Gossamer Introduces Dynamic Email Blacklists

Over the past year, Gossamer has deployed additional filtering for SPAM offenders, which automatically traverses our log files and updates our tcp.smtp file to block any IP address that is guilty of sending 5 or more SPAM messages in a 2-3 week period.

This program was initiated when we noted that the vast majority of the SPAM we received was addressed to email accounts that did not exist. While we would prefer that Qmail and its associated filters automatically reject email addressed to a non-existent user, this is not the case.

While this program met with some success, the log files we traversed can grow to be quite large (gigabytes), which created enough disk I/O to slow things down. More importantly, the program did not include those IPs responsible for sending thousands of viruses our way.

As users of ClamAV know, each time a virus is detected an email is sent to the system administrator to notify them of the event. In the past it was sufficient to configure a rule in Outlook to automatically delete these messages. But as of late, thousands of these email messages have been generated each day, which causes Outlook to run out of resources and fail to delete the notifications. This was tying up Outlook for an hour each morning processing literally thousands of messages.

So Gossamer has modified this program to parse a log file that contains notifications of both SPAM and VIRUSES, and it now runs in seconds rather than minutes. Our tcp.smtp file is now automatically updated via the magic of cron every ten minutes to blacklist any IP address that sends 3 or more SPAM or VIRUS files our way during the last 3-day period.
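The pass described above, as an added example (not Gossamer's program): it counts SPAM and VIRUS entries per sender over the last 3 days and emits tcp.smtp deny rules for senders at or over the threshold of 3. The log line format, the sample addresses, the `exempt` parameter and the static rules are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import IPv4Address

THRESHOLD = 3               # SPAM/VIRUS hits that trigger a block (from the post)
WINDOW = timedelta(days=3)  # look-back period (from the post)
# Assumed line format: "<ISO timestamp> <SPAM|VIRUS> <sender IP> <detail>"
LINE_RE = re.compile(r"^(\S+) (?:SPAM|VIRUS) (\S+)")

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2024-05-08T10:00:00 SPAM 198.51.100.9 no-such-user
2024-05-10T08:00:01 SPAM 203.0.113.7 no-such-user
2024-05-11T09:15:00 VIRUS 203.0.113.7 Eicar-Test-Signature
2024-05-11T10:00:00 SPAM 198.51.100.9 no-such-user
2024-05-12T10:00:00 VIRUS 198.51.100.9 Eicar-Test-Signature
2024-05-12T10:06:00 SPAM 198.51.100.9:allow forged-field
2024-05-12T11:59:00 SPAM 203.0.113.7 no-such-user
"""
SAMPLE_NOW = datetime(2024, 5, 12, 12, 0, 0)  # constructed "current time"

def offenders(log_text, now, exempt=frozenset()):
    """Return IPv4 senders with THRESHOLD or more hits inside WINDOW."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            when = datetime.fromisoformat(m.group(1))
            ip = str(IPv4Address(m.group(2)))  # rejects anything but a plain IPv4
        except ValueError:
            continue  # never copy an unvalidated log field into the rules file
        if ip not in exempt and now - WINDOW <= when <= now:
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= THRESHOLD)

def render_rules(deny_ips, static_rules):
    """Build tcp.smtp text: generated deny rules, then the hand-kept rules."""
    # tcprules prefers an exact-IP rule over the catch-all ":allow" rule.
    return "\n".join([f"{ip}:deny" for ip in deny_ips] + list(static_rules)) + "\n"

if __name__ == "__main__":
    static = ['127.:allow,RELAYCLIENT=""', ":allow"]  # assumed hand-kept rules
    print(render_rules(offenders(SAMPLE_LOG, SAMPLE_NOW), static), end="")
```

tcpserver reads the compiled cdb rather than the text file, so the cron job has to rebuild it with `tcprules` after writing tcp.smtp. Passing the server's own relays and monitoring hosts in `exempt` keeps a noisy internal sender from being locked out.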

Gossamer expects this new program to improve the performance of our server, and we will be closely monitoring the effectiveness of the program to provide further refinements if necessary.
