Re: rules for IP addresses without reverse DNS records?

2006-03-20 Thread Jeremy Fairbrass
Correct me if I'm wrong, but would a rule like the following one of mine not 
do the trick regardless of how the MTA writes the Received header, and be 
less prone (actually not prone at all) to spoofing?

header   JF_NO_PTR  X-Spam-Relays-Untrusted =~ /^\[ ip=[^ ]* rdns= helo=/
describe JF_NO_PTR  No reverse lookup for sender IP in X-Spam-Relays-Untrusted
score    JF_NO_PTR  0.5

It's simply searching for a blank "rdns=" string (without quotes of course) 
in the X-Spam-Relays-Untrusted pseudoheader. It should only search the very 
first line in this pseudoheader, i.e. the one that relates to the most recent 
untrusted relay as per http://wiki.apache.org/spamassassin/TrustedRelays.

I'm guessing, from what I've learnt at 
http://wiki.apache.org/spamassassin/TrustedRelays, that a blank "rdns=" 
string, i.e. followed directly by a space, indicates a lack of a PTR record?

The reason why I think this would be better than searching within the 
Received header, is that in theory the info in an older Received header 
could be spoofed by the spammer so that it includes the name of your MTA. 
Perhaps this is unlikely, I dunno, but at least using 
X-Spam-Relays-Untrusted means you don't have that risk at all, right??!

Can anyone see any exceptions or issues with doing it this way?

Cheers,
Jeremy


"Matthias Fuhrmann" <[EMAIL PROTECTED]> wrote in 
message 
news:[EMAIL PROTECTED]
> On Sat, 18 Mar 2006, Dave Augustus wrote:
>
>>
>> Anyone point me in the right direction?
>>
>> I am just thinking of increasing the spam level counter based on whether
>> they have a reverse IP address. I have tried to reject these outright
>> based on this criteria but that would cause too many false positives.
>
> this thread will help you:
> http://www.gossamer-threads.com/lists/spamassassin/users/11783?search_string=Reverse%20DNS%20Check;#11783
>
> just have a look at the rule named:  MY_NO_PTR
>
> regards,
> Matthias 
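To see what Jeremy's pattern actually matches, here is an added example (not code from the thread or from SpamAssassin) that runs the JF_NO_PTR regex against constructed X-Spam-Relays-Untrusted values and parses the pseudoheader to show which relay lacks rDNS. It assumes the field layout SpamAssassin emits (one "[ ip=... rdns=... helo=... ]" group per relay, most recent untrusted relay first); the addresses and host names are constructed.

```python
import re

# Added example (not from the thread): runs Jeremy's JF_NO_PTR pattern
# against constructed X-Spam-Relays-Untrusted values and parses the
# pseudoheader to show which relay the match refers to.  The field layout
# assumed here is the one SpamAssassin emits: one "[ ... ]" group per
# relay, most recent untrusted relay first.
JF_NO_PTR = re.compile(r"^\[ ip=[^ ]* rdns= helo=")
RELAY_RE = re.compile(r"\[ (.*?) \]")


def parse_relays(pseudoheader):
    """Split the pseudoheader into one dict per relay, most recent first."""
    relays = []
    for body in RELAY_RE.findall(pseudoheader):
        fields = {}
        for token in body.split(" "):
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays


def jf_no_ptr_hits(pseudoheader):
    """True when the rule fires: the most recent untrusted relay has no rDNS."""
    return JF_NO_PTR.search(pseudoheader) is not None


def relays_without_rdns(pseudoheader):
    """IPs of every untrusted relay with an empty rdns= field, for comparison."""
    return [r["ip"] for r in parse_relays(pseudoheader) if r.get("rdns", "") == ""]


# Constructed samples using TEST-NET addresses.
NO_PTR = ("[ ip=192.0.2.10 rdns= helo=mail.example.net by=mx.example.org "
          "ident= envfrom= intl=0 id=AAA auth= msa=0 ]")
OLDER_HOP_NO_PTR = (
    "[ ip=192.0.2.20 rdns=relay.example.com helo=relay.example.com "
    "by=mx.example.org ident= envfrom= intl=0 id=BBB auth= msa=0 ] "
    "[ ip=192.0.2.30 rdns= helo=[192.0.2.30] by=relay.example.com "
    "ident= envfrom= intl=0 id=CCC auth= msa=0 ]")

if __name__ == "__main__":
    for name, value in (("NO_PTR", NO_PTR), ("OLDER_HOP_NO_PTR", OLDER_HOP_NO_PTR)):
        print(name, "rule hits:", jf_no_ptr_hits(value),
              "relays lacking rdns:", relays_without_rdns(value))
```

The second sample shows the ^ anchor doing its job: an older hop without rDNS does not trigger the rule, only the most recent untrusted relay does.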





RE: rules for IP addresses without reverse DNS records?

2006-03-18 Thread Herb Martin
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED] 
> 
> I had the same problem. I wound up implementing 
> milter-greylist in a way that
> greylists these hosts, but lets most systems past. I'm not 
> sure if you're using
> sendmail or not, but I found this VERY helpful.
> 

I do something similar -- and using Exim to run the
greylist test I add a header for each of these criteria
which can cause greylisting.

So it is possible to either write a rule against
these added headers (when later SA checks the emails
that pass greylisting) or perhaps just consider that
these will count in the Bayes weight.

--
Herb Martin



Re: rules for IP addresses without reverse DNS records?

2006-03-18 Thread Matt Kettler
mouss wrote:
> Matt Kettler a écrit :
>> I had the same problem. I wound up implementing milter-greylist in a way that
>> greylists these hosts, but lets most systems past. I'm not sure if you're 
>> using
>> sendmail or not, but I found this VERY helpful.
>>
>> The selective greylisting is possible due to milter-greylist's use of ACLs, 
>> and
>> a configurable default action. Most folks whitelist certain hosts, and use a
>> default of greylist. I do the opposite. I greylist selected patterns, then
>> whitelist the rest.
> 
> You can also greylist and/or greetpause hosts with a hostname that looks
> dynamic. I find this safer than using a dul list. you can also restrict
> dul lookup to hosts that look dynamic (which is helpful in the case of
> sorbs duhl, which lists static IPs).

Yes, I do that too.

I greylist:
no RDNS
RDNS looks dynamic
IP in APNIC
IP in LACNIC
RDNS ends in selected country codes
"troublesome" IP blocks that can't be blacklisted due to
containing some legitimate mail sources.


See:
http://xanadu.evi-inc.com/greylist.conf.censored

Note: I censored out a lot of semi-sensitive stuff, such as whitelists based on
business relationships, spamtrap addresses, etc with X's.

(I'll probably pull that file down after a few days, so if you really want to
look at it, do so now)






Re: rules for IP addresses without reverse DNS records?

2006-03-18 Thread mouss
Matt Kettler a écrit :
> I had the same problem. I wound up implementing milter-greylist in a way that
> greylists these hosts, but lets most systems past. I'm not sure if you're 
> using
> sendmail or not, but I found this VERY helpful.
> 
> The selective greylisting is possible due to milter-greylist's use of ACLs, 
> and
> a configurable default action. Most folks whitelist certain hosts, and use a
> default of greylist. I do the opposite. I greylist selected patterns, then
> whitelist the rest.

You can also greylist and/or greetpause hosts with a hostname that looks
dynamic. I find this safer than using a dul list. you can also restrict
dul lookup to hosts that look dynamic (which is helpful in the case of
sorbs duhl, which lists static IPs).



Re: rules for IP addresses without reverse DNS records?

2006-03-18 Thread Matt Kettler
Dave Augustus wrote:
> Anyone point me in the right direction?
> 
> I am just thinking of increasing the spam level counter based on whether
> they have a reverse IP address. I have tried to reject these outright
> based on this criteria but that would cause too many false positives.

Slightly OT, as I don't have a SA based solution off the top of my head:


I had the same problem. I wound up implementing milter-greylist in a way that
greylists these hosts, but lets most systems past. I'm not sure if you're using
sendmail or not, but I found this VERY helpful.

The selective greylisting is possible due to milter-greylist's use of ACLs, and
a configurable default action. Most folks whitelist certain hosts, and use a
default of greylist. I do the opposite. I greylist selected patterns, then
whitelist the rest.

This simple bit of milter-greylist config will do it:

# enable posix extended regex syntax instead of posix basic syntax
extendedregex

#greylist unresolvable hosts
acl greylist domain /\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/

# set a default to whitelist anything not greylisted
acl whitelist default


I also find it helpful to start off whitelisting all my servers and clients,
then follow up with a greylist of anything with an envelope from of my domain.
This knocks down a lot of viruses. Since milter-greylist applies its ACLs in
order, you can do white-grey-default white.


If anyone wants to see my config I can post it up somewhere (with the whitelist
bits censored out)
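As an added example (not milter-greylist's code), the following emulates a first-match walk over an ACL list shaped like the config above, so the "white, grey, default white" ordering can be checked against a few constructed SMTP sessions. The matching predicates, the 192.0.2.0/24 "own servers" range and the example.org "own domain" are assumptions of this example; milter-greylist's own ACL syntax differs.

```python
import re

# Added example (not milter-greylist's code): a minimal first-match walk
# over an ACL list shaped like the config in the post above, to check the
# "white, grey, default white" ordering.  The matching semantics here are
# an assumption of this example; milter-greylist's own syntax differs.

# With sendmail, a client without a PTR record is presented as its
# bracketed IP, which is what the post's "domain" regex catches.
NO_RDNS = re.compile(r"\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]")

# (action, session field, predicate) evaluated top to bottom; first match wins.
# 192.0.2.0/24 and example.org are constructed stand-ins for "my servers"
# and "my domain".
ACLS = [
    ("whitelist", "addr",   lambda v: v.startswith("192.0.2.")),
    ("greylist",  "from",   lambda v: v.lower().endswith("@example.org")),
    ("greylist",  "domain", lambda v: NO_RDNS.search(v) is not None),
    ("whitelist", None,     lambda v: True),   # acl whitelist default
]


def decide(session):
    """Return the action for one SMTP session: addr, domain (rDNS), from."""
    for action, field, predicate in ACLS:
        if predicate(session[field] if field else ""):
            return action
    raise AssertionError("unreachable: the default ACL matches everything")


# Constructed sessions (TEST-NET addresses, example.* names).
SESSIONS = {
    # own server, even without rDNS, must hit the whitelist first
    "own_host_no_rdns":  {"addr": "192.0.2.5", "domain": "[192.0.2.5]", "from": "a@example.org"},
    # outside host using my domain in envelope-from: greylisted
    "outside_own_domain": {"addr": "198.51.100.7", "domain": "host7.example.net", "from": "b@example.org"},
    # outside host with no PTR: greylisted
    "outside_no_rdns":   {"addr": "203.0.113.9", "domain": "[203.0.113.9]", "from": "c@example.com"},
    # ordinary outside host with rDNS: falls through to the default
    "outside_with_rdns": {"addr": "203.0.113.10", "domain": "mx.example.com", "from": "d@example.com"},
}


def decide_all():
    """Map each constructed session name to the ACL action it receives."""
    return {name: decide(s) for name, s in SESSIONS.items()}
```

Swapping the first two ACLs would greylist your own hosts whenever they send mail from your domain, which is the ordering point the post makes.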


Re: rules for IP addresses without reverse DNS records?

2006-03-18 Thread Matthias Fuhrmann
On Sat, 18 Mar 2006, Dave Augustus wrote:

>
> Anyone point me in the right direction?
>
> I am just thinking of increasing the spam level counter based on whether
> they have a reverse IP address. I have tried to reject these outright
> based on this criteria but that would cause too many false positives.

this thread will help you:
http://www.gossamer-threads.com/lists/spamassassin/users/11783?search_string=Reverse%20DNS%20Check;#11783

just have a look at the rule named:  MY_NO_PTR

regards,
Matthias


rules for IP addresses without reverse DNS records?

2006-03-18 Thread Dave Augustus
Anyone point me in the right direction?

I am just thinking of increasing the spam level counter based on
whether they have a reverse IP address. I have tried to reject these
outright based on this criteria but that would cause too many false
positives.

I am already using a lot of rules via rules_du_jour.

Thanks,
Dave