Blackmilter is a flexible and efficient tool for blocking mail senders by IP address. It could be used to implement an almost unlimited variety of blocking policies, depending on how the IP blocklists and allowlists are generated, how entries expire, and so on.

Blackmilter is my second line of defense after sendmail itself. It blocks about 90% of the incoming mail while using very little CPU time.

The way I use it is to run some scripts every hour which look through the system's mail log file. These scripts check for a variety of anti-social behaviors, extract the IP addresses doing the bad things, and add them to a set of local short-term blocklists.

You have to be careful with IP-based blocklists because many people change their IP addresses fairly often (via DHCP). The risk is that someone doing a bad thing could get blocked, give up his IP address, and then someone else could come along and get the same address and still be blocked. I avoid this risk because of two things. One, my blocklists are short-term - addresses automatically expire out of them in a day or so. And two, I use the "-graylist" option on blockmilter to have it return temporary failure codes instead of permanent rejection codes. Because of this, any real mail that happens to get sent from a blocked IP address will get queued on the sending site, and a few days later it will get through.

Below are explanations of some of the blocklist-generating scripts. Sendmail's log format is fairly twisted, so these scripts are a little complicated. Not too bad. Some of them use ipizer, a little lex program, as a pre-processing filter.

Using the scripts has five steps:

1. Rotate the sendmail log file every hour, via newsyslog.
2. In a cron job that runs a couple of minutes past the hour, rotate a set of IP-address files for each script.
3. Create the hour's new IP-address files by running the last hour's sendmail log file through each script.
4. Concatenate all the IP-address files together to form a blocklist file.
5. Get blackmilter to re-load its blocklist - if you use the -autoupdate flag, this happens automatically.

This blocklist also includes IP addresses found by the Non-ClamAV viruses filter, which are collected by a separate script.

This one looks for the log messages generated by the greet_pause sendmail config option. Here's a sample log entry:

Jan 18 00:25:42 gate sm-mta[94688]: j0I8PgRj094688: rejecting commands from host34-34.pool8256.interbusiness.it [82.56.34.34] due to pre-greeting traffic

While the greet_pause check is fairly cheap, it does involve a multi-second delay, which means a sendmail process sitting aroung taking up memory for those seconds. By putting the misbehaving IP addresses into a blocklist, we can reject them immediately and save on memory.

The script looks like this:

egrep 'rejecting commands from .* due to pre-greeting traffic' |
  sed -e 's/.*\[//' -e 's/\] due to pre-greeting traffic.*//' |
  sort |
  uniq -c |
  awk '{ if ( $1 >= 5 ) print $2; }'

This blocklist keys off of the later, more expensive Bayesian filters. Any time the Bayesian layer finds an "egregious" spam message that scores the maximum, it logs the IP address. Those addresses are then gathered up and added to this list. The threshhold for inclusion is low, currently only 3 messages per hour.