Part of the reason we moved away from our old (failing) solution was that it was failing to filter effectively. We were getting hit by spam-blasts very frequently throughout the day, and the filtering solution was unable to effectively handle the problem. Each blast comes from a handful of closely-knit IP addresses, then goes away, and rarely comes back. As these blasts cycled over a few weeks, I noted that, while the blasts would come from a different set of IP addresses each time, there would often be a 'new' set of hosts within the same Class C network as others from the past. In fact, any spam from a 'new' Class C almost always guaranteed additional spam from that network for about a week or two.
Once I put EFA in place, these almost completely vanished. Only today did I realize what was saving us: sqlgrey! Users often complain about any kind of delay to incoming email, so when I ran across ways to help automate whitelisting within sqlgrey, I figured it didn't hurt to give it a shot: viewtopic.php?f=14&t=1240#p4484
Good idea in theory, but it didn't work out well. We doubled our typical spam-load for the day within 4 hours, and I had so much spam bleeding through I thought we were back to our old failing appliance. Turns out the assumption that spammers don't always have SPF records isn't wrong, but the hardcore spammers do have SPF, and using that as a white-list may get you buried under a deluge of spam!
Some messages were picked off as spam, but far too many were flagged as legitimate. They hit hard and fast with these dump-and-run campaigns. Once they've used an IP block for a few minutes, they rarely come back from those exact addresses.
Here are some of the domains that slammed us over just the last 2 hours:
Code:
184.173.202.31 -- healthinfo.newhealthyupdates.net
184.173.202.28 -- roofinstall.onlinegreatnewinstalls.net
89.46.133.251 -- ninetythreefivemodernopportunities.com
184.173.218.237 -- readupdates.enrolldeadlineextension.net
184.173.206.23 -- yourreward.getthelatestshoppingrewards.net
184.173.218.239 -- newscans.onlineaccuratescaninfo.net
Code:
v=spf1 a mx -all
Is there some method to craft a rule that could see X or more 'spam' and/or Y or more 'high-scoring spam' from a given IP over Z seconds, then blacklist and/or greylist that IP... for Q amount of time?
Such as 10+ spam, or 3+ high-spam within 30 seconds gets you booted from my EFA for 12 hours.
The other problem is that I've almost never seen these IP addresses on any RBL. Makes it hard to determine what to do!
Thanks in advance!
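One way to implement the rule asked about above, as an added example that is not part of the original post and not EFA, MailScanner or sqlgrey code: a sliding-window counter in Python that blocks a source for 12 hours after 10 spam or 3 high-scoring spam verdicts within 30 seconds. It also goes a step beyond the question by keying on the /24 (Class C) the post saw repeat offenders cluster in, so a dump-and-run blast spread over neighbouring addresses still trips the limit; the score cut-offs, timestamps and sample verdicts are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Limits follow the post's suggestion (10+ spam or 3+ high-scoring spam in 30 s -> 12 h block).
# The score cut-offs are assumed values for this example, not MailScanner defaults.
SPAM_SCORE, HIGH_SCORE = 5.0, 20.0
WINDOW, BLOCK_FOR = timedelta(seconds=30), timedelta(hours=12)
SPAM_LIMIT, HIGH_LIMIT = 10, 3

def class_c(ip):
    """Key offenders by their /24, since the post saw repeat hits from the same Class C."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

class RateBlocker:
    """Sliding-window counters per key; a key is blocked once either limit is reached."""
    def __init__(self, key_fn=str):
        self.key_fn = key_fn
        self.spam = defaultdict(deque)   # key -> timestamps of spam verdicts inside WINDOW
        self.high = defaultdict(deque)   # key -> timestamps of high-scoring verdicts
        self.blocked = {}                # key -> expiry of the temporary block

    def observe(self, ts, ip, score):
        """Record one filter verdict; return the expiry if this key just got blocked."""
        key = self.key_fn(ip)
        if ts < self.blocked.get(key, ts):   # still inside an earlier block
            return None
        for dq, cutoff, limit in ((self.spam, SPAM_SCORE, SPAM_LIMIT),
                                  (self.high, HIGH_SCORE, HIGH_LIMIT)):
            if score < cutoff:
                continue
            q = dq[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop verdicts older than the window
                q.popleft()
            if len(q) >= limit:
                self.blocked[key] = ts + BLOCK_FOR
                return self.blocked[key]
        return None

def replay(events, key_fn=str):
    """Feed (timestamp, ip, score) verdicts in order; return {key: expiry} of blocks."""
    rb = RateBlocker(key_fn)
    for ts, ip, score in events:
        rb.observe(datetime.fromisoformat(ts), ip, score)
    return rb.blocked

# Constructed sample: three high-scoring hits from one /24 within 20 s plus one low-scoring stray.
SAMPLE = [("2013-05-01T10:00:00", "184.173.202.31", 25.1),
          ("2013-05-01T10:00:05", "184.173.202.28", 22.4),
          ("2013-05-01T10:00:09", "89.46.133.251", 3.0),
          ("2013-05-01T10:00:20", "184.173.202.40", 21.0)]
```

Keyed per IP the sample never blocks anything, because each address sends only once; keyed per /24 the 184.173.202.0/24 block is cut off 12 hours after its third high-scoring hit.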