In order to block this connection with the ip-in-rdns filter, the IP 
address must appear in the rDNS name.  In this case, the rDNS name does 
not contain the text "80.6.107.90" or "80-6-107-90" or "080006107090" or 
any of the other formats spamdyke searches for.  That's why the filter 
won't trigger, no matter what keywords you put in the file.

What you need is a filter that will block connections based on finding 
arbitrary keywords in the rDNS name, which is a feature spamdyke does 
not provide.  I've considered adding it in the past but I believe it 
would cause more problems than it solved.  For instance, blocking 
"cable" would stop residential cable modems but it would also stop 
"legitimatesender.staticip.cable.example.com".  I think you'd spend more 
time troubleshooting false positives than you would save by using the 
filter.

In your case, if you want to block all connections ending in 
"cable.ntl.com", simply add the following entry to your rDNS blacklist:
    .cable.ntl.com

-- Sam Clippinger
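
The checks described in this reply, as an added Python example that is not part of the original message and is not spamdyke's code. The function names are hypothetical, only the three IP spellings quoted above are modelled (spamdyke searches for others), and splitting the name on non-alphanumeric characters to get whole-keyword matching is an assumption.

```python
import re

def ip_forms(ip):
    """Three spellings of the IP quoted in the reply; spamdyke searches for more."""
    octets = ip.split(".")
    return {".".join(octets), "-".join(octets),
            "".join(o.zfill(3) for o in octets)}

def ip_in_rdns(ip, rdns):
    """ip-in-rdns precondition: the whole IP must appear in the rDNS name."""
    return any(form in rdns for form in ip_forms(ip))

def keyword_in_rdns(keyword, rdns):
    """Assumed whole-word match, so "cable" does not match "cablelink"."""
    return keyword.lower() in re.split(r"[^a-z0-9]+", rdns.lower())

def keyword_filter_blocks(ip, rdns, keywords):
    """Keyword filter as described in the thread: IP AND keyword both present."""
    return ip_in_rdns(ip, rdns) and any(keyword_in_rdns(k, rdns) for k in keywords)

def rdns_blacklisted(rdns, entries):
    """rDNS blacklist: a leading-dot entry matches any name ending in it."""
    name = rdns.lower().rstrip(".")
    return any(name.endswith(e.lower()) if e.startswith(".") else name == e.lower()
               for e in entries)

def explain(ip, rdns, keywords, blacklist):
    """Summarise which of the checks would fire for one connection."""
    return {"ip_in_rdns": ip_in_rdns(ip, rdns),
            "keyword_present": any(keyword_in_rdns(k, rdns) for k in keywords),
            "keyword_filter": keyword_filter_blocks(ip, rdns, keywords),
            "rdns_blacklist": rdns_blacklisted(rdns, blacklist)}

# First pair is from the quoted log line; the other two are constructed samples.
SAMPLES = [
    ("80.6.107.90", "cpc1-west2-0-0-cust857.brnt.cable.ntl.com"),
    ("80.6.107.90", "host-80-6-107-90.cable.example.net"),
    ("192.0.2.10", "legitimatesender.staticip.cable.example.com"),
]

if __name__ == "__main__":
    for ip, rdns in SAMPLES:
        print(ip, rdns, explain(ip, rdns, ["cable"], [".cable.ntl.com"]))
```

The logged NTL host carries the keyword but not its IP address, so only the rDNS blacklist entry catches it; the third sample shows the false positive a keyword-only filter would produce.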

Erald Troja wrote:
> Sam/others,
>
> I've re-read the documentation for this feature over and over
> and as far as I can understand we've done everything possible to stop
> the following.
>
> Here's an entry log from a SPAMMER's address we'd like to reject via the
> ip-in-rdns-keyword-blacklist-entry feature.
>
> Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: 
> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 
> 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: 
> (unknown)
>
>
> our ip-in-rdns-keyword-blacklist-entry referenced file contains the 
> following
>
>
> cable
> .cable.ntl.com
> .ntl.com
> cable .ntl.com
>
> Seems none of the 4 potential keyword entries we're providing
> is matching the above host name.
>
> The hostname should be rejected with DENIED_IP_IN_RDNS rather
> than DENIED_GRAYLISTED
>
>
> What are we doing wrong?  Or is this an undiscovered bug?
>
> Thanks.
>
>
>
> ------------------------
> Erald Troja
>
>
> Erald Troja wrote:
>   
>> Sam,
>>
>> I'm reading your reply again, and perhaps I misunderstood what
>> you're saying.
>>
>> Here's the entry log for one of the rDNS's I'd like to reject the 
>> connection.
>>
>>
>> Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from: 
>> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 
>> 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: 
>> (unknown)
>> Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from: 
>> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 
>> origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>>
>>
>> As you will see, there is an IP address for their rDNS.
>>
>> Are you saying that the ip-in-rdns-keyword-blacklist-entry file should
>> also contain the IP address of the originating connection, or, as long as 
>> their IP resolves to a numeric address, all that is necessary is to have the 
>> keyword in the ip-in-rdns-keyword-blacklist-entry?
>>
>> Can anyone clarify this please?
>>
>>
>>
>> ------------------------
>> Erald Troja
>>
>> Sam Clippinger wrote:
>>     
>>> In order for the keyword filter to block connections, spamdyke must 
>>> find the keyword and the entire IP address in the rDNS name.  The two 
>>> examples you gave don't appear to contain whole IP addresses.  Also, 
>>> the second example contains the keyword "cablelink", not "cable"; 
>>> spamdyke will not match keywords within other text.
>>>
>>> -- Sam Clippinger
>>>
>>> Erald Troja wrote:
>>>       
>>>> Hello Folks,
>>>>
>>>> We are slowly building up on the many swiss army knife features
>>>> that Spamdyke offers.
>>>>
>>>> One of them is the ip-in-rdns-keyword-blacklist-entry feature
>>>> http://spamdyke.org/documentation/README.html#RDNS
>>>>
>>>> In essence, we notice many, next to say almost all connections
>>>> connecting to port 25 of our servers, with the keyword 'cable' are
>>>> of SPAMMY nature and we'd like to stop them.
>>>>
>>>> So, we have Spamdyke configured with
>>>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>>>>  
>>>>
>>>>
>>>> and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>>>>
>>>> with one line containing just the keyword
>>>>
>>>> cable
>>>>
>>>>
>>>> We do notice logging of a handful of connections yet for example
>>>>
>>>>
>>>> DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
>>>> DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net
>>>>
>>>>
>>>> are Graylisted instead of being denied connectivity. Can anyone
>>>> pass along some documentation on Spamdyke + keyword processing?
>>>>
>>>> Thanks.
>>>>
>>>>   
>>>>         
>>> _______________________________________________
>>> spamdyke-users mailing list
>>> [email protected]
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>>
>>>       