OK, what doesn't make sense to me is why to differentiate between .com/.net etc. and .de/.uk? If a dialup host sends spam it shouldn't matter if his RDNS is .com or .de ... I think most spam should be blocked by simple rules without requiring RBL lookups and the latency required to do so.

Some stats show me that while most spam from country TLDs is blocked by the IP_IN_CC_DNS rule, most com/net/org spam gets blocked by RBL or custom RDNS rules:

348007 DENIED_IP_IN_CC_RDNS
-- Top 5 TLD --
 53.17% ru
 10.08% tr
  6.61% br
  2.59% il
  2.42% de
------------
168360 DENIED_RBL_MATCH
-- by RBL --
 77.60% zen.spamhaus.org
 14.08% ix.dnsbl.manitu.net
  8.32% bl.spamcop.net
------------
-- Top 5 TLD --
 42.11% net
 21.07% ru
 13.99% com
  5.04% pl
  2.60% de
------------
7008 DENIED_IP_IN_RDNS
-- Top 5 TLD --
 60.57% net
 38.53% com
  0.86% org
  0.03% arpa
  0.01% edu
------------
4833 DENIED_BLACKLIST_NAME
-- Top 5 TLD --
100.00% net
------------

-- Felix

On 19.09.2008 at 17:36, Sam Clippinger wrote:

> No, the "reject-ip-in-cc-rdns" filter won't stop these names because
> they end in ".net", which is a three-character TLD. If they ended in a
> two-character TLD like ".us", it would work.
>
> -- Sam Clippinger
>
> Felix Bünemann wrote:
>> Hello Sam,
>>
>> I assumed this should be blocked by the IP_IN_CC_RDNS rule, but
>> apparently it isn't.
>>
>> -- Felix
>>
>> On 19.09.2008 at 00:47, Sam Clippinger wrote:
>>
>>> That rDNS name should be blocked, assuming that your keyword file
>>> contains at least one of the following entries:
>>>     dip
>>>     .t-dialin.net
>>>     .dip.t-dialin.net
>>>
>>> -- Sam Clippinger
>>>
>>> Felix Bünemann wrote:
>>>
>>>> I just took a look at the code and found a segment which should
>>>> already take care of this:
>>>>
>>>>     /*
>>>>      * This block looks for the IP address as a sequence of hex bytes.
>>>>      * For example, if the IP is 85.135.72.234, this block looks for
>>>>      * 558748ea.
>>>>      */
>>>>     if (!return_value)
>>>>     {
>>>>       tmp_strlen = snprintf(tmp_ip, MAX_IP, "%.2x%.2x%.2x%.2x",
>>>>                             ip_ints[0], ip_ints[1], ip_ints[2], ip_ints[3]);
>>>>
>>>>       SPAMDYKE_LOG_EXCESSIVE(current_settings, LOG_DEBUGX_IP_IN_RDNS,
>>>>                              tmp_strlen, tmp_ip, strlen_target_name, target_name);
>>>>       if (strstr(target_name, tmp_ip) != NULL)
>>>>         return_value = 1;
>>>>     }
>>>>   }
>>>>
>>>> So I wonder why the host listed below was matched by
>>>> FILTER_BLACKLIST_NAME. I was under the impression that
>>>> FILTER_IP_IN_CC_RDNS has a higher precedence than the blacklist
>>>> file, but I might be mistaken.
>>>>
>>>> Please shed some light on this, Sam.
>>>>
>>>> -- Felix
>>>>
>>>> On 19.09.2008 at 00:16, Felix Bünemann wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I noticed that spamdyke 4.0.4 is not blocking dialup hosts which
>>>>> use a hex-encoded IP address in their RDNS.
>>>>>
>>>>> T-Online, the biggest German internet provider, uses this scheme:
>>>>>
>>>>> 87.150.36.222 rdns: p579624de.dip.t-dialin.net
>>>>>
>>>>> 87=0x57 150=0x96 36=0x24 222=0xDE
>>>>>
>>>>> Should be pretty easy to add support for this.
>>>>>
>>>>> -- Felix Buenemann
>>>>>
>>>>> _______________________________________________
>>>>> spamdyke-dev mailing list
>>>>> spamdyke-dev@spamdyke.org
>>>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-dev
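
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not spamdyke's own code: the hex-encoded IP is found in the T-Online name, but a filter that also requires a two-character TLD does not fire on ".net". The function names are hypothetical, the country-code filter is modelled only as "hex IP present AND two-character TLD" (an assumption based on Sam's description), and the example.de name is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if rdns contains the IPv4 address as eight hex digits
 * (87.150.36.222 -> "579624de"); the name is lowercased before matching. */
int rdns_has_hex_ip(const char *ip, const char *rdns)
{
    unsigned int o[4];
    char hex[9], lower[256];
    size_t i, n = strlen(rdns);
    if (n >= sizeof(lower) ||
        sscanf(ip, "%3u.%3u.%3u.%3u", &o[0], &o[1], &o[2], &o[3]) != 4 ||
        o[0] > 255 || o[1] > 255 || o[2] > 255 || o[3] > 255)
        return 0;
    for (i = 0; i <= n; i++)          /* copies the terminating NUL too */
        lower[i] = (char)tolower((unsigned char)rdns[i]);
    snprintf(hex, sizeof(hex), "%.2x%.2x%.2x%.2x", o[0], o[1], o[2], o[3]);
    return strstr(lower, hex) != NULL;
}

/* Returns 1 if the name ends in a two-character TLD such as ".de". */
int rdns_has_cc_tld(const char *rdns)
{
    size_t n = strlen(rdns);
    if (n > 0 && rdns[n - 1] == '.')  /* ignore a trailing root dot */
        n--;
    if (n < 4 || rdns[n - 3] != '.')
        return 0;
    return isalpha((unsigned char)rdns[n - 2]) &&
           isalpha((unsigned char)rdns[n - 1]);
}

/* Simplified model (assumption): embedded hex IP AND two-character TLD. */
int cc_rdns_would_reject(const char *ip, const char *rdns)
{
    return rdns_has_hex_ip(ip, rdns) && rdns_has_cc_tld(rdns);
}

int main(void)
{
    const char *ip = "87.150.36.222";
    const char *names[] = { "p579624de.dip.t-dialin.net",  /* from the thread */
                            "p579624de.dip.example.de" };  /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-28s hex=%d cc=%d reject=%d\n", names[i],
               rdns_has_hex_ip(ip, names[i]), rdns_has_cc_tld(names[i]),
               cc_rdns_would_reject(ip, names[i]));
}
```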