Need help with DNS blacklist agent

I have successfully set up DNS blacklisting on our server. The blacklisted sites are unable to send us mail.

I have noticed a new phenomenon, however: Though the spam servers are blacklisted, they can still attempt to connect to pass mail. I’d like to start adding servers that are found in DNS blacklists to the “Deny Connections from” list.

I’m considering an agent of some sort to periodically parse the notes log for the phrase

“02/11/2003 04:25:11 AM SMTP Server: Remote host 111.222.333.444 (blah.blah.com) found in DNS blacklist at bl.blacklist.com”.

From there, add the IP address of the offender to a list of blacklisted IPs, then take the list, compare to the list in the server’s “Deny Connections” list, add the missing entries to “Deny Connection”, and save the server document.

Sounds easy enough, but I’m sorta new to Domino programming. Am I using Lotus Script or Formula for this, and would parsing the server log be efficient enough to get the job done? Or is there a way to dynamically pick up these entries as they show up on the console, eliminating the need for searching the entire log file?

Subject: Need help with DNS blacklist agent

Why would you want to list locally IPs that are blocked by your blacklist filter anyway?

Also, if you do this, you will fill up the Deny Connections field rather quickly (max 32k). Sounds a lot but there are 2^32 addresses in IPV4, so even a tiny proportion of them expressed as [www.xxx.yyy.zzz] make an awful lot of bytes…

Subject: RE: Need help with DNS blacklist agent

> Why would you want to list locally IPs that are blocked by your blacklist filter anyway?

Because I want to block the servers from connecting at all, not just waiting until they are found in a blacklist and then disconnected. Seems more efficient to maintain a local IP blocklist so the DNS lookups aren’t as frequently necessary.

> Also, if you do this, you will fill up the Deny Connections field rather quickly (max 32k). Sounds a lot but there are 2^32 addresses in IPV4, so even a tiny proportion of them expressed as [www.xxx.yyy.zzz] make an awful lot of bytes…

My real reasoning is the actual local blocklist will be held in a separate small database where every entry is timestamped. After a predetermined amount of time, entries are removed from the list (via periodic agent) based on how long they’ve been there. Then the “Deny Connections” field is updated with the most recent entries.

The main goal is to add another layer of defense against spammers who leave their servers attempting to connect multiple times, thereby wasting precious threads on our servers on an IP already found in a DNS blacklist before. This also allows some to be put on permanent block and still have some rotating on time.
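As an added example (not code from this thread or from Domino itself), the steps described in the original post and in the timestamped-expiry follow-up, written in Python rather than LotusScript so it can be run against sample console lines: parse the "found in DNS blacklist" lines, drop entries older than the rotation window, and rebuild the Deny Connections value without exceeding the 32k limit the reply mentions. The log lines, the documentation-range addresses, the permanent entry and the one-byte-per-entry separator are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample console lines in the format quoted in the original post
# (documentation-range addresses; the fourth line is an unrelated event).
SAMPLE_LOG = """\
02/11/2003 04:25:11 AM SMTP Server: Remote host 192.0.2.10 (blah.blah.com) found in DNS blacklist at bl.blacklist.com
02/11/2003 04:26:03 AM SMTP Server: Remote host 192.0.2.10 (blah.blah.com) found in DNS blacklist at bl.blacklist.com
02/11/2003 05:01:44 AM SMTP Server: Remote host 198.51.100.7 (relay.example.net) found in DNS blacklist at bl.blacklist.com
02/11/2003 05:02:00 AM Router: Message 001234AB delivered to local mail file
01/20/2003 11:15:09 PM SMTP Server: Remote host 198.51.100.200 (old.example.org) found in DNS blacklist at bl.blacklist.com
"""

HIT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)\s+SMTP Server: Remote host "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \([^)]*\) found in DNS blacklist at \S+$"
)

def parse_hits(log_text):
    """Return {ip: latest hit time} for every DNS-blacklist line in the log."""
    hits = {}
    for m in filter(None, map(HIT_RE.match, log_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        if m["ip"] not in hits or ts > hits[m["ip"]]:
            hits[m["ip"]] = ts  # keep only the most recent hit per address
    return hits

def expire(blocklist, now, max_age):
    """Drop entries whose last hit is older than max_age (the rotating step)."""
    return {ip: ts for ip, ts in blocklist.items() if now - ts <= max_age}

def build_deny_field(permanent, blocklist, max_bytes=32000):
    """Permanent entries first, then rotating ones newest-first, stopping before
    the field limit. Entries use the [a.b.c.d] form mentioned in the reply;
    a one-byte separator per entry is an assumption."""
    entries = list(permanent)
    used = sum(len(e) + 1 for e in entries)
    for ip, _ in sorted(blocklist.items(), key=lambda kv: kv[1], reverse=True):
        entry = f"[{ip}]"
        if entry in entries:
            continue  # already listed (e.g. permanently)
        if used + len(entry) + 1 > max_bytes:
            break  # field full; the oldest rotating entries are the ones left out
        entries.append(entry)
        used += len(entry) + 1
    return entries

def run(log_text=SAMPLE_LOG, now=datetime(2003, 2, 11, 6, 0), days=7):
    blocklist = expire(parse_hits(log_text), now, timedelta(days=days))
    return build_deny_field(["[203.0.113.5]"], blocklist)  # constructed permanent entry
```

In the real agent the parsed hits would be written to the small timestamped database and `run()` would save the result into the server document's field instead of returning it.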