This behavior is correct.  The "reject-ip-in-cc-rdns" option will only 
block a connection if it meets two criteria:
    1) The IP address must be part of the rDNS name.
    2) The rDNS name must end in a two-character country code.
That's why you're seeing some connections being blocked -- their rDNS 
names end in country codes like ".tr", ".md" and ".ar".

Other connections are not being blocked because their rDNS names don't 
end in country codes.  Instead, they use three-character TLDs like 
".com" and ".net".  If you want to block those connections as well, use 
the "ip-in-rdns-keyword-file" option and put ".com" and ".net" in the 
keyword file.

-- Sam Clippinger

Marcin Orlowski wrote:
> Hi,
>
> I am running the latest spamdyke on a couple of boxes with just a plain
> config like:
>
> log-level=2
> reject-empty-rdns
> reject-unresolvable-rdns
> reject-ip-in-cc-rdns
> greeting-delay-secs=5
>
> but when I check the logs I see that DENIED_IP_IN_CC_RDNS does
> not work as expected. At the same time I see entries like:
>
> Apr 22 00:53:12 b1 spamdyke[24736]: DENIED_IP_IN_CC_RDNS from: 
> [EMAIL PROTECTED] to: XXXXXX origin_ip: 
> 85.107.109.226 origin_rdns: dsl85-107-28130.ttnet.net.tr auth: (unknown)
> Apr 22 00:53:12 b1 spamdyke[24732]: DENIED_IP_IN_CC_RDNS from: 
> [EMAIL PROTECTED] to: XXXXXX origin_ip: 87.248.169.195 
> origin_rdns: 87-248-169-195.starnet.md auth: (unknown)
> Apr 22 00:53:27 b1 spamdyke[24738]: DENIED_IP_IN_CC_RDNS from: 
> [EMAIL PROTECTED] to: XXXXXX origin_ip: 190.55.105.219 origin_rdns: 
> cpe-190-55-105-219.telecentro.com.ar auth: (unknown)
> Apr 22 00:53:29 b1 spamdyke[24740]: DENIED_IP_IN_CC_RDNS from: 
> [EMAIL PROTECTED] to: XXXXXX origin_ip: 190.173.222.12 origin_rdns: 
> 190-173-222-12.speedy.com.ar auth: (unknown)
> Apr 22 00:53:52 b1 spamdyke[24743]: DENIED_IP_IN_CC_RDNS from: 
> [EMAIL PROTECTED] to: XXXXXX origin_ip: 190.55.105.219 origin_rdns: 
> cpe-190-55-105-219.telecentro.com.ar auth: (unknown)
>
> but also these:
>
> Apr 22 00:51:30 b1 spamdyke[23611]: ALLOWED from: [EMAIL PROTECTED] to: 
> XXXXXX  origin_ip: 68.38.167.167 origin_rdns: 
> c-68-38-167-167.hsd1.nj.comcast.net auth: (unknown)
> Apr 22 00:51:31 b1 spamdyke[23612]: ALLOWED from: [EMAIL PROTECTED] 
> to: XXXXXX  origin_ip: 65.83.199.240 origin_rdns: 
> adsl-83-199-240.asm.bellsouth.net auth: (unknown)
> Apr 22 00:51:39 b1 spamdyke[23742]: ALLOWED from: [EMAIL PROTECTED] 
> to: XXXXXX  origin_ip: 64.237.158.67 origin_rdns: 
> adsl-64-237-158-67.prtc.net auth: (unknown)
> Apr 22 00:51:42 b1 spamdyke[23744]: ALLOWED from: (unknown) to: XXXXXX 
>   origin_ip: 146.82.152.68 origin_rdns: mman.smacek.com auth: (unknown)
> Apr 22 00:52:21 b1 spamdyke[23999]: ALLOWED from: 
> [EMAIL PROTECTED] to: XXXXXX origin_ip: 
> 72.82.207.15 origin_rdns: pool-72-82-207-15.cmdnnj.east.verizon.net 
> auth: (unknown)
>
> which, to my understanding, should already be trapped in 
> DENIED_IP_IN_CC_RDNS but passed. It looks as if spamdyke gets fooled 
> sometimes when, perhaps, there is a letter prefix with a dash prior to the IP 
> in the rDNS? Bug or feature?
>
> Thanks,
> Marcin
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>   
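
The two criteria from the reply, applied to the origin_ip/origin_rdns pairs in the quoted log. This is an added example, not spamdyke's code and not part of either message. The IP-matching heuristic (two adjacent octets appearing as adjacent digit groups), the suffix matching of keywords, and the DENIED_BY_KEYWORD label are assumptions made for illustration.

```python
import re

def ip_in_rdns(ip, rdns):
    """Assumed heuristic, not spamdyke's matcher: two adjacent octets of the
    IP appear as adjacent digit groups in the name, forward or reversed."""
    octets = [str(int(o)) for o in ip.split(".")]
    groups = [str(int(g)) for g in re.findall(r"\d+", rdns)]
    for seq in (octets, octets[::-1]):
        for i in range(len(seq) - 1):
            pair = seq[i:i + 2]
            if any(groups[j:j + 2] == pair for j in range(len(groups) - 1)):
                return True
    return False

def ends_in_country_code(rdns):
    """Criterion 2: the last label is a two-character country code."""
    tld = rdns.rstrip(".").rsplit(".", 1)[-1]
    return len(tld) == 2 and tld.isalpha()

def classify(ip, rdns, keywords=()):
    """keywords models the contents of the keyword file (assumed suffix match)."""
    name = rdns.lower().rstrip(".")
    if not ip_in_rdns(ip, name):
        return "ALLOWED"
    if ends_in_country_code(name):
        return "DENIED_IP_IN_CC_RDNS"
    if any(name.endswith(k) for k in keywords):
        return "DENIED_BY_KEYWORD"  # placeholder label, not a spamdyke log code
    return "ALLOWED"

# (origin_ip, origin_rdns) pairs copied from the log lines quoted above
SAMPLES = [
    ("85.107.109.226", "dsl85-107-28130.ttnet.net.tr"),
    ("87.248.169.195", "87-248-169-195.starnet.md"),
    ("190.55.105.219", "cpe-190-55-105-219.telecentro.com.ar"),
    ("68.38.167.167", "c-68-38-167-167.hsd1.nj.comcast.net"),
    ("65.83.199.240", "adsl-83-199-240.asm.bellsouth.net"),
    ("146.82.152.68", "mman.smacek.com"),
    ("72.82.207.15", "pool-72-82-207-15.cmdnnj.east.verizon.net"),
]

if __name__ == "__main__":
    for ip, rdns in SAMPLES:
        # First column: country-code rule only; second: with ".com"/".net" keywords
        print(f"{classify(ip, rdns):22} {classify(ip, rdns, ('.com', '.net')):22} {rdns}")
```

mman.smacek.com stays allowed in both columns because its name contains no part of the IP address, so the ".com" keyword alone does not block it.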