On 4/26/12 10:53 PM, Christopher Chan wrote:
On Thursday, April 26, 2012 08:30 PM, Gary Gendel wrote:
On 4/26/12 5:01 AM, Christopher Chan wrote:
On 26/04/12 12:17 AM, Gary Gendel wrote:
That isn't what spamdyke is trying to accomplish here. This checks to
see if the sender is trying to spoof the MTA. What spamdyke is
trying to
do is to blacklist emails based upon the ip address embedded in the
sending domain name. For example:
If I get mail from 208.1.48.3 and it's reverse domain lookup
resolves to
customer.208.001_48.3.sample.com and sample.com is on my list it is
blocked.
Again, it's available with the following configuration parameter:
check_reverse_client_hostname_access type:table
Table should have key "sample.com" and RHS = REJECT, blah
Table details:
http://www.postfix.org/access.5.html
Chris, I'm still unclear on how to do this. How could you write a
regular express to check to see if the connecting ip address is
buried in the reverse dns lookup.
In my example, spamdyke would reject
customer.208.001_48.3.sample.com, but
customer.108.001_48.3.sample.com would not be rejected because it
doesn't match the ip address of the sending MTA. This prevents
rejecting reverse dns names with strings of arbitrary numbers in them.
Gary,
I am sorry, but things are a bit unclear here. Is it "don't block
misconfigured clients but do block clients with proper rdns in this
domain"?
What do you mean by "customer.108.001_48.3.sample.com would not be
rejected because it doesn't match the ip address of the sending MTA"?
That customer.108.001_48.3.sample.com A would not map back to the ip
of server whose PTR record points to customer.108.001_48.3.sample.com?
This is the scenario...
I get a connection from ip address 1.2.3.4. The reverse DNS lookup
returns foo.001_002-3_4.example.com.
If I have .example.com in an ip-in-rdns-keyword-blacklist option list,
spamdyke will scan the reverse domain looking for the ip address in the
reverse domain list, find it, and reject the mail. Notice that it does
a contextual scan so it recognizes that 001 is the same as 1, the
elements can be separated by various symbols, etc.
Now, if I have a connection 1.2.3.4 and the reverse DNS lookup returns
foo.43.1.23.4.example.com spamdyke will let that pass since the specific
ip address would not be found.
All I was saying is that using regular expressions, I can't see how you
could do this distinction. The worst case would be if I did something
draconian like putting ".net" on the list. Regular expressions would
reject anything with the appropriate sequence of arbitrary numbers and
punctuation whereas Spamdyke would limit it to an sequence that matches
the sending ip. Spamdyke has a option to automatically do this for
domains that end in country codes. A regular expression would be overly
optimistic and potentially reject a lot of good sending MTAs.
I also have a honeypot set up. Any email that is received by that does
some analysis and automatically puts it in a spamdyke blacklist, where
it will remain as long as it isn't renewed (sent to the honeypot) before
an expiration time is met.
I have built up a lot of infrastructure using spamdyke that gives me a
superior spam rejection with no reported false positives. Bottom line
is that I'm not ready to lose this capability until I have a replacement
for spamdyke's menu of options, ease of configuration and performance.
Gary
_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
