RE: [AMaViS-user] Temporary blocking IP of virus senders

Fri, 02 Dec 2005 08:59:21 -0800 

At 09:25 AM 12/2/2005, [EMAIL PROTECTED] wrote:
------------------------- BEGIN HEADERS ----------------------------- 
Return-Path: <[EMAIL PROTECTED]>
Received: from htwuac.gov (85-250-51-131.bb.netvision.net.il [85.250.51.131]) by mydomain.haifa.ac.il (Postfix) with SMTP id ED5E61B3C7; 
        Thu,  1 Dec 2005 14:54:41 +0200 (IST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 01 Dec 2005 12:51:51 GMT
Subject: Your IP was logged
Importance: Normal
X-Mailer: SpeedMail_V2.37
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====80c2818aace8.222" 
Content-Transfer-Encoding: 7bit
-------------------------- END HEADERS ------------------------------ 

Why just not to check if 85.250.51.131 has an MX record?
If it has MX record it's probably ISP and we won't block it.
If it has no MX record lets block it for 24 hours.



Nope.  IPs don't have MX records, many ISPs (and other 
companies) have separate sending and receiving 
servers, there is no clear way (other than SPF 
records) to associate a sending IP with a domain MX 
record.  There is no expectation or requirement that a 
SMTP sender must also accept incoming SMTP 
connections.  One of the companies I work for has 
sending and receiving SMTP servers in different 
cities, hosted by different providers.



The only "reasonable" thing is to temporarily block 
IPs that have no reverse DNS or have a dynamic- or 
residential-looking reverse DNS, and that isn't 
without risk.  If you block at the IP level (firewall 
or null-route or whatever) for 24 hours or so, real 
mail servers will queue the messages and retry 
later.  Virus-spewing home computers won't retry.



Implementing a greylist server with your postfix is 
probably the easiest way to solve this.  Postgrey and 
policyd seem to be the two most frequently 
recommended.  Greylisting requires postfix 2.1 or newer.

http://www.postfix.org/addon.html#policy

--

Noel Jones 




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/














    











					Reply via email to