> > 1. PTR hostname. AOL now rejects mail based on the single criterion of NOT
> > having a PTR hostname. If that's good enough for AOL, why isn't it good
> > enough for you?
>
>Over 20,000 4tuple reports per day with no PTR hostname over here on one of
>my postfix gateways. (have two). Kinda scary to just block them
It depends on what kind of restrictions you are running now, and how many
of those 20K are being accepted by IMGate and then rejected anyway by
JM/Sniffer.
>, and command
>line reporting is rather hard to read.
>I ran the following to generate an HTML report of every single 4tuple with
>no PTR showing PTR(unknown) HELO, FROM and TO. Very easy to page up/down in
>a browser window to look at them all.
>( this generated over a 3MB html table, give it a minute to render if you
>move/resize your browser on a slower machine )
>
>
>echo "<html><body>" > no-ptr.html ; \
>echo "<table border=1><tr><td>PTR</td><td>HELO</td><td>FROM</td><td>TO</td></tr>" >>no-ptr.html; \
>zegrep '4tuple.* unknown; ' /var/log/maillog.0.gz
For that large a maillog file, you should help the regex match skip
non-smtpd lines like this:
egrep -i "^... .. ..:..:.. ... postfix\/smtpd\[.* connect from unknown\[.*4tuple"
which is lines like (replace mx1 with your label):
mmm dd hh:mm:ss mx1 postfix/smtpd
This matches only smtpd lines, quicker, allowing the regex to discard all
other lines more easily.
>| \
>awk '{print $17" "$21" "$18" "$19}' | \
It makes the line wider, but I always include and sort by $10, the IP
address, since that groups networks together. It's very unusual to
have more than one or two IPs in the same Class C with PTR sending you legit
mail. Also, if you see one or many IPs in the same Class C sending with
various [EMAIL PROTECTED], then that's very probably illegit. And since
you are going to OK or DUNNO by IP, you need to keep the IP in the report.
but if you don't keep $10, sort the 4tuple by @sender.domain:
sort -t@ -k2 > report.html
Legit IPs will mostly be sending with one @sender.domain,
so you want to group them together to facilitate visual recognition.
Another trick for identifying legit senders is to exclude from the report all
forged HELOs for BigISP domains (since they will ALL have PTR and will
not legitimately be in this unknown-PTR report):
egrep -iv "helo=<.*(netscape|aol|yahoo|lycos|mindspring|msn|microsoft|yourdomain|etc....)"
i.e., the concept is to filter out of the report all that is obviously bogus,
to make the report smaller.
Also, the same trick to exclude -i "proto=smtp", since legit mail servers will
nearly always send HELO for proto=ESMTP.
again, 20K msgs from PTR-less IPs will ALL be rejected by AOL, so how many
can be legit for you?
Here's a small list showing PTR-less msgs' from and helo, sorted by
@sender.domain:
egrep -i "reject.*from unknown\[.*4tuple" /var/log/maillog |\
cut -d ";" -f 2 |\
awk '{print $1" " $4}' |\
sort -t@ -k2 |\
less
again, all above came from PTR-less IPs.
Len
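As an added example (not from Len's post or the IMGate project), the same PTR-less report built in Python over constructed Postfix reject lines: it keeps only smtpd lines for clients logged as unknown[IP], drops the two classes Len calls obviously bogus (a big-ISP name in the HELO, plain SMTP instead of ESMTP) and groups what remains by /24 (Class C) and by sender domain. The sample log, the hostnames and the BIG_ISP set are assumptions; the regex does not require the 4tuple token that Len's grep looks for, so it accepts lines with or without it.

```python
import re
from collections import defaultdict

# Constructed sample smtpd reject lines (not from the original post) in the standard Postfix
# format; "unknown[IP]" is how Postfix names a client with no PTR record.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 Client host rejected; from=<news@list.example.org> to=<u1@example.com> proto=ESMTP helo=<listserv.example.org>
Mar  1 10:00:02 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 Client host rejected; from=<news@list.example.org> to=<u2@example.com> proto=ESMTP helo=<listserv.example.org>
Mar  1 10:00:03 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 Client host rejected; from=<bob@example.net> to=<u1@example.com> proto=SMTP helo=<hotmail.com>
Mar  1 10:00:04 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 450 Client host rejected; from=<ann@example.info> to=<u2@example.com> proto=SMTP helo=<aol.com>
Mar  1 10:00:05 mx1 postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 Client host rejected; from=<> to=<u1@example.com> proto=ESMTP helo=<mx.example.co>
Mar  1 10:00:06 mx1 postfix/qmgr[1900]: 1A2B3C: removed
"""

# Assumed big-ISP labels: their real mail servers have PTR, so a PTR-less client using them in HELO is forged.
BIG_ISP = {"netscape", "aol", "yahoo", "lycos", "mindspring", "msn", "microsoft", "hotmail"}

REJECT_RE = re.compile(  # anchoring on postfix/smtpd first lets non-smtpd lines fail cheaply
    r"postfix/smtpd\[\d+\]: .*reject: \w+ from unknown\[(?P<ip>[\d.]+)\].*; "
    r"from=<(?P<sender>[^>]*)> to=<[^>]*> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>")

def parse_rejects(log):
    """One dict per PTR-less reject line: ip, /24 prefix, sender domain, proto, helo."""
    records = []
    for m in filter(None, map(REJECT_RE.search, log.splitlines())):
        domain = m["sender"].rsplit("@", 1)[-1] if "@" in m["sender"] else ""  # "" = null sender
        records.append({"ip": m["ip"], "net": m["ip"].rsplit(".", 1)[0], "domain": domain,
                        "proto": m["proto"], "helo": m["helo"]})
    return records

def suspect_reasons(rec):
    """Len's two exclusion heuristics: forged big-ISP HELO and plain SMTP instead of ESMTP."""
    reasons = []
    if any(label in BIG_ISP for label in rec["helo"].lower().split(".")):
        reasons.append("big-isp-helo")
    if rec["proto"].upper() != "ESMTP":
        reasons.append("proto-smtp")
    return reasons

def build_report(log):
    """Group survivors by /24 (repeat networks stand out) and by sender domain (one relay's traffic lands together)."""
    by_net, by_domain, excluded = defaultdict(set), defaultdict(set), 0
    for rec in parse_rejects(log):
        if suspect_reasons(rec):
            excluded += 1
            continue
        by_net[rec["net"]].add(rec["ip"])
        by_domain[rec["domain"]].add(rec["helo"])
    return {"by_net": dict(by_net), "by_domain": dict(by_domain), "excluded": excluded}
```

Point `build_report` at the output of `zcat /var/log/maillog.0.gz` to get the same grouping as the sort -t@ -k2 pipeline, with the IP kept for the OK/DUNNO decision.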