A quick Google search shows that spam getting through because the spamming domain rejects DNS queries is a common problem with several other anti-spam solutions as well.
The problem is described in another forum here:
http://postfix.1071664.n5.nabble.com/reject-unknown-sender-domain-and-DNS-SERVFAIL-result-td51236.html

Postfix could be configured to reject on a SERVFAIL if it was receiving the SMTP traffic directly, but since ASSP is proxying the SMTP traffic, all traffic to postfix appears to be coming from localhost. This is pretty slick; some intelligent scumbag realized that this would be the general behavior since DNS errors do occasionally occur.

My suggestion would be to allow these messages to be rejected with a temporary error. If you wanted to get fancy, you could keep track of the attempts and reject the connection with a permanent error after X attempts.

The latest example from today's log:

Jan-30-14 09:05:38 Connected: 208.88.154.9:40710 -> 10.0.0.15:25 (listenPort) -> 127.0.0.1:125;
Jan-30-14 09:05:39 208.88.154.9 MTA offered STARTTLS - converting to SSL;
Jan-30-14 09:05:39 m-39109-00844 [SSL-out] 208.88.154.9 <josiahcole...@mail-ny.tilioncouple.com> to: m...@mydomain.com Message-Score: added 20 for blackSenderBase 'NTH AIR', total score for this message is now 20;
Jan-30-14 09:05:39 m-39109-00844 [SSL-out] 208.88.154.9 <josiahcole...@mail-ny.tilioncouple.com> to: m...@mydomain.com [scoring:20] SenderBase -- blackSenderBase 'NTH AIR';
Jan-30-14 09:05:39 m-39109-00844 [SSL-out] 208.88.154.9 <josiahcole...@mail-ny.tilioncouple.com> to: m...@mydomain.com Message-Score: added 4 for bombSubjectRe: 'needed (4)', total score for this message is now 24;
Jan-30-14 09:05:39 m-39109-00844 [SSL-out] [BombSubject] 208.88.154.9 <josiahcole...@mail-ny.tilioncouple.com> to: m...@mydomain.com [scoring:4] -- bombSubjectRe: 'needed (4)' -- [No exercise or effort is needed Jan 2014];
Jan-30-14 09:05:39 m-39109-00844 [SSL-out] [VIRUS] 208.88.154.9 <josiahcole...@mail-ny.tilioncouple.com> to: m...@mydomain.com ClamAV: scanned 1865 bytes in message - OK ;
Jan-30-14 09:05:40 m-39109-00844 [SSL-out] 208.88.154.9 <josiahcole...@mail-ny.tilioncouple.com> to: m...@mydomain.com Bayesian Check [scoring:20] - Prob: 1.00000 / Confidence: 0.00000 => doubtful.spam;
Jan-30-14 09:05:40 m-39109-00844 [SSL-out] 208.88.154.9 <josiahcole...@mail-ny.tilioncouple.com> to: m...@mydomain.com Message-Score: added 20 for Bayesian Probability: 1.00000, total score for this message is now 44;
Jan-30-14 09:05:40 m-39109-00844 [SSL-out] [MessageScore][Possible SPAM] 208.88.154.9 <josiahcole...@mail-ny.tilioncouple.com> to: m...@mydomain.com [spam found] and passing because messagescore(44) is in warning range ( 39 - 50) -- [No exercise or effort is needed Jan 2014] -> /usr/share/assp/discarded/m-39109-00844.eml;
Jan-30-14 09:05:40 Finished message - received DATA size: 1.82 kByte - sent DATA size: 2.53 kByte;

No penalty for missing PTR, missing or incorrect SPF, etc. because of the DNS failure:

[root@Server assp]# nslookup 208.88.154.9
;; Got SERVFAIL reply from 10.0.0.15, trying next server
;; connection timed out; trying next origin
;; Got SERVFAIL reply from 10.0.0.15, trying next server
Server: 10.0.0.1
Address: 10.0.0.1#53

** server can't find 9.154.88.208.in-addr.arpa: SERVFAIL

I see that the latest version now correctly counts the denystrict connection attempts, thanks for the quick fix.

Regards,
- Phil
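The temporary-then-permanent rejection suggested in the message above, as an added Python example (not ASSP code and not part of the original post). The class and function names, the threshold of 3 for "X", the one-day window and the SMTP reply texts are all assumptions; the DNS response code is passed in rather than looked up so the example runs offline.

```python
import time

MAX_SERVFAIL = 3            # assumed value for the "X attempts" in the post
WINDOW_SECONDS = 24 * 3600  # assumed: failures older than a day are forgotten


class PtrFailurePolicy:
    """Turn the outcome of a PTR lookup into an SMTP-level decision."""

    def __init__(self, max_attempts=MAX_SERVFAIL, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = {}  # client IP -> timestamps of SERVFAIL/timeout lookups

    def decide(self, ip, rcode, now=None):
        """Return (action, smtp_reply) for one connection.

        rcode is the DNS response code of the PTR query, passed in so the
        example runs offline: "NOERROR", "NXDOMAIN", or "SERVFAIL"
        (a resolver timeout is treated like SERVFAIL).
        """
        now = time.time() if now is None else now
        if rcode in ("NOERROR", "NXDOMAIN"):
            # The resolver gave a definite answer, so the usual PTR/SPF
            # scoring can run (NXDOMAIN then counts as a missing PTR).
            self._failures.pop(ip, None)
            return ("continue", None)
        # No usable answer: do not skip the checks, defer the sender instead.
        recent = [t for t in self._failures.get(ip, []) if now - t < self.window]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) > self.max_attempts:
            return ("reject", "550 5.7.1 reverse DNS for %s keeps failing" % ip)
        return ("tempfail", "450 4.7.1 reverse DNS lookup for %s failed" % ip)


def replay(events, policy=None):
    """Run (timestamp, ip, rcode) tuples through the policy, return the actions."""
    policy = policy or PtrFailurePolicy()
    return [policy.decide(ip, rcode, now=ts)[0] for ts, ip, rcode in events]


# Constructed sample: the IP from the log above retrying every 10 minutes
# while its reverse zone keeps answering SERVFAIL.
SAMPLE = [(600 * i, "208.88.154.9", "SERVFAIL") for i in range(5)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

A legitimate sender whose DNS had a transient fault retries after the 450 and is accepted once the lookup succeeds; only a source whose reverse zone fails on every attempt reaches the 550.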