Agreed, however reverse DNS is not a universal solution as things like RR accounts will come from the same base domain as RR spam zombies, and you would otherwise have to track down each unique reverse DNS entry.

I would test a connection to the SMTP server instead. Most of these servers will at least respond. So if a domain like yahoo.com, gmail.com, rr.com, etc. is found in the reverse DNS for a new IP rule, you would then check to see if it at least responded to a port 25 connection, and if it did, skip that rule.

Note that I score IP rules at half the weight of the others. There are more common issues with international ISPs and webmail providers than with things like yahoo.com, gmail.com, rr.com, etc. Many don't get a lot of international traffic so they don't notice it.

Matt
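The screening step described above (reverse-resolve the address behind a new IP rule, compare the base domain against a "can't block" table of well-known providers, and only skip the rule when the host actually answers on port 25) as an added example; this is not Message Sniffer's code, nor code from Matt or Andy. The provider table, the "review" outcome for a table hit with no SMTP listener, and the sample PTR data (TEST-NET addresses, constructed) are assumptions; the resolver and port probe are injectable so the logic runs offline.

```python
"""Screen candidate IP block rules before they go live.

Added example, not the project's own code. Combines the two suggestions
from the thread: a "can't block" table keyed on reverse DNS, plus a
port-25 connect test to tell a real MTA from a spam zombie that happens
to share the provider's base domain.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed "can't block" table: base domains of large providers named in the thread.
CANT_BLOCK = {"google.com", "gmail.com", "yahoo.com", "rr.com"}


def base_domain(hostname: str) -> str:
    """Return the last two labels, e.g. 'mail-ab.google.com' -> 'google.com'.

    Assumption: two labels suffice for the providers in CANT_BLOCK. Names under
    multi-label public suffixes (example.co.uk) would need a public suffix list.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def reverse_dns(ip: str) -> Optional[str]:
    """Live PTR lookup; returns None when the address has no reverse entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror / gaierror
        return None


def smtp_listening(ip: str, timeout: float = 5.0) -> bool:
    """Live check: does anything accept a TCP connection on port 25?"""
    try:
        with socket.create_connection((ip, 25), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Verdict:
    ip: str
    ptr: Optional[str]
    action: str   # "block" (rule stands), "skip" (drop rule), "review" (human look)
    reason: str


def screen_rule(ip: str,
                resolve: Callable[[str], Optional[str]] = reverse_dns,
                probe: Callable[[str], bool] = smtp_listening) -> Verdict:
    """Decide what to do with a proposed IP rule for `ip`."""
    ptr = resolve(ip)
    if ptr is None:
        return Verdict(ip, None, "block", "no reverse DNS; rule stands")
    dom = base_domain(ptr)
    if dom not in CANT_BLOCK:
        return Verdict(ip, ptr, "block", f"{dom} not in can't-block table")
    if probe(ip):
        # Real MTAs answer on 25; that is the signal Matt proposes for skipping.
        return Verdict(ip, ptr, "skip", f"{dom} host answers on port 25; skip rule")
    # Same base domain as the provider but nothing listening: consumer range or
    # zombie. Assumed policy: hand it to a human rather than auto-decide.
    return Verdict(ip, ptr, "review", f"{dom} in table but no SMTP listener")


def review_report(verdicts) -> list:
    """Lines for the hourly 'suspect IPs' report Andy asked for."""
    return [f"{v.action:6} {v.ip:15} {v.ptr or '-':40} {v.reason}"
            for v in verdicts if v.action == "review"]


# Constructed sample data (RFC 5737 TEST-NET-1 addresses, invented PTR names).
SAMPLE_PTR = {
    "192.0.2.10": "mail-ab.google.com",
    "192.0.2.20": "cpe-192-0-2-20.nyc.res.rr.com",
    "192.0.2.30": None,
    "192.0.2.40": "bulk.spam-example.net",
}
SAMPLE_SMTP = {"192.0.2.10"}   # only the Google MTA answers on 25 in this sample


def demo_screen(ip: str) -> Verdict:
    """Run screen_rule against the constructed sample instead of the network."""
    return screen_rule(ip, resolve=SAMPLE_PTR.get, probe=lambda a: a in SAMPLE_SMTP)


if __name__ == "__main__":
    results = [demo_screen(ip) for ip in SAMPLE_PTR]
    for v in results:
        print(f"{v.action:6} {v.ip:15} {v.ptr or '-':40} {v.reason}")
    print("\n".join(review_report(results)))
```

For production use, replace the sample resolver and probe with the live `reverse_dns` and `smtp_listening` defaults and keep the connect timeout short; a batch of new rules against unreachable addresses otherwise stalls the robot.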


Andy Schmidt wrote:
Hi,

Unless I'm mistaken, rule 1370762 was targeting the same address range.

If I may make a suggestion:
Before the spam-trap robots are allowed to block major, well-known and
easily recognizable email providers, how about the robot script pulls a
WHOIS and a Reverse DNS and runs that data against a table of "can't block"
entities - or at least spits those out for "human review".

If that can't be done, then how about the robots issue an hourly report of
"suspect" IPs. A no-brainer script can pull matching WHOIS and RevDNS for
quick human review and overriding (if necessary).

I would rather those obvious bad rules are caught before or very quickly
after they go live. There is always some delay before I get first reports
until I realize that this is a "real" problem. Then I have to try to get
headers from end-users before I can dig into logs... Hours and hours pass
(especially if it's overnight events). In the meantime the problem escalates
all around me.

Thanks,
Andy

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: Tuesday, April 03, 2007 11:09 AM
To: Message Sniffer Community
Subject: [sniffer] Re: How to incorporate a white list?

Hello Andy,

Tuesday, April 3, 2007, 9:36:17 AM, you wrote:

Hi Phil,

Yes, it seems as if some Sniffer rules, e.g., 1367683, are broadly targeting
Google's IPs.

I've submitted 3 false positive reports since last night, at least two of
them were Google users, one located in the U.S. and the other in the
Netherlands!

This IP rule has been pulled.

FP processing will happen shortly.

_M



#############################################################
This message is sent to you because you are subscribed to
  the mailing list <sniffer@sortmonster.com>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>


