Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option
For me it looks as if the message is being blocked because it contains the country code and IP in the rDNS and his setup has reject-ip-in-cc-rdns enabled. In the FAQ it says it will check reject-ip-in-cc-rdns before looking at the rDNS whitelist. I'm not sure if reject-ip-in-cc-rdns would reject on the spot even if it would match in the next filter (rDNS whitelist).

Arthur

Quoting Sam Clippinger [EMAIL PROTECTED]:

> It looks like you're trying to use keywords in your rDNS whitelist file; those files don't work that way. In an rDNS whitelist file, you can either give complete rDNS names or you can give partial names (starting with a dot) that will match the end of an rDNS name. For example:
>
> fully.qualified.domain.name.example.com
>
> Will match only one rDNS name (i.e. the entire name fully.qualified.domain.name.example.com). To match all names within a domain (or subdomain):
>
> .name.example.com
>
> Will match rDNS names that end with .name.example.com (e.g. fully.qualified.domain.name.example.com, silly.domain.name.example.com or short.name.example.com).
>
> This file format is documented here:
> http://www.spamdyke.org/documentation/README_rdns_file_format.html
>
> -- Sam Clippinger
>
> [EMAIL PROTECTED] wrote:
>> Hi list!
>>
>> I run spamdyke 4.0.5 on Debian. I have this in my whitelist_rdns:
>>
>> .static.
>> static.
>> .dedicated.
>> dedicated.
>>
>> But spamdyke rejects emails:
>>
>> 10/16/2008 15:03:52 LOG OUTPUT DENIED_IP_IN_CC_RDNS from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: xxx.xxx.xxx.xxx origin_rdns: port-xxx-xxx-xxx-xxx.static.qsc.de auth: (unknown)
>> 10/16/2008 15:03:52 FROM REMOTE TO CHILD: 6 bytes DATA
>> 10/16/2008 15:03:52 FROM SPAMDYKE TO REMOTE: 82 bytes 554 Refused. Your reverse DNS entry contains your IP address and a country code.
>> 10/16/2008 15:03:52 FROM REMOTE TO CHILD: 6 bytes RSET
>> 10/16/2008 15:03:52 FROM SPAMDYKE TO REMOTE: 82 bytes 554 Refused. Your reverse DNS entry contains your IP address and a country code.
>> 10/16/2008 15:03:52 FROM REMOTE TO CHILD: 6 bytes QUIT
>> 10/16/2008 15:03:52 FROM SPAMDYKE TO REMOTE: 82 bytes 221 Refused. Your reverse DNS entry contains your IP address and a country code.
>> 10/16/2008 15:03:52 CLOSED
>>
>> Should .static. not match port-xxx-xxx-xxx-xxx.static.qsc.de normally? Is this the same issue that Erald reported, or a new problem, or did I get something wrong?
>>
>> Regards,
>> Peter

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option
Peter,

can you try the following based on Sam's reply

Scenario 1 -- simply use

static
dedicated

on your whitelist

or

Scenario 2 --

static.
.static.
dedicated.
.dedicated.

I am not sure of the sanity of the keywords, as simply "static" and "dedicated" should work, and they are in increasing keyword length (from shortest to longest) as Sam suggested.

Thanks.

Erald Troja

[EMAIL PROTECTED] wrote:
> Hi list!
>
> I run spamdyke 4.0.5 on Debian. I have this in my whitelist_rdns:
>
> .static.
> static.
> .dedicated.
> dedicated.
>
> But spamdyke rejects emails:
>
> 10/16/2008 15:03:52 LOG OUTPUT DENIED_IP_IN_CC_RDNS from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: xxx.xxx.xxx.xxx origin_rdns: port-xxx-xxx-xxx-xxx.static.qsc.de auth: (unknown)
> 10/16/2008 15:03:52 FROM REMOTE TO CHILD: 6 bytes DATA
> 10/16/2008 15:03:52 FROM SPAMDYKE TO REMOTE: 82 bytes 554 Refused. Your reverse DNS entry contains your IP address and a country code.
> 10/16/2008 15:03:52 FROM REMOTE TO CHILD: 6 bytes RSET
> 10/16/2008 15:03:52 FROM SPAMDYKE TO REMOTE: 82 bytes 554 Refused. Your reverse DNS entry contains your IP address and a country code.
> 10/16/2008 15:03:52 FROM REMOTE TO CHILD: 6 bytes QUIT
> 10/16/2008 15:03:52 FROM SPAMDYKE TO REMOTE: 82 bytes 221 Refused. Your reverse DNS entry contains your IP address and a country code.
> 10/16/2008 15:03:52 CLOSED
>
> Should .static. not match port-xxx-xxx-xxx-xxx.static.qsc.de normally? Is this the same issue that Erald reported, or a new problem, or did I get something wrong?
>
> Regards,
> Peter
Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option
On 15.10.2008 15:20, Tim Mancour wrote:
> Sam,
>
> There is a set of POSIX compatible regular expression functions available in C. The functions regcomp() and regexec() are both used by qmail to provide regexp testing for the control/badx files.

I just wrote a similar mail, as I was wondering why NOT to use regexes in spamdyke; my only idea was that it could hurt performance. There is the PCRE library which enables parsing of Perl compatible regular expressions, which have IMHO the cleanest and most widely used regex syntax. It's also very easy to test those regexes using Perl.

> Regards,
> Tim

-- Felix

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sam Clippinger
> Sent: Wednesday, October 15, 2008 12:57 AM
> To: spamdyke users
> Subject: Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option
>
> The kind of wildcards you're asking for (especially *.*) would not be easy to implement. However, the code that requires a keyword to be surrounded by non-alphanumeric characters could be easily removed if you want to test the results. In filter.c, just remove the if() block from lines 697 to 706 (in version 4.0.5). Rerun make and install the new binary. My instinct says you won't like the new behavior but I could easily be wrong.
>
> In the long run, the best solution is probably to add support for regular expressions. They're much more flexible and powerful and the documentation would be much simpler as well, since many tutorials already exist for regexps. Several people have asked for regular expression support and it's on my list (though it's not high priority at the moment).
>
> -- Sam Clippinger
>
> Youri V. Kravatsky wrote:
>> Hello Sam,
>>
>>> BTW, spamdyke won't find a keyword like dyn in the middle of other text like dynamic. In order to match, a keyword must (1) be at the beginning of the name, (2) be surrounded with non-alphanumeric characters (i.e. dots or dashes) AND include the rDNS name's TLD (e.g. example would not be found in 11.22.33.44.example.com) or (3) the keyword must begin with a dot AND match the entire end of the rDNS name (e.g. .example.com would match 11.22.33.44.example.com). This logic exists to prevent a keyword like dynamic from matching 11.22.33.44.notdynamic.example.com.
>>
>> Well, it is not good really. I know that working correctly with wildcards is not easy in C, unlike Perl, but it would be very good to use a file like
>>
>> .*dynamic.*
>> .dynamic*.*
>> .broadband*.*
>> .*broadband.*
>> .*cable.*
>> .cable*.*
>> .*pppoe.*
>> .pppoe*.*
>>
>> Or else we will read logs for full days to find out all possible home-dynamic-cable-broadband providers all over the world...
Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option
Sam,

There is a set of POSIX compatible regular expression functions available in C. The functions regcomp() and regexec() are both used by qmail to provide regexp testing for the control/badx files.

Regards,
Tim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sam Clippinger
Sent: Wednesday, October 15, 2008 12:57 AM
To: spamdyke users
Subject: Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option

> The kind of wildcards you're asking for (especially *.*) would not be easy to implement. However, the code that requires a keyword to be surrounded by non-alphanumeric characters could be easily removed if you want to test the results. In filter.c, just remove the if() block from lines 697 to 706 (in version 4.0.5). Rerun make and install the new binary. My instinct says you won't like the new behavior but I could easily be wrong.
>
> In the long run, the best solution is probably to add support for regular expressions. They're much more flexible and powerful and the documentation would be much simpler as well, since many tutorials already exist for regexps. Several people have asked for regular expression support and it's on my list (though it's not high priority at the moment).
>
> -- Sam Clippinger
>
> Youri V. Kravatsky wrote:
>> Hello Sam,
>>
>>> BTW, spamdyke won't find a keyword like dyn in the middle of other text like dynamic. In order to match, a keyword must (1) be at the beginning of the name, (2) be surrounded with non-alphanumeric characters (i.e. dots or dashes) AND include the rDNS name's TLD (e.g. example would not be found in 11.22.33.44.example.com) or (3) the keyword must begin with a dot AND match the entire end of the rDNS name (e.g. .example.com would match 11.22.33.44.example.com). This logic exists to prevent a keyword like dynamic from matching 11.22.33.44.notdynamic.example.com.
>>
>> Well, it is not good really. I know that working correctly with wildcards is not easy in C, unlike Perl, but it would be very good to use a file like
>>
>> .*dynamic.*
>> .dynamic*.*
>> .broadband*.*
>> .*broadband.*
>> .*cable.*
>> .cable*.*
>> .*pppoe.*
>> .pppoe*.*
>>
>> Or else we will read logs for full days to find out all possible home-dynamic-cable-broadband providers all over the world...
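Tim's suggestion above is the POSIX regcomp()/regexec() API, and Youri's wish list is unanchored patterns such as .*dynamic.*. The block below is an added example, not spamdyke's code and not a patch to filter.c: it compiles a small rDNS blacklist of extended regular expressions and checks names against it. The pattern strings, the struct and function names, and the host names are constructed for the example. The first two patterns are anchored to label boundaries so that "dynamic" cannot match "notdynamic" (the false positive Sam's keyword rules exist to prevent); the third line is deliberately malformed to show that a bad pattern is reported and skipped rather than silently matching nothing; unanchored_verdict() runs Youri's .*dynamic.* so the over-match is visible side by side.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATTERNS 16

/* Constructed pattern list, standing in for the lines of a hypothetical regex
   blacklist file. The first two are label-anchored; the third is malformed on
   purpose so the loader's error path is exercised. */
static const char *const PATTERNS[] = {
    "(^|[.-])dynamic([.-]|$)",   /* "dynamic" as a whole label or label prefix */
    "[.]cable[.]ntl[.]com$",     /* names ending in .cable.ntl.com */
    "dynamic(",                  /* unbalanced parenthesis: regcomp() rejects it */
};
#define NPATTERNS (sizeof PATTERNS / sizeof PATTERNS[0])

struct rdns_regex_list {
    regex_t re[MAX_PATTERNS];
    size_t count;
};

/* Compile each pattern, skipping and reporting any that fail. REG_ICASE because
   DNS names are case-insensitive; REG_NOSUB because only match/no-match is
   needed. Returns the number of patterns actually compiled. */
size_t compile_patterns(struct rdns_regex_list *list,
                        const char *const *patterns, size_t n)
{
    size_t i;
    list->count = 0;
    for (i = 0; i < n && list->count < MAX_PATTERNS; i++) {
        regex_t *re = &list->re[list->count];
        int err = regcomp(re, patterns[i], REG_EXTENDED | REG_NOSUB | REG_ICASE);
        if (err != 0) {
            char msg[128];
            regerror(err, re, msg, sizeof msg);
            fprintf(stderr, "skipping pattern '%s': %s\n", patterns[i], msg);
            continue;
        }
        list->count++;
    }
    return list->count;
}

/* Index of the first pattern that matches rdns, or -1 if none does. */
int match_rdns(const struct rdns_regex_list *list, const char *rdns)
{
    size_t i;
    for (i = 0; i < list->count; i++)
        if (regexec(&list->re[i], rdns, 0, NULL, 0) == 0)
            return (int)i;
    return -1;
}

void free_patterns(struct rdns_regex_list *list)
{
    size_t i;
    for (i = 0; i < list->count; i++)
        regfree(&list->re[i]);
    list->count = 0;
}

/* Verdict for one name against the anchored list: pattern index or -1. */
int blacklist_verdict(const char *rdns)
{
    struct rdns_regex_list list;
    int idx;
    compile_patterns(&list, PATTERNS, NPATTERNS);
    idx = match_rdns(&list, rdns);
    free_patterns(&list);
    return idx;
}

/* The same name against the unanchored ".*dynamic.*" from the thread, to show
   the over-match that catches "notdynamic" as well. */
int unanchored_verdict(const char *rdns)
{
    static const char *const loose[] = { ".*dynamic.*" };
    struct rdns_regex_list list;
    int idx;
    compile_patterns(&list, loose, 1);
    idx = match_rdns(&list, rdns);
    free_patterns(&list);
    return idx;
}

int main(void)
{
    /* Constructed names, two of them taken from the thread's own examples. */
    const char *names[] = {
        "11.22.33.44.dynamic.example.com",
        "11.22.33.44.notdynamic.example.com",
        "cpc1-west2-0-0-cust857.brnt.cable.ntl.com",
        "legitimatesender.staticip.cable.example.com",
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-45s anchored=%2d unanchored=%2d\n", names[i],
               blacklist_verdict(names[i]), unanchored_verdict(names[i]));
    return 0;
}
```

The design point is the anchoring: a regex blacklist only improves on fixed keywords if each entry states where the keyword may sit in the name, otherwise it reproduces the "cable matches legitimatesender.staticip.cable.example.com" problem Sam raises later in the thread, with the added cost of compiling and running a pattern per connection.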
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
I live in Italy and your 'cable' keyword is 'dynamic' here. I use this:

# cat /var/db/spamdyke/rdns_blacklist.txt
.*dynamic.*

and it works!

d.

2008/10/13 Erald Troja [EMAIL PROTECTED]:
> Davide,
>
> no go. Other host names containing the 'cable' keyword such as 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk are properly being rejected with the right error message.
>
> Erald Troja
>
> Davide D'Amico wrote:
>> Please try with:
>>
>> *.cable.*
>>
>> d.
>>
>> 2008/10/13 Erald Troja [EMAIL PROTECTED]:
>>> Sam/others,
>>>
>>> I've re-read the documentation for this feature over and over and as far as I can understand we've done all possible to stop the following.
>>>
>>> Here's an entry log from a SPAMMER's address we'd like to reject via the ip-in-rdns-keyword-blacklist-entry feature.
>>>
>>> Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: (unknown)
>>>
>>> Our ip-in-rdns-keyword-blacklist-entry referenced file contains the following
>>>
>>> cable
>>> .cable.ntl.com
>>> .ntl.com
>>> cable .ntl.com
>>>
>>> Seems none of the 4 potential keyword entries we're providing is matching the above host name. The hostname should be rejected with DENIED_IP_IN_RDNS rather than DENIED_GRAYLISTED.
>>>
>>> What are we doing wrong? Or is this an undiscovered bug?
>>>
>>> Thanks.
>>>
>>> Erald Troja
>>>
>>> Erald Troja wrote:
>>>> Sam,
>>>>
>>>> I'm reading your reply again, and perhaps I misunderstood what you're saying. Here's the entry log for one of the rDNS's I'd like to reject the connection for.
>>>>
>>>> Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>>>> Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>>>>
>>>> As you will see, there is an IP address for their rDNS.
>>>>
>>>> Are you saying that the ip-in-rdns-keyword-blacklist-entry file should also contain the IP address of the originating connection, or, as long as their IP resolves to a numeric address, all that is necessary is to have the keyword in the ip-in-rdns-keyword-blacklist-entry?
>>>>
>>>> Can anyone clarify this please?
>>>>
>>>> Erald Troja
>>>>
>>>> Sam Clippinger wrote:
>>>>> In order for the keyword filter to block connections, spamdyke must find the keyword and the entire IP address in the rDNS name. The two examples you gave don't appear to contain whole IP addresses. Also, the second example contains the keyword cablelink, not cable; spamdyke will not match keywords within other text.
>>>>>
>>>>> -- Sam Clippinger
>>>>>
>>>>> Erald Troja wrote:
>>>>>> Hello Folks,
>>>>>>
>>>>>> We are slowly building up on the many swiss army knife features that Spamdyke offers. One of them is the ip-in-rdns-keyword-blacklist-entry feature
>>>>>> http://spamdyke.org/documentation/README.html#RDNS
>>>>>>
>>>>>> In essence, we notice many, next to say almost all, connections connecting to port 25 of our servers with the keyword 'cable' are of SPAMMY nature and we'd like to stop them.
>>>>>>
>>>>>> So, we have Spamdyke configured with
>>>>>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>>>>>> and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file with one line containing just the keyword
>>>>>> cable
>>>>>>
>>>>>> We do notice logging of a handful of connections, yet for example
>>>>>> DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
>>>>>> DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net
>>>>>> are Graylisted instead of being denied connectivity.
>>>>>>
>>>>>> Can anyone pass along some documentation on Spamdyke + keyword processing?
>>>>>>
>>>>>> Thanks.
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Are you sure that really works? Asterisks are not valid in blacklist files, nor are trailing dots. If it does work, it's a bug. :)

-- Sam Clippinger

Davide D'Amico wrote:
> I live in Italy and your 'cable' keyword is 'dynamic' here. I use this:
>
> # cat /var/db/spamdyke/rdns_blacklist.txt
> .*dynamic.*
>
> and it works!
>
> d.
>
> 2008/10/13 Erald Troja [EMAIL PROTECTED]:
>> Davide,
>>
>> no go. Other host names containing the 'cable' keyword such as 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk are properly being rejected with the right error message.
>>
>> Erald Troja
>>
>> Davide D'Amico wrote:
>>> Please try with:
>>>
>>> *.cable.*
>>>
>>> d.
>>>
>>> 2008/10/13 Erald Troja [EMAIL PROTECTED]:
>>>> Sam/others,
>>>>
>>>> I've re-read the documentation for this feature over and over and as far as I can understand we've done all possible to stop the following.
>>>>
>>>> Here's an entry log from a SPAMMER's address we'd like to reject via the ip-in-rdns-keyword-blacklist-entry feature.
>>>>
>>>> Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: (unknown)
>>>>
>>>> Our ip-in-rdns-keyword-blacklist-entry referenced file contains the following
>>>>
>>>> cable
>>>> .cable.ntl.com
>>>> .ntl.com
>>>> cable .ntl.com
>>>>
>>>> Seems none of the 4 potential keyword entries we're providing is matching the above host name. The hostname should be rejected with DENIED_IP_IN_RDNS rather than DENIED_GRAYLISTED.
>>>>
>>>> What are we doing wrong? Or is this an undiscovered bug?
>>>>
>>>> Thanks.
>>>>
>>>> Erald Troja
>>>>
>>>> Erald Troja wrote:
>>>>> Sam,
>>>>>
>>>>> I'm reading your reply again, and perhaps I misunderstood what you're saying. Here's the entry log for one of the rDNS's I'd like to reject the connection for.
>>>>>
>>>>> Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>>>>> Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>>>>>
>>>>> As you will see, there is an IP address for their rDNS.
>>>>>
>>>>> Are you saying that the ip-in-rdns-keyword-blacklist-entry file should also contain the IP address of the originating connection, or, as long as their IP resolves to a numeric address, all that is necessary is to have the keyword in the ip-in-rdns-keyword-blacklist-entry?
>>>>>
>>>>> Can anyone clarify this please?
>>>>>
>>>>> Erald Troja
>>>>>
>>>>> Sam Clippinger wrote:
>>>>>> In order for the keyword filter to block connections, spamdyke must find the keyword and the entire IP address in the rDNS name. The two examples you gave don't appear to contain whole IP addresses. Also, the second example contains the keyword cablelink, not cable; spamdyke will not match keywords within other text.
>>>>>>
>>>>>> -- Sam Clippinger
>>>>>>
>>>>>> Erald Troja wrote:
>>>>>>> Hello Folks,
>>>>>>>
>>>>>>> We are slowly building up on the many swiss army knife features that Spamdyke offers. One of them is the ip-in-rdns-keyword-blacklist-entry feature
>>>>>>> http://spamdyke.org/documentation/README.html#RDNS
>>>>>>>
>>>>>>> In essence, we notice many, next to say almost all, connections connecting to port 25 of our servers with the keyword 'cable' are of SPAMMY nature and we'd like to stop them.
>>>>>>>
>>>>>>> So, we have Spamdyke configured with
>>>>>>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>>>>>>> and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file with one line containing just the keyword
>>>>>>> cable
>>>>>>>
>>>>>>> We do notice logging of a handful of connections, yet for example
>>>>>>> DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
>>>>>>> DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net
>>>>>>> are Graylisted instead of being denied connectivity.
>>>>>>>
>>>>>>> Can anyone pass along some documentation on Spamdyke + keyword processing?
>>>>>>>
>>>>>>> Thanks.
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Sam,

I'm going back to this thread as I believe something is not working right still. Here's what's going on.

1) Here's a snippet of the log file entry which contains the error, IP, and rDNS of the connection

DENIED_GRAYLISTED 89.141.38.150 89.141.38.150.dyn.user.ono.com

2) Here's our ip-in-rdns-keyword-blacklist-file entries

adsl
cable
dsl
dyn
dynamic
ip
kabel
mtu
nat
pool
ppp
pppoe
user
.veloxzone.com.br
.virtua.com.br
xdsl

3) As you'd see, at least 2 entries should hit the above hostname, namely the user or dyn keywords. None of them does.

When I remove those and simply leave the ip-in-rdns-keyword-blacklist-file with just 2 entries, namely

dyn
user

we're able to fully block the connections. There's no white space or anything weird in the file.

I've noticed this behaviour many times with different keywords, which act up if the size of the ip-in-rdns-keyword-blacklist-file increases.

What's the logic behind the keyword filtering and would it help if we ran it with full-logging?

Thanks.

Erald Troja
[EMAIL PROTECTED]
646.528.6671

Sam Clippinger wrote:
> In order to block this connection with the ip-in-rdns filter, the IP address must appear in the rDNS name. In this case, the rDNS name does not contain the text 80.6.107.90 or 80-6-107-90 or 080006107090 or any of the other formats spamdyke searches for. That's why the filter won't trigger, no matter what keywords you put in the file.
>
> What you need is a filter that will block connections based on finding arbitrary keywords in the rDNS name, which is a feature spamdyke does not provide. I've considered adding it in the past but I believe it would cause more problems than it solved. For instance, blocking cable would stop residential cable modems but it would also stop legitimatesender.staticip.cable.example.com. I think you'd spend more time troubleshooting false positives than you would save by using the filter.
>
> In your case, if you want to block all connections ending in cable.ntl.com, simply add the following entry to your rDNS blacklist:
>
> .cable.ntl.com
>
> -- Sam Clippinger
>
> Erald Troja wrote:
>> Sam/others,
>>
>> I've re-read the documentation for this feature over and over and as far as I can understand we've done all possible to stop the following.
>>
>> Here's an entry log from a SPAMMER's address we'd like to reject via the ip-in-rdns-keyword-blacklist-entry feature.
>>
>> Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: (unknown)
>>
>> Our ip-in-rdns-keyword-blacklist-entry referenced file contains the following
>>
>> cable
>> .cable.ntl.com
>> .ntl.com
>> cable .ntl.com
>>
>> Seems none of the 4 potential keyword entries we're providing is matching the above host name. The hostname should be rejected with DENIED_IP_IN_RDNS rather than DENIED_GRAYLISTED.
>>
>> What are we doing wrong? Or is this an undiscovered bug?
>>
>> Thanks.
>>
>> Erald Troja
>>
>> Erald Troja wrote:
>>> Sam,
>>>
>>> I'm reading your reply again, and perhaps I misunderstood what you're saying. Here's the entry log for one of the rDNS's I'd like to reject the connection for.
>>>
>>> Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>>> Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>>>
>>> As you will see, there is an IP address for their rDNS.
>>>
>>> Are you saying that the ip-in-rdns-keyword-blacklist-entry file should also contain the IP address of the originating connection, or, as long as their IP resolves to a numeric address, all that is necessary is to have the keyword in the ip-in-rdns-keyword-blacklist-entry?
>>>
>>> Can anyone clarify this please?
>>>
>>> Erald Troja
>>>
>>> Sam Clippinger wrote:
>>>> In order for the keyword filter to block connections, spamdyke must find the keyword and the entire IP address in the rDNS name. The two examples you gave don't appear to contain whole IP addresses. Also, the second example contains the keyword cablelink, not cable; spamdyke will not match keywords within other text.
>>>>
>>>> -- Sam Clippinger
>>>>
>>>> Erald Troja wrote:
>>>>> Hello Folks,
>>>>>
>>>>> We are slowly building up on the many swiss army knife features that Spamdyke offers. One of them is the ip-in-rdns-keyword-blacklist-entry feature
>>>>> http://spamdyke.org/documentation/README.html#RDNS
>>>>>
>>>>> In essence, we notice many, next to say almost all, connections connecting to port 25 of our servers with the keyword 'cable' are of SPAMMY nature and we'd like to stop them.
>>>>>
>>>>> So, we have Spamdyke configured with
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
> 2) Here's our ip-in-rdns-keyword-blacklist-file entries
>
> adsl
> cable
> dsl
> dyn
> dynamic
> ip
> kabel
> mtu
> nat
> pool
> ppp
> pppoe
> user
> .veloxzone.com.br
> .virtua.com.br
> xdsl

Does dyn not match dynamic also? And adsl dsl also? Is it not double?

Regards,
Peter
Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option
Peter,

If it is, it is not working, not even once ;-)

There's something really quirky with this issue, and it comes into play when one starts to add keywords. We dump all in one file as we feel necessary, and let a script sort them and uniquely list them. But again, even when manually jumping from 2 lines to 3 lines I've seen that the pattern matching starts to break down.

The most efficient way I've seen we can block is via the following pattern

dynamic .com
dynamic .net

Which successfully catches any 'dynamic' keywords on the .net + .com TLDs.

- Erald Troja
[EMAIL PROTECTED]
646.528.6671

-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wed, 15 Oct 2008 00:42:40
To: spamdyke users <spamdyke-users@spamdyke.org>
Subject: Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option

>> 2) Here's our ip-in-rdns-keyword-blacklist-file entries
>>
>> adsl
>> cable
>> dsl
>> dyn
>> dynamic
>> ip
>> kabel
>> mtu
>> nat
>> pool
>> ppp
>> pppoe
>> user
>> .veloxzone.com.br
>> .virtua.com.br
>> xdsl
>
> Does dyn not match dynamic also? And adsl dsl also? Is it not double?
>
> Regards,
> Peter
Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option
This is definitely a bug. spamdyke isn't correctly terminating the keyword value after loading it into memory, so when it searches the rDNS name for the keyword the search goes too far (tries to match the garbage in memory to text in the rDNS name). Like most uninitialized buffer errors, it behaves differently depending on how spamdyke was compiled and the system running it. For example, I can reproduce this on Mac OS X but not on OpenBSD or Fedora Core 4. Since those last two are my primary test platforms, this one slipped through.

For now, you should be able to work around this bug by reordering your keyword file so the entries are listed in order of increasing length (e.g. put dyn before cable). This bug will be fixed correctly in 4.0.6.

Thanks for reporting this (and insisting on it)!

BTW, spamdyke won't find a keyword like dyn in the middle of other text like dynamic. In order to match, a keyword must (1) be at the beginning of the name, (2) be surrounded with non-alphanumeric characters (i.e. dots or dashes) AND include the rDNS name's TLD (e.g. example would not be found in 11.22.33.44.example.com) or (3) the keyword must begin with a dot AND match the entire end of the rDNS name (e.g. .example.com would match 11.22.33.44.example.com). This logic exists to prevent a keyword like dynamic from matching 11.22.33.44.notdynamic.example.com.

-- Sam Clippinger

Erald Troja wrote:
> Peter,
>
> If it is, it is not working, not even once ;-)
>
> There's something really quirky with this issue, and it comes into play when one starts to add keywords. We dump all in one file as we feel necessary, and let a script sort them and uniquely list them. But again, even when manually jumping from 2 lines to 3 lines I've seen that the pattern matching starts to break down.
>
> The most efficient way I've seen we can block is via the following pattern
>
> dynamic .com
> dynamic .net
>
> Which successfully catches any 'dynamic' keywords on the .net + .com TLDs.
>
> - Erald Troja
> [EMAIL PROTECTED]
> 646.528.6671
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Date: Wed, 15 Oct 2008 00:42:40
> To: spamdyke users <spamdyke-users@spamdyke.org>
> Subject: Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
>
>>> 2) Here's our ip-in-rdns-keyword-blacklist-file entries
>>>
>>> adsl
>>> cable
>>> dsl
>>> dyn
>>> dynamic
>>> ip
>>> kabel
>>> mtu
>>> nat
>>> pool
>>> ppp
>>> pppoe
>>> user
>>> .veloxzone.com.br
>>> .virtua.com.br
>>> xdsl
>>
>> Does dyn not match dynamic also? And adsl dsl also? Is it not double?
>>
>> Regards,
>> Peter
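Sam's three matching rules above, together with the IP spellings he listed earlier in the thread (80.6.107.90, 80-6-107-90, 080006107090), reconstructed in C as an added example. This is not spamdyke's filter.c and makes no claim about how that file is written; it is a reference implementation of the behaviour he describes, so that a keyword file can be sanity-checked against a log line before it is deployed. Assumptions: rule 1 is taken to require a label boundary after the keyword (the text only says "at the beginning"); only the three IP spellings named on the page are searched for, although Sam says spamdyke knows others; names are already lower-case. load_keyword() shows the terminator discipline whose absence Sam diagnoses: the NUL is always written, whatever the input line looks like. All sample lines and names are constructed, two of them copied from the thread's own log entries.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KEYWORD_MAX 64

/* Copy one line of a keyword file into a fixed buffer, dropping the line
   terminator and always writing the NUL, even when the line is longer than
   the buffer. A keyword that is not terminated makes every later search run
   on into whatever bytes follow it, which is the symptom described above. */
void load_keyword(char *dst, size_t dstlen, const char *line)
{
    size_t n = strcspn(line, "\r\n");
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, line, n);
    dst[n] = '\0';
}

/* Rule 3: a keyword starting with a dot matches only the entire end of the name. */
static int suffix_match(const char *rdns, const char *keyword)
{
    size_t rl = strlen(rdns), kl = strlen(keyword);
    return kl <= rl && strcmp(rdns + (rl - kl), keyword) == 0;
}

/* 1 if 'keyword' matches 'rdns' under the three rules, else 0. */
int rdns_keyword_match(const char *rdns, const char *keyword)
{
    size_t rl = strlen(rdns), kl = strlen(keyword);

    if (kl == 0 || kl > rl)
        return 0;
    if (keyword[0] == '.')
        return suffix_match(rdns, keyword);
    /* Rule 1: keyword at the very start of the name, ending at a label
       boundary ('.', '-' or end of name) -- the boundary is this example's assumption. */
    if (strncmp(rdns, keyword, kl) == 0 && !isalnum((unsigned char)rdns[kl]))
        return 1;
    /* Rule 2: keyword reaches the end of the name (so it includes the TLD)
       and is preceded by a non-alphanumeric character. */
    if (kl < rl && strcmp(rdns + (rl - kl), keyword) == 0
        && !isalnum((unsigned char)rdns[rl - kl - 1]))
        return 1;
    return 0;
}

/* The three spellings of the IP named in the thread: dotted, dashed, and
   zero-padded without separators. Returns 0 if 'ip' is not a dotted quad. */
static int ip_spellings(const char *ip, char dotted[16], char dashed[16], char padded[13])
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(ip, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    snprintf(dotted, 16, "%u.%u.%u.%u", a, b, c, d);
    snprintf(dashed, 16, "%u-%u-%u-%u", a, b, c, d);
    snprintf(padded, 13, "%03u%03u%03u%03u", a, b, c, d);
    return 1;
}

/* 1 if the connecting IP appears in the rDNS name in one of those spellings. */
int ip_in_rdns(const char *ip, const char *rdns)
{
    char dotted[16], dashed[16], padded[13];
    if (!ip_spellings(ip, dotted, dashed, padded))
        return 0;
    return strstr(rdns, dotted) != NULL || strstr(rdns, dashed) != NULL
        || strstr(rdns, padded) != NULL;
}

/* The filter as described: the IP must be in the name AND a keyword must
   match. Returns the index of the matching keyword, or -1 (not denied). */
int ip_in_rdns_keyword_check(const char *ip, const char *rdns,
                             const char *const *keywords, size_t nkeywords)
{
    size_t i;
    if (!ip_in_rdns(ip, rdns))
        return -1;
    for (i = 0; i < nkeywords; i++)
        if (rdns_keyword_match(rdns, keywords[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed keyword-file lines, loaded one at a time as a file reader would. */
    const char *lines[] = { "dyn\n", "user.ono.com\r\n", ".cable.ntl.com\n" };
    char store[3][KEYWORD_MAX];
    const char *keywords[3];
    size_t i;
    for (i = 0; i < 3; i++) {
        load_keyword(store[i], KEYWORD_MAX, lines[i]);
        keywords[i] = store[i];
    }
    /* 1: IP present, "user.ono.com" matches under rule 2 ("dyn" alone does not). */
    printf("ono: %d\n", ip_in_rdns_keyword_check("89.141.38.150",
           "89.141.38.150.dyn.user.ono.com", keywords, 3));
    /* -1: .cable.ntl.com would match, but the IP is not in the name. */
    printf("ntl: %d\n", ip_in_rdns_keyword_check("80.6.107.90",
           "cpc1-west2-0-0-cust857.brnt.cable.ntl.com", keywords, 3));
    return 0;
}
```

Two things fall out of running it against the thread's own log lines: the ono.com name is denied only because the full IP is spelled out in it, and Erald's bare "dyn" and "user" entries never match on their own, which is consistent with Sam's note that a keyword in the middle of a name is not found.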
Re: [spamdyke-users] spamdyke +ip-in-rdns-keyword-blacklist-entry option
The kind of wildcards you're asking for (especially *.*) would not be easy to implement. However, the code that requires a keyword to be surrounded by non-alphanumeric characters could be easily removed if you want to test the results. In filter.c, just remove the if() block from lines 697 to 706 (in version 4.0.5). Rerun make and install the new binary. My instinct says you won't like the new behavior but I could easily be wrong.

In the long run, the best solution is probably to add support for regular expressions. They're much more flexible and powerful and the documentation would be much simpler as well, since many tutorials already exist for regexps. Several people have asked for regular expression support and it's on my list (though it's not high priority at the moment).

-- Sam Clippinger

Youri V. Kravatsky wrote:
> Hello Sam,
>
>> BTW, spamdyke won't find a keyword like dyn in the middle of other text like dynamic. In order to match, a keyword must (1) be at the beginning of the name, (2) be surrounded with non-alphanumeric characters (i.e. dots or dashes) AND include the rDNS name's TLD (e.g. example would not be found in 11.22.33.44.example.com) or (3) the keyword must begin with a dot AND match the entire end of the rDNS name (e.g. .example.com would match 11.22.33.44.example.com). This logic exists to prevent a keyword like dynamic from matching 11.22.33.44.notdynamic.example.com.
>
> Well, it is not good really. I know that working correctly with wildcards is not easy in C, unlike Perl, but it would be very good to use a file like
>
> .*dynamic.*
> .dynamic*.*
> .broadband*.*
> .*broadband.*
> .*cable.*
> .cable*.*
> .*pppoe.*
> .pppoe*.*
>
> Or else we will read logs for full days to find out all possible home-dynamic-cable-broadband providers all over the world...
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
In order for the keyword filter to block connections, spamdyke must find the keyword and the entire IP address in the rDNS name. The two examples you gave don't appear to contain whole IP addresses. Also, the second example contains the keyword cablelink, not cable; spamdyke will not match keywords within other text.

-- Sam Clippinger

Erald Troja wrote:
> Hello Folks,
>
> We are slowly building up on the many swiss army knife features that Spamdyke offers. One of them is the ip-in-rdns-keyword-blacklist-entry feature
> http://spamdyke.org/documentation/README.html#RDNS
>
> In essence, we notice many, next to say almost all, connections connecting to port 25 of our servers with the keyword 'cable' are of SPAMMY nature and we'd like to stop them.
>
> So, we have Spamdyke configured with
> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file
> and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file with one line containing just the keyword
> cable
>
> We do notice logging of a handful of connections, yet for example
> DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
> DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net
> are Graylisted instead of being denied connectivity.
>
> Can anyone pass along some documentation on Spamdyke + keyword processing?
>
> Thanks.
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Sam,

thanks. Seems I've misunderstood how that feature works.

Is there another feature of Spamdyke which we can use to blacklist only on reverse DNS keywords, without having to define IPs to match? Thus, we want to skip connecting to a mail server so long as their rDNS resolves to something that includes one of our 'banned keywords'.

Thanks.

Erald Troja

Sam Clippinger wrote:
> In order for the keyword filter to block connections, spamdyke must find the keyword and the entire IP address in the rDNS name. The two examples you gave don't appear to contain whole IP addresses. Also, the second example contains the keyword cablelink, not cable; spamdyke will not match keywords within other text.
>
> -- Sam Clippinger
>
> Erald Troja wrote:
>> Hello Folks,
>>
>> We are slowly building up on the many swiss army knife features that Spamdyke offers. One of them is the ip-in-rdns-keyword-blacklist-entry feature
>> http://spamdyke.org/documentation/README.html#RDNS
>>
>> In essence, we notice many, next to say almost all, connections connecting to port 25 of our servers with the keyword 'cable' are of SPAMMY nature and we'd like to stop them.
>>
>> So, we have Spamdyke configured with
>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>> and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file with one line containing just the keyword
>> cable
>>
>> We do notice logging of a handful of connections, yet for example
>> DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
>> DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net
>> are Graylisted instead of being denied connectivity.
>>
>> Can anyone pass along some documentation on Spamdyke + keyword processing?
>>
>> Thanks.
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Sam, I'm reading your reply again, and perhaps I misunderstood what you're saying.

Here's the entry log for one of the rDNS's I'd like to reject the connection for.

  Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
  Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)

As you will see, there is an IP address for their rDNS.

Are you saying that the ip-in-rdns-keyword-blacklist-entry file should also contain the IP address of the originating connection, or, as long as their IP resolves to a numeric address, all that is necessary is to have the keyword in the ip-in-rdns-keyword-blacklist-entry?

Can anyone clarify this please?

Erald Troja

Sam Clippinger wrote:
> In order for the keyword filter to block connections, spamdyke must find the keyword and the entire IP address in the rDNS name. The two examples you gave don't appear to contain whole IP addresses. Also, the second example contains the keyword cablelink, not cable; spamdyke will not match keywords within other text.
>
> -- Sam Clippinger
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Sam/others,

I've re-read the documentation for this feature over and over, and as far as I can understand we've done all possible to stop the following.

Here's an entry log from a SPAMMER's address we'd like to reject via the ip-in-rdns-keyword-blacklist-entry feature.

  Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: (unknown)

Our ip-in-rdns-keyword-blacklist-entry referenced file contains the following:

  cable .cable.ntl.com .ntl.com cable .ntl.com

Seems none of the 4 potential keyword entries we're providing is matching the above host name. The hostname should be rejected with DENIED_IP_IN_RDNS rather than DENIED_GRAYLISTED.

What are we doing wrong? Or is this an undiscovered bug?

Thanks.

Erald Troja

Erald Troja wrote:
> Sam, I'm reading your reply again, and perhaps I misunderstood what you're saying.
>
> Here's the entry log for one of the rDNS's I'd like to reject the connection for.
>
>   Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>   Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>
> As you will see, there is an IP address for their rDNS.
>
> Are you saying that the ip-in-rdns-keyword-blacklist-entry file should also contain the IP address of the originating connection, or, as long as their IP resolves to a numeric address, all that is necessary is to have the keyword in the ip-in-rdns-keyword-blacklist-entry?
>
> Can anyone clarify this please?
>
> Erald Troja
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Davide, no go.

Other host names containing the 'cable' keyword, such as 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk, are properly being rejected with the right error message.

Erald Troja

Davide D'Amico wrote:
> Please try with:
>
>   *.cable.*
>
> d.
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
From Sam's earlier post - spamdyke must find the keyword and the entire IP address in the rDNS name.

77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk does contain the IP address (i.e. 77.96.122.40), while the rDNS name cpc1-west2-0-0-cust857.brnt.cable.ntl.com does not include a complete IP address, so it is not filtered.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erald Troja
Sent: Monday, October 13, 2008 1:01 PM
To: spamdyke users
Subject: Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option

Davide, no go.

Other host names containing the 'cable' keyword, such as 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk, are properly being rejected with the right error message.

Erald Troja
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Maybe it's just the particular order spamdyke is running the filters? I would try to set the blacklist-ip by IP range, if it catches before the Greylist.

Look at the FAQ which says the following:

  Does spamdyke run its filters in any particular order?

  Yes. spamdyke evaluates its filters in the following order (of course a filter is skipped if it's disabled):

    Check if mail is being accepted or filtered at all
    Check for an rDNS name
    Check for an IP address in a country code rDNS name
    Check for an rDNS whitelist entry
    Check for an rDNS blacklist entry
    Check for an IP whitelist entry
    Check for an IP blacklist entry
    *Check for an IP address and keyword in the rDNS name*
    Check if the rDNS name resolves
    Check DNS whitelists
    Check right-hand-side whitelists
    Check DNS RBLs
    Check right-hand-side blacklists
    Check for earlytalkers

  The intent is to order the filters from least-to-most expensive, so connections will be rejected as quickly as possible. In a typical setup, DNS queries are more expensive than file searches, pattern matching is more expensive than simply checking for a file's existence, etc.

  The remaining filters are all checked during the SMTP conversation.

    Limit the number of recipients
    Block unqualified recipient addresses
    Block relaying from unauthorized remote hosts
    Check for sender's domain MX record
    *Graylisting*
    Check sender whitelists
    Check sender blacklists
    Check right-hand-side whitelists for the sender's domain name
    Check right-hand-side blacklists for the sender's domain name
    Check recipient whitelists
    Check recipient blacklists

Erald Troja wrote:
> Davide, no go.
>
> Other host names containing the 'cable' keyword, such as 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk, are properly being rejected with the right error message.
>
> Erald Troja
>
> Davide D'Amico wrote:
>> Please try with:
>>
>>   *.cable.*
>>
>> d.
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Tim, well understood now.

Being some reverse DNS is not set up to allow Spamdyke to filter, what's the next option one would try to ban such malicious connections? Obviously not every DNS admin is neat enough to go via the xxx.xxx.xxx.xxx.domainname.tld convention of setting up rDNS host names.

Thanks.

Erald Troja

Tim Mancour wrote:
> From Sam's earlier post - spamdyke must find the keyword and the entire IP address in the rDNS name.
>
> 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk does contain the IP address (i.e. 77.96.122.40), while the rDNS name cpc1-west2-0-0-cust857.brnt.cable.ntl.com does not include a complete IP address, so it is not filtered.
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
In order to block this connection with the ip-in-rdns filter, the IP address must appear in the rDNS name. In this case, the rDNS name does not contain the text 80.6.107.90 or 80-6-107-90 or 080006107090 or any of the other formats spamdyke searches for. That's why the filter won't trigger, no matter what keywords you put in the file.

What you need is a filter that will block connections based on finding arbitrary keywords in the rDNS name, which is a feature spamdyke does not provide. I've considered adding it in the past but I believe it would cause more problems than it solved. For instance, blocking cable would stop residential cable modems but it would also stop legitimatesender.staticip.cable.example.com. I think you'd spend more time troubleshooting false positives than you would save by using the filter.

In your case, if you want to block all connections ending in cable.ntl.com, simply add the following entry to your rDNS blacklist:

  .cable.ntl.com

-- Sam Clippinger

Erald Troja wrote:
> Sam/others,
>
> I've re-read the documentation for this feature over and over, and as far as I can understand we've done all possible to stop the following.
>
> Here's an entry log from a SPAMMER's address we'd like to reject via the ip-in-rdns-keyword-blacklist-entry feature.
>
>   Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: (unknown)
>
> Our ip-in-rdns-keyword-blacklist-entry referenced file contains the following:
>
>   cable .cable.ntl.com .ntl.com cable .ntl.com
>
> Seems none of the 4 potential keyword entries we're providing is matching the above host name. The hostname should be rejected with DENIED_IP_IN_RDNS rather than DENIED_GRAYLISTED.
>
> What are we doing wrong? Or is this an undiscovered bug?
>
> Thanks.
>
> Erald Troja
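As an added example (my own script, not code from any message in this thread and not spamdyke's own code), the following Python models the two checks discussed above, the ip-in-rdns keyword filter and the rDNS blacklist, runs them in the order the FAQ excerpt earlier in the thread gives (rDNS blacklist before IP-plus-keyword), and replays constructed log lines through them so an admin can preview what a planned configuration would have rejected. Assumptions, labelled in the code as well: only the three IP encodings Sam names are modelled (spamdyke searches for more), a keyword is taken to match only as a whole '.'- or '-'-delimited label, the rDNS list entry semantics follow the .cable.ntl.com example, and the verdict label DENIED_RDNS_BLACKLIST is made up for this script; the sample log lines and e-mail addresses are constructed.

```python
import ipaddress
import re

# Constructed sample data, built from the host names and log lines quoted in
# this thread; the e-mail addresses are placeholders.
KEYWORDS = ["cable"]                 # contents of the keyword blacklist file
RDNS_BLACKLIST = [".cable.ntl.com"]  # the rDNS blacklist entry Sam suggests

SAMPLE_LOG = [
    "Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: sender@example.org to: user@example.net "
    "origin_ip: 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: (unknown)",
    "Oct 13 12:46:02 mail02 spamdyke[12402]: DENIED_GRAYLISTED from: sender@example.org to: user@example.net "
    "origin_ip: 77.96.122.40 origin_rdns: 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk auth: (unknown)",
    "Oct 13 12:47:19 mail02 spamdyke[12403]: DENIED_GRAYLISTED from: sender@example.org to: user@example.net "
    "origin_ip: 192.0.2.10 origin_rdns: legitimatesender.staticip.cable.example.com auth: (unknown)",
]

LOG_RE = re.compile(r"origin_ip: (\S+) origin_rdns: (\S+)")


def ip_forms(ip):
    """Textual encodings of an IPv4 address looked for inside an rDNS name.
    Assumption: only the three forms Sam names (dotted, dashed, zero-padded and
    concatenated) are modelled; spamdyke itself searches for more."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return {".".join(octets), "-".join(octets), "".join(o.zfill(3) for o in octets)}


def contains_whole_ip(rdns, ip):
    """True when the complete address appears in the name in one of the forms above."""
    rdns = rdns.lower()
    return any(form in rdns for form in ip_forms(ip))


def contains_keyword(rdns, keywords):
    """A keyword must stand on its own between '.' or '-' delimiters, so
    'cablelink' does not match 'cable'. (Assumption: this is how 'will not
    match keywords within other text' is modelled here.)"""
    labels = re.split(r"[.-]", rdns.lower())
    return any(k.strip().lower() in labels for k in keywords if k.strip())


def ip_in_rdns_keyword_match(rdns, ip, keywords=KEYWORDS):
    """Both conditions of the ip-in-rdns keyword filter must hold."""
    return contains_whole_ip(rdns, ip) and contains_keyword(rdns, keywords)


def rdns_list_match(rdns, entries):
    """rDNS list entry: a name starting with '.' matches the end of the rDNS
    name, any other entry must equal the whole name (assumption, following the
    .cable.ntl.com example in the thread)."""
    rdns = rdns.lower()
    for entry in (e.strip().lower() for e in entries):
        if not entry:
            continue
        if entry.startswith("."):
            if rdns.endswith(entry):
                return True
        elif rdns == entry:
            return True
    return False


def evaluate(rdns, ip, keywords=KEYWORDS, blacklist=RDNS_BLACKLIST):
    """Run the two connection-time checks in the order the FAQ lists them
    (rDNS blacklist before IP+keyword) and return the first verdict.
    DENIED_RDNS_BLACKLIST is a constructed label, not spamdyke's log text;
    CONTINUE means the connection goes on to later filters such as graylisting."""
    if rdns_list_match(rdns, blacklist):
        return "DENIED_RDNS_BLACKLIST"
    if ip_in_rdns_keyword_match(rdns, ip, keywords):
        return "DENIED_IP_IN_RDNS"
    return "CONTINUE"


def parse_log_line(line):
    """Pull origin_ip and origin_rdns out of a spamdyke log line."""
    m = LOG_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def preview(lines, keywords=KEYWORDS, blacklist=RDNS_BLACKLIST):
    """Replay logged connections against a planned configuration, so the
    false-positive risk Sam describes can be reviewed before going live."""
    results = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            ip, rdns = parsed
            results.append((rdns, evaluate(rdns, ip, keywords, blacklist)))
    return results


if __name__ == "__main__":
    for rdns, verdict in preview(SAMPLE_LOG):
        print(f"{verdict:24} {rdns}")
```

Running it against the constructed log shows the ntl.com host caught by the .cable.ntl.com blacklist entry, the blueyonder host caught by the keyword filter because its name carries the whole address as 77-96-122-40, and legitimatesender.staticip.cable.example.com passing both checks, which is exactly the false positive a bare keyword filter would have produced.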
Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Sam, understood.

Thanks to Tim and you I am now aware of how this mechanism works.

Erald Troja

Sam Clippinger wrote:
> In order to block this connection with the ip-in-rdns filter, the IP address must appear in the rDNS name. In this case, the rDNS name does not contain the text 80.6.107.90 or 80-6-107-90 or 080006107090 or any of the other formats spamdyke searches for. That's why the filter won't trigger, no matter what keywords you put in the file.
>
> What you need is a filter that will block connections based on finding arbitrary keywords in the rDNS name, which is a feature spamdyke does not provide. I've considered adding it in the past but I believe it would cause more problems than it solved. For instance, blocking cable would stop residential cable modems but it would also stop legitimatesender.staticip.cable.example.com. I think you'd spend more time troubleshooting false positives than you would save by using the filter.
>
> In your case, if you want to block all connections ending in cable.ntl.com, simply add the following entry to your rDNS blacklist:
>
>   .cable.ntl.com
>
> -- Sam Clippinger
[spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry option
Hello Folks,

We are slowly building up on the many Swiss army knife features that Spamdyke offers. One of them is the ip-in-rdns-keyword-blacklist-entry feature:
http://spamdyke.org/documentation/README.html#RDNS

In essence, we notice many, next to say almost all, connections connecting to port 25 of our servers with the keyword 'cable' are of SPAMMY nature and we'd like to stop them.

So, we have Spamdyke configured with

  ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file

and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file with one line containing just the keyword

  cable

We do notice logging of a handful of connections, yet for example

  DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
  DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net

are Graylisted instead of being denied connectivity.

Can anyone pass along some documentation on Spamdyke + keyword processing?

Thanks.

-- Erald Troja