On 12/09/2015 00:54, David Ford wrote:
> We are also one of those services that will reject mail if DNS records
> don't line up sufficiently to a) satisfy RFC requirements for DNS and b)
> are clearly mismatched with your DNS A/MX/PTR/SPF and who you pretend to
> be in HELO/EHLO.
>
> Those two simple rules block more than 92% of incoming spam attempts.
> "generics" tend to fall into that pit nearly 100% of the time. If your
> DNS can simply say in MX/SPF that you are legit, you easily avoid that pit.
>
> Blocking the majority of spam is really easy if we simply require
> adherence to what is actually mandated in RFC and a pinch of sensible
> thinking about DNS.
+1

These regex rules catch about 40% of rejects (no A/PTRs about 50% and RBLs 10%):
connect /.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\..*/ei //
connect /.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-.*/ei //
connect /.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\..*/ei //
Don't see much IPv6 traffic (<1%), so I have plenty of time to rewrite
them to catch them as well :)
(I did have to whitelist one local CSP who defaulted to this kinda "GENERATE" DNS rules for their hosts; no one there has a clue on how to change it, even my contact within said company told me their network staff are all clueless university fxxxxxxs and questions their degrees)
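
An added illustration, not part of the original message or the poster's configuration: the three hostname patterns above, applied to constructed PTR names to show what they catch and what they miss. Python's `re` stands in for whatever regex engine the poster's filter uses; the rule labels, function names and sample hostnames are assumptions made for this example.

```python
import re

# The three hostname patterns from the message, copied unchanged. The "i" flag
# of the original rules maps to re.IGNORECASE; matching is unanchored (search).
GENERIC_PTR_PATTERNS = {
    "dashed-quad-dot": r".*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\..*",
    "dashed-quad-dash": r".*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-.*",
    "dotted-quad-dot": r".*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\..*",
}
COMPILED = {name: re.compile(p, re.IGNORECASE)
            for name, p in GENERIC_PTR_PATTERNS.items()}


def matching_rules(ptr_name):
    """Return the labels of the rules that would fire for this PTR hostname."""
    return [name for name, rx in COMPILED.items() if rx.search(ptr_name)]


# Constructed sample PTR names (reserved example domains and address ranges).
SAMPLES = [
    "host-192-0-2-15.dynamic.example.net",   # IPv4 embedded with dashes
    "192-0-2-15-static.example.net",         # dashes, followed by a dash
    "15.2.0.192.broadband.example.net",      # IPv4 embedded with dots
    "mail.example.org",                      # operator-chosen name
    "mx1-2-3.example.org",                   # only three numeric groups
    "2001-db8-a0b-12f0--1.ip6.example.net",  # IPv6-style generic name: missed
    "srv-10-20-30-40.corp.example.org",      # generated name on a real server:
                                             # matches, hence the whitelist
]


def classify(samples):
    """Map each hostname to the list of rules it triggers (empty = accepted)."""
    return {name: matching_rules(name) for name in samples}


if __name__ == "__main__":
    for host, rules in classify(SAMPLES).items():
        verdict = "REJECT" if rules else "pass  "
        print(f"{verdict} {host:42} {', '.join(rules) or '-'}")
```
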

