/mastercard\.com$/ DUNNO
/citizensbank\.com$/ DUNNO
/outblaze\.com$/ DUNNO

All dunno lines should end with a dollar sign $ to match the end of the string only. It's not likely to be abused but it's possible. Without the $, outblaze.com.spammerdomain.net would also be dunno'd :) But thanks, I didn't see the original post and outblaze blocked me because of the joker match.

-----Original Message-----
From: Len Conrad [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 8:59 AM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: updated subscriber filter

Here's a couple of commands that give you two report files for subscriber, one with subscriber blocks for explicit matches:

    zegrep -i "smtpd.*reject.*subscriber" /var/log/maillog.[0-9].gz | egrep -iv "joker" | awk '{print $10}' | sort -f | uniq -i | sort -t[ -k2 > /var/tmp/subscriber_nojoker.txt

and one for the jokers:

    zegrep -i "smtpd.*reject.*subscriber" /var/log/maillog.[0-9].gz | egrep -i "joker" | awk '{print $10}' | sort -f | uniq -i | sort -t[ -k2 > /var/tmp/subscriber_joker.txt

I'm amazed at how many joker networks there are, since I spent a LOT of time harvesting the original explicit network regexps. I can't see any way, other than manually, of extracting subscriber_joker.txt PTR hostname groups into individual /regex/, so it's tedious work.

Also note, if you find any legit non-subscriber MTAs using subscriber-style PTRs, like these beauties:

    12-14-115-040.mastercard.com[12.14.115.40]:
    host-12-154-167-140.citizensbank.com[12.154.167.140]:
    205-158-62-67.outblaze.com[205.158.62.67]:
    ...

then share them here so we can DUNNO them:

    /mastercard\.com/ DUNNO
    /citizensbank\.com/ DUNNO
    /outblaze\.com/ DUNNO

(btw, outblaze is not a spammer, even if you see tons of mail from them for unknown recipients. The head mail guy is a famous, vociferous anti-spammer, but his hosted legit, non-spamming mail domains do send a lot of mail to unknown users (dirty lists, I guess).)
======================

The report files are sorted by IP address, so it will be easier to see a group of subscriber PTRs and the new regex pattern to block them, which will be added as an explicit match to the non-joker regexes.

For those who want to whitelist a network regex, here's a suggestion. A comment to remove the regex is not recommended:

    #/regex/ 554 .......

... will cause postfix to continue processing the file (uselessly), while

    /regex/ DUNNO ....

will cause a match and postfix to exit from the file.

Practically (and the size of the file demands practical skill and tricks), rather than going into the file and editing each line's "554 text" into a "DUNNO", identify the networks' regexes you want to whitelist and put them at the top of the file (giving a fast exit), leaving the body of the file untouched:

    #whitelist subscriber networks with too many legit servers for my users
    /regex/ DUNNO
    /regex/ DUNNO
    /regex/ DUNNO

    #all explicit network regex
    /(kbl.*\.zeelandnet\.nl)/ 554 ACL mta_clients_subscriber The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = "$1"
    etc.

    #network jokers
    /(.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = "$1"
    /(.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = "$1"

    #shorties
    /(.*[0-9]{2,3}\-[0-9]{2,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker2 The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = "$1"

"shorties" does catch a lot of obvious subscriber nets, but, no surprise, it catches some non-sub PTRs, also.
vigilance

===================================================

btw, you CANNOT accomplish the above whitelisting with two files, putting all the DUNNOs in the first file (that would be too nice, huh? my own private whitelist file running before the big common file):

    check_client_access pcre:/etc/postfix/mta_clients_subscriber_dunno.regexp,
    check_client_access pcre:/etc/postfix/mta_clients_subscriber.regexp

... because a DUNNO match exits from the first file and postfix proceeds to the next, so the DUNNO has to be in the same file as the reject rule, and before it, since regexp: and pcre: files are processed in physical order. (And note that cleanup's filter *_checks.regexp files are not processed in the same way as smtpd's access .regexp files.) And the ACTIONs in a *_checks file are different from the ACTIONs in an access file (man 5 access and man pcre_table).

This "joker" maintenance is no joke, it's a pain in the @ss (but we don't have to do it every day, only once a month or so), so sharing here will help everyone. Promoting stuff from joker to explicit is to help people DUNNO specific networks that get caught by the jokers.

As I mentioned earlier, marketing reports are that cable/DSL subscriber uptake is booming, so the mail abuse (and compromised subscriber machines) will continue booming also. Nothing has changed, other than for the much worse, as the boom in subscriber IPs that spam, and the above-all volumes they spam with, will always dominate the comparatively tiny number of legit IPs and their legit volume.

Len
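The three points raised in this thread (the missing `$` on the DUNNO lines, first-match-in-physical-order pcre: tables, and why DUNNOs in a separate first file do not whitelist anything) can be checked with a small model. This is an added example, not code from the list or from postfix: it models only the client hostname lookup (postfix also looks up the client IP), uses the patterns quoted above, and the hostnames are constructed.

```python
import re

# Rules constructed from the patterns quoted in the thread; a model of
# postfix pcre: access tables, not the real /etc/postfix files.
JOKER = r'(.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}.*\..*\..*)'
REJECT_RULES = [
    (r'(kbl.*\.zeelandnet\.nl)', '554 mta_clients_subscriber'),
    (JOKER, '554 mta_clients_subscriber_joker'),
]

def dunno_rules(anchored):
    """Whitelist as first posted (no $) or with the $ fix from the reply."""
    end = '$' if anchored else ''
    return [(r'mastercard\.com' + end, 'DUNNO'),
            (r'citizensbank\.com' + end, 'DUNNO'),
            (r'outblaze\.com' + end, 'DUNNO')]

def table_lookup(rules, client_name):
    """One pcre: table: first match in physical order wins, else None.
    pcre: patterns are case-insensitive by default, hence IGNORECASE."""
    for pattern, action in rules:
        if re.search(pattern, client_name, re.IGNORECASE):
            return action
    return None

def check_client_access(tables, client_name):
    """A chain of check_client_access restrictions. DUNNO and "no match"
    both fall through to the next table; any other action is final."""
    for rules in tables:
        action = table_lookup(rules, client_name)
        if action not in (None, 'DUNNO'):
            return action
    return 'OK'

def classify(client_name, anchored=True, single_file=True):
    """single_file: DUNNOs at the top of the reject table (Len's layout);
    otherwise the DUNNOs sit in a separate table consulted first."""
    dunno = dunno_rules(anchored)
    if single_file:
        return check_client_access([dunno + REJECT_RULES], client_name)
    return check_client_access([dunno, REJECT_RULES], client_name)

if __name__ == '__main__':
    for name in ('12-14-115-040.mastercard.com',
                 '205-158-62-67.outblaze.com.spammer.example',
                 'kbl123.zeelandnet.nl', 'mail.example.net'):
        print(name, classify(name), classify(name, anchored=False),
              classify(name, single_file=False))
```

The mastercard host is rejected by the joker rule when the DUNNO lives in a separate file, and the constructed `outblaze.com.spammer.example` host is only whitelisted when the `$` is missing.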
