>But, no, there are still a lot of false positives where legitimate,
>card-carrying jerks have no PTR hostname and HELO name is not findable in
>DNS. Anyway, with warn_if_reject, this filter should be good for
>harvesting the true positives manually.
Example:
Sep 2 19:09:37 im1 postfix/smtpd[9226]: 5132A53522: reject_warning: RCPT
from unknown[158.73.247.7]: 554 <CONSE10.HCFA.GOV>: Helo command rejected:
Host not found; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
proto=ESMTP helo=<CONSE10.HCFA.GOV>
The rejection above was primed by the client having no PTR record, then
triggered because the HELO name CONSE10.HCFA.GOV cannot be found in DNS:
# dig CONSE10.HCFA.GOV any
; <<>> DiG 8.3 <<>> CONSE10.HCFA.GOV any
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; CONSE10.HCFA.GOV, type = ANY, class = IN
;; AUTHORITY SECTION:
hcfa.gov. 1H IN SOA hcfadns.hcfa.gov.
hostmaster.hcfa.gov. (
2800231998 ; serial
1H ; refresh
10M ; retry
1D ; expiry
1H ) ; minimum
HCFA ? "How Can (I) Find (my) @ss"
Len
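As an added example (my own code, not from the post or from Postfix), a small Python harvester for the reject_warning lines that warn_if_reject writes, grouping hits by client IP and HELO name so the true positives can be reviewed by hand. The log lines are constructed, with placeholder addresses; the first one mirrors the line quoted above.

```python
import re
from collections import Counter

# Layout of a Postfix smtpd "reject:" / "reject_warning:" line, as in the post.
# The field names are mine; the line format follows the quoted log line.
LOG_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): (?P<action>reject(?:_warning)?): "
    r"(?P<stage>\w+) from (?P<rdns>[^\[ ]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r"<(?P<subject>[^>]*)>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

def parse_reject_line(line):
    """Return a dict of fields for a reject/reject_warning line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["no_ptr"] = rec["rdns"] == "unknown"   # client IP had no PTR record
    return rec

def harvest_warnings(lines):
    """Collect only the reject_warning hits (what warn_if_reject logs without rejecting)."""
    return [r for r in map(parse_reject_line, lines)
            if r and r["action"] == "reject_warning"]

def summarize(hits):
    """Count hits per (client IP, HELO name) so repeat offenders stand out."""
    return Counter((h["ip"], h["helo"]) for h in hits)

# Constructed sample log; addresses are placeholders.
SAMPLE_LOG = """\
Sep  2 19:09:37 im1 postfix/smtpd[9226]: 5132A53522: reject_warning: RCPT from unknown[158.73.247.7]: 554 <CONSE10.HCFA.GOV>: Helo command rejected: Host not found; from=<sender@example.net> to=<user@example.org> proto=ESMTP helo=<CONSE10.HCFA.GOV>
Sep  2 19:10:02 im1 postfix/smtpd[9226]: connect from mail.example.net[192.0.2.10]
Sep  2 19:11:45 im1 postfix/smtpd[9230]: 7B0C153530: reject_warning: RCPT from unknown[158.73.247.7]: 554 <CONSE10.HCFA.GOV>: Helo command rejected: Host not found; from=<other@example.net> to=<user2@example.org> proto=ESMTP helo=<CONSE10.HCFA.GOV>
Sep  2 19:12:13 im1 postfix/smtpd[9231]: 9C2D253540: reject: RCPT from unknown[198.51.100.5]: 554 <user@example.org>: Recipient address rejected: Relay access denied; from=<x@example.com> to=<user@example.org> proto=SMTP helo=<bogus>
""".splitlines()

if __name__ == "__main__":
    for (ip, helo), n in summarize(harvest_warnings(SAMPLE_LOG)).items():
        print(f"{n:3d}  {ip:15s} helo=<{helo}>")
```

Feeding it the real mail log (e.g. `grep reject_warning /var/log/mail.log`) gives the per-sender tally to check before turning warn_if_reject off.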