Tim,

well understood now.

Given that some reverse DNS is not set up to allow Spamdyke to filter,
what's the next option one would try to ban such malicious connections?

Obviously not every DNS admin is neat enough to go via the 
xxx.xxx.xxx.xxx.domainname.tld convention of setting up rDNS host names.

Thanks.

------------------------
Erald Troja


Tim Mancour wrote:
> From Sam's earlier post - "spamdyke must find the keyword and the entire IP
> address in the rDNS name. 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk
> does contain the IP address (i.e. 77.96.122.40) while the rdns name
> cpc1-west2-0-0-cust857.brnt.cable.ntl.com does not include a complete IP
> address so it is not filtered.
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Erald Troja
> Sent: Monday, October 13, 2008 1:01 PM
> To: spamdyke users
> Subject: Re: [spamdyke-users] spamdyke + ip-in-rdns-keyword-blacklist-entry
> option
> 
> Davide,
> 
> no go.
> 
> Other host names containing 'cable' keyword such as
> 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk are properly being rejected
> with the right error message.
> 
> 
> ------------------------
> Erald Troja
> 
> 
> Davide D'Amico wrote:
>> Please try with:
>> *.cable.*
>>
>>
>> d.
>>
>>
>> 2008/10/13 Erald Troja <[EMAIL PROTECTED]>:
>>> Sam/others,
>>>
>>> I've re-read the documentation for this feature over and over and as 
>>> far as I can understand we've done all possible to stop the 
>>> following.
>>>
>>> Here's an entry log from a SPAMMER's address we'd like to reject via 
>>> the ip-in-rdns-keyword-blacklist-entry feature.
>>>
>>> Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from:
>>> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
>>> 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth:
>>> (unknown)
>>>
>>>
>>> our ip-in-rdns-keyword-blacklist-entry referenced file contains the 
>>> following
>>>
>>>
>>> cable
>>> .cable.ntl.com
>>> .ntl.com
>>> cable .ntl.com
>>>
>>> Seems none of the 4 potential keyword entries we're providing is 
>>> matching the above host name.
>>>
>>> The hostname should be rejected with DENIED_IP_IN_RDNS rather than 
>>> DENIED_GRAYLISTED
>>>
>>>
>>> What are we doing wrong?  Or is this an undiscovered bug?
>>>
>>> Thanks.
>>>
>>>
>>>
>>> ------------------------
>>> Erald Troja
>>>
>>>
>>> Erald Troja wrote:
>>>> Sam,
>>>>
>>>> I'm reading your reply again, and perhaps I misunderstood what 
>>>> you're saying.
>>>>
>>>> Here's the entry log for one of the rDNS's I'd like to reject the 
>>>> connection.
>>>>
>>>>
>>>> Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from:
>>>> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
>>>> 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth:
>>>> (unknown)
>>>> Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from:
>>>> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
>>>> 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth:
>>>> (unknown)
>>>>
>>>>
>>>> As you will see, there is an IP address for their rDNS.
>>>>
>>>> Are you saying that the ip-in-rdns-keyword-blacklist-entry file 
>>>> should also contain the IP address of the originating connection, or 
>>>> as long as their IP resolves to a numeric address, all that is necessary 
>>>> to have is the keyword in the ip-in-rdns-keyword-blacklist-entry?
>>>>
>>>> Can anyone clarify this please?
>>>>
>>>>
>>>>
>>>> ------------------------
>>>> Erald Troja
>>>>
>>>> Sam Clippinger wrote:
>>>>> In order for the keyword filter to block connections, spamdyke must 
>>>>> find the keyword and the entire IP address in the rDNS name.  The 
>>>>> two examples you gave don't appear to contain whole IP addresses.  
>>>>> Also, the second example contains the keyword "cablelink", not 
>>>>> "cable"; spamdyke will not match keywords within other text.
>>>>>
>>>>> -- Sam Clippinger
>>>>>
>>>>> Erald Troja wrote:
>>>>>> Hello Folks,
>>>>>>
>>>>>> We are slowly building up on the many swiss army knife features 
>>>>>> that Spamdyke offers.
>>>>>>
>>>>>> One of them is the ip-in-rdns-keyword-blacklist-entry feature 
>>>>>> http://spamdyke.org/documentation/README.html#RDNS
>>>>>>
>>>>>> In essence, we notice many, next to say almost all connections 
>>>>>> connecting to port 25 of our servers, with the keyword 'cable' are 
>>>>>> of SPAMMY nature and we'd like to stop them.
>>>>>>
>>>>>> So, we have Spamdyke configured with 
>>>>>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>>>>>>
>>>>>>
>>>>>> and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>>>>>>
>>>>>> with one line containing just the keyword
>>>>>>
>>>>>> cable
>>>>>>
>>>>>>
>>>>>> We do notice logging of a handful of connections yet for example
>>>>>>
>>>>>>
>>>>>> DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
>>>>>> DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net
>>>>>>
>>>>>>
>>>>>> are Graylisted instead of being denied connectivity. Can anyone 
>>>>>> pass along some documentation on Spamdyke + keyword processing?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> spamdyke-users mailing list
>>>>> [email protected]
>>>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>>>>
>>>
>>
> 
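As an added illustration (not code from spamdyke or from anyone in this thread) of the two conditions Sam and Tim describe, the keyword appearing as a whole name component and the entire IP address appearing in the rDNS name, here is a small Python checker run over constructed log lines built from the hostnames discussed above. The boundary rules it assumes ('.' or '-' between components, octets separated by '.' or '-') are my reading of the described behaviour, not spamdyke's actual matching code.

```python
import re

# Constructed sample spamdyke log lines (from/to addresses are placeholders);
# the origin_ip/origin_rdns pairs are the ones discussed in this thread.
SAMPLE_LOG = (
    "Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: s@a.invalid "
    "to: r@b.invalid origin_ip: 80.6.107.90 "
    "origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: (unknown)\n"
    "Oct 13 12:46:02 mail02 spamdyke[12402]: DENIED_GRAYLISTED from: s@a.invalid "
    "to: r@b.invalid origin_ip: 77.96.122.40 "
    "origin_rdns: 77-96-122-40.cable.ubr02.nmal.blueyonder.co.uk auth: (unknown)\n"
    "Oct 13 12:47:10 mail02 spamdyke[12403]: DENIED_GRAYLISTED from: s@a.invalid "
    "to: r@b.invalid origin_ip: 173.45.65.10 "
    "origin_rdns: cablelink-173-45-65.cpe.intercable.net auth: (unknown)\n"
)
KEYWORDS = ["cable"]  # the one-line ip-in-rdns-keyword blacklist file from the thread
LOG_RE = re.compile(r"origin_ip: (?P<ip>[\d.]+) origin_rdns: (?P<rdns>\S+)")

def rdns_has_keyword(rdns, keyword):
    # Keyword must be a whole name component bounded by '.', '-' or the ends of
    # the name (assumed reading of "will not match keywords within other text"),
    # so 'cablelink' and 'intercable' do not match 'cable'.
    pat = r"(?<![a-z0-9])" + re.escape(keyword.lower()) + r"(?![a-z0-9])"
    return re.search(pat, rdns.lower()) is not None

def rdns_contains_ip(rdns, ip):
    # All four octets in order, separated by '.' or '-' (assumed form of
    # "the entire IP address in the rDNS name"); 77-96-122-40.cable... qualifies.
    pat = r"(?<!\d)" + r"[.-]".join(re.escape(o) for o in ip.split(".")) + r"(?!\d)"
    return re.search(pat, rdns) is not None

def check_rdns(rdns, ip, keywords):
    # Report each condition separately so a non-match can be explained.
    matched = next((k for k in keywords if rdns_has_keyword(rdns, k)), None)
    ip_present = rdns_contains_ip(rdns, ip)
    return {"rdns": rdns, "ip": ip, "keyword": matched, "ip_present": ip_present,
            "would_deny": matched is not None and ip_present}

def classify_log(line, keywords):
    # Pull origin_ip/origin_rdns out of one spamdyke log line and check them.
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("no origin_ip/origin_rdns in line: " + line)
    return check_rdns(m.group("rdns"), m.group("ip"), keywords)

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = classify_log(line, KEYWORDS)
        verdict = "DENIED_IP_IN_RDNS" if r["would_deny"] else "not filtered"
        print(f"{r['rdns']}: {verdict} (keyword={r['keyword']}, ip_present={r['ip_present']})")
```

Running it shows the ntl.com host has the keyword but no IP in its name, the blueyonder host has both, and the intercable host has neither, which is why only the second would be denied.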
