It's not an RFC violation, nor is it unreasonable or weird. :) The reason spamdyke keeps the connection open is so it can capture the sender and recipients for its log entries. If it closed the connection immediately, it would only be able to log the incoming IP address.
In some cases spamdyke cannot close the connection early because there's a chance it could still be allowed for some reason. This can happen, for example, when a recipient whitelist is being used -- the whitelist cannot be consulted until after the recipient is identified. On your server SMTP AUTH is possible, so spamdyke must at least wait until the sender is identified because authentication may take place.

-- Sam Clippinger

Ken Schweigert wrote:
> I'm trying to debug a problem and have enabled the "full-log-dir"
> option to see the contents of each message when I noticed something
> unusual, or at least something I'm not fully understanding.
>
> One of the messages was obviously from a spammer and this particular
> IP did not have a reverse DNS entry; I see the entry stating such
> early in its conversation. However, after this was established the
> servers continued to talk where I thought they would have just
> terminated the conversation. I would've thought that my server
> would've closed the connection after learning that the connecting
> server did not reverse its IP. Here is a snippet from that entry
> (sanitized to protect the innocent):
>
> #################################################
> [EMAIL PROTECTED] fulllogdir]# more 20080515_143525_137.101.41.66
> 05/15/2008 14:35:25 STARTED: VERSION = 3.1.6+TLS, PID = 8307
> 05/15/2008 14:35:25 LEGEND: To remote host = <<< ; to child process = >>>> ; blocked by filter = <XX >>>>
> 05/15/2008 14:35:25 LEGEND: From filter to remote host = <FF ; from filter to child process = FF>
>
> <<< 05/15/2008 14:35:25
> 220 rsmail.mydomain.tld ESMTP
>
> >>>> 05/15/2008 14:35:26 >>>>
> EHLO corp-66-40-101-137.apnadream.tld
>
> <<< 05/15/2008 14:35:26
> 250-rsmail.mydomain.tld
> 250-STARTTLS
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 12500000
> 250 AUTH LOGIN PLAIN CRAM-MD5
>
> >>>> 05/15/2008 14:35:27 >>>>
> MAIL FROM:<[EMAIL PROTECTED]>
>
> <FF 05/15/2008 14:35:27
> 250 Refused. You have no reverse DNS entry.
>
> FF> 05/15/2008 14:35:27
> .
> QUIT
>
> >>>> 05/15/2008 14:35:27 >>>>
> RCPT TO: <[EMAIL PROTECTED]>
>
> <FF 05/15/2008 14:35:27
> 421 Refused. You have no reverse DNS entry.
>
> >>>> 05/15/2008 14:35:27 >>>>
> RCPT TO: <[EMAIL PROTECTED]>
>
> <FF 05/15/2008 14:35:27
> 421 Refused. You have no reverse DNS entry.
>
> ...[ snipped out a couple dozen more entries of "Refused" ] ...
>
> >>>> 05/15/2008 14:35:27 >>>>
> RCPT TO: <[EMAIL PROTECTED]>
>
> <FF 05/15/2008 14:35:27
> 421 Refused. You have no reverse DNS entry.
>
> >>>> 05/15/2008 14:35:27 >>>>
> DATA
>
> <FF 05/15/2008 14:35:27
> 421 Refused. You have no reverse DNS entry.
>
> <XX 05/15/2008 14:35:27
> 502 unimplemented (#5.5.1)
> 221 rsmail.mydomain.tld
>
> 05/15/2008 14:35:28 CLOSED
> [EMAIL PROTECTED] fulllogdir]#
> #################################################
>
> So I guess my question is ... can we get Spamdyke to close the
> connection after the first false DNS check instead of waiting for it
> to wade through all the bogus RcptTo's? Maybe this violates some RFC,
> I don't know, so please correct me if this is weird/unreasonable.
>
> -ken
>
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
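As an added illustration (not spamdyke's own code), a toy SMTP filter in Python showing why the session above is kept open: the reverse-DNS verdict is known from the first byte, but the sender and every recipient are still collected for the log, and a recipient whitelist or a successful AUTH can still override the verdict. The command lines, reply strings and whitelist are constructed for the example; unlike the real log above, this model answers MAIL FROM with 250 and defers the refusal to RCPT TO.

```python
import re

ADDR_RE = re.compile(r"<([^>]*)>")
REFUSE = "421 Refused. You have no reverse DNS entry."


def filter_session(commands, rdns_ok, whitelist=frozenset(), auth_ok=False):
    """Walk one client dialogue (a constructed list of SMTP command lines).

    Returns (replies, log): one reply per command processed, plus the record
    the filter can write once it finally closes the session. Closing at the
    first reverse-DNS failure would leave only the client IP to log.
    """
    replies = []
    log = {"rdns_ok": rdns_ok, "authenticated": False, "sender": None,
           "recipients": [], "accepted": []}
    for line in commands:
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        addr = ADDR_RE.search(line)
        if verb == "EHLO":
            replies.append("250 ok")
        elif verb == "AUTH":
            # AUTH precedes MAIL FROM, so the filter must at least wait until
            # the sender is identified before it can rule the session out.
            log["authenticated"] = auth_ok
            replies.append("235 authenticated" if auth_ok else "535 authentication failed")
        elif verb == "MAIL":
            log["sender"] = addr.group(1) if addr else ""
            replies.append("250 ok")  # verdict deferred: a whitelisted recipient may follow
        elif verb == "RCPT":
            rcpt = (addr.group(1) if addr else "").lower()
            log["recipients"].append(rcpt)  # logged whether refused or not
            if rdns_ok or log["authenticated"] or rcpt in whitelist:
                log["accepted"].append(rcpt)
                replies.append("250 ok")
            else:
                replies.append(REFUSE)  # refuse, but keep listening for the log's sake
        elif verb == "DATA":
            if log["accepted"]:
                replies.append("354 go ahead")
            else:
                replies.append(REFUSE)  # nothing deliverable: the log is complete, close
                break
        elif verb == "QUIT":
            replies.append("221 bye")
            break
        else:
            replies.append("502 unimplemented")
    return replies, log
```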
