You're right about the first one (164.177.131.207) -- the rDNS name exists, so the "reject-empty-rdns" filter doesn't stop it. But the rDNS name doesn't have an A record, so the "reject-unresolvable-rdns" filter blocks it. Unless I'm missing something, this is how those filters are supposed to work.
From my testing, the second example you gave (38.127.167.2) seems to work. spamdyke chases down the CNAME correctly and finds "rodan.lastpass.com". That name has an A record, so it should work. Was that scenario a one-time rejection or does it happen every time?

If you want an easy way to see exactly what spamdyke's doing, you can run these tests from the command line without having to wait for those servers to reconnect. First, recompile spamdyke with excessive output:

    ./configure --with-excessive-output
    make

(You don't have to install the new binary, you can just run it where it is.)

Then, set your IP address to the one you want to test (assuming a bash shell here):

    export TCPREMOTEIP=164.177.131.207

Then start the recompiled spamdyke from the command line. It'll do all of its rDNS lookups before it expects any input, so you can just hit CTRL-C when you see the "220" greeting from qmail:

    ./spamdyke --log-target stderr -lexcessive -r -R /var/qmail/bin/qmail-smtpd

Most of the output will be from the DNS code -- you should be able to see exactly what packets spamdyke sends to which nameservers and what the responses are.

-- Sam Clippinger

On Feb 3, 2014, at 7:09 AM, Lawrence <spamdyke.ad...@freeman.me.uk> wrote:

> Gents.
> I have also been troubleshooting a couple of legitimate hosts that are being blocked.
>
> Just to clarify my process, can I test the following with the group?
>
> Scenario A
> I think this is a valid denial.
>
> LOG section:
> Jan 28 12:01:35 flobix spamdyke[1841]: FILTER_RDNS_RESOLVE ip: 164.177.131.207 rdns: 398878-prod-batch01.oyster.tfl.gov.uk
> Jan 28 12:01:35 flobix spamdyke[1841]: DENIED_RDNS_RESOLVE from: autorespo...@tfl.gov.uk to: xxxremove...@freeman.me.uk origin_ip: 164.177.131.207 origin_rdns: 398878-prod-batch01.oyster.tfl.gov.uk auth: (unknown) encryption: (none) reason: (empty)
>
> Here are the results of the test done manually;
> Reverse test
> >nslookup 164.177.131.207
> RESULT
> 207.131.177.164.in-addr.arpa name = 398878-prod-batch01.Oyster.tfl.gov.uk.
> OKAY
> Forward test
> >nslookup 398878-prod-batch01.Oyster.tfl.gov.uk
> RESULT
> ** server can't find 398878-prod-batch01.Oyster.tfl.gov.uk: NXDOMAIN
> FAILED
>
> So I assume the denial was the follow-up forward lookup after the reverse? (I have emailed tfl and rackspace about their missing A records)
> I have temporarily whitelisted the server to receive this mail....
>
> Scenario B
> I think this is a false positive.
>
> Log Section:
> Jan 28 21:46:05 flobix spamdyke[8024]: DENIED_RDNS_MISSING from: www-d...@lastpass.com to: xxxremove...@freeman.me.uk origin_ip: 38.127.167.2 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
>
> Results of manual testing;
> >nslookup 38.127.167.2
> RESULT
> Non-authoritative answer:
> 2.167.127.38.in-addr.arpa canonical name = 38.127.167.2.LastPass.com.
> 38.127.167.2.LastPass.com name = rodan.LastPass.com.
>
> >nslookup rodan.LastPass.com
> RESULT
> Non-authoritative answer:
> Name: rodan.LastPass.com
> Address: 38.127.167.2
>
> Now this does resolve, but to a CNAME record. That is quite common these days for template-based DNS services and might also be the case if you have a load-balanced mail server setup that has 2 nodes but uses a CNAME of mail.blablabla.com
> So why is this failing?
>
>
> My Config:
> filter-level=normal
> greeting-delay-secs=2
> max-recipients=5
> reject-empty-rdns
> reject-ip-in-cc-rdns
> reject-sender=no-mx
> reject-unresolvable-rdns
> dns-level=normal
> log-level=verbose
> #config-dir=/etc/spamdyke.d
> idle-timeout-secs=120
> reject-recipient=same-as-sender
> ip-blacklist-file=/etc/spamdyke/blacklist_ip
> recipient-blacklist-file=/etc/spamdyke/recipient_blacklist
> sender-blacklist-file=/etc/spamdyke/sender_blacklist
> ip-in-rdns-keyword-blacklist-entry=dynamic
> ip-whitelist-entry=80.177.27.115
> ip-whitelist-entry=83.244.151.218
> ip-whitelist-file=/etc/spamdyke/whitelist_ip
> dns-blacklist-entry=zen.spamhaus.org
> dns-blacklist-entry=bl.spamcop.net
> qmail-rcpthosts-file=/var/qmail/control/rcpthosts
> dns-max-retries-primary=5
> ip-relay-entry=80.177.27.115
>
> p.s. I have a new addition of tailing the maillog, is this normal, will it pass? :)
>
> Regards
> Lawrence
>
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
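An added example, not spamdyke's own code, that models the two filter decisions discussed in this thread: "reject-empty-rdns" fires when the IP has no PTR at all (DENIED_RDNS_MISSING), while "reject-unresolvable-rdns" fires when the PTR name exists but has no A record (DENIED_RDNS_RESOLVE). The DNS answers are a constructed table built from the two scenarios above (CNAME in the PTR chain included); the `resolve` function and `MAX_CNAME_HOPS` limit are assumptions, and a real check would replace the table with live lookups.

```python
import ipaddress

# Constructed answers keyed by (name, record type). A missing key means
# NXDOMAIN / no data. Built from Scenario A and Scenario B in the thread.
DNS = {
    # Scenario A: PTR exists, but the name it gives has no A record.
    ("207.131.177.164.in-addr.arpa", "PTR"): "398878-prod-batch01.oyster.tfl.gov.uk",
    # Scenario B: the reverse name is a CNAME; the PTR sits on the target.
    ("2.167.127.38.in-addr.arpa", "CNAME"): "38.127.167.2.lastpass.com",
    ("38.127.167.2.lastpass.com", "PTR"): "rodan.lastpass.com",
    ("rodan.lastpass.com", "A"): "38.127.167.2",
}

MAX_CNAME_HOPS = 8  # assumed guard against CNAME loops / runaway chains


def resolve(name, rtype, table=DNS):
    """Return the rdata for (name, rtype), following CNAMEs, or None."""
    name = name.lower().rstrip(".")
    for _ in range(MAX_CNAME_HOPS):
        if (name, rtype) in table:
            return table[(name, rtype)]
        target = table.get((name, "CNAME"))
        if target is None:
            return None          # no record of that type and no CNAME
        name = target.lower().rstrip(".")
    return None                  # chain too long or looping: treat as unresolvable


def rdns_verdict(ip, table=DNS):
    """Mirror the order of the two rDNS filters: PTR first, then forward A."""
    reverse_name = ipaddress.ip_address(ip).reverse_pointer
    rdns = resolve(reverse_name, "PTR", table)
    if rdns is None:
        return "DENIED_RDNS_MISSING", None       # reject-empty-rdns
    if resolve(rdns, "A", table) is None:
        return "DENIED_RDNS_RESOLVE", rdns       # reject-unresolvable-rdns
    return "ALLOWED", rdns


if __name__ == "__main__":
    for ip in ("164.177.131.207", "38.127.167.2", "192.0.2.1"):
        print(ip, *rdns_verdict(ip))
```

Under this model the tfl host is rejected by the forward check and the LastPass host is allowed, which is why a live DENIED_RDNS_MISSING for 38.127.167.2 points at a failed or timed-out PTR lookup at that moment rather than at the CNAME itself.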