>There are far too many real businesses that don't spam using DSL for
>their connection.
Which means they are running their own mailserver on their dsl/cable/whatever line?
anyway, here are the scripts to go about investigating your situation:
1. awk '/smtpd.* connect from/ {print $8 }' /var/log/maillog |\
egrep -iv "unknown\[" | cut -d "[" -f 1 > /var/tmp/ptr.txt
.... will give you the list of PTR's. In my case:
# wc -l /var/tmp/ptr.txt
53809 /var/tmp/ptr.txt
2. here's the filter file /etc/postfix/mta_clients_dul.regexp that contains
just one line:
/(docsis|dsl|client|dhcp|pool|cpe|host|cust|dial|access|in\-addr|arpa|cable|nombres|upc\-[a-z]|user|bri\-).*\..*\.[a-z][a-z]/ 554 ACL mta_clients_dul
3. here's the script to see the PTR's that match the reject rule.
/usr/local/bin/ptr_test.sh contains:
#!/bin/sh
# For each PTR name collected in step 1, ask postmap whether the regexp table
# matches it; postmap -q exits 0 on a match, so print only the matching names.
while read -r p ; do
    if /usr/sbin/postmap -q "$p" regexp:/etc/postfix/mta_clients_dul.regexp > /dev/null
    then
        echo "$p"
    fi
done < /var/tmp/ptr.txt
exit 0
=================
the script gives output like this:
CPE-203-45-228-79.qld.bigpond.net.au
adsl-61-66-36-203.TC.sparqnet.net
84.Red-80-34-251.pooles.rima-tde.net
adsl-67-115-25-94.dsl.sndg02.pacbell.net
adsl-64-169-237-67.dsl.sndg02.pacbell.net
host-218-122.tele2.pl
adsl-62-128-213-198.iomart.com
dsl-217-155-58-230.zen.co.uk
adsl-63-197-67-10.dsl.snfc21.pacbell.net
ps94.internetdsl.tpnet.pl
adsl-67-36-151-214.dsl.clevoh.ameritech.net
host34-152.pool8019.interbusiness.it
mailhost2-bcvloh.bcvloh.ameritech.net
adsl-67-36-151-214.dsl.clevoh.ameritech.net
HOST179.GTLC.WYOMING.COM
adsl-78-214-71.bhm.bellsouth.net
las-DSL5-cust085.mpowercom.net
adsl-67-36-248-82.dsl.wotnoh.ameritech.net
host-218-122.tele2.pl
12-228-38-102.client.attbi.com
c-24-98-208-38.atl.client2.attbi.com
host217-35-90-91.in-addr.btopenworld.com
docsis226-242.menta.net
host250-119.pool80207.interbusiness.it
212-170-14-96.uc.nombres.ttd.es
217-125-95-147.uc.nombres.ttd.es
host0-226.rancor.birch.net
adsl-67-36-151-214.dsl.clevoh.ameritech.net
mailhost2-bcvloh.bcvloh.ameritech.net
adsl-67-36-151-214.dsl.clevoh.ameritech.net
222.Red-80-35-172.pooles.rima-tde.net
host-218-122.tele2.pl
PE242126.user.veloxzone.com.br
CPE-203-51-207-216.qld.bigpond.net.au
adsl-66-126-101-182.dsl.lsan03.pacbell.net
adsl-66-126-101-182.dsl.lsan03.pacbell.net
adsl-66-126-101-182.dsl.lsan03.pacbell.net
12-222-236-16.client.insightBB.com
modemcable060.3-201-24.mtl.mc.videotron.ca
user-112u59b.biz.mindspring.com
host-62-245-197-213.customer.m-online.net
adsl-67-36-151-214.dsl.clevoh.ameritech.net
mailhost2-bcvloh.bcvloh.ameritech.net
adsl-67-36-151-214.dsl.clevoh.ameritech.net
I'm sure y'all recognize some PTR in there you'd like to nuke!! yeah,
some false positives, but pretty easily spottable.
4. running the script to see how many PTR connections match, gives:
# /usr/local/bin/ptr_test.sh | wc -l
6457
So 6500 connects from PTR's that match the filter, out of a total of 54K PTR
connects (there were an additional 42K connects from MTA's without PTR), so
at least 6500 "DUL" connects out of nearly 100K total connects.
The 6500 DUL filter matching is far from complete, since other DUL PTR
notations aren't easily definable with a regex.
Of those 6500 "DUL" PTR connects,
1. how many were rejected anyway by other rules? (a little more scripting
work to come up with that answer) ie, if they are spamming, they are
probably forging [EMAIL PROTECTED], so SAV would catch them, too.
2. how many are legit mailservers? this is the key question. I would like
to believe that the false positives in there would be manageable, even if
initially high.
oh well. interesting, but probably inconclusive. :))
Len
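The four steps above (extract PTRs from the smtpd connect lines, apply the DUL pattern, list and count the matches), as an added example that is not part of Len's post: it runs the same awk/cut extraction over a few constructed log lines instead of /var/log/maillog, and uses `grep -Ei` in place of `postmap -q ... regexp:` so it needs no Postfix install (Postfix regexp: tables match case-insensitively by default, which `-i` reproduces). The sample hostnames are illustrative; some are taken from the output list above, the rest are example.org/example.net style placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1 to 4 of the post run over
# constructed log lines, with grep -Ei standing in for "postmap -q ... regexp:".

# Constructed sample of postfix/smtpd log lines; hostnames are illustrative.
SAMPLE_LOG='Mar  1 10:00:01 mx postfix/smtpd[1234]: connect from adsl-67-36-151-214.dsl.clevoh.ameritech.net[67.36.151.214]
Mar  1 10:00:02 mx postfix/smtpd[1235]: connect from unknown[203.0.113.5]
Mar  1 10:00:03 mx postfix/smtpd[1236]: connect from mail.example.org[198.51.100.10]
Mar  1 10:00:04 mx postfix/smtpd[1237]: connect from CPE-203-45-228-79.qld.bigpond.net.au[203.45.228.79]
Mar  1 10:00:05 mx postfix/smtpd[1238]: disconnect from mail.example.org[198.51.100.10]
Mar  1 10:00:06 mx postfix/smtpd[1239]: connect from host-218-122.tele2.pl[218.122.0.1]
Mar  1 10:00:07 mx postfix/smtpd[1240]: connect from mailhost2-bcvloh.bcvloh.ameritech.net[198.51.100.20]'

# The DUL pattern from the post as a POSIX ERE; the backslashes before "-" are
# unnecessary outside a bracket expression and are dropped here for portability.
DUL_RE='(docsis|dsl|client|dhcp|pool|cpe|host|cust|dial|access|in-addr|arpa|cable|nombres|upc-[a-z]|user|bri-).*\..*\.[a-z][a-z]'

# Step 1: PTR names of connecting clients, one per line, skipping clients whose
# address has no PTR (smtpd logs those as "unknown[...]").
extract_ptrs() {
    awk '/smtpd.* connect from/ {print $8}' |
        grep -Eiv 'unknown\[' |
        cut -d '[' -f 1
}

# Steps 2/3: keep only the PTR names the DUL pattern matches.
match_dul() {
    grep -Ei "$DUL_RE"
}

# Step 4: the two totals as plain integers (tr strips the padding BSD wc emits).
count_ptrs() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ptrs | wc -l | tr -d ' '
}
count_dul() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ptrs | match_dul | wc -l | tr -d ' '
}

# Stand-alone run: list the matching PTRs, then the totals.
printf '%s\n' "$SAMPLE_LOG" | extract_ptrs | match_dul
echo "DUL matches: $(count_dul) of $(count_ptrs) PTRs"
```

On the sample above the extraction yields 5 PTRs and the pattern matches 4 of them. The last one, mailhost2-bcvloh.bcvloh.ameritech.net, matches only because "host" occurs inside "mailhost2", which is exactly the kind of false positive the post expects to spot by eye before turning the table into a 554 reject.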