Yes, I service several small companies that have their own mail server on business-class DSL or cable lines. I am also aware of a few that are still on ISDN lines that show as dial-up accounts.
I stopped using DUL after one day's use. I checked every address it rejected and found that almost 50% were legit mail servers from business-class DSL or cable lines.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Len Conrad
Sent: Saturday, January 04, 2003 11:26 PM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: comments, please

>There are far too many real businesses that don't spam using DSL for
>their connection.

Which means they are running their own mailserver on their dsl/cable/whatever line?

anyway, here are the scripts to go about investigating your situation:

1. Extract the PTR of every smtpd connect that had one (field 8 of a Postfix "connect from" line is ptr[ip]; clients without a PTR log as unknown[ip] and are dropped):

    awk '/smtpd.* connect from/ {print $8 }' /var/log/maillog |\
      egrep -iv "unknown\[" | cut -d "[" -f 1 > /var/tmp/ptr.txt

.... will give you the list of PTR's. In my case:

    # wc -l /var/tmp/ptr.txt
    53809 /var/tmp/ptr.txt

2. here is the filter file /etc/postfix/mta_clients_dul.regexp that contains just one line:

    /(docsis|dsl|client|dhcp|pool|cpe|host|cust|dial|access|in\-addr|arpa|cable|nombres|upc\-[a-z]|user|bri\-).*\..*\.[a-z][a-z]/  554 ACL mta_clients_dul

3. here's the script to see the PTR's that match the reject rule. /usr/local/bin/ptr_test.sh contains:

    #!/bin/sh
    # Print every PTR in ptr.txt that the mta_clients_dul regexp table matches.
    # postmap -q exits 0 when the key matches an entry in the table, non-zero otherwise.
    while read -r p ; do
        if /usr/sbin/postmap -q "$p" regexp:/etc/postfix/mta_clients_dul.regexp > /dev/null
        then
            echo "$p"
        fi
    done < /var/tmp/ptr.txt
    exit 0

=================

the script gives output like this:

    CPE-203-45-228-79.qld.bigpond.net.au
    adsl-61-66-36-203.TC.sparqnet.net
    84.Red-80-34-251.pooles.rima-tde.net
    adsl-67-115-25-94.dsl.sndg02.pacbell.net
    adsl-64-169-237-67.dsl.sndg02.pacbell.net
    host-218-122.tele2.pl
    adsl-62-128-213-198.iomart.com
    dsl-217-155-58-230.zen.co.uk
    adsl-63-197-67-10.dsl.snfc21.pacbell.net
    ps94.internetdsl.tpnet.pl
    adsl-67-36-151-214.dsl.clevoh.ameritech.net
    host34-152.pool8019.interbusiness.it
    mailhost2-bcvloh.bcvloh.ameritech.net
    adsl-67-36-151-214.dsl.clevoh.ameritech.net
    HOST179.GTLC.WYOMING.COM
    adsl-78-214-71.bhm.bellsouth.net
    las-DSL5-cust085.mpowercom.net
    adsl-67-36-248-82.dsl.wotnoh.ameritech.net
    host-218-122.tele2.pl
    12-228-38-102.client.attbi.com
    c-24-98-208-38.atl.client2.attbi.com
    host217-35-90-91.in-addr.btopenworld.com
    docsis226-242.menta.net
    host250-119.pool80207.interbusiness.it
    212-170-14-96.uc.nombres.ttd.es
    217-125-95-147.uc.nombres.ttd.es
    host0-226.rancor.birch.net
    adsl-67-36-151-214.dsl.clevoh.ameritech.net
    mailhost2-bcvloh.bcvloh.ameritech.net
    adsl-67-36-151-214.dsl.clevoh.ameritech.net
    222.Red-80-35-172.pooles.rima-tde.net
    host-218-122.tele2.pl
    PE242126.user.veloxzone.com.br
    CPE-203-51-207-216.qld.bigpond.net.au
    adsl-66-126-101-182.dsl.lsan03.pacbell.net
    adsl-66-126-101-182.dsl.lsan03.pacbell.net
    adsl-66-126-101-182.dsl.lsan03.pacbell.net
    12-222-236-16.client.insightBB.com
    modemcable060.3-201-24.mtl.mc.videotron.ca
    user-112u59b.biz.mindspring.com
    host-62-245-197-213.customer.m-online.net
    adsl-67-36-151-214.dsl.clevoh.ameritech.net
    mailhost2-bcvloh.bcvloh.ameritech.net
    adsl-67-36-151-214.dsl.clevoh.ameritech.net

I'm sure ya'll recognize some PTR in there you'd like to nuke!! yeah, some false positives, but pretty easily spottable.

4. running the script to see how many PTR connections match, gives:

    # /usr/local/bin/ptr_test.sh | wc -l
    6457

So 6500 connects from PTR's that match the filter, out of a total of 54K PTR connects (there were an additional 42K connects from MTA's without PTR), so at least 6500 "DUL" connects out of nearly 100K total connects.

The 6500 DUL filter matching is far from complete, since other DUL PTR notations aren't easily definable with a regex.

Of those 6500 "DUL" PTR connects,

1. how many were rejected anyway by other rules? (a little more scripting work to come up with that answer) ie, if they are spamming, they are probably forging [EMAIL PROTECTED], so SAV would catch them, too.

2. how many are legit mailservers? this is the key question. I would like to believe that the false positives in there would be manageable, even if initially high.

oh well. interesting, but probably inconclusive. :))

Len
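As an added example (not code from the thread or from IMGate), the same investigation in Python over a few constructed Postfix log lines: extract the PTRs of smtpd "connect from" entries the way the awk/egrep/cut pipeline does, apply the posted regexp the way postmap would (Postfix regexp tables match case-insensitively by default), and additionally flag matches whose leading label looks like a mail host. That last check is an assumed heuristic for Len's "how many are legit mailservers?" question, not something the thread proposes.

```python
import re
from collections import Counter

# The one-line regexp map from the thread, compiled case-insensitively to
# mirror Postfix regexp: table behaviour.
DUL_PATTERN = re.compile(
    r"(docsis|dsl|client|dhcp|pool|cpe|host|cust|dial|access|in\-addr|arpa|"
    r"cable|nombres|upc\-[a-z]|user|bri\-).*\..*\.[a-z][a-z]",
    re.IGNORECASE,
)

# Field 8 of a Postfix smtpd "connect from" line is "ptr[ip]"; clients
# without a PTR log as "unknown[ip]" and are dropped, as in the awk pipeline.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (?P<ptr>[^\[\s]+)\[")

# Assumed heuristic (not from the thread): a leading label like mail/mx/smtp
# suggests a real MTA that the "host" or "dsl" token caught by accident.
MTA_HINT = re.compile(r"^(mail|mx|smtp|relay)", re.IGNORECASE)

# Constructed sample log; PTR names are taken from the output list above,
# IPs are documentation addresses.
SAMPLE_MAILLOG = """\
Jan  4 23:01:12 gw postfix/smtpd[4011]: connect from adsl-67-115-25-94.dsl.sndg02.pacbell.net[192.0.2.11]
Jan  4 23:01:40 gw postfix/smtpd[4012]: connect from unknown[192.0.2.12]
Jan  4 23:02:05 gw postfix/smtpd[4013]: connect from mailhost2-bcvloh.bcvloh.ameritech.net[192.0.2.13]
Jan  4 23:02:31 gw postfix/smtpd[4014]: connect from mx1.example.com[192.0.2.14]
Jan  4 23:03:02 gw postfix/smtpd[4015]: connect from CPE-203-45-228-79.qld.bigpond.net.au[192.0.2.15]
Jan  4 23:03:50 gw postfix/smtpd[4016]: connect from adsl-67-115-25-94.dsl.sndg02.pacbell.net[192.0.2.11]
""".splitlines()


def extract_ptrs(maillog_lines):
    """Return the PTR of every smtpd connect that had one (step 1 of the thread)."""
    ptrs = []
    for line in maillog_lines:
        m = CONNECT_RE.search(line)
        if m and m.group("ptr").lower() != "unknown":
            ptrs.append(m.group("ptr"))
    return ptrs


def classify(ptrs):
    """Count DUL-looking PTRs (steps 3-4) and list matches that look like real MTAs."""
    matched = [p for p in ptrs if DUL_PATTERN.search(p)]
    suspect_fp = [p for p in matched if MTA_HINT.match(p)]
    return {"total": len(ptrs), "dul": len(matched),
            "suspect_fp": suspect_fp, "top": Counter(matched).most_common(3)}


if __name__ == "__main__":
    print(classify(extract_ptrs(SAMPLE_MAILLOG)))
```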
