On Jan 07 17:06:52, skin...@britvault.co.uk wrote:
> > If DNS_SOCK_MAX is defined in the config,
> > greyscanner checks that the domain part of every sender
> > has an A and an MX record, and blacklists everything else.
> > That itself is surely a good thing, but:
> > 
> > (2) I am getting a lot of false negatives, such as
> > 
> > Jan  6 01:15:53 www greyscanner[10017]: Trapped 115.67.162.38: Mailed from sender google.com with no MX or A
> > 
> > Needless to say, there is an MX and an A for google.com.
> > 
> > The fact that 115.67.162.38 itself does not have an A
> > and is not actually google's outgoing SMTP server does
> > not come into it: this is not checked in greyscanner.
> 
> Here's a sample of greyscanner trapped no MX lines from my logs
> (most of it looks spamish, others not so.....):
> 
> for line in $(fgrep greyscanner /var/log/maillog | awk '/ MX / { print $7$11 }'); do
>     print -n "$line\nPTR: "; dig -x $(print $line | cut -d: -f1) +short; print
> done
> 
> 173.85.227.74:jaytronautomation.com
> PTR:
> 37.6.249.99:hol.gr
> PTR: adsl-99.37.6.249.tellas.gr.
> 
> 50.193.227.41:gmail.com
> PTR: 50-193-227-41-static.hfc.comcastbusiness.net.
> 
> 209.85.220.50:gmail.com
> PTR: mail-pa0-f50.google.com.

This is what I'm talking about:
there is an MX and A for 'gmail.com',
plus this host resolves there and back,
(and apparently is an outgoing smtp of google.com).
Yet greyscanner blacklists it, with 'no MX or A for gmail.com'.

> 110.175.80.66:gmail.com
> PTR: 110-175-80-66.static.tpgi.com.au.

This is a spammer alright, but still,
there _is_ an MX and A for 'gmail.com',
which is all that greyscanner checks for.

Somehow those DNS lookups must be failing,
but so far I haven't found time to look into Net::DNS

        Jan
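
Added example, not part of the original message and not greyscanner's code: a Python audit of "Trapped ... no MX or A" log entries that separates traps backed by an authoritative negative DNS answer from traps where the lookup itself failed, which is the case the reply above suspects. The log lines, the lookup outcomes and the names audit, verdict, record_state and sample_lookup are constructed for illustration; a real run would replace sample_lookup with a resolver query.

```python
import re

# Constructed log lines in the format of the greyscanner message quoted in the thread.
SAMPLE_LOG = """\
Jan  6 01:15:53 www greyscanner[10017]: Trapped 192.0.2.10: Mailed from sender example.com with no MX or A
Jan  6 01:16:02 www greyscanner[10017]: Trapped 198.51.100.7: Mailed from sender nonexistent.invalid with no MX or A
Jan  6 01:17:40 www greyscanner[10017]: Trapped 203.0.113.5: Mailed from sender example.net with no MX or A
Jan  6 01:18:11 www cron[222]: constructed unrelated line
"""

# Constructed lookup outcomes: (rcode or "TIMEOUT", number of answer records).
SAMPLE_DNS = {
    ("example.com", "MX"): ("SERVFAIL", 0),
    ("example.com", "A"): ("TIMEOUT", 0),
    ("nonexistent.invalid", "MX"): ("NXDOMAIN", 0),
    ("nonexistent.invalid", "A"): ("NXDOMAIN", 0),
    ("example.net", "MX"): ("NOERROR", 0),  # NODATA: name exists, no MX
    ("example.net", "A"): ("NOERROR", 1),
}

TRAP_RE = re.compile(r"Trapped (\S+): Mailed from sender (\S+) with no MX or A")

def sample_lookup(domain, rtype):
    """Hypothetical stand-in for a real resolver query."""
    return SAMPLE_DNS[(domain, rtype)]

def record_state(rcode, answers):
    if rcode == "NOERROR" and answers > 0:
        return "present"
    if rcode in ("NOERROR", "NXDOMAIN"):
        return "absent"   # authoritative negative (NODATA or NXDOMAIN)
    return "failed"       # SERVFAIL, REFUSED, timeout: nothing was learned

def verdict(domain, lookup):
    states = {record_state(*lookup(domain, t)) for t in ("MX", "A")}
    if "failed" in states:
        return "lookup-failed"      # the trap rests on no DNS evidence
    if states == {"absent"}:
        return "confirmed-absent"   # both answers were authoritative negatives
    if states == {"present"}:
        return "records-exist"      # the log line contradicts DNS
    return "partial"                # one record type exists, the other does not

def audit(log_text, lookup):
    """Return (ip, sender domain, verdict) for every trap line in the log."""
    return [(m.group(1), m.group(2), verdict(m.group(2), lookup))
            for m in TRAP_RE.finditer(log_text)]

if __name__ == "__main__":
    for ip, domain, result in audit(SAMPLE_LOG, sample_lookup):
        print(f"{ip:15} {domain:22} {result}")
```

Entries reported as lookup-failed or records-exist are the ones worth re-checking before the address stays blacklisted.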
