Thanks, I'll keep my subscriber filter as is for now then. It's been working well.

Also, I find myself out of the loop a bit here since I haven't monitored the list closely the past few months until recently. I don't know what joker or 4tuple is. Len, can you send me the current IMGate config files so I can read through it all and understand these new filters?

Thanks,
Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Len Conrad
Sent: Tuesday, November 18, 2003 11:09 AM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: updated subscriber filter

>Is there a complete mta_clients_subscriber.regexp file that is posted
>anywhere? The one I have is dated 8/14, but I'm sure it's been improved upon
>in the past 2 months.

I haven't improved upon it, but it probably is time to move the joker and joker2 reject into explicit filter lines. But with about 400 networks explicitly listed then the joker filter, there's not much to improve, so don't feel crippled with the August filter.

One reason for doing the above is to allow US IMGators, who won't/can't use the full subscriber list, to edit the list to DUNNO each of the US/CA cable/DSL nets (or at least the ones local to their region), while still catching all the foreign nets.

There was a press item in the last few days about cable/DSL networks having a record quarter for new signups, so the subscriber abuse potential in NA is increasing rapidly.

Since I've been implementing smtpd_restriction_classes in the advanced IMGate, I've been trying to imagine a .class that could handle the USA subscriber nets, based on the abuse they do.

Logic would be: (for those who won't run the subscriber filter full bore against USA networks)

If <USA subscriber networks PTR>, then:

  check_client_access pcre: (refuse ccTLD helo hostname)
  check_sender_access pcre: (refuse ccTLD @sender.domain)

... that would kill tons of foreign TLDs used by USA spammers, and would certainly not catch many if any legit USA MTAs using foreign helo/sender.domain (are there any?).

The pcre would look something like:

/(.*\.[a-zA-Z][a-zA-Z]$)/ 554 ACL The subscriber network PTR hostname is not authorized to send the HELO hostname, HELO = "$1"

/(.*\.[a-zA-Z][a-zA-Z]$)/ 554 ACL The subscriber network PTR hostname is not authorized to send the @sender.domain, sender.domain = "$1"

btw, I was reviewing a report and saw traffic with declude sender+helo but with no PTR. Has Scott gotten charter to remove his ma.charter.net PTR so he won't get caught in subscriber filters? It would have been better to have charter give his IP a declude PTR.

I've always wondered why Scott refuses to relay declude's outbound through a non-subscriber IP over at ComputerizedHorizons. Is he still affiliated with them? Doesn't he trust CH's MTAs to handle his declude outbound?

As usual, there is always a solution for legit MTAs running in subscriber networks to escape the subscriber filter.

1. have the network operator change their PTR hostname to their own domain
2. run own DNS and have reverse zone delegated to it.
3. relay their outbound (only) through ISP or partner MTA.
4. If Scott's case is real, it's one I hadn't thought about, run with no PTR. (maybe the network operator's policy is not to put a client's domain in the network operator's DNS/PTR, but will remove the operator's standard network PTR).

Len
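
The restriction-class logic sketched in the message above, as an added Python simulation that is not part of the original thread or of IMGate's own configuration. The subscriber PTR patterns, the sample sessions and the `evaluate` helper are constructed assumptions; the two-letter-TLD regex and the 554 texts are the ones quoted in the message. The pattern as written matches every two-letter TLD, `.us` included, and a client with no PTR never enters the class.

```python
import re

# Constructed stand-ins for subscriber PTR patterns (assumption); the real
# mta_clients_subscriber.regexp entries are not shown in this thread.
USA_SUBSCRIBER_PTR = [
    re.compile(r"\.dsl\.example-isp\.net$", re.I),
    re.compile(r"\.cable\.example-cable\.com$", re.I),
]

# The two-letter-TLD pattern quoted in the message, unchanged.
CCTLD = re.compile(r"(.*\.[a-zA-Z][a-zA-Z]$)")

HELO_MSG = ('554 ACL The subscriber network PTR hostname is not authorized '
            'to send the HELO hostname, HELO = "{}"')
SENDER_MSG = ('554 ACL The subscriber network PTR hostname is not authorized '
              'to send the @sender.domain, sender.domain = "{}"')


def evaluate(ptr, helo, sender):
    """Hypothetical helper: return a 554 reply, or "DUNNO" to fall through."""
    # The class applies only when the client PTR is a listed subscriber net.
    if ptr is None or not any(p.search(ptr) for p in USA_SUBSCRIBER_PTR):
        return "DUNNO"
    m = CCTLD.search(helo)
    if m:
        return HELO_MSG.format(m.group(1))
    # The whole address is matched, not just the domain part, so $1 carries
    # the full sender address.
    m = CCTLD.search(sender)
    if m:
        return SENDER_MSG.format(m.group(1))
    return "DUNNO"


# Constructed sessions: (client PTR, HELO hostname, envelope sender)
SESSIONS = [
    ("h12.dsl.example-isp.net", "mail.example.ru", "a@example.com"),
    ("h12.dsl.example-isp.net", "mail.example.com", "a@example.co.uk"),
    ("h12.dsl.example-isp.net", "mail.example.com", "a@example.com"),
    ("mx1.example.org", "mail.example.de", "a@example.de"),  # not a subscriber PTR
    (None, "mail.example.de", "a@example.de"),               # no PTR at all
    ("h12.dsl.example-isp.net", "mail.example.us", "a@example.com"),  # .us is two letters
]

if __name__ == "__main__":
    for ptr, helo, sender in SESSIONS:
        print(ptr, helo, sender, "->", evaluate(ptr, helo, sender))
```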
