"2019-07-22 20:54:38.992"	"LashBack       	78.196.158.50"
3392		"2019-07-22 20:54:40.476"	"DISCONNECT     	78.196.158.50"
3392		"2019-07-22 20:57:33.023"	"--- Connect ---	177.125.163.46  	25 	- Level 5       	46-163-125-177.clickturbo.com.br"
3392		"2019-07-22 20:57:33.023"	"IDS Add        	177.125.163.46"
3392		"2019-07-22 20:57:33.914"	"SnowShoe       	177.125.163.46"
3392		"2019-07-22 20:57:35.398"	"DISCONNECT     	177.125.163.46"
3872		"2019-07-22 21:08:17.085"	"--- Connect ---	200.3.31.242    	465	- Level 5"
3872		"2019-07-22 21:08:17.148"	"GEOBlock       	200.3.31.242    	   	                	SMTPS"
3872		"2019-07-22 21:08:18.632"	"DISCONNECT     	200.3.31.242"
3392		"2019-07-22 21:16:16.750"	"--- Connect ---	201.20.82.102   	25 	- Level 5       	201-20-82-102.mobile.mobtelecom.com.br"
3392		"2019-07-22 21:16:16.765"	"IDS Add        	201.20.82.102"
3392		"2019-07-22 21:16:16.875"	"SnowShoe       	201.20.82.102"
3392		"2019-07-22 21:16:18.359"	"DISCONNECT     	201.20.82.102"
3872		"2019-07-22 21:16:20.265"	"--- Connect ---	138.94.193.44   	25 	- Level 5       	customer-138-94-193-44.agtnet.com.br"
3872		"2019-07-22 21:16:20.265"	"IDS Add        	138.94.193.44"
3872		"2019-07-22 21:16:20.328"	"SnowShoe       	138.94.193.44"
3872		"2019-07-22 21:16:21.812"	"DISCONNECT     	138.94.193.44"
3872		"2019-07-22 21:22:31.312"	"--- Connect ---	170.246.206.31  	465	- Level 5"
3872		"2019-07-22 21:22:31.406"	"GEOBlock       	170.246.206.31  	   	                	SMTPS"
3872		"2019-07-22 21:22:32.890"	"DISCONNECT     	170.246.206.31"
3872		"2019-07-22 21:56:05.609"	"--- Connect ---	77.40.92.215    	465	- Level 5       	215.92.pppoe.mari-el.ru"
3872		"2019-07-22 21:56:05.671"	"GEOBlock       	77.40.92.215    	   	                	SMTPS"
3872		"2019-07-22 21:56:07.171"	"DISCONNECT     	77.40.92.215"
3872		"2019-07-22 22:06:16.218"	"--- Connect ---	159.203.176.183 	25 	- Level 1"
3872		"2019-07-22 22:06:16.234"	"IDS Add        	159.203.176.183"
2176		"2019-07-22 22:07:22.875"	"IDS Delete     	159.203.176.183"
2176		"2019-07-22 22:07:22.890"	"SPAM/RBL/SURBL 	159.203.176.183 	   	                	RBL - Rejected by Barracuda Reputation Block List - (Score: 5)"
3872		"2019-07-22 22:26:17.226"	"--- Connect ---	80.160.77.115   	25 	- Clean level   	backup-mx2.post.tele.dk"
3872		"2019-07-22 22:26:17.226"	"IDS Add        	80.160.77.115"
3872		"2019-07-22 22:26:17.304"	"WList HELO     	80.160.77.115   	   	                	backup-mx.post.tele.dk"
2176		"2019-07-22 22:26:26.523"	"IDS Delete     	80.160.77.115"
2176		"2019-07-22 22:26:26.617"	"WList X-From   	69.171.232.142  	   	                	security@mail.instagram.com"
3872		"2019-07-22 22:36:41.687"	"--- Connect ---	213.142.157.136 	25 	- Level 1       	vpsnode14.webstudio28.com"
3872		"2019-07-22 22:36:41.687"	"IDS Add        	213.142.157.136"
2176		"2019-07-22 22:37:47.062"	"IDS Delete     	213.142.157.136"
2176		"2019-07-22 22:37:47.078"	"SPAM/RBL/SURBL 	213.142.157.136 	   	                	RBL - Rejected by Barracuda Reputation Block List - (Score: 5)"
2176		"2019-07-22 22:37:47.078"	"SPAM/RBL/SURBL 	213.142.157.136 	   	                	URIBL - Rejected by Spamhaus - (Score: 5)"
2176		"2019-07-22 22:37:47.078"	"SPAM/RBL/SURBL 	213.142.157.136 	   	                	RBL - Rejected by Spamhaus - (Score: 5)"
2176		"2019-07-22 22:37:47.078"	"SPAM/RBL/SURBL 	213.142.157.136 	   	                	URIBL - Rejected by SURBL - (Score: 5)"
2176		"2019-07-22 22:37:47.078"	"SPAM/RBL/SURBL 	213.142.157.136 	   	                	Tagged as Spam by SpamAssassin - (Score: 12)"
3872		"2019-07-22 22:41:48.171"	"--- Connect ---	187.109.56.117  	465	- Level 5       	187-109-56-117.agyonet.com.br"
3872		"2019-07-22 22:41:48.234"	"GEOBlock       	187.109.56.117  	   	                	SMTPS"
3872		"2019-07-22 22:41:49.718"	"DISCONNECT     	187.109.56.117"
3872		"2019-07-22 22:55:12.140"	"--- Connect ---	171.234.184.215 	25 	- Level 5       	dynamic-adsl.viettel.vn"
3872		"2019-07-22 22:55:12.140"	"IDS Add        	171.234.184.215"
3872		"2019-07-22 22:55:12.421"	"LashBack       	171.234.184.215"
3872		"2019-07-22 22:55:13.906"	"DISCONNECT     	171.234.184.215"
3872		"2019-07-22 23:01:02.710"	"--- Connect ---	191.53.19.238   	465	- Level 5       	191-53-19-238.vga-wr.mastercabo.com.br"
3872		"2019-07-22 23:01:02.789"	"GEOBlock       	191.53.19.238   	   	                	SMTPS"
3872		"2019-07-22 23:01:04.273"	"DISCONNECT     	191.53.19.238"
3872		"2019-07-22 23:11:20.382"	"--- Connect ---	131.221.48.86   	25 	- Level 5"
3872		"2019-07-22 23:11:20.382"	"IDS Add        	131.221.48.86"
3872		"2019-07-22 23:11:20.804"	"LashBack       	131.221.48.86"
3872		"2019-07-22 23:11:22.289"	"DISCONNECT     	131.221.48.86"
3872		"2019-07-22 23:14:31.632"	"--- Connect ---	191.53.193.137  	465	- Level 5       	191-53-193-137.dvl-wr.mastercabo.com.br"
3872		"2019-07-22 23:14:31.695"	"GEOBlock       	191.53.193.137  	   	                	SMTPS"
3872		"2019-07-22 23:14:33.179"	"DISCONNECT     	191.53.193.137"
3872		"2019-07-22 23:20:21.734"	"--- Connect ---	180.240.201.1   	25 	- Level 5       	core-idc.telin.co.id"
3872		"2019-07-22 23:20:21.734"	"IDS Add        	180.240.201.1"
3872		"2019-07-22 23:20:21.812"	"SnowShoe       	180.240.201.1"
3872		"2019-07-22 23:20:23.296"	"DISCONNECT     	180.240.201.1"
3392		"2019-07-22 23:20:26.484"	"--- Connect ---	103.106.32.226  	25 	- Level 5"
3392		"2019-07-22 23:20:26.500"	"IDS Add        	103.106.32.226"
3392		"2019-07-22 23:20:26.578"	"SnowShoe       	103.106.32.226"
3392		"2019-07-22 23:20:28.062"	"DISCONNECT     	103.106.32.226"
3392		"2019-07-22 23:33:16.187"	"--- Connect ---	193.31.119.105  	25 	- Level 2       	hostmaster.netbudur.com"
3392		"2019-07-22 23:33:16.187"	"IDS Add        	193.31.119.105"
3392		"2019-07-22 23:33:16.343"	"SnowShoe       	193.31.119.105"
3392		"2019-07-22 23:33:17.828"	"DISCONNECT     	193.31.119.105"
3392		"2019-07-22 23:42:03.851"	"--- Connect ---	213.142.157.138 	25 	- Level 1       	vpsnode14.webstudio28.com"
3392		"2019-07-22 23:42:03.867"	"IDS Add        	213.142.157.138"
2176		"2019-07-22 23:43:18.414"	"IDS Delete     	213.142.157.138"
2176		"2019-07-22 23:43:18.429"	"SPAM/RBL/SURBL 	213.142.157.138 	   	                	RBL - Rejected by Barracuda Reputation Block List - (Score: 5)"
2176		"2019-07-22 23:43:18.429"	"SPAM/RBL/SURBL 	213.142.157.138 	   	                	URIBL - Rejected by SURBL - (Score: 5)"
2176		"2019-07-22 23:43:18.429"	"SPAM/RBL/SURBL 	213.142.157.138 	   	                	Tagged as Spam by SpamAssassin - (Score: 9)"
3872		"2019-07-22 23:58:02.859"	"--- Connect ---	131.100.76.72   	465	- Level 5       	72-76-100-131.internetcentral.com.br"
3872		"2019-07-22 23:58:03.015"	"GEOBlock       	131.100.76.72   	   	                	SMTPS"
3872		"2019-07-22 23:58:04.507"	"DISCONNECT     	131.100.76.72"
2844		"2019-07-23 00:10:11.796"	"--- Connect ---	200.33.90.169   	465	- Level 5"
2844		"2019-07-23 00:10:11.874"	"GEOBlock       	200.33.90.169   	   	                	SMTPS"
2844		"2019-07-23 00:10:13.421"	"DISCONNECT     	200.33.90.169"
2844		"2019-07-23 00:20:57.057"	"--- Connect ---	168.228.151.76  	465	- Level 5"
2844		"2019-07-23 00:20:57.197"	"GEOBlock       	168.228.151.76  	   	                	SMTPS"
2844		"2019-07-23 00:20:58.682"	"DISCONNECT     	168.228.151.76"
3084		"2019-07-23 00:41:30.001"	"--- Connect ---	213.142.157.142 	25 	- Level 1       	vpsnode14.webstudio28.com"
3084		"2019-07-23 00:41:30.001"	"IDS Add        	213.142.157.142"
3208		"2019-07-23 00:42:42.111"	"IDS Delete     	213.142.157.142"
3208		"2019-07-23 00:42:42.126"	"SPAM/RBL/SURBL 	213.142.157.142 	   	                	RBL - Rejected by Barracuda Reputation Block List - (Score: 5)"
3208		"2019-07-23 00:42:42.126"	"SPAM/RBL/SURBL 	213.142.157.142 	   	                	URIBL - Rejected by SURBL - (Score: 5)"
3208		"2019-07-23 00:42:42.126"	"SPAM/RBL/SURBL 	213.142.157.142 	   	                	Tagged as Spam by SpamAssassin - (Score: 8)"
3084		"2019-07-23 00:43:15.111"	"--- Connect ---	37.49.230.178   	25 	- Level 5"
3084		"2019-07-23 00:43:15.111"	"IDS Add        	37.49.230.178"
3084		"2019-07-23 00:51:47.388"	"--- Connect ---	185.177.8.3     	25 	- Level 5       	host-185-177-8-3.netiq.sk"
3084		"2019-07-23 00:51:47.388"	"IDS Add        	185.177.8.3"
3084		"2019-07-23 00:51:47.451"	"SnowShoe       	185.177.8.3"
2420		"2019-07-23 00:51:48.467"	"--- Connect ---	95.169.213.76   	25 	- Level 5"
2420		"2019-07-23 00:51:48.467"	"IDS Add        	95.169.213.76"
2420		"2019-07-23 00:51:48.530"	"SnowShoe       	95.169.213.76"
3084		"2019-07-23 00:51:50.013"	"DISCONNECT     	185.177.8.3"
2420		"2019-07-23 00:51:51.499"	"DISCONNECT     	95.169.213.76"
2420		"2019-07-23 00:53:15.842"	"--- Connect ---	193.31.119.107  	25 	- Level 2       	hostmaster.netbudur.com"
2420		"2019-07-23 00:53:15.842"	"IDS Add        	193.31.119.107"
2420		"2019-07-23 00:53:36.810"	"Reject HELO    	193.31.119.107  	   	                	fortunereptile.icu"
2420		"2019-07-23 00:53:38.294"	"DISCONNECT     	193.31.119.107"
2420		"2019-07-23 00:53:40.387"	"--- Connect ---	80.160.77.99    	25 	- Clean level   	backup-mx1.post.tele.dk"
2420		"2019-07-23 00:53:40.387"	"IDS Add        	80.160.77.99"
2420		"2019-07-23 00:53:40.467"	"WList HELO     	80.160.77.99    	   	                	backup-mx.post.tele.dk"
3208		"2019-07-23 00:53:46.060"	"IDS Delete     	80.160.77.99"
3208		"2019-07-23 00:53:46.092"	"isBanned       	80.160.77.99    	   	193.31.119.107  	fortunereptile.icu"
2420		"2019-07-23 00:56:42.872"	"--- Connect ---	1.69.2.22       	25 	- Level 5"
2420		"2019-07-23 00:56:42.872"	"IDS Add        	1.69.2.22"
2420		"2019-07-23 00:56:42.903"	"SnowShoe       	1.69.2.22"
2420		"2019-07-23 00:56:44.386"	"DISCONNECT     	1.69.2.22"
2420		"2019-07-23 01:13:39.255"	"--- Connect ---	37.49.230.178   	25 	- Level 5"
2420		"2019-07-23 01:13:39.270"	"IDS Add        	37.49.230.178"
2844		"2019-07-23 01:41:00.761"	"--- Connect ---	191.53.194.167  	465	- Level 5       	191-53-194-167.dvl-wr.mastercabo.com.br"
2844		"2019-07-23 01:41:00.854"	"GEOBlock       	191.53.194.167  	   	                	SMTPS"
2844		"2019-07-23 01:41:02.338"	"DISCONNECT     	191.53.194.167"
2420		"2019-07-23 01:43:19.557"	"--- Connect ---	37.49.230.178   	25 	- Level 5"
2420		"2019-07-23 01:43:19.571"	"IDS Add        	37.49.230.178"
4000		"2019-07-23 01:44:00.321"	"IDS BAN        	37.49.230.178"
2420		"2019-07-23 01:47:14.086"	"--- Connect ---	185.82.65.153   	25 	- Level 5"
2420		"2019-07-23 01:47:14.102"	"IDS Add        	185.82.65.153"
2420		"2019-07-23 01:47:14.148"	"SnowShoe       	185.82.65.153"
2420		"2019-07-23 01:47:15.632"	"DISCONNECT     	185.82.65.153"
2420		"2019-07-23 01:59:18.769"	"--- Connect ---	85.93.252.55    	25 	- Level 5       	252-55.neasonline.no"
2420		"2019-07-23 01:59:18.769"	"IDS Add        	85.93.252.55"
2420		"2019-07-23 01:59:18.878"	"SnowShoe       	85.93.252.55"
2420		"2019-07-23 01:59:20.362"	"DISCONNECT     	85.93.252.55"
3076		"2019-07-23 01:59:22.098"	"--- Connect ---	177.124.102.135 	25 	- Level 5       	177-124-102-135.provedordigitalnet.net.br"
3076		"2019-07-23 01:59:22.098"	"IDS Add        	177.124.102.135"
3076		"2019-07-23 01:59:22.190"	"SnowShoe       	177.124.102.135"
3076		"2019-07-23 01:59:23.675"	"DISCONNECT     	177.124.102.135"
2844		"2019-07-23 02:02:50.923"	"--- Connect ---	143.208.248.74  	465	- Level 5       	74.248.208.143.radiustelecomunicacoes.com.br"
2844		"2019-07-23 02:02:51.034"	"GEOBlock       	143.208.248.74  	   	                	SMTPS"
2844		"2019-07-23 02:02:52.518"	"DISCONNECT     	143.208.248.74"
3076		"2019-07-23 02:06:52.142"	"--- Connect ---	103.194.89.214  	25 	- Level 5"
3076		"2019-07-23 02:06:52.157"	"IDS Add        	103.194.89.214"
3076		"2019-07-23 02:06:52.204"	"SnowShoe       	103.194.89.214"
3076		"2019-07-23 02:06:53.687"	"DISCONNECT     	103.194.89.214"
3076		"2019-07-23 02:07:14.062"	"--- Connect ---	119.76.190.126  	25 	- Level 5       	ppp-119-76-190-126.revip17.asianet.co.th"
3076		"2019-07-23 02:07:14.062"	"IDS Add        	119.76.190.126"
3076		"2019-07-23 02:07:14.157"	"SnowShoe       	119.76.190.126"
3076		"2019-07-23 02:07:15.641"	"DISCONNECT     	119.76.190.126"
3720		"2019-07-23 02:07:16.657"	"--- Connect ---	139.255.113.243 	25 	- Level 5       	ln-static-139-255-113-243.link.net.id"
3720		"2019-07-23 02:07:16.672"	"IDS Add        	139.255.113.243"
3720		"2019-07-23 02:07:16.734"	"SnowShoe       	139.255.113.243"
3720		"2019-07-23 02:07:18.220"	"DISCONNECT     	139.255.113.243"
3720		"2019-07-23 02:08:11.234"	"--- Connect ---	193.31.119.108  	25 	- Level 2       	hostmaster.netbudur.com"
3720		"2019-07-23 02:08:11.234"	"IDS Add        	193.31.119.108"
2844		"2019-07-23 02:08:32.157"	"Reject HELO    	193.31.119.108  	   	                	depositunaware.icu"
2844		"2019-07-23 02:08:33.641"	"DISCONNECT     	193.31.119.108"
3720		"2019-07-23 02:08:36.907"	"--- Connect ---	80.160.77.99    	25 	- Clean level   	backup-mx1.post.tele.dk"
3720		"2019-07-23 02:08:36.921"	"IDS Add        	80.160.77.99"
3720		"2019-07-23 02:08:37.000"	"WList HELO     	80.160.77.99    	   	                	backup-mx.post.tele.dk"
3208		"2019-07-23 02:08:41.655"	"IDS Delete     	80.160.77.99"
3208		"2019-07-23 02:08:41.687"	"isBanned       	80.160.77.99    	   	193.31.119.108  	depositunaware.icu"
3720		"2019-07-23 02:14:18.341"	"--- Connect ---	177.73.107.174  	25 	- Level 5"
3720		"2019-07-23 02:14:18.356"	"IDS Add        	177.73.107.174"
3720		"2019-07-23 02:14:18.419"	"SnowShoe       	177.73.107.174"
3720		"2019-07-23 02:14:19.903"	"DISCONNECT     	177.73.107.174"
3720		"2019-07-23 02:33:32.302"	"--- Connect ---	91.112.99.78    	25 	- Level 5"
3720		"2019-07-23 02:33:32.302"	"IDS Add        	91.112.99.78"
3720		"2019-07-23 02:33:32.380"	"SnowShoe       	91.112.99.78"
3720		"2019-07-23 02:33:33.866"	"DISCONNECT     	91.112.99.78"
2844		"2019-07-23 02:41:24.471"	"--- Connect ---	191.53.250.150  	465	- Level 5       	191-53-250-150.nvs-wr.mastercabo.com.br"
2844		"2019-07-23 02:41:24.549"	"GEOBlock       	191.53.250.150  	   	                	SMTPS"
2844		"2019-07-23 02:41:26.035"	"DISCONNECT     	191.53.250.150"
3720		"2019-07-23 02:55:18.576"	"--- Connect ---	193.31.119.130  	25 	- Level 2       	hostmaster.netbudur.com"
3720		"2019-07-23 02:55:18.576"	"IDS Add        	193.31.119.130"
3720		"2019-07-23 02:55:39.779"	"Reject HELO    	193.31.119.130  	   	                	delivervoucher.icu"
3720		"2019-07-23 02:55:41.248"	"DISCONNECT     	193.31.119.130"
3720		"2019-07-23 02:55:45.466"	"--- Connect ---	80.160.77.115   	25 	- Clean level   	backup-mx2.post.tele.dk"
3720		"2019-07-23 02:55:45.482"	"IDS Add        	80.160.77.115"
3720		"2019-07-23 02:55:45.512"	"WList HELO     	80.160.77.115   	   	                	backup-mx.post.tele.dk"
3208		"2019-07-23 02:55:48.951"	"IDS Delete     	80.160.77.115"
3208		"2019-07-23 02:55:48.966"	"isBanned       	80.160.77.115   	   	193.31.119.130  	delivervoucher.icu"
2844		"2019-07-23 03:12:58.038"	"--- Connect ---	191.53.239.186  	465	- Level 5       	191-53-239-186.ptu-wr.mastercabo.com.br"
2844		"2019-07-23 03:12:58.116"	"GEOBlock       	191.53.239.186  	   	                	SMTPS"
2844		"2019-07-23 03:12:59.600"	"DISCONNECT     	191.53.239.186"
3720		"2019-07-23 03:28:25.422"	"--- Connect ---	106.75.106.221  	25 	- Level 5"
3720		"2019-07-23 03:28:25.422"	"IDS Add        	106.75.106.221"
2844		"2019-07-23 03:28:32.890"	"--- Connect ---	106.75.106.221  	25 	- Level 5"
2844		"2019-07-23 03:28:32.890"	"IDS Add        	106.75.106.221"
3084		"2019-07-23 03:28:38.672"	"--- Connect ---	106.75.106.221  	25 	- Level 5"
3084		"2019-07-23 03:28:38.672"	"IDS Add        	106.75.106.221"
3076		"2019-07-23 03:28:46.657"	"--- Connect ---	106.75.106.221  	25 	- Level 5"
3076		"2019-07-23 03:28:46.657"	"IDS Add        	106.75.106.221"
2420		"2019-07-23 03:28:54.422"	"--- Connect ---	106.75.106.221  	25 	- Level 5"
2420		"2019-07-23 03:28:54.438"	"IDS Add        	106.75.106.221"
3716		"2019-07-23 03:29:00.360"	"IDS BAN        	106.75.106.221"
2844		"2019-07-23 03:44:59.353"	"--- Connect ---	177.129.206.114 	465	- Level 5"
2844		"2019-07-23 03:44:59.448"	"GEOBlock       	177.129.206.114 	   	                	SMTPS"
2844		"2019-07-23 03:45:00.931"	"DISCONNECT     	177.129.206.114"
2420		"2019-07-23 03:58:18.646"	"--- Connect ---	193.31.119.131  	25 	- Level 2       	hostmaster.netbudur.com"
2420		"2019-07-23 03:58:18.646"	"IDS Add        	193.31.119.131"
2420		"2019-07-23 03:58:39.676"	"Reject HELO    	193.31.119.131  	   	                	quarterwarrant.icu"
2420		"2019-07-23 03:58:41.161"	"DISCONNECT     	193.31.119.131"
2420		"2019-07-23 03:58:41.411"	"--- Connect ---	80.160.77.115   	25 	- Clean level   	backup-mx2.post.tele.dk"
2420		"2019-07-23 03:58:41.426"	"IDS Add        	80.160.77.115"
2420		"2019-07-23 03:58:41.458"	"WList HELO     	80.160.77.115   	   	                	backup-mx.post.tele.dk"
3208		"2019-07-23 03:58:44.411"	"IDS Delete     	80.160.77.115"
3208		"2019-07-23 03:58:44.458"	"isBanned       	80.160.77.115   	   	193.31.119.131  	quarterwarrant.icu"
2844		"2019-07-23 04:04:04.815"	"--- Connect ---	177.38.4.103    	465	- Level 5       	177-038-004-103.pontocomnet.com.br"
2844		"2019-07-23 04:04:04.892"	"GEOBlock       	177.38.4.103    	   	                	SMTPS"
2844		"2019-07-23 04:04:06.377"	"DISCONNECT     	177.38.4.103"
2420		"2019-07-23 04:12:58.342"	"--- Connect ---	181.64.238.189  	25 	- Level 5"
2420		"2019-07-23 04:12:58.359"	"IDS Add        	181.64.238.189"
2420		"2019-07-23 04:12:58.703"	"LashBack       	181.64.238.189"
2420		"2019-07-23 04:13:00.203"	"DISCONNECT     	181.64.238.189"
2420		"2019-07-23 04:29:23.243"	"--- Connect ---	192.254.121.91  	25 	- Clean level   	o10.email.yotpo.com"
2420		"2019-07-23 04:29:23.258"	"IDS Add        	192.254.121.91"
3208		"2019-07-23 04:30:28.710"	"IDS Delete     	192.254.121.91"
2844		"2019-07-23 04:32:35.725"	"--- Connect ---	191.53.220.165  	465	- Level 5       	191-53-220-165.dvl-wr.mastercabo.com.br"
2844		"2019-07-23 04:32:35.867"	"GEOBlock       	191.53.220.165  	   	                	SMTPS"
2844		"2019-07-23 04:32:37.350"	"DISCONNECT     	191.53.220.165"
2844		"2019-07-23 04:53:36.109"	"--- Connect ---	177.44.183.184  	465	- Level 5       	177-44-183-184.provedorarenanet.com.br"
2844		"2019-07-23 04:53:36.187"	"GEOBlock       	177.44.183.184  	   	                	SMTPS"
2844		"2019-07-23 04:53:37.671"	"DISCONNECT     	177.44.183.184"
2844		"2019-07-23 04:55:28.873"	"--- Connect ---	107.170.203.106 	465	- Level 3       	zg-0301f-26.stretchoid.com"
2844		"2019-07-23 04:55:28.951"	"GEOBlock       	107.170.203.106 	   	                	SMTPS"
2844		"2019-07-23 04:55:30.435"	"DISCONNECT     	107.170.203.106"
2420		"2019-07-23 04:58:06.529"	"--- Connect ---	123.20.213.94   	25 	- Level 5"
2420		"2019-07-23 04:58:06.529"	"IDS Add        	123.20.213.94"
2420		"2019-07-23 04:58:06.794"	"LashBack       	123.20.213.94"
2420		"2019-07-23 04:58:08.263"	"DISCONNECT     	123.20.213.94"
2420		"2019-07-23 05:28:06.939"	"--- Connect ---	45.80.131.6     	25 	- Level 4       	bear0.allfunbear.com"
2420		"2019-07-23 05:28:06.939"	"IDS Add        	45.80.131.6"
2420		"2019-07-23 05:29:02.205"	"--- Connect ---	171.60.144.21   	25 	- Level 5       	abts-mp-dynamic-x-21.144.60.171.airtelbroadband.in"
2420		"2019-07-23 05:29:02.205"	"IDS Add        	171.60.144.21"
3208		"2019-07-23 05:29:27.033"	"IDS Delete     	45.80.131.6"
3208		"2019-07-23 05:29:27.048"	"SPAM/RBL/SURBL 	45.80.131.6     	   	                	Tagged as Spam by SpamAssassin - (Score: 8)"
3208		"2019-07-23 05:30:07.470"	"IDS Delete     	171.60.144.21"
3208		"2019-07-23 05:30:07.484"	"Extortion      	171.60.144.21   	   	                	abts-mp-dynamic-x-21.144.60.171.airtelbroadband.in"
3208		"2019-07-23 05:30:07.484"	"SPAM/RBL/SURBL 	171.60.144.21   	   	                	RBL - Rejected by Spamhaus - (Score: 5)"
3208		"2019-07-23 05:30:07.484"	"SPAM/RBL/SURBL 	171.60.144.21   	   	                	RBL - Rejected by Barracuda Reputation Block List - (Score: 5)"
3208		"2019-07-23 05:30:07.484"	"SPAM/RBL/SURBL 	171.60.144.21   	   	                	Tagged as Spam by SpamAssassin - (Score: 24)"
2420		"2019-07-23 05:32:43.531"	"--- Connect ---	87.120.179.74   	25 	- Level 5"
2420		"2019-07-23 05:32:43.531"	"IDS Add        	87.120.179.74"
2420		"2019-07-23 05:32:43.593"	"SnowShoe       	87.120.179.74"
2420		"2019-07-23 05:32:45.093"	"DISCONNECT     	87.120.179.74"
2844		"2019-07-23 05:38:57.841"	"--- Connect ---	198.108.66.32   	465	- Level 4       	worker-02.sfj.corp.censys.io"
2844		"2019-07-23 05:38:57.904"	"GEOBlock       	198.108.66.32   	   	                	SMTPS"
2844		"2019-07-23 05:38:59.388"	"DISCONNECT     	198.108.66.32"
2420		"2019-07-23 05:48:07.181"	"--- Connect ---	45.80.131.7     	25 	- Level 5       	agon0.arcagon.com"
2420		"2019-07-23 05:48:07.181"	"IDS Add        	45.80.131.7"
3208		"2019-07-23 05:49:13.337"	"IDS Delete     	45.80.131.7"
3208		"2019-07-23 05:49:13.369"	"SPAM/RBL/SURBL 	45.80.131.7     	   	                	Tagged as Spam by SpamAssassin - (Score: 8)"
2420		"2019-07-23 05:58:49.505"	"--- Connect ---	122.47.180.89   	25 	- Level 5"
2420		"2019-07-23 05:58:49.505"	"IDS Add        	122.47.180.89"
2420		"2019-07-23 05:58:49.599"	"SnowShoe       	122.47.180.89"
2420		"2019-07-23 05:58:51.083"	"DISCONNECT     	122.47.180.89"
2420		"2019-07-23 05:59:21.380"	"--- Connect ---	122.47.180.89   	25 	- Level 5"
2420		"2019-07-23 05:59:21.380"	"IDS Add        	122.47.180.89"
2420		"2019-07-23 05:59:21.380"	"SnowShoe       	122.47.180.89"
2420		"2019-07-23 05:59:22.865"	"DISCONNECT     	122.47.180.89"
2844		"2019-07-23 06:08:56.814"	"--- Connect ---	191.53.249.213  	465	- Level 5       	191-53-249-213.nvs-wr.mastercabo.com.br"
2844		"2019-07-23 06:08:56.892"	"GEOBlock       	191.53.249.213  	   	                	SMTPS"
2844		"2019-07-23 06:08:58.376"	"DISCONNECT     	191.53.249.213"
2844		"2019-07-23 06:09:11.189"	"--- Connect ---	170.239.42.196  	465	- Level 5       	170-239-42-196.teleflex.net.br"
2844		"2019-07-23 06:09:11.251"	"GEOBlock       	170.239.42.196  	   	                	SMTPS"
2844		"2019-07-23 06:09:12.736"	"DISCONNECT     	170.239.42.196"
2420		"2019-07-23 06:19:13.279"	"--- Connect ---	89.104.206.40   	25 	- Clean level   	smtp-out12.electric.net"
2420		"2019-07-23 06:19:13.294"	"IDS Add        	89.104.206.40"
3208		"2019-07-23 06:20:18.435"	"IDS Delete     	89.104.206.40"
2420		"2019-07-23 06:26:37.339"	"--- Connect ---	45.65.124.44    	25 	N/A             	d2.digiyear.com"
2420		"2019-07-23 06:26:37.353"	"IDS Add        	45.65.124.44"
3208		"2019-07-23 06:27:41.650"	"IDS Delete     	45.65.124.44"
3208		"2019-07-23 06:27:41.666"	"SPAM/RBL/SURBL 	45.65.124.44    	   	                	Tagged as Spam by SpamAssassin - (Score: 3)"
2420		"2019-07-23 06:30:57.556"	"--- Connect ---	185.215.49.5    	25 	- Clean level   	susanhopman.com"
2420		"2019-07-23 06:30:57.570"	"IDS Add        	185.215.49.5"
3208		"2019-07-23 06:32:02.898"	"IDS Delete     	185.215.49.5"
3208		"2019-07-23 06:32:02.929"	"SPAM/RBL/SURBL 	185.215.49.5    	   	                	RBL - Rejected by Spamhaus - (Score: 5)"
3208		"2019-07-23 06:32:02.929"	"SPAM/RBL/SURBL 	185.215.49.5    	   	                	Tagged as Spam by SpamAssassin - (Score: 8)"
2844		"2019-07-23 06:37:13.162"	"--- Connect ---	187.85.214.31   	465	- Level 5"
2844		"2019-07-23 06:37:13.224"	"GEOBlock       	187.85.214.31   	   	                	SMTPS"
2844		"2019-07-23 06:37:14.710"	"DISCONNECT     	187.85.214.31"
2420		"2019-07-23 06:44:32.535"	"--- Connect ---	169.255.9.18    	25 	- Level 5"
2420		"2019-07-23 06:44:32.535"	"IDS Add        	169.255.9.18"
2420		"2019-07-23 06:44:32.613"	"SnowShoe       	169.255.9.18"
2420		"2019-07-23 06:44:34.097"	"DISCONNECT     	169.255.9.18"
2420		"2019-07-23 06:44:42.082"	"--- Connect ---	210.245.51.2    	25 	- Level 5       	210-245-51-office-net-static-ip.fpt.vn"
2420		"2019-07-23 06:44:42.082"	"IDS Add        	210.245.51.2"
2420		"2019-07-23 06:44:42.144"	"SnowShoe       	210.245.51.2"
2420		"2019-07-23 06:44:43.628"	"DISCONNECT     	210.245.51.2"
2420		"2019-07-23 06:48:09.845"	"--- Connect ---	193.31.119.133  	25 	- Level 2       	hostmaster.netbudur.com"
2420		"2019-07-23 06:48:09.845"	"IDS Add        	193.31.119.133"
2420		"2019-07-23 06:48:33.673"	"Reject HELO    	193.31.119.133  	   	                	storageindulge.icu"
2420		"2019-07-23 06:48:35.142"	"DISCONNECT     	193.31.119.133"
2420		"2019-07-23 06:50:06.501"	"--- Connect ---	52.88.240.252   	25 	- Level 3       	mta1a1.kayak-m.sparkpostelite.com"
2420		"2019-07-23 06:50:06.501"	"IDS Add        	52.88.240.252"
3208		"2019-07-23 06:51:13.611"	"IDS Delete     	52.88.240.252"
2844		"2019-07-23 06:56:46.326"	"--- Connect ---	168.228.151.106 	465	- Level 5"
2844		"2019-07-23 06:56:46.390"	"GEOBlock       	168.228.151.106 	   	                	SMTPS"
2844		"2019-07-23 06:56:47.873"	"DISCONNECT     	168.228.151.106"
2420		"2019-07-23 06:58:47.013"	"--- Connect ---	80.160.77.99    	25 	- Clean level   	backup-mx1.post.tele.dk"
2420		"2019-07-23 06:58:47.013"	"IDS Add        	80.160.77.99"
2420		"2019-07-23 06:58:47.060"	"WList HELO     	80.160.77.99    	   	                	backup-mx.post.tele.dk"
3208		"2019-07-23 06:58:49.466"	"IDS Delete     	80.160.77.99"
3208		"2019-07-23 06:58:49.513"	"isBanned       	80.160.77.99    	   	193.31.119.133  	storageindulge.icu"
2420		"2019-07-23 07:07:41.417"	"--- Connect ---	77.37.130.53    	25 	- Level 5       	broadband-77-37-130-53.ip.moscow.rt.ru"
2420		"2019-07-23 07:07:41.417"	"IDS Add        	77.37.130.53"
2420		"2019-07-23 07:07:41.478"	"SnowShoe       	77.37.130.53"
2420		"2019-07-23 07:07:42.964"	"DISCONNECT     	77.37.130.53"
2844		"2019-07-23 07:07:44.322"	"--- Connect ---	188.168.96.34   	25 	- Level 5       	tmh-service.kz.ttknn.net"
2844		"2019-07-23 07:07:44.339"	"IDS Add        	188.168.96.34"
2844		"2019-07-23 07:07:44.400"	"SnowShoe       	188.168.96.34"
2844		"2019-07-23 07:07:45.884"	"DISCONNECT     	188.168.96.34"
2844		"2019-07-23 07:12:28.398"	"--- Connect ---	45.11.192.21    	25 	- Level 3       	haveyoursayafrica.com"
2844		"2019-07-23 07:12:28.398"	"IDS Add        	45.11.192.21"
2844		"2019-07-23 07:13:05.929"	"--- Connect ---	67.205.151.71   	25 	- Level 1"
2844		"2019-07-23 07:13:05.945"	"IDS Add        	67.205.151.71"
3208		"2019-07-23 07:13:49.945"	"IDS Delete     	45.11.192.21"
3208		"2019-07-23 07:13:49.960"	"SPAM/RBL/SURBL 	45.11.192.21    	   	                	Tagged as Spam by SpamAssassin - (Score: 3)"
3208		"2019-07-23 07:13:49.960"	"SPAM/RBL/SURBL 	45.11.192.21    	   	                	RBL - Rejected by Barracuda Reputation Block List - (Score: 5)"
3208		"2019-07-23 07:14:13.585"	"IDS Delete     	67.205.151.71"
3208		"2019-07-23 07:14:13.601"	"SPAM/RBL/SURBL 	67.205.151.71   	   	                	Tagged as Spam by SpamAssassin - (Score: 5)"
3208		"2019-07-23 07:14:13.601"	"SPAM/RBL/SURBL 	67.205.151.71   	   	                	RBL - Rejected by Barracuda Reputation Block List - (Score: 5)"
2844		"2019-07-23 07:15:18.257"	"--- Connect ---	37.49.227.11    	25 	- Level 5"
2844		"2019-07-23 07:15:18.257"	"IDS Add        	37.49.227.11"
2844		"2019-07-23 07:21:17.974"	"--- Connect ---	52.11.191.219   	25 	- Level 3       	1.mail2.vente-exclusive.com"
2844		"2019-07-23 07:21:17.974"	"IDS Add        	52.11.191.219"
3208		"2019-07-23 07:22:24.488"	"IDS Delete     	52.11.191.219"
2844		"2019-07-23 07:25:31.457"	"--- Connect ---	37.49.227.11    	25 	- Level 5"
2844		"2019-07-23 07:25:31.457"	"IDS Add        	37.49.227.11"
3084		"2019-07-23 07:26:13.222"	"BAD HELO       	37.49.227.11    	   	                	87.51.72.165"
3084		"2019-07-23 07:26:14.691"	"DISCONNECT     	37.49.227.11"
2844		"2019-07-23 07:30:52.455"	"--- Connect ---	167.250.217.222 	465	- Level 5       	167-250-217-222.teleflex.net.br"
2844		"2019-07-23 07:30:52.517"	"GEOBlock       	167.250.217.222 	   	                	SMTPS"
2844		"2019-07-23 07:30:54.001"	"DISCONNECT     	167.250.217.222"
2844		"2019-07-23 07:38:29.888"	"--- Connect ---	106.105.218.106 	25 	- Level 5       	106.105.218.106.adsl.dynamic.seed.net.tw"
2844		"2019-07-23 07:38:29.888"	"IDS Add        	106.105.218.106"
2844		"2019-07-23 07:38:30.044"	"SnowShoe       	106.105.218.106"
2844		"2019-07-23 07:38:31.529"	"DISCONNECT     	106.105.218.106"
2844		"2019-07-23 07:41:24.060"	"--- Connect ---	159.253.178.99  	25 	- Clean level   	cluster1073.monopost.com"
2844		"2019-07-23 07:41:24.076"	"IDS Add        	159.253.178.99"
3208		"2019-07-23 07:42:30.091"	"IDS Delete     	159.253.178.99"
2844		"2019-07-23 07:42:37.402"	"--- Connect ---	187.109.58.233  	465	- Level 5       	187-109-58-233.agyonet.com.br"
2844		"2019-07-23 07:42:37.466"	"GEOBlock       	187.109.58.233  	   	                	SMTPS"
2844		"2019-07-23 07:42:38.949"	"DISCONNECT     	187.109.58.233"
2844		"2019-07-23 08:16:22.734"	"--- Connect ---	45.80.131.45    	25 	- Level 5       	street0.arclightfourthstreet.com"
2844		"2019-07-23 08:16:22.734"	"IDS Add        	45.80.131.45"
3208		"2019-07-23 08:17:29.421"	"IDS Delete     	45.80.131.45"
3208		"2019-07-23 08:17:29.437"	"SPAM/RBL/SURBL 	45.80.131.45    	   	                	URIBL - Rejected by Spamhaus - (Score: 5)"
3208		"2019-07-23 08:17:29.437"	"SPAM/RBL/SURBL 	45.80.131.45    	   	                	Tagged as Spam by SpamAssassin - (Score: 12)"
2844		"2019-07-23 08:51:54.220"	"--- Connect ---	168.228.149.7   	465	- Level 5"
2844		"2019-07-23 08:51:54.283"	"GEOBlock       	168.228.149.7   	   	                	SMTPS"
2844		"2019-07-23 08:51:55.767"	"DISCONNECT     	168.228.149.7"
2844		"2019-07-23 08:52:45.345"	"--- Connect ---	195.158.23.227  	25 	- Level 5"
2844		"2019-07-23 08:52:45.361"	"IDS Add        	195.158.23.227"
2844		"2019-07-23 08:52:45.486"	"SnowShoe       	195.158.23.227"
2844		"2019-07-23 08:52:46.970"	"DISCONNECT     	195.158.23.227"
2844		"2019-07-23 08:58:06.984"	"--- Connect ---	91.227.208.160  	25 	- Level 3       	rs-160.mta.anpdm.com"
2844		"2019-07-23 08:58:06.984"	"IDS Add        	91.227.208.160"
3208		"2019-07-23 08:59:13.498"	"IDS Delete     	91.227.208.160"
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
Top
User avatar
EduardoFoltran
Normal user
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: New DNSBL designed for hMailServer

Post by EduardoFoltran » 2019-07-24 14:19

SorenR wrote:
2019-07-23 14:27
 "IDS BAN" means to many connects and no actual mail received (IDS Add with no immediate following IDS Delete). Limit is 3 connects in 180 minutes and no mail = BAN. Handler is run every 1 minute so sometimes additional concurrent connects are registered before the BAN is in place.
That is an excellent way to avoid services like ZeroBounce to sneak into your server. I have a similar algorithm on my spam traps. Too many connections counts as a catch.
Top
Post Reply

Return to “Off-topic discussions”