On Thu, May 16, 2013 at 07:48:24PM -0400, Wietse Venema wrote:
> /dev/rob0:
> > In the time since I've been running this, I saw the first thing
> > that might be seen as a problem: dnsblog timing out on one of
> > the DNSBL lookups:
> >
> > May 16 21:51:44 harrier postfix/postscreen[29502]: CONNECT from [208.66.205.36]:53814 to [207.223.116.211]:25
> > May 16 21:51:44 harrier postfix/dnsblog[29507]: addr 208.66.205.36 listed by domain list.dnswl.org as 127.0.15.0
> >
> > This gives it a -2 so far, but when the greet pause is finished,
> > postscreen proceeds anyway:
>
> All postscreen versions work that way. When the DNSBL score is not
> final before the pregreet test completes, the DNSBL test remains
> undecided, and the test will be repeated the next time the client
> connects.
>
> Increasing the greet-wait to 10+ seconds could result in
> legitimate clients hanging up, so I would not recommend that.

Do we have any testing to validate this? I'm pretty sure I recall from a few years back on the old original SPAM-L list that some Sendmail people[1] were saying they used greet pauses in excess of 30 seconds.

> You can try to change the DNS resolver timeout/retry behavior:

Thanks for all that. As it happens, I have a quick fix for this:

$ grep 'dnsblog.*timeout' /var/log/maillog | wc
     35     420    3731
$ grep 'dnsblog.*timeout' /var/log/maillog | grep -v surriel | wc
      0       0       0

PSBL seems to be a bit slow for me. I've taken it out of my postscreen_dnsbl_sites; I had only recently added it.

What this shows is that there's no good, risk-free way to test potential new DNSBLs. No great harm done: at the most, 35 delayed mails.

But could a site which is consistently timing out cause positive scores to be ignored? Apparently not here:

May 12 05:05:39 harrier postfix/postscreen[17895]: CONNECT from [24.227.47.42]:1362 to [207.223.116.211]:25
May 12 05:05:39 harrier postfix/postscreen[17895]: PREGREET 21 after 0.03 from [24.227.47.42]:1362: EHLO [192.168.2.33]\r\n
May 12 05:05:39 harrier postfix/dnsblog[17901]: addr 24.227.47.42 listed by domain dnsbl.sorbs.net as 127.0.0.7
May 12 05:05:39 harrier postfix/dnsblog[17897]: addr 24.227.47.42 listed by domain b.barracudacentral.org as 127.0.0.2
May 12 05:05:40 harrier postfix/dnsblog[17900]: addr 24.227.47.42 listed by domain zen.spamhaus.org as 127.0.0.4
May 12 05:05:45 harrier postfix/postscreen[17895]: DNSBL rank 6 for [24.227.47.42]:1362
May 12 05:05:45 harrier postfix/postscreen[17895]: NOQUEUE: reject: RCPT from [24.227.47.42]:1362: 550 5.7.1 Service unavailable; client [24.227.47.42] blocked using zen.spamhaus.org; from=<t...@live.com>, to=<therichshei...@yahoo.com>, proto=ESMTP, helo=<[192.168.2.33]>
May 12 05:05:45 harrier postfix/postscreen[17895]: DISCONNECT [24.227.47.42]:1362
May 12 05:05:49 harrier postfix/postscreen[17895]: warning: dnsblog reply timeout 10s for psbl.surriel.com
May 12 05:05:59 harrier postfix/dnsblog[17902]: warning: dnsblog_query: lookup error for DNS query 42.47.227.24.psbl.surriel.com: Host or domain name not found. Name service error for name=42.47.227.24.psbl.surriel.com type=A: Host not found, try again

I guess this says that postscreen_dnsbl_action fires at the end of the greet pause when postscreen_dnsbl_threshold is met, but postscreen_dnsbl_whitelist_threshold is not calculated.

Here's the same botnet from a different zombie, which does not meet the threshold, rejected for protocol error:

May 12 05:43:09 harrier postfix/postscreen[19787]: CONNECT from [80.24.21.133]:23652 to [207.223.116.211]:25
May 12 05:43:09 harrier postfix/dnsblog[19790]: addr 80.24.21.133 listed by domain bl.spameatingmonkey.net as 127.0.0.2
May 12 05:43:09 harrier postfix/postscreen[19787]: PREGREET 21 after 0.22 from [80.24.21.133]:23652: EHLO [192.168.2.33]\r\n
May 12 05:43:19 harrier postfix/postscreen[19787]: warning: dnsblog reply timeout 10s for psbl.surriel.com
May 12 05:43:20 harrier postfix/postscreen[19787]: NOQUEUE: reject: RCPT from [80.24.21.133]:23652: 550 5.5.1 Protocol error; from=<t...@live.com>, to=<therichshei...@yahoo.com>, proto=ESMTP, helo=<[192.168.2.33]>
May 12 05:43:21 harrier postfix/postscreen[19787]: DISCONNECT [80.24.21.133]:23652

Here's one without the pregreet:

May 13 06:21:09 harrier postfix/postscreen[3805]: CONNECT from [89.121.129.184]:43448 to [207.223.116.211]:25
May 13 06:21:09 harrier postfix/dnsblog[3807]: addr 89.121.129.184 listed by domain b.barracudacentral.org as 127.0.0.2
May 13 06:21:09 harrier postfix/dnsblog[3813]: addr 89.121.129.184 listed by domain zen.spamhaus.org as 127.0.0.11
May 13 06:21:09 harrier postfix/dnsblog[3813]: addr 89.121.129.184 listed by domain zen.spamhaus.org as 127.0.0.4
May 13 06:21:09 harrier postfix/dnsblog[3808]: addr 89.121.129.184 listed by domain bl.mailspike.net as 127.0.0.12
May 13 06:21:15 harrier postfix/postscreen[3805]: DNSBL rank 6 for [89.121.129.184]:43448
May 13 06:21:16 harrier postfix/postscreen[3805]: NOQUEUE: reject: RCPT from [89.121.129.184]:43448: 550 5.7.1 Service unavailable; client [89.121.129.184] blocked using zen.spamhaus.org; from=<watche...@ya.ru>, to=<mungedu...@example.org>, proto=ESMTP, helo=<89-121-129-184.romtelecom.net>
May 13 06:21:16 harrier postfix/postscreen[3805]: HANGUP after 0.68 from [89.121.129.184]:43448 in tests after SMTP handshake
May 13 06:21:16 harrier postfix/postscreen[3805]: DISCONNECT [89.121.129.184]:43448
May 13 06:21:19 harrier postfix/postscreen[3805]: warning: dnsblog reply timeout 10s for psbl.surriel.com

[Snip all the good resolver(5) information]

[1] Specifically I am thinking of the late Bruce Gingery, a true master spamfighter. I will ask about this on SDLU[2] also.
[2] http://spammers.dontlike.us/

--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
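
Added example, not part of the original message: a small Python summarizer for the log format quoted above. It counts "dnsblog reply timeout" warnings per DNSBL domain (what the grep pipeline does) and also records, per client, the listings that did arrive and whether a "DNSBL rank" line was logged. The sample lines are constructed with documentation-range addresses, and the function name `summarize` is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same syslog format as the excerpts above
# (documentation-range client addresses, not real hosts).
SAMPLE = """\
May 12 05:05:39 mx postfix/postscreen[100]: CONNECT from [192.0.2.10]:1362 to [198.51.100.1]:25
May 12 05:05:39 mx postfix/dnsblog[101]: addr 192.0.2.10 listed by domain b.barracudacentral.org as 127.0.0.2
May 12 05:05:40 mx postfix/dnsblog[102]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.4
May 12 05:05:45 mx postfix/postscreen[100]: DNSBL rank 6 for [192.0.2.10]:1362
May 12 05:05:49 mx postfix/postscreen[100]: warning: dnsblog reply timeout 10s for psbl.surriel.com
May 12 05:43:09 mx postfix/postscreen[100]: CONNECT from [192.0.2.20]:23652 to [198.51.100.1]:25
May 12 05:43:09 mx postfix/dnsblog[103]: addr 192.0.2.20 listed by domain bl.spameatingmonkey.net as 127.0.0.2
May 12 05:43:19 mx postfix/postscreen[100]: warning: dnsblog reply timeout 10s for psbl.surriel.com
""".splitlines()

CONNECT = re.compile(r"postscreen\[\d+\]: CONNECT from \[([^\]]+)\]")
LISTED = re.compile(r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")
RANK = re.compile(r"postscreen\[\d+\]: DNSBL rank (-?\d+) for \[([^\]]+)\]")
TIMEOUT = re.compile(r"postscreen\[\d+\]: warning: dnsblog reply timeout \d+s for (\S+)")

def summarize(lines):
    """Return (timeouts per DNSBL domain, per-client listings and logged rank)."""
    timeouts = Counter()
    clients = defaultdict(lambda: {"listed": [], "rank": None})
    for line in lines:
        if m := TIMEOUT.search(line):
            timeouts[m.group(1)] += 1
        elif m := LISTED.search(line):
            clients[m.group(1)]["listed"].append((m.group(2), m.group(3)))
        elif m := RANK.search(line):
            clients[m.group(2)]["rank"] = int(m.group(1))
        elif m := CONNECT.search(line):
            clients[m.group(1)]  # register the client even if nothing is listed
    return timeouts, dict(clients)

if __name__ == "__main__":
    timeouts, clients = summarize(SAMPLE)
    for domain, n in timeouts.most_common():
        print(f"{n:4d} reply timeouts: {domain}")
    for addr, info in clients.items():
        print(addr, "rank:", info["rank"], "listings:", info["listed"])
```

The timeout warning carries no client address, so the per-domain count and the per-client view are reported side by side rather than joined.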