Maybe it's just the particular order spamdyke is running the filters?
I would try to set the blacklist-ip by IP-Range, if it catches before the Greylist.

Look at the FAQ which says the following:


   Does spamdyke run its filters in any particular order?

Yes. spamdyke evaluates its filters in the following order (of course a filter is skipped if it's disabled):

- Check if mail is being accepted or filtered at all
- Check for an rDNS name
- Check for an IP address in a country code rDNS name
- Check for an rDNS whitelist entry
- Check for an rDNS blacklist entry
- Check for an IP whitelist entry
- Check for an IP blacklist entry
- *Check for an IP address and keyword in the rDNS name*
- Check if the rDNS name resolves
- Check DNS whitelists
- Check right-hand-side whitelists
- Check DNS RBLs
- Check right-hand-side blacklists
- Check for earlytalkers

The intent is to order the filters from least-to-most expensive, so connections will be rejected as quickly as possible. In a typical setup, DNS queries are more expensive than file searches, pattern matching is more expensive than simply checking for a file's existence, etc.

The remaining filters are all checked during the SMTP conversation.

- Limit the number of recipients
- Block unqualified recipient addresses
- Block relaying from unauthorized remote hosts
- Check for sender's domain MX record
- *Graylisting*
- Check sender whitelists
- Check sender blacklists
- Check right-hand-side whitelists for the sender's domain name
- Check right-hand-side blacklists for the sender's domain name
- Check recipient whitelists
- Check recipient blacklists


Erald Troja wrote:
Davide,

no go.

Other host names containing 'cable' keyword such as
77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk are properly
being rejected with the right error message.


------------------------
Erald Troja


Davide D'Amico wrote:
Please try with:
*.cable.*


d.


2008/10/13 Erald Troja <[EMAIL PROTECTED]>:
Sam/others,

I've re-read the documentation for this feature over and over
and as far as I can understand we've done all possible to stop
the following.

Here's an entry log from a SPAMMER's address we'd like to reject via the
ip-in-rdns-keyword-blacklist-entry feature.

Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from:
[EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth:
(unknown)


our ip-in-rdns-keyword-blacklist-entry referenced file contains the
following


cable
.cable.ntl.com
.ntl.com
cable .ntl.com

Seems none of the 4 potential keyword entries we're providing
is matching the above host name.

The hostname should be rejected with DENIED_IP_IN_RDNS rather
than DENIED_GRAYLISTED


What are we doing wrong?  Or is this an undiscovered bug?

Thanks.



------------------------
Erald Troja


Erald Troja wrote:
Sam,

I'm reading your reply again, and perhaps I misunderstood what
you're saying.

Here's the entry log for one of the rDNS's I'd like to reject the
connection.


Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from:
[EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth:
(unknown)
Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from:
[EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39
origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)


As you will see, there is an IP address for their rDNS.

Are you saying that the ip-in-rdns-keyword-blacklist-entry file should
also contain the IP address of the originating connection, or as long as
their IP resolves to a numeric address, all is necessary to have is the
keyword in the ip-in-rdns-keyword-blacklist-entry ?

Can anyone clarify this please?



------------------------
Erald Troja

Sam Clippinger wrote:
In order for the keyword filter to block connections, spamdyke must
find the keyword and the entire IP address in the rDNS name.  The two
examples you gave don't appear to contain whole IP addresses.  Also,
the second example contains the keyword "cablelink", not "cable";
spamdyke will not match keywords within other text.

-- Sam Clippinger

Erald Troja wrote:
Hello Folks,

We are slowly building up on the many swiss army knife features
that Spamdyke offers.

One of them is the ip-in-rdns-keyword-blacklist-entry feature
http://spamdyke.org/documentation/README.html#RDNS

In essence, we notice many, next to say almost all connections
connecting to port 25 of our servers, with the keyword 'cable' are
of SPAMMY nature and we'd like to stop them.

So, we have Spamdyke configured with
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file


and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file

with one line containing just the keyword

cable


We do notice logging of a handful of connections yet for example


DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net


are Graylisted instead of being denied connectivity. Can anyone
pass along some documentation on Spamdyke + keyword processing?

Thanks.


_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
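
The matching rule Sam Clippinger describes above (the keyword and the entire IP address must both appear in the rDNS name, and a keyword is not matched inside other text), as an added example that is not part of the original thread and not spamdyke's own code. It is a simplified Python model: it only looks for decimal octets, treats keywords as plain words, and assumes the blueyonder host connected from 77.96.122.40, which the thread does not state.

```python
import re
from collections import Counter

def ip_in_rdns(ip, rdns):
    """True if every decimal octet of ip appears as a number in rdns."""
    need = Counter(int(o) for o in ip.split("."))
    have = Counter(int(n) for n in re.findall(r"\d+", rdns))
    return not (need - have)  # empty difference: all four octets were found

def keyword_in_rdns(keyword, rdns):
    """True if keyword appears as a whole word, not inside other text."""
    pattern = r"(?<![a-z0-9])" + re.escape(keyword.lower()) + r"(?![a-z0-9])"
    return re.search(pattern, rdns.lower()) is not None

def classify(ip, rdns, keywords):
    """Return 'DENIED_IP_IN_RDNS' if the modelled filter fires, else None."""
    if ip_in_rdns(ip, rdns) and any(keyword_in_rdns(k, rdns) for k in keywords):
        return "DENIED_IP_IN_RDNS"
    return None  # no match here: the connection moves on to later filters

# Host names quoted in the thread. The first IP is an assumption (see lead-in);
# the other two are the origin_ip values from the posted log lines.
SAMPLES = [
    ("77.96.122.40", "77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk"),
    ("80.6.107.90", "cpc1-west2-0-0-cust857.brnt.cable.ntl.com"),
    ("82.19.66.39", "cpc1-rdng9-0-0-cust550.winn.cable.ntl.com"),
]

if __name__ == "__main__":
    for ip, rdns in SAMPLES:
        print(ip, rdns, classify(ip, rdns, ["cable"]))
```

In this model the ntl.com hosts contain the keyword but not their own IP address, so the keyword filter never fires and the connections reach graylisting, which matches the DENIED_GRAYLISTED log lines in the thread.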
