On Tue, 2015-03-24 at 16:29 -0700, Gordon Messmer wrote:
> On 03/18/2015 08:32 AM, Lindsay Haisley wrote:
> > Gordon, there's a bug in your network-aware logic in ratelimit.py in
> > courier-pythonfilter 1.9.
> >
> > sender = sender[:sender.rindex('.')]
> >
> > ... will simply chop off the last octet of the v4 IP address from the
> > return from courier.control.getSendersMta(controlFileList)
>
> Yeah, that was a merge failure. getSendersMta should have been replaced
> with getSendersIP.
>
> 1.10 is up, now.

Sorry, I missed this! Your fix in v1.10 will probably work fine. I'm
still using my own modified version of 1.9.

The helo address returned by getSendersMta is an integral part of the
spam blocking/tracking system here, as it may be for others using the
ratelimit module. I'd suggest that the full return from getSendersMta be
returned by this module even if the address analysis is done on the
return from getSendersIP. The helo address in rate-limited spams tells a
lot.

I'm on the mailing list for the Mailman mailing list manager and got
into a discussion with Brad Knowles, one of the Mailman
developers/maintainers. He used to work for AOL back in the bad old
days, and they spent a lot of time looking at the spam problem. They
observed that commercial spamming operations engage in what's called
"domain tasting" from registrars which will give out domain names for
free on a time-limited trial basis, and for these domain names the
options for name service are very limited.

Looking at the log records from ratelimit.py and the NS records
associated with the helo hostnames I found that this is still true.
Large spam spews from these people cover a huge range of IP addresses
and an infinite number of domain names, but I'm seeing only half a dozen
or so name servers for these domain names. I've hacked together a
"baddns" pythonfilter module based on this information which is proving
to be _very_ useful and effective in keeping spam away from FMP's
customer in-boxes.

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
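
The name-server check described in the message above, as an added sketch that is not the "baddns" module or any courier-pythonfilter code. The function names, the blocklist entries and the zone data are all constructed for illustration, and the DNS lookup is an injected stub so the example runs offline.

```python
import ipaddress

# Constructed blocklist: name servers seen behind throwaway HELO domains.
BAD_NAMESERVERS = {"ns1.tasting-dns.example", "ns2.tasting-dns.example"}

# Constructed zone data standing in for live DNS so the example runs offline.
CONSTRUCTED_ZONES = {
    "promo-deals.example": ["NS1.Tasting-DNS.example.", "ns2.tasting-dns.example."],
    "customer-site.example": ["ns.hosting.example."],
}

def fake_lookup_ns(zone):
    """Hypothetical resolver hook: return NS host names for a zone, or []."""
    return CONSTRUCTED_ZONES.get(zone, [])

def normalize(name):
    return name.strip().rstrip(".").lower()

def is_address(host):
    """True for a bare IP address, which has no NS records to inspect."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def candidate_zones(host):
    """Yield the HELO name and each parent domain, stopping before the TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def check_helo(helo, lookup_ns, bad=BAD_NAMESERVERS):
    """Return (verdict, zone, matched name servers) for one HELO argument."""
    host = normalize(helo)
    # Address literals ("[192.0.2.10]") and single-label names are not checked.
    if host.startswith("[") or "." not in host or is_address(host):
        return ("skip", None, set())
    for zone in candidate_zones(host):
        servers = {normalize(ns) for ns in lookup_ns(zone)}
        if servers:  # closest enclosing zone that publishes NS records
            matched = servers & bad
            return ("reject" if matched else "accept", zone, matched)
    return ("accept", None, set())  # nothing resolvable; leave to other filters

if __name__ == "__main__":
    for helo in ("mail7.promo-deals.example", "smtp.customer-site.example",
                 "[192.0.2.10]", "localhost"):
        print(helo, check_helo(helo, fake_lookup_ns))
```

Returning the zone and the matched servers alongside the verdict keeps the HELO-derived evidence available for logging, which is the tracking use the message describes.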