On Sun, Jan 18, 2009 at 03:45:25PM +0100, mouss wrote:
> Henrik K wrote:
> > On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote:
> >> Benny Pedersen wrote:
> >>
> >>> I have changed to use BadRelay from
> >>> http://sa.hege.li/BadRelay.pm
> >>> http://sa.hege.li/BadRelay.cf
> >> After reading BadRelay.pm I see that it does not really replace Botnet.
> >>
> >> Some of the differences in what is checked are due to Botnet doing 
> >> DNS-lookups while BadRelay avoids that. That's fair enough since one of 
> >> the points of BadRelay is to avoid those lookups. It does mean that 
> >> BadRelay has less info to base decisions on than Botnet though.
> > 
> > Less info only if you are running a sad MTA, that doesn't properly resolve.
> 
> Not completely true.
> 
> $ host 220.174.1.163
> 163.1.174.220.in-addr.arpa domain name pointer
> 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn.
> $ host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn
> Host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn not found: 3(NXDOMAIN)
> 
> If you get a message from this IP, Postfix will set the name to
> "unknown". So you won't detect that the PTR is dynamic.
> 
> And "unknown" is also used if there is a DNS failure, or if the PTR
> doesn't "confirm" (IP -> PTR -> different IP). So you can't treat all
> "unknown" similarly.
> 
> I know you can block the IP in Postfix (I block the whole
> dynamic.163data.com.cn), but this is just an example (I'm too lazy to
> look for a better one), and I hope you see my point.

Well, for what it matters, unknown is fine by me. I greylist all of them.
I block unknowns that are in any BLs. I don't directly block hostnames with
dynamic content (only known bad ISPs), but I do block dynamic HELOs. I don't
see any problems with what you said.
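
The cases discussed in this thread, as an added example that is not part of the original messages: a forward-confirmed reverse DNS check that records why a client name ends up as "unknown" and whether the unconfirmed PTR still looks dynamic. The DNS tables, the `classify` function, the reason labels and the keyword pattern are assumptions constructed for illustration; only the 220.174.1.163 PTR comes from the thread.

```python
import re

class DnsTempFail(Exception):
    """Lookup could not be completed (SERVFAIL, timeout)."""

# Constructed DNS data so the example runs offline. The first PTR entry is the
# one quoted in the thread; every other name and address is made up.
PTR = {
    "220.174.1.163": "163.1.174.220.broad.hk.hi.dynamic.163data.com.cn",
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "mail.example.net",  # PTR names a host that maps elsewhere
    "192.0.2.30": DnsTempFail,         # resolver failure for this address
}
A = {"mail.example.net": ["192.0.2.10"]}  # the 163data name has no A record

# Assumed keyword list for "dynamic-looking" names; tune for real traffic.
DYNAMIC = re.compile(r"(^|[.-])(dynamic|dyn|dhcp|dsl|pool|broad)([.-]|$)", re.I)

def lookup_ptr(ip):
    rec = PTR.get(ip)
    if rec is DnsTempFail:
        raise DnsTempFail(ip)
    return rec  # None means NXDOMAIN

def classify(ip):
    """Return (name_the_mta_sees, reason, ptr_looks_dynamic)."""
    try:
        ptr = lookup_ptr(ip)
    except DnsTempFail:
        return ("unknown", "dns-tempfail", False)
    if ptr is None:
        return ("unknown", "no-ptr", False)
    dynamic = bool(DYNAMIC.search(ptr))
    forward = A.get(ptr, [])
    if ip in forward:
        return (ptr, "confirmed", dynamic)
    reason = "ptr-mismatch" if forward else "ptr-no-forward"
    return ("unknown", reason, dynamic)

if __name__ == "__main__":
    for ip in ["220.174.1.163", "192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]:
        print(ip, classify(ip))
```

Four of the five sample addresses surface as "unknown", but only the first carries a dynamic-looking PTR, which is the information lost when a filter sees nothing but the confirmed name.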
