> pjm> ...
> pjm> if ( $hostname =~ /dsl./i )
> pjm> {
> pjm>     md_syslog("info","$MsgID - Host $hostname is a DSL broadband client");
> pjm>     return (0);
> pjm> }
> pjm> ...
>
> So, you are rejecting messages from e.g. mail.redslab.com that may be a
> perfectly legitimate and well behaving mail server, aren't you?
Probably, yes. The code was a quick hack to investigate the principle, and doesn't take into account any number of possible false positives. The regex is also sub-optimal, but it was a quick and dirty check as a demo.

Then again, in the last week, I've seen 1216 hosts which I've classed as broadband and rejected, and 566 unique hosts which successfully sent me mail. None of the rejected systems was a false positive - here's today's crop so far:

adsl-ull-29-112.44-151.net24.it
3e70db70.adsl.enternet.hu
14-136-88-127.adslgp.cegetel.net
19.vnta6.xdsl.nauticom.net
22.wkln5.xdsl.nauticom.net
26.107.72.218.dsl.dynamic.hz.zj.cndata.com
58.fip-8.dsl.ozemail.com.au
60-244-118-113.vdslpro.static.apol.com.tw
61-59-244-109.adsl.static.seed.net.tw
62-31-204-40.cable.ubr05.live.blueyonder.co.uk
67-138-187-100.sdsl01.roc.ny.frontiernet.net
72-31-223-201.adsl.terra.cl
74-33-86-227.dsl1.jdn.mn.frontiernet.net
80-192-1-199.cable.ubr03.edin.blueyonder.co.uk
80.178.204.6.adsl.012.net.il
81-178-96-160.dsl.pipex.com
82-33-108-173.cable.ubr03.stav.blueyonder.co.uk
82.200.184.45.adsl.online.kz
83-131-140-65.adsl.net.t-com.hr
84-123-105-230.onocable.ono.com
84.232.95.82.novelda.cableworld.es
84.94.160.137.cable.012.net.il
84.95.125.145.cable.012.net.il
85-55-168-24.zar1.adsl.uni2.es
86-127-41-157.cable-modem.hdsnet.hu
87.68.41.193.cable.012.net.il
88-108-226-107.dynamic.dsl.as9105.com
171-21-161-212.DSL.ONCOLT.COM
180-88-223-201.adsl.terra.cl
186-196-dsl.coinfotech.com
200-232-192-96.dsl.telesp.net.br
200.146.106.81.adsl.gvt.net.br
200.175.212.78.adsl.gvt.net.br
200.95.143.139.cableonline.com.mx
201-236-122-62.adsl.tie.cl
201.10.180.2.cpece705.dsl.brasiltelecom.net.br
201.22.14.132.adsl.gvt.net.br
203-97-114-55.cable.telstraclear.net
210-64-245-206.adsl.dynamic.seed.net.tw
211-74-191-51.adsl.dynamic.seed.net.tw
212-127-180-48.cable.quicknet.nl
212.106.230.27.adsl.jazztel.es
216-129-114.0502.adsl.tele2.no
219-68-111-95.adsl.dynamic.giga.net.tw
221.112.46.212.dsl.getacom.de
53530FC7.cable.casema.nl

In my case, this works. YMMV, and I would of course advise caution when implementing anything like this. In a corporate environment, I would expect the number of valid mail servers to be in the hundreds of thousands, and the broadband hosts seen to be of a similar size.

My decision to do this was taken after seeing the growth of botnets which were hitting me with 50 connections at a time from one IP, all of which were greylisted, and all of which were then retried successfully a few minutes later, with all of the resulting messages being classified as spam with scores of over 10. A few minutes later, I'd see the same from a different IP. My mail server is designed for the volume I expected it to handle, and is over-specified for my very small needs - 500MHz P3, 384Mb RAM, 36Gb IDE disk, with legitimate mail volume of 6000 per week - so this sort of bandwidth- and CPU-intensive attack is something I want to put a stop to immediately.

Basic principle - know your mail patterns, and filter based on this knowledge.

Paul.

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.392 / Virus Database: 268.5.2/329 - Release Date: 02/05/2006

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
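The false positive raised in the quoted reply comes from the posted pattern `/dsl./i` matching the letters "dsl" anywhere in a name, so "mail.redslab.com" is caught by "redslab". The following is an added example, not code from the thread and not MIMEDefang's own, written in Python so it runs stand-alone rather than in the Perl filter. It puts the naive substring test beside a tightened version that only accepts a DNS label or hyphenated fragment that is itself an access-technology token (dsl, adsl, xdsl, sdsl01, vdslpro, cable, cable-modem, onocable, as seen in the posted list), additionally requires an address-looking fragment (decimal octets or an 8-hex-digit encoded address, which every name in the list carries; this second signal is my addition), and consults an allowlist before rejecting. The sample names are a subset of the post's list plus the reply's mail.redslab.com; mx1.example.org and the allowlist entries are assumed. The ("CONTINUE"/"REJECT", reason) return shape is modelled on MIMEDefang's filter_relay convention and is an assumption here. Note that the quoted fragment only matches "dsl", while the posted list also contains cable names, so the tightened version covers both tokens.

```python
import re

# Constructed sample: a subset of the hostnames listed in the post, the
# counter-example from the quoted reply (mail.redslab.com) and one assumed
# ordinary relay name (mx1.example.org).
SAMPLE_HOSTS = [
    "adsl-ull-29-112.44-151.net24.it",
    "3e70db70.adsl.enternet.hu",
    "19.vnta6.xdsl.nauticom.net",
    "67-138-187-100.sdsl01.roc.ny.frontiernet.net",
    "60-244-118-113.vdslpro.static.apol.com.tw",
    "86-127-41-157.cable-modem.hdsnet.hu",
    "84-123-105-230.onocable.ono.com",
    "186-196-dsl.coinfotech.com",
    "53530FC7.cable.casema.nl",
    "mail.redslab.com",   # legitimate-looking name that /dsl./i also matches
    "mx1.example.org",    # assumed ordinary relay, not from the post
]

# The check as posted (Perl: $hostname =~ /dsl./i): the letters "dsl"
# anywhere in the name, followed by any character, are enough to match.
NAIVE_RE = re.compile(r"dsl.", re.IGNORECASE)


def naive_is_broadband(hostname):
    """Substring test equivalent to the quoted Perl regex."""
    return NAIVE_RE.search(hostname) is not None


# Tightened check. A fragment (DNS label, or part of a hyphenated label)
# must *be* an access-technology token, not merely contain the letters:
# dsl, adsl, xdsl, dsl1, sdsl01, vdslpro, adslgp, cable, cable-modem,
# onocable, cableonline, cableworld. The short {0,3}/{0,6} suffixes keep a
# long word that happens to start with "dsl" or "cable" from matching.
ACCESS_TOKEN_RE = re.compile(r"^(?:[a-z]?dsl[a-z0-9]{0,3}|[a-z]{0,3}cable[a-z]{0,6})$")

# Every dynamic-pool name in the posted list carries an address-looking
# fragment: a decimal octet or an 8-hex-digit encoded IPv4 address
# (3e70db70, 53530FC7). Requiring one is an added second signal.
ADDRESS_TOKEN_RE = re.compile(r"^(?:\d{1,3}|[0-9a-f]{8})$")


def fragments(hostname):
    """Split a hostname into lower-cased label and hyphen fragments."""
    return [f for f in re.split(r"[.-]", hostname.lower()) if f]


def is_broadband(hostname):
    """True only if the name has both an access token and an address token."""
    frags = fragments(hostname)
    has_access = any(ACCESS_TOKEN_RE.match(f) for f in frags)
    has_address = any(ADDRESS_TOKEN_RE.match(f) for f in frags)
    return has_access and has_address


def filter_relay(hostname, allowlist=frozenset()):
    """Relay decision; return shape assumed to mirror MIMEDefang's
    filter_relay convention: ("CONTINUE", "ok") or ("REJECT", reason).
    allowlist holds exact hostnames or parent domains that are never rejected."""
    name = hostname.lower().rstrip(".")
    # Known-good relays are exempted before any heuristic runs.
    if name in allowlist or any(name.endswith("." + d) for d in allowlist):
        return ("CONTINUE", "ok")
    if is_broadband(name):
        return ("REJECT", "Host %s looks like a broadband client" % hostname)
    return ("CONTINUE", "ok")


def compare(hosts):
    """Return {host: (naive_verdict, tightened_verdict)} for a list of names."""
    return {h: (naive_is_broadband(h), is_broadband(h)) for h in hosts}


if __name__ == "__main__":
    for host, (naive, tight) in compare(SAMPLE_HOSTS).items():
        print("%-48s naive=%-5s tightened=%-5s" % (host, naive, tight))
```

Running the comparison shows where the two checks disagree: the naive regex flags mail.redslab.com and misses the cable names, while the tightened check rejects every dynamic-pool name in the sample and passes the two relay-style names. The allowlist is the escape hatch the post's "advise caution" calls for; in a larger environment the exception list, not the regex, is where most of the maintenance goes.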