Thanks Sam

>You're right about the first one (164.177.131.207) -- the rDNS name exists, so 
>the "reject-empty-rdns" filter doesn't stop it.  But the rDNS name doesn't 
>have an A record, so the "reject-unresolvable-rdns" filter blocks it.  Unless 
>I'm missing something, this is how those filters are supposed to work.
Good, that was a sanity check really.

>From my testing, the second example you gave (38.127.167.2) seems to work.  
>spamdyke chases down the CNAME correctly and finds "rodan.lastpass.com".  That 
>name has an A record, so it should work.  Was that scenario a one-time 
>rejection or does it happen every time?
Yes, this fails every time; I had to whitelist the server to get the messages 
through.

I'll continue to test...

Regards Lawrence
On 4 Feb 2014, at 18:03, Sam Clippinger <s...@silence.org> wrote:

> You're right about the first one (164.177.131.207) -- the rDNS name exists, 
> so the "reject-empty-rdns" filter doesn't stop it.  But the rDNS name doesn't 
> have an A record, so the "reject-unresolvable-rdns" filter blocks it.  Unless 
> I'm missing something, this is how those filters are supposed to work.
> 
> From my testing, the second example you gave (38.127.167.2) seems to work.  
> spamdyke chases down the CNAME correctly and finds "rodan.lastpass.com".  
> That name has an A record, so it should work.  Was that scenario a one-time 
> rejection or does it happen every time?
> 
> If you want an easy way to see exactly what spamdyke's doing, you can run 
> these tests from the command line without having to wait for those servers to 
> reconnect.  First, recompile spamdyke with excessive output:
>       ./configure --with-excessive-output
>       make
> (You don't have to install the new binary, you can just run it where it is.)  
> Then, set your IP address to the one you want to test (assuming a bash shell 
> here):
>       export TCPREMOTEIP=164.177.131.207
> Then start the recompiled spamdyke from the command line.  It'll do all of 
> its rDNS lookups before it expects any input, so you can just hit CTRL-C when 
> you see the "220" greeting from qmail:
>       ./spamdyke --log-target stderr -lexcessive -r -R /var/qmail/bin/qmail-smtpd
> 
> Most of the output will be from the DNS code -- you should be able to see 
> exactly what packets spamdyke sends to which nameservers and what the 
> responses are.
> 
> -- Sam Clippinger
> 
> 
> 
> 
> On Feb 3, 2014, at 7:09 AM, Lawrence <spamdyke.ad...@freeman.me.uk> wrote:
> 
>> Gents.
>> I have also been troubleshooting a couple of legitimate hosts that are being 
>> blocked.
>> 
>> Just to clarify my process can I test the following with the group?
>> 
>> Scenario A
>> I think this is a valid denied.
>> 
>> LOG section:
>> Jan 28 12:01:35 flobix spamdyke[1841]: FILTER_RDNS_RESOLVE ip: 
>> 164.177.131.207 rdns: 398878-prod-batch01.oyster.tfl.gov.uk
>> Jan 28 12:01:35 flobix spamdyke[1841]: DENIED_RDNS_RESOLVE from: 
>> autorespo...@tfl.gov.uk to: xxxremove...@freeman.me.uk origin_ip: 
>> 164.177.131.207 origin_rdns: 398878-prod-batch01.oyster.tfl.gov.uk auth: 
>> (unknown) encryption: (none) reason: (empty)
>> 
>> Here are the results of the test done manually;
>> Reverse test
>> >nslookup 164.177.131.207   RESULT 207.131.177.164.in-addr.arpa
>> name = 398878-prod-batch01.Oyster.tfl.gov.uk. OKAY
>> Forward test
>> >nslookup 398878-prod-batch01.Oyster.tfl.gov.uk   RESULT ** server can't find 398878-prod-batch01.Oyster.tfl.gov.uk: NXDOMAIN  FAILED
>> 
>> So I assume the denial was the follow-up forward lookup after the reverse? (I 
>> have emailed TfL and Rackspace about their missing A records.)
>> I have temporarily whitelisted the server to receive this mail....
>> 
>> Scenario B
>> I think this is a false positive.
>> 
>> Log Section:
>> Jan 28 21:46:05 flobix spamdyke[8024]: DENIED_RDNS_MISSING from: 
>> www-d...@lastpass.com to: xxxremove...@freeman.me.uk origin_ip: 38.127.167.2 
>> origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
>> 
>> Results of manual testing;
>> >nslookup 38.127.167.2 
>> RESULT
>> Non-authoritative answer:
>> 2.167.127.38.in-addr.arpa    canonical name = 38.127.167.2.LastPass.com.
>> 38.127.167.2.LastPass.com    name = rodan.LastPass.com.
>> 
>> >nslookup rodan.LastPass.com
>> RESULT 
>> Non-authoritative answer:
>> Name:        rodan.LastPass.com
>> Address: 38.127.167.2
>> 
>> Now this does resolve, but to a CNAME record. That is quite common these 
>> days for template-based DNS services and might also be the case if you have 
>> a load-balanced mail server setup that has 2 nodes but uses a CNAME of 
>> mail.blablabla.com.
>> So why is this failing?
>> 
>> 
>> My Config:
>> filter-level=normal
>> greeting-delay-secs=2
>> max-recipients=5
>> reject-empty-rdns
>> reject-ip-in-cc-rdns
>> reject-sender=no-mx
>> reject-unresolvable-rdns
>> dns-level=normal
>> log-level=verbose
>> #config-dir=/etc/spamdyke.d
>> idle-timeout-secs=120
>> reject-recipient=same-as-sender
>> ip-blacklist-file=/etc/spamdyke/blacklist_ip
>> recipient-blacklist-file=/etc/spamdyke/recipient_blacklist
>> sender-blacklist-file=/etc/spamdyke/sender_blacklist
>> ip-in-rdns-keyword-blacklist-entry=dynamic
>> ip-whitelist-entry=80.177.27.115
>> ip-whitelist-entry=83.244.151.218
>> ip-whitelist-file=/etc/spamdyke/whitelist_ip
>> dns-blacklist-entry=zen.spamhaus.org
>> dns-blacklist-entry=bl.spamcop.net
>> qmail-rcpthosts-file=/var/qmail/control/rcpthosts
>> dns-max-retries-primary=5
>> ip-relay-entry=80.177.27.115
>> 
>> P.S. I have a new addiction to tailing the maillog; is this normal, will it 
>> pass? :)
>> 
>> Regards
>> Lawrence
>> 
>> _______________________________________________
>> spamdyke-users mailing list
>> spamdyke-users@spamdyke.org
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
> 


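A model of the two rDNS filters discussed in this thread, written for this page as an added example; it is not spamdyke's code and makes no network lookups. The DNS answers are constructed from the nslookup output quoted above, plus two documentation-range IPs (192.0.2.25, 198.51.100.7) and the name mail.example.net, which are made up for the example. reject-unresolvable-rdns is modelled the way Sam describes it (the rDNS name only has to have some A record), and a stricter forward-confirmed check is included for contrast; that stricter check is not one of spamdyke's filters. The chase_cnames=False path shows what a PTR lookup that does not follow the CNAME sitting at 2.167.127.38.in-addr.arpa would produce, an empty rDNS logged as DENIED_RDNS_MISSING with origin_rdns (unknown), which is the shape of the Scenario B log line; whether that is what happened on Lawrence's server is a hypothesis here, not something the thread establishes.

```python
"""Model of spamdyke's reject-empty-rdns / reject-unresolvable-rdns filters.

Added example, not spamdyke's own code.  All DNS data is constructed below
(from the nslookup output in the thread, plus made-up documentation IPs);
nothing here touches the network.
"""
import ipaddress


def _norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.lower().rstrip(".")


# Constructed zone data keyed by (owner name, record type).
RAW_ZONE = {
    # Scenario A (from the thread): PTR exists, target has no A record.
    ("207.131.177.164.in-addr.arpa", "PTR"): ["398878-prod-batch01.Oyster.tfl.gov.uk."],
    # Scenario B (from the thread): the in-addr.arpa name is a CNAME into
    # LastPass's zone, where a PTR points at rodan.LastPass.com, which has an A.
    ("2.167.127.38.in-addr.arpa", "CNAME"): ["38.127.167.2.LastPass.com."],
    ("38.127.167.2.LastPass.com", "PTR"): ["rodan.LastPass.com."],
    ("rodan.LastPass.com", "A"): ["38.127.167.2"],
    # Made up for this example: a host whose rDNS round-trips cleanly.
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net."],
    ("mail.example.net", "A"): ["192.0.2.25"],
    # 198.51.100.7 has no entries at all: the empty-rDNS case.
}
ZONE = {(_norm(n), t): [_norm(r) for r in rr] for (n, t), rr in RAW_ZONE.items()}


def lookup(name, qtype, chase_cnames=True, max_chain=8):
    """Return the qtype records for name.

    With chase_cnames, follow a CNAME at the queried name the way a recursive
    resolver does.  Without it, return only what sits directly under the name,
    which for a CNAME owner is nothing (a CNAME owner carries no other data).
    """
    name = _norm(name)
    for _ in range(max_chain):
        alias = ZONE.get((name, "CNAME"))
        if alias and chase_cnames:
            name = alias[0]
            continue
        return list(ZONE.get((name, qtype), []))
    raise RuntimeError("CNAME chain too long starting at %s" % name)


def check_rdns(ip, chase_cnames=True):
    """Apply the two filters in order and return (verdict, rdns_name).

    Verdict strings follow the log keywords seen in the thread.
    """
    ptr = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR", chase_cnames)
    if not ptr:
        return "DENIED_RDNS_MISSING", None          # reject-empty-rdns
    rdns = ptr[0]
    # reject-unresolvable-rdns as described in the thread: the name must
    # resolve to some A record; it does not have to be the connecting IP.
    if not lookup(rdns, "A", chase_cnames):
        return "DENIED_RDNS_RESOLVE", rdns
    return "ALLOWED", rdns


def fcrdns_matches(ip, chase_cnames=True):
    """Stricter forward-confirmed rDNS (not a spamdyke filter): the rDNS name
    must resolve back to the connecting IP itself."""
    verdict, rdns = check_rdns(ip, chase_cnames)
    return verdict == "ALLOWED" and ip in lookup(rdns, "A", chase_cnames)


if __name__ == "__main__":
    for ip in ("164.177.131.207", "38.127.167.2", "192.0.2.25", "198.51.100.7"):
        print(ip, check_rdns(ip), "without CNAME chasing:",
              check_rdns(ip, chase_cnames=False), "fcrdns:", fcrdns_matches(ip))
```

Running the block prints one line per IP; the interesting pair is 38.127.167.2, which is ALLOWED with rodan.lastpass.com when the CNAME is followed and DENIED_RDNS_MISSING with no name when it is not.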