Re: [spamdyke-users] spam with rDNS resolving to "localhost"

2016-08-12 Thread Faris Raouf via spamdyke-users
Thanks Sam and BC.

We aren't using reject-unresolvable-rdns on this particular system.

I wonder if that's what's different about this particular setup? We use it
on most (or even all .. not sure) our other systems.

I think I'll whitelist 127.0.0.1 and blacklist localhost then and see what
happens.

Thanks again!

From: spamdyke-users [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf
Of Sam Clippinger via spamdyke-users
Sent: 10 August 2016 13:42
To: spamdyke users <spamdyke-users@spamdyke.org>
Subject: Re: [spamdyke-users] spam with rDNS resolving to "localhost"

Adding "localhost" to your rDNS blacklist should work exactly as you expect
-- *any* connection that resolves to "localhost" will be blocked.  To allow
connections from the real local host, you could either whitelist 127.0.0.1
or, if you wanted other filters to remain active for local connections, use
a config-dir to remove "localhost" from the blacklist for 127.0.0.1.

Incidentally, are you using the reject-unresolvable-rdns filter?  That
filter has a special exception for "localhost" to allow that name for
127.0.0.1 but block it for all other IPs.

-- Sam Clippinger


On Aug 9, 2016, at 5:02 AM, Faris Raouf via spamdyke-users
<spamdyke-users@spamdyke.org> wrote:

Dear all,

We're having problems with spam being allowed in from IPs with rDNS
resolving to "localhost".

This gets past the reject-empty-rdns filter.

Initially I thought these IPs have no rDNS - using dnsstuff, I get no result
(normally meaning no rDNS). But using host or dig I see the IPs really do
reverse resolve to localhost.

**

Example log entry:

spamdyke[24468]: ALLOWED from: sqozt...@vnnic.net.vn to: redac...@redacted.tld
origin_ip: 113.168.188.219 origin_rdns: localhost auth: (unknown)
encryption: (none) reason: 250_ok_1470423419_qp_24501

***

Check rDNS:

# host 113.168.188.219
219.188.168.113.in-addr.arpa domain name pointer localhost.

# dig -x 113.168.188.219

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 113.168.188.219
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;219.188.168.113.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:
219.188.168.113.in-addr.arpa. 21599 IN  PTR localhost.

;; Query time: 325 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Aug  9 10:41:58 2016
;; MSG SIZE  rcvd: 69

***

I figure that it is not safe to add "localhost" in our rdns blacklist file.
Wouldn't our real, local, localhost 127.0.0.1 potentially get blacklisted?

Any suggestions as to what to do about this would be much appreciated!

Errmm.. in the back of my head there is a dim bell ringing about this issue
and so it might have been discussed before. Sorry if I'm asking something
that's already been covered at some point. Google hasn't helped in this
case.

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


Re: [spamdyke-users] spam with rDNS resolving to "localhost"

2016-08-10 Thread Sam Clippinger via spamdyke-users
Adding "localhost" to your rDNS blacklist should work exactly as you expect -- 
*any* connection that resolves to "localhost" will be blocked.  To allow 
connections from the real local host, you could either whitelist 127.0.0.1 or, 
if you wanted other filters to remain active for local connections, use a 
config-dir to remove "localhost" from the blacklist for 127.0.0.1.

Incidentally, are you using the reject-unresolvable-rdns filter?  That filter 
has a special exception for "localhost" to allow that name for 127.0.0.1 but 
block it for all other IPs.

-- Sam Clippinger




On Aug 9, 2016, at 5:02 AM, Faris Raouf via spamdyke-users wrote:

> Dear all,
>  
> We’re having problems with spam being allowed in from IPs with rDNS resolving 
> to “localhost”.
> This gets past the reject-empty-rdns filter.
>  
> Initially I thought these IPs have no rDNS – using dnsstuff, I get no result 
> (normally meaning no rDNS). But using host or dig I see the IPs really do 
> reverse resolve to localhost.
>  
> **
> Example log entry:
>  
> spamdyke[24468]: ALLOWED from: sqozt...@vnnic.net.vn to: 
> redac...@redacted.tld origin_ip: 113.168.188.219 origin_rdns: localhost auth: 
> (unknown) encryption: (none) reason: 250_ok_1470423419_qp_24501
>  
>  
> ***
> Check rDNS:
>  
> # host 113.168.188.219
> 219.188.168.113.in-addr.arpa domain name pointer localhost.
>  
>  
> # dig -x 113.168.188.219
>  
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 113.168.188.219
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15578
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;219.188.168.113.in-addr.arpa.  IN  PTR
>  
> ;; ANSWER SECTION:
> 219.188.168.113.in-addr.arpa. 21599 IN  PTR localhost.
>  
> ;; Query time: 325 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Tue Aug  9 10:41:58 2016
> ;; MSG SIZE  rcvd: 69
>  
> ***
>  
>  
> I figure that it is not safe to add “localhost” in our rdns blacklist file. 
> Wouldn’t our real, local, localhost 127.0.0.1 potentially get blacklisted?
>  
> Any suggestions as to what to do about this would be much appreciated!
>  
> Errmm.. in the back of my head there is a dim bell ringing about this issue 
> and so it might have been discussed before. Sorry if I’m asking something 
> that’s already been covered at some point. Google hasn’t helped in this case.
>  
>  

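An added illustration of the behaviour Sam describes, replayed over the log format from Faris's post; this is example code written for this page, not spamdyke's own code. It models the options named in the thread (an rDNS blacklist containing "localhost", an IP whitelist containing 127.0.0.1, reject-empty-rdns, and reject-unresolvable-rdns with its loopback-only exception for the name "localhost") as a small policy engine and runs constructed spamdyke-style log lines through each configuration to show which connections would have been rejected. The filter ordering, the "(unknown)" placeholder for a missing rDNS name, the in-memory forward-DNS table and every address other than 113.168.188.219 are assumptions made for the example.

```python
"""Added example (not spamdyke code): model the rDNS filters discussed in
the thread and replay spamdyke-style log lines through them.

Assumptions, labelled here and in comments: filter ordering, the
"(unknown)" placeholder for a missing rDNS name, the forward-DNS table and
every address except 113.168.188.219 are constructed for this example."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Log layout copied from the example line in the thread; the verdict is the
# word after the pid (ALLOWED, or a DENIED_* code for rejections).
LOG_RE = re.compile(
    r"spamdyke\[(?P<pid>\d+)\]: (?P<verdict>\S+) from: (?P<sender>\S+) "
    r"to: (?P<rcpt>\S+) origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+)"
)

# Constructed sample log; only the first origin_ip comes from the thread.
SAMPLE_LOG = """\
spamdyke[24468]: ALLOWED from: sender@example.net to: user@example.org origin_ip: 113.168.188.219 origin_rdns: localhost auth: (unknown) encryption: (none) reason: 250_ok_1470423419_qp_24501
spamdyke[24469]: ALLOWED from: root@localhost to: user@example.org origin_ip: 127.0.0.1 origin_rdns: localhost auth: (unknown) encryption: (none) reason: 250_ok_1470423420_qp_24502
spamdyke[24470]: ALLOWED from: news@example.com to: user@example.org origin_ip: 192.0.2.10 origin_rdns: mail.example.com auth: (unknown) encryption: (none) reason: 250_ok_1470423421_qp_24503
spamdyke[24471]: DENIED_RDNS_MISSING from: x@example.com to: user@example.org origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: constructed
"""


@dataclass
class Policy:
    """Simplified stand-in for the spamdyke options named in the thread."""
    rdns_blacklist: set[str] = field(default_factory=set)  # rdns-blacklist-file
    ip_whitelist: set[str] = field(default_factory=set)    # ip-whitelist-file
    reject_empty_rdns: bool = False                        # reject-empty-rdns
    reject_unresolvable_rdns: bool = False                 # reject-unresolvable-rdns
    # Assumption: an in-memory forward-DNS table replaces live A lookups.
    forward_dns: dict[str, set[str]] = field(default_factory=dict)


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def evaluate(policy: Policy, ip: str, rdns: str) -> tuple[str, str]:
    """Decide one connection; returns (ALLOWED|DENIED, reason).

    Assumed order: whitelist first (it skips every later filter, which is
    the trade-off Sam points out), then the rDNS blacklist, then the two
    rDNS sanity filters.  reject-unresolvable-rdns carries the exception he
    describes: the name "localhost" is accepted only from a loopback IP."""
    name = rdns.lower()
    empty = rdns == "(unknown)"
    if ip in policy.ip_whitelist:
        return "ALLOWED", "ip_whitelisted"
    if not empty and name in policy.rdns_blacklist:
        return "DENIED", "rdns_blacklisted"
    if policy.reject_empty_rdns and empty:
        return "DENIED", "empty_rdns"
    if policy.reject_unresolvable_rdns and not empty:
        if name == "localhost":
            if _is_loopback(ip):
                return "ALLOWED", "localhost_from_loopback"
            return "DENIED", "localhost_rdns_from_remote_ip"
        if not policy.forward_dns.get(name):
            return "DENIED", "unresolvable_rdns"
    return "ALLOWED", "passed_filters"


def audit_log(text: str, policy: Policy) -> list[tuple[str, str, str, str, str]]:
    """Replay log lines under `policy`; return (ip, rdns, logged, modelled,
    reason) for every line whose logged verdict the policy would change."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        logged = "ALLOWED" if m["verdict"] == "ALLOWED" else "DENIED"
        decision, why = evaluate(policy, m["ip"], m["rdns"])
        if decision != logged:
            findings.append((m["ip"], m["rdns"], logged, decision, why))
    return findings


FORWARD = {"mail.example.com": {"192.0.2.10"}}  # constructed
# Faris's current setup: reject-empty-rdns only, so a PTR of "localhost"
# from a remote IP sails through.
ORIGINAL = Policy(reject_empty_rdns=True)
# Blacklisting "localhost" alone: stops the spam but also the real loopback.
BLACKLIST_ONLY = Policy(rdns_blacklist={"localhost"}, reject_empty_rdns=True)
# Sam's first suggestion: blacklist "localhost" and whitelist 127.0.0.1.
HARDENED = Policy(rdns_blacklist={"localhost"}, ip_whitelist={"127.0.0.1"},
                  reject_empty_rdns=True)
# The filter Sam asks about, with its built-in loopback exception.
UNRESOLVABLE = Policy(reject_empty_rdns=True, reject_unresolvable_rdns=True,
                      forward_dns=FORWARD)

if __name__ == "__main__":
    for label, pol in [("original", ORIGINAL), ("blacklist_only", BLACKLIST_ONLY),
                       ("hardened", HARDENED), ("unresolvable", UNRESOLVABLE)]:
        print(label, audit_log(SAMPLE_LOG, pol))
```

Replaying the sample log makes Sam's points concrete: under the original configuration the "localhost" PTR from 113.168.188.219 is allowed, blacklisting "localhost" on its own also rejects the connection from 127.0.0.1, whitelisting 127.0.0.1 restores it at the cost of skipping the remaining filters for that address, and reject-unresolvable-rdns by itself already separates the real loopback from a remote IP whose PTR merely claims to be "localhost".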


Re: [spamdyke-users] spam with rDNS resolving to "localhost"

2016-08-09 Thread BC via spamdyke-users


I've got 127.0.0.1 in my "blacklist_ip" file and the system seems to 
be working fine.


On 8/9/2016 4:02 AM, Faris Raouf via spamdyke-users wrote:


Dear all,

We’re having problems with spam being allowed in from IPs with rDNS 
resolving to “localhost”.


This gets past the reject-empty-rdns filter.

Initially I thought these IPs have no rDNS – using dnsstuff, I get no 
result (normally meaning no rDNS). But using host or dig I see the 
IPs really do reverse resolve to localhost.


**

Example log entry:

spamdyke[24468]: ALLOWED from: sqozt...@vnnic.net.vn to: 
redac...@redacted.tld origin_ip: 113.168.188.219 origin_rdns: 
localhost auth: (unknown) encryption: (none) reason: 
250_ok_1470423419_qp_24501







[spamdyke-users] spam with rDNS resolving to "localhost"

2016-08-09 Thread Faris Raouf via spamdyke-users
Dear all,

We're having problems with spam being allowed in from IPs with rDNS
resolving to "localhost".

This gets past the reject-empty-rdns filter.

Initially I thought these IPs have no rDNS - using dnsstuff, I get no result
(normally meaning no rDNS). But using host or dig I see the IPs really do
reverse resolve to localhost.

**

Example log entry:

spamdyke[24468]: ALLOWED from: sqozt...@vnnic.net.vn to:
redac...@redacted.tld origin_ip: 113.168.188.219 origin_rdns: localhost
auth: (unknown) encryption: (none) reason: 250_ok_1470423419_qp_24501

***

Check rDNS:

# host 113.168.188.219
219.188.168.113.in-addr.arpa domain name pointer localhost.

# dig -x 113.168.188.219

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 113.168.188.219
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;219.188.168.113.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:
219.188.168.113.in-addr.arpa. 21599 IN  PTR localhost.

;; Query time: 325 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Aug  9 10:41:58 2016
;; MSG SIZE  rcvd: 69

***

I figure that it is not safe to add "localhost" in our rdns blacklist file.
Wouldn't our real, local, localhost 127.0.0.1 potentially get blacklisted?

Any suggestions as to what to do about this would be much appreciated!

Errmm.. in the back of my head there is a dim bell ringing about this issue
and so it might have been discussed before. Sorry if I'm asking something
that's already been covered at some point. Google hasn't helped in this
case.

