Hi,

I'm working on a project to combine mail log analysis and SpamAssassin
(spamd) scoring to rank the spamminess of a connecting IP address. I
haven't found any standard metrics so I'm guessing at what might be
useful, such as %spam per unit time {15-minutes, hour, day, week} per
unit network {/32, /28, /24}.

The intent is to generate this metric quickly and place all the
hosts/networks that exceed some threshold on a local access list or
DNSBL. I'd rather not use SpamAssassin's scores directly when generating
the metric because I'd rather the metric be package-neutral.

I've done a little research into this, probably not nearly enough, and
I'd rather not redo work (badly) that someone else has already done.
spamhammerd (http://n0rp.chemlab.org/spamhammer/spamhammerd) comes
closest to what I'm looking for, though it's meant more to defend
against dictionary attacks.

Anyone have a weighting scheme & threshold they're willing to share?

Thanks,
-- Bob
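
The metric described in the message above (percentage of spam per time window per network size), as an added example that is not part of the original post. It assumes IPv4 clients and log events already reduced to (timestamp, client IP, boolean spam verdict); the 75% threshold and 3-message minimum are illustrative values, not recommendations.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: (epoch seconds, client IP, filter verdict).
# The verdict is a plain boolean, so the metric does not depend on any one
# filter's score scale.
EVENTS = [
    (1000, "192.0.2.10", True),
    (1060, "192.0.2.10", True),
    (1120, "192.0.2.11", True),
    (1180, "192.0.2.12", False),
    (1240, "192.0.2.200", True),
    (1300, "198.51.100.7", False),
    (1360, "198.51.100.7", False),
    (1420, "198.51.100.7", True),
    (100, "203.0.113.5", True),   # older than the 15-minute window used below
]

def spam_ratios(events, now, window, prefix_len):
    """Return {network: (spam, total, percent)} for events inside the window."""
    counts = defaultdict(lambda: [0, 0])
    for ts, ip, is_spam in events:
        if not (now - window < ts <= now):
            continue
        # strict=False masks the host bits, mapping the address to its network.
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[net][0] += int(is_spam)
        counts[net][1] += 1
    return {n: (s, t, 100.0 * s / t) for n, (s, t) in counts.items()}

def over_threshold(events, now, window, prefix_len, min_pct, min_msgs):
    """Networks at or above min_pct spam, skipping those with too few messages."""
    ratios = spam_ratios(events, now, window, prefix_len)
    return sorted(str(n) for n, (s, t, pct) in ratios.items()
                  if t >= min_msgs and pct >= min_pct)

if __name__ == "__main__":
    # One 15-minute window evaluated at each of the three network sizes.
    for plen in (32, 28, 24):
        print(plen, over_threshold(EVENTS, now=1500, window=900,
                                   prefix_len=plen, min_pct=75.0, min_msgs=3))
```

The minimum message count keeps a single spam message from a low-volume host from producing a 100% score, and the same events can list a /28 or /24 while no individual /32 qualifies.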