Sam,

I'm going back to this thread as I believe something is still not working 
right.

Here's what's going on.


1) Here's a snippet of the log file entry which contains the error, IP, 
and rDNS of the connection:

DENIED_GRAYLISTED 89.141.38.150 89.141.38.150.dyn.user.ono.com

2) Here are our ip-in-rdns-keyword-blacklist-file entries:

adsl
cable
dsl
dyn
dynamic
ip
kabel
mtu
nat
pool
ppp
pppoe
user
.veloxzone.com.br
.virtua.com.br
xdsl


3) As you'd see, at least 2 entries should hit the above hostname, namely
the user or dyn keywords.  None of them does.   When I remove those and 
simply leave the ip-in-rdns-keyword-blacklist-file with just 2 entries, 
namely

dyn
user


we're able to fully block the connections.  There's no white space or 
anything "weird" in the file.

I've noticed this behaviour many times with different keywords, which 
act up if the size of the ip-in-rdns-keyword-blacklist-file increases.

What's the logic behind the keyword filtering, and would it help if we 
ran it with full logging?

Thanks.


------------------------
Erald Troja
[EMAIL PROTECTED]
646.528.6671


Sam Clippinger wrote:
> In order to block this connection with the ip-in-rdns filter, the IP 
> address must appear in the rDNS name.  In this case, the rDNS name does 
> not contain the text "80.6.107.90" or "80-6-107-90" or "080006107090" or 
> any of the other formats spamdyke searches for.  That's why the filter 
> won't trigger, no matter what keywords you put in the file.
> 
> What you need is a filter that will block connections based on finding 
> arbitrary keywords in the rDNS name, which is a feature spamdyke does 
> not provide.  I've considered adding it in the past but I believe it 
> would cause more problems than it solved.  For instance, blocking 
> "cable" would stop residential cable modems but it would also stop 
> "legitimatesender.staticip.cable.example.com".  I think you'd spend more 
> time troubleshooting false positives than you would save by using the 
> filter.
> 
> In your case, if you want to block all connections ending in 
> "cable.ntl.com", simply add the following entry to your rDNS blacklist:
>     .cable.ntl.com
> 
> -- Sam Clippinger
> 
> Erald Troja wrote:
>> Sam/others,
>>
>> I've re-read the documentation for this feature over and over
>> and as far as I can understand we've done all possible to stop
>> the following.
>>
>> Here's a log entry from a SPAMMER's address we'd like to reject via the
>> ip-in-rdns-keyword-blacklist-entry feature.
>>
>> Oct 13 12:45:21 mail02 spamdyke[12401]: DENIED_GRAYLISTED from: 
>> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 
>> 80.6.107.90 origin_rdns: cpc1-west2-0-0-cust857.brnt.cable.ntl.com auth: 
>> (unknown)
>>
>>
>> our ip-in-rdns-keyword-blacklist-entry referenced file contains the 
>> following
>>
>>
>> cable
>> .cable.ntl.com
>> .ntl.com
>> cable .ntl.com
>>
>> It seems none of the 4 potential keyword entries we're providing
>> matches the above hostname.
>>
>> The hostname should be rejected with DENIED_IP_IN_RDNS rather
>> than DENIED_GRAYLISTED
>>
>>
>> What are we doing wrong?  Or is this an undiscovered bug?
>>
>> Thanks.
>>
>>
>>
>> ------------------------
>> Erald Troja
>>
>>
>> Erald Troja wrote:
>>   
>>> Sam,
>>>
>>> I'm reading your reply again, and perhaps I misunderstood what
>>> you're saying.
>>>
>>> Here's the log entry for one of the rDNS names whose connection I'd 
>>> like to reject.
>>>
>>>
>>> Oct 13 11:05:41 mail02 spamdyke[29352]: DENIED_GRAYLISTED from: 
>>> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 
>>> 82.19.66.39 origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: 
>>> (unknown)
>>> Oct 13 11:06:23 mail02 spamdyke[31397]: DENIED_GRAYLISTED from: 
>>> [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 82.19.66.39 
>>> origin_rdns: cpc1-rdng9-0-0-cust550.winn.cable.ntl.com auth: (unknown)
>>>
>>>
>>> As you will see, there is an IP address for their rDNS.
>>>
>>> Are you saying that the ip-in-rdns-keyword-blacklist-entry file should
>>> also contain the IP address of the originating connection, or, as long as 
>>> their IP resolves to a numeric address, all that is necessary is the 
>>> keyword in the ip-in-rdns-keyword-blacklist-entry?
>>>
>>> Can anyone clarify this please?
>>>
>>>
>>>
>>> ------------------------
>>> Erald Troja
>>>
>>> Sam Clippinger wrote:
>>>     
>>>> In order for the keyword filter to block connections, spamdyke must 
>>>> find the keyword and the entire IP address in the rDNS name.  The two 
>>>> examples you gave don't appear to contain whole IP addresses.  Also, 
>>>> the second example contains the keyword "cablelink", not "cable"; 
>>>> spamdyke will not match keywords within other text.
>>>>
>>>> -- Sam Clippinger
>>>>
>>>> Erald Troja wrote:
>>>>       
>>>>> Hello Folks,
>>>>>
>>>>> We are slowly building on the many Swiss army knife features
>>>>> that Spamdyke offers.
>>>>>
>>>>> One of them is the ip-in-rdns-keyword-blacklist-entry feature
>>>>> http://spamdyke.org/documentation/README.html#RDNS
>>>>>
>>>>> In essence, we notice that many, if not almost all, connections
>>>>> to port 25 of our servers with the keyword 'cable' are of a SPAMMY
>>>>> nature, and we'd like to stop them.
>>>>>
>>>>> So, we have Spamdyke configured with
>>>>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>>>>>  
>>>>>
>>>>>
>>>>> and have /etc/spamdyke/ip-in-rdns-keyword-blacklist-file
>>>>>
>>>>> with one line containing just the keyword
>>>>>
>>>>> cable
>>>>>
>>>>>
>>>>> We do notice logging of a handful of connections, yet for example
>>>>>
>>>>>
>>>>> DENIED_GRAYLISTED cpc2-midd9-0-0-cust525.midd.cable.ntl.com
>>>>> DENIED_GRAYLISTED cablelink-173-45-65.cpe.intercable.net
>>>>>
>>>>>
>>>>> are Graylisted instead of being denied connectivity. Can anyone
>>>>> pass along some documentation on Spamdyke + keyword processing?
>>>>>
>>>>> Thanks.
>>>>>
>>>>>   
>>>>>         
>>>> _______________________________________________
>>>> spamdyke-users mailing list
>>>> [email protected]
>>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>>>
>>>>       
>>   
> 
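The two rules Sam states in this thread (the ip-in-rdns keyword filter only fires when the connecting IP appears in the rDNS name in some spelling, and a keyword must match as a whole label, so "cablelink" is not "cable") can be checked offline against the log lines posted here. What follows is an added example written for this page, not spamdyke's own code: it re-implements those two rules in Python and runs them over the posted keyword file and hostnames, so you can see which entries could ever hit a given name before touching the live filter. The dotted, dashed and zero-padded IP spellings are the ones Sam names; the reversed-octet spellings, the label tokenizer, the treatment of blank and "#" lines, and the handling of "." suffix entries are assumptions made here, and the two example.net hosts under 192.0.2.44 are constructed.

```python
"""Reimplementation (added example, not spamdyke's own code) of the matching
rules described in this thread for ip-in-rdns-keyword-blacklist-file:

  1. the connecting IP must appear somewhere in the rDNS name, and
  2. one keyword from the file must match a whole label of the name,
     never text inside another word ("cablelink" does not match "cable").

Anything beyond those two rules (reversed-octet spellings, the label
tokenizer, skipping blank/'#' lines, suffix handling) is an assumption.
"""
import re

# Keyword file from Erald's message, one entry per line, copied verbatim.
KEYWORD_FILE = """\
adsl
cable
dsl
dyn
dynamic
ip
kabel
mtu
nat
pool
ppp
pppoe
user
.veloxzone.com.br
.virtua.com.br
xdsl
"""


def load_keywords(text):
    """One entry per line; blank lines and '#' comments skipped (assumption)."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def ip_forms(ip):
    """Spellings of an IPv4 address that might be embedded in an rDNS name.

    Dotted, dashed and zero-padded forms are the ones named in the thread;
    the reversed-octet variants are an assumption added here.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("IPv4 dotted quad expected: %r" % ip)
    forms = set()
    for seq in (octets, octets[::-1]):
        forms.add(".".join(seq))                     # 80.6.107.90
        forms.add("-".join(seq))                     # 80-6-107-90
        forms.add("".join(o.zfill(3) for o in seq))  # 080006107090
    return forms


def ip_in_rdns(ip, rdns):
    """Rule 1: some spelling of the IP occurs in the rDNS name."""
    r = rdns.lower()
    return any(f in r for f in ip_forms(ip))


def rdns_labels(rdns):
    """Split on '.', '-' and '_' so a keyword can only match a whole label."""
    return [t for t in re.split(r"[.\-_]", rdns.lower()) if t]


def keyword_hit(rdns, keywords):
    """Rule 2: first keyword equal to an entire label, or None.

    Entries starting with '.' are domain suffixes of the kind Sam suggests
    for the plain rDNS blacklist (".cable.ntl.com"); they are treated as
    suffix matches here (assumption) so the posted file can be used as-is.
    """
    r = rdns.lower()
    labels = rdns_labels(rdns)
    for kw in keywords:
        if kw.startswith("."):
            if r.endswith(kw) or r == kw[1:]:
                return kw
        elif kw in labels:
            return kw
    return None


def classify(ip, rdns, keywords):
    """('DENIED_IP_IN_RDNS', keyword) when both rules hold, else ('PASS', None).

    PASS only means this filter stays silent; later filters (graylisting in
    the posted logs) still decide the connection's fate.
    """
    if not ip_in_rdns(ip, rdns):
        return ("PASS", None)
    kw = keyword_hit(rdns, keywords)
    return ("DENIED_IP_IN_RDNS", kw) if kw else ("PASS", None)


# Connections from the thread's logs, plus two constructed hosts under the
# TEST-NET address 192.0.2.44 that illustrate the whole-label rule.
SAMPLES = [
    ("89.141.38.150", "89.141.38.150.dyn.user.ono.com"),
    ("80.6.107.90", "cpc1-west2-0-0-cust857.brnt.cable.ntl.com"),
    ("82.19.66.39", "cpc1-rdng9-0-0-cust550.winn.cable.ntl.com"),
    ("192.0.2.44", "cablelink-192-0-2-44.example.net"),   # constructed
    ("192.0.2.44", "cable-192-0-2-44.example.net"),       # constructed
]


def run_samples(keywords=None):
    """Classify every sample; returns {rdns: (verdict, keyword_or_None)}."""
    kws = keywords if keywords is not None else load_keywords(KEYWORD_FILE)
    return {rdns: classify(ip, rdns, kws) for ip, rdns in SAMPLES}


if __name__ == "__main__":
    for rdns, (verdict, kw) in run_samples().items():
        print("%-45s %s %s" % (rdns, verdict, kw or ""))
```

Run as a script it reports PASS for both cable.ntl.com hosts, because neither name contains 80.6.107.90 or 82.19.66.39 in any spelling, and DENIED_IP_IN_RDNS via "dyn" for the ono.com host, whose name carries its own IP. A name that this check says should be denied but that spamdyke still graylists is the case worth reporting with full logging turned on; a name the check passes because the IP is absent was never going to trigger this filter, and a ".domain" entry in the rDNS blacklist is the right tool for it.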
