cable + dsl + dialups are a big source of abuse, duh!
I'm thinking about this:
smtpd_client_restrictions=
.
.
.
check_client_access regexp:/etc/postfix/mta_clients_dul.regexp
... where that file would contain lines like:
/(docsis|dsl|client|dhcp|pool|cpe|host|cust|dial|access|in\-addr|arpa|cable|nombres|upc\-[a-z]|user|bri\-).*\..*\./
554 ACL mta_clients_dul
+ any other strings we can find, which I "think" :)) would reject stuff
like this:
blahstring.domain.tld
or
stringblah.blah.blah.domain.tld
as in
dsl.attbi.net
or
nombres.telesp.es
or
host-218-122.tele2.pl
or
host217-37-198-45.in-addr.btopenworld.com
or
bri-ts7-2600-205.tpgi.com.au
or
docsis226-242.menta.net
or
dC8545783.dslam-08-29-2-04-01-02.sal.dsl.cantv.net
Meaning, any of the (|strings|) followed by at least two ".", ie, the string
would be in a 3rd or lower level label below root, ie,
4thlevel.3rdlevel.domain.tld
yeah, I know there are a tiny number of legit MTAs on those subscriber
IPs who just might want to connect to your IMGate, but I reckon 99+% are
spammers bypassing their access provider's SMTP gateway and sending from
home directly to MXs, ie, what mail-abuse.org calls DUL, dial-up lines.
So, as with any filter, there will be some whitelisting. yawn
Initially, we could also change the 554 to 450 and then monitor the
mta_clients_dul rejects for false positives.
The more timid BOFH-ers could precede the restriction with warn_if_reject.
If you want to look at PTR's connecting to your IMGate, run this:
awk '/smtpd.*: connect from/ {print $8 }' /var/log/maillog |\
egrep -iv "unknown\[" | sort -f | uniq -i | sort -f | less
If enough want to try it, I could come up with a script that would extract
all your PTR's for the last 10 days to a file PTR.txt and then see how
many would be caught by the regexp file:
something like
#!/bin/sh
# Look up every PTR in PTR.txt against the regexp table; postmap -q prints
# the table's action (the "554 ACL ..." line) for each name that matches
# and nothing for names that don't.
for p in $(cat PTR.txt); do
/usr/sbin/postmap -q "$p" regexp:/etc/postfix/mta_clients_dul.regexp
done
exit 0
the output would be a list of all your actual PTR's that would have been
blocked by the .regexp.
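To try the idea without touching a live Postfix, here is an added example (my own code, not Len's or anything shipped with Postfix/IMGate) that does offline what the awk pipeline and the postmap loop above do together: pull the connecting client names out of a log excerpt, dedupe them case-insensitively, and run each through the regexp rule from the post. The log lines and the hostnames mail.example.org / mailhost.example.org are constructed for the example; the rule itself is the one from the post. The second of those names is there on purpose, since "host" followed by two dots is enough to trip the rule, which is exactly the kind of false positive a 450 trial period would surface.

```python
import re

# The regexp table from the post as (compiled pattern, action) pairs.
# Postfix regexp tables match case-insensitively by default, hence re.I.
MTA_CLIENTS_DUL = [
    (re.compile(r"(docsis|dsl|client|dhcp|pool|cpe|host|cust|dial|access"
                r"|in\-addr|arpa|cable|nombres|upc\-[a-z]|user|bri\-).*\..*\.",
                re.I),
     "554 ACL mta_clients_dul"),
]

# Constructed maillog excerpt (not real log data); layout follows Postfix smtpd.
SAMPLE_MAILLOG = """\
Mar  3 10:01:02 mx postfix/smtpd[1234]: connect from dsl.attbi.net[192.0.2.10]
Mar  3 10:01:05 mx postfix/smtpd[1235]: connect from unknown[192.0.2.11]
Mar  3 10:02:10 mx postfix/smtpd[1236]: connect from host-218-122.tele2.pl[192.0.2.12]
Mar  3 10:02:11 mx postfix/smtpd[1237]: connect from mail.example.org[192.0.2.13]
Mar  3 10:02:15 mx postfix/smtpd[1238]: connect from MAIL.example.org[192.0.2.13]
Mar  3 10:03:00 mx postfix/smtpd[1239]: connect from mailhost.example.org[192.0.2.14]
Mar  3 10:03:20 mx postfix/smtpd[1240]: disconnect from dsl.attbi.net[192.0.2.10]
"""

# Same selection as the awk: smtpd "connect from" lines, client name before "[".
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+)\[")


def extract_ptrs(maillog):
    """Return the distinct client names, skipping unknown[...] like the egrep -v,
    and collapsing case variants like sort -f | uniq -i."""
    seen = {}
    for line in maillog.splitlines():
        m = CONNECT_RE.search(line)
        if not m or m.group(1) == "unknown":
            continue
        seen.setdefault(m.group(1).lower(), m.group(1))
    return sorted(seen.values(), key=str.lower)


def lookup(name, table=MTA_CLIENTS_DUL):
    """Emulate `postmap -q name regexp:table`: first matching rule wins,
    None when no rule matches."""
    for pattern, action in table:
        if pattern.search(name):
            return action
    return None


def audit(maillog, table=MTA_CLIENTS_DUL):
    """Map every distinct PTR in the log to the action it would get."""
    return {name: lookup(name, table) for name in extract_ptrs(maillog)}


if __name__ == "__main__":
    # Review the would-be rejects by hand before flipping 450 back to 554.
    for name, action in audit(SAMPLE_MAILLOG).items():
        print(f"{name:40s} {action or 'passes'}")
```

Swap SAMPLE_MAILLOG for the real file contents and the dictionary this returns is the same "who would have been blocked" list the postmap loop produces, with the advantage that you can diff it against a known-good sender list before anything is rejected.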
comments?
Len