Dear Ulrich,

Yes, I did. In most cases it works fine, like this one from a .net domain:

May  4 08:44:23 fw spamdyke[21491]: DENIED_IP_IN_RDNS from: [email protected] 
to: [email protected] origin_ip: 71.115.109.232 origin_rdns: 
pool-71-115-109-232.sangtx.dsl-w.verizon.net auth: (unknown)

What else I found are lines where the numbers are prepended with '0' (zeros), and 
it seems SPAMDYKE was fooled too. Here is an example:

May  4 08:45:15 fw spamdyke[21525]: ALLOWED from: [email protected] to: 
[email protected] origin_ip: 65.184.96.160 origin_rdns: 
cpe-065-184-096-160.sc.res.rr.com auth: (unknown)

I have another idea: even though I have defined

ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file

the keywords inside it stop only those lines where the keyword is in front of 
the IP part of the DNS name, not at the end of the IP part.

I think that the .net one was stopped because I have the keyword 'pool' in the 
file, not because the keyword 'net' is there. Why do I think that is the case? 
Because I see lines like

May  4 08:50:09 fw spamdyke[21599]: ALLOWED from: @xxxxxxx.cz to: 
@xxxxxx.cz origin_ip: 79.180.128.135 origin_rdns: 
bzq-79-180-128-135.red.bezeqint.net auth: (unknown)

and it is from a .net domain, and even though the keyword 'net' is in the 
blacklist file, the mail wasn't denied at all.

FYI: Why do I fight with these dynamic IP senders so hard? The reason is we are 
getting around 10 to 20 connections from them each minute and I don't want to 
waste bandwidth on our line. We have SPAMDYKE at the perimeter SMTP to 
intercept these bogies. At the backend we have the true mail server with SPAM 
prevention software. I'm trying this way to offload some load from that 
server. We were in a situation when we got around 10 million e-mails per day. 
For a small company with 30 e-mail boxes this is really too much. It led to a 
DoS attack on our server. Thanks to SPAMDYKE we lowered the load by 99%. Now 
I'm trying to intercept the remaining bogies.

Thank you
Eduard

"Ulrich C. Manns" <[email protected]> wrote on 04.05.2009 08:42:28:

> Did you find any DENIED_IP_IN_RDNS?
> How are the file rights?
> I have entered .com and .net, not only com and net.
> 
> Regards,
> Ulrich
> 
> 
> From: Eduard Svarc <[email protected]>
> Reply to: <[email protected]>, spamdyke users <spamdyke-
> [email protected]>
> Date: Mon, 4 May 2009 08:32:35 +0200
> To: spamdyke users <[email protected]>
> Subject: Re: [spamdyke-users] Problem with DENIED_IP_IN_CC_RDNS not 
> applied to all connections
> 
> 
> Dears, 
> 
> I did try to block incoming mails from dynamic IPs, but with only partial 
> success; I am still having a problem with: 
> 
> 
> May  4 08:19:31 fw spamdyke[21023]: DENIED_GRAYLISTED from: 
> [email protected] to: [email protected] origin_ip: 200.83.179.199 
> origin_rdns: pc-199-179-83-200.cm.vtr.net auth: (unknown) 
> 
> my /etc/spamdyke.conf contains the following lines: 
> 
> reject-empty-rdns 
> reject-ip-in-cc-rdns 
> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file 
> reject-missing-sender-mx 
> reject-unresolvable-rdns 
> 
> and file: 
> 
> /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file 
> 
> contains: 
> 
> dsl 
> com 
> net 
> broadband 
> dynamic 
> 
> In most cases it does stop e-mails from DSL line subscribers, but not 
> from all, as you see from the line above. The sender was just graylisted, not 
> denied with DENIED_IP_IN_CC_RDNS. Maybe the problem is with the IP in DNS, 
> because it is the exact reverse of the real IP 200.83.179.199. In DNS it is 
> 199-177-83-200? Should SPAMDYKE check for a reversed IP as well? 
> 
> Any idea where I did mistake? 
> 
> Thanks in advance 
> Eduard 
> 
> [email protected] wrote on 29.04.2009 12:46:53:
> 
> > 
> > Dear Sam, 
> > 
> > thank you for the great hint. At first guess I thought the root cause of 
> > the problem is the IP represented in DNS, because it is not a plain IP but 
> > dashes with leading text are used in the name. I have similar entries 
> > in the log like:
> > 
> > Apr 29 12:34:52 fw spamdyke[11641]: ALLOWED from: xx...@xxxxxxxxx 
> > to: xxx...@xxxxxx origin_ip: 88.12.245.122 origin_rdns: 
> > 122.red-88-12-245.dynamicip.rima-tde.net auth: (unknown) 
> > 
> > Going to get test, crossing my fingers 
> > Thank You 
> > Eduard 
> > 
> > [email protected] wrote on 29.04.2009 03:17:27:
> > 
> > > You've misunderstood the meaning of the "DENIED_IP_IN_CC_RDNS" message. 
> > > That particular filter is triggered because spamdyke found the IP 
> > > address _and_ a two-letter country code.  In other words, your example 
> > > was blocked because it contained the IP address and ended in ".nl". The 
> > > graylisted entry wasn't blocked because it ends in ".net".
> > > 
> > > spamdyke searches for many different ways of putting the IP address in 
> > > the rDNS name, including reversing the octets.  The full list of 
> > > patterns it checks is listed here:
> > >     http://www.spamdyke.org/documentation/README.html#RDNS
> > > 
> > > To block dynamic hosts, enable the "ip-in-rdns-keyword-blacklist-file" 
> > > option.  In the file, list a few keywords that you expect to find in 
> > > dynamic rDNS names (e.g. dhcp, dynamic, cable).  When spamdyke finds the 
> > > IP address and one of those keywords, it will block the connection. 
> > > Using your example, if your keyword file contained "dsl", spamdyke would 
> > > have blocked the connection.
> > > 
> > > There are also several RBLs that claim to block dynamic IP ranges, but I 
> > > haven't had much success with them.  Matching keywords and IP addresses 
> > > has been much more fruitful for me.  Your mileage may vary.
> > > 
> > > -- Sam Clippinger
> > > 
> > > Eduard Svarc wrote:
> > > >
> > > > Looking for clues,
> > > >
> > > > I would like to reject all e-mails from dynamic IPs, but it seems that 
> > > > Spamdyke doesn't recognize all of them correctly, like:
> > > >
> > > > DENIED_GRAYLISTED from: [email protected] to: 
> > > > pavel_k...@xxxxxxxx origin_ip: 99.184.238.30 origin_rdns: 
> > > > adsl-99-184-238-30.dsl.irvnca.sbcglobal.net auth:
> > > >
> > > > is graylisted instead of denied like:
> > > >
> > > > DENIED_IP_IN_CC_RDNS from: [email protected] to: 
> > > > sa...@xxxxxxx origin_ip: 91.184.0.35 origin_rdns: 
> > > > 91-184-0-35.shared.hostnet.nl auth:
> > > >
> > > > As I see it, the only difference is that in the 1st case the IP address 
> > > > is entered reversed, but it is still just a plain IP. It seems that some 
> > > > providers are trying to create pseudo FQDNs for their dynamic IPs. 
> > > > Denying dynamic IPs is a great feature preventing 99% of spam, but it 
> > > > seems it could be fooled; or can it be configured even further to 
> > > > intercept this?
> > > >
> > > > Please Help
> > > > 
> > > >
> > > > _______________________________________________
> > > > spamdyke-users mailing list
> > > > [email protected]
> > > > http://www.spamdyke.org/mailman/listinfo/spamdyke-users
> > > > 
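As an added illustration (not spamdyke's own code, and not a copy of the patterns in its README), the decision Sam describes above can be replayed over the rDNS names quoted in this thread: the IP is searched for in forward, reversed and zero-padded spellings, and the result is combined with the country-code TLD or a keyword list. The keyword test is a plain substring match and the sample pairs and KEYWORDS list are constructed from the thread, both assumptions.

```python
import re

# Constructed (origin_ip, origin_rdns) pairs taken from the log lines quoted
# in this thread; illustration data, not live traffic.
SAMPLES = [
    ("71.115.109.232", "pool-71-115-109-232.sangtx.dsl-w.verizon.net"),
    ("65.184.96.160", "cpe-065-184-096-160.sc.res.rr.com"),
    ("200.83.179.199", "pc-199-179-83-200.cm.vtr.net"),
    ("88.12.245.122", "122.red-88-12-245.dynamicip.rima-tde.net"),
    ("91.184.0.35", "91-184-0-35.shared.hostnet.nl"),
]
# Hypothetical keyword blacklist in the spirit of the thread's suggestions.
KEYWORDS = ["dsl", "pool", "dynamic", "broadband", "cable", "dhcp"]

def ip_forms(ip):
    """Contiguous spellings of an IPv4 address as ISPs embed it in rDNS names:
    forward or reversed octets, '.' or '-' separators, plain or zero-padded."""
    octets = ip.split(".")
    forms = set()
    for order in (octets, octets[::-1]):
        for pad in (False, True):
            parts = [o.zfill(3) if pad else o for o in order]
            for sep in (".", "-"):
                forms.add(sep.join(parts))
    return forms

def ip_in_rdns(ip, rdns):
    """'strict' if a contiguous form of ip occurs in rdns; 'loose' if all four
    octets merely appear as separate numeric runs (any order); else None."""
    name = rdns.lower()
    if any(form in name for form in ip_forms(ip)):
        return "strict"
    tokens = [str(int(t)) for t in re.findall(r"\d+", name)]  # strip zero padding
    octets = ip.split(".")
    if all(tokens.count(o) >= octets.count(o) for o in set(octets)):
        return "loose"
    return None

def classify(ip, rdns, keywords=KEYWORDS):
    """Simplified form of the decision described in the thread: IP present plus
    a two-letter country-code TLD -> IP_IN_CC_RDNS; IP present plus a keyword
    -> IP_IN_RDNS; otherwise None (the connection reaches the other filters)."""
    if ip_in_rdns(ip, rdns) is None:
        return None
    tld = rdns.rsplit(".", 1)[-1].lower()
    if len(tld) == 2 and tld.isalpha():
        return "IP_IN_CC_RDNS"
    if any(k in rdns.lower() for k in keywords):  # substring match (assumption)
        return "IP_IN_RDNS"
    return None
```

Running classify() over SAMPLES reproduces the thread's outcomes: the .nl host is a country-code hit, the verizon.net and rima-tde.net hosts trip a keyword, and the vtr.net and rr.com hosts contain the IP (reversed and zero-padded respectively) but no keyword, so they fall through.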
