Dear Ulrich,

I didn't. I had these keywords without '.', as you can see in the thread where 
I listed the full content of my file:

> > /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file 
> > 
> > contains: 
> > 
> > dsl 
> > com 
> > net 
> > broadband 
> > dynamic 
> > 

Adding it now; will see the result.

Thank You
Eduard

"Ulrich C. Manns" <[email protected]> wrote on 04.05.2009 09:30:45:

> Hi Eduard,
> 
> I only added .com and .net (with dot as prefix!). This rejects all 
> of the blabla.net spams. I found some DENIED_IP_IN_RDNS with zeros:
> 
> May  4 09:18:03 srv0 spamdyke[18967]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 74.251.132.129 origin_rdns: adsl-074-251-132-129.sip.asm.bellsouth.net auth: (unknown)
> May  4 09:18:03 srv0 spamdyke[18967]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 74.251.132.129 origin_rdns: adsl-074-251-132-129.sip.asm.bellsouth.net auth: (unknown)
> 
> You really added the dot?
> 
> Regards,
> Ulrich
> 
> 
> From: Eduard Svarc <[email protected]>
> Reply-To: <[email protected]>
> Date: Mon, 4 May 2009 09:02:09 +0200
> To: "Ulrich C. Manns" <[email protected]>
> Cc: <[email protected]>, spamdyke users <[email protected]>
> Subject: Re: [spamdyke-users] Problem with DENIED_IP_IN_CC_RDNS not applied to all connections
> 
> 
> Dear Ulrich, 
> 
> yes I did. In most cases it works fine, like this one from a .net domain: 
> 
> May  4 08:44:23 fw spamdyke[21491]: DENIED_IP_IN_RDNS from: [email protected]: [email protected] origin_ip: 71.115.109.232 origin_rdns: pool-71-115-109-232.sangtx.dsl-w.verizon.net auth: (unknown) 
> 
> I also found lines where the numbers are prepended with '0' (zeros), 
> and it seems SPAMDYKE was fooled too. Here is an example: 
> 
> May  4 08:45:15 fw spamdyke[21525]: ALLOWED from: [email protected] to: [email protected] origin_ip: 65.184.96.160 origin_rdns: cpe-065-184-096-160.sc.res.rr.com auth: (unknown) 
> 
> I have another idea: even though I have defined 
> 
> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file 
> 
> the keywords inside it stop only those lines where the keyword is in 
> front of the IP part in DNS, not at the end of the IP part in DNS. 
> 
> I think that .net was stopped because I have the keyword 'pool' in the 
> file, not because the keyword 'net' is there. Why do I think that is 
> the case? Because I see lines like 
> 
> May  4 08:50:09 fw spamdyke[21599]: ALLOWED from: @xxxxxxx.cz to: @xxxxxx.cz origin_ip: 79.180.128.135 origin_rdns: bzq-79-180-128-135.red.bezeqint.net auth: (unknown) 
> 
> and it is from a .net domain, and even though the keyword 'net' is in 
> the blacklist file, the mail wasn't denied at all. 
> 
> FYI: Why do I fight with these dynamic IP senders so hard? The reason is
> that we are getting around 10 to 20 connections from these each minute 
> and I don't want to waste bandwidth on our line. We have SPAMDYKE at the 
> perimeter SMTP to intercept these bogeys. At the backend we have the true 
> mail server with SPAM prevention software. This way I'm trying to 
> offload some load from that server. We were in a situation where we got
> around 10mil e-mails per day. This is really too much for a small 
> company with 30 e-mail boxes. It led to a DoS attack on our server. 
> Thanks to SPAMDYKE we lowered the load by 99%. Now I'm trying to 
> intercept the remaining bogeys. 
> 
> Thank you 
> Eduard 
> 
> "Ulrich C. Manns" <[email protected]> wrote on 04.05.2009 08:42:28:
> 
> > Did you find any DENIED_IP_IN_RDNS?
> > How are the file rights?
> > I have entered .com and .net, not only com and net.
> > 
> > Regards,
> > Ulrich
> > 
> > 
> > From: Eduard Svarc <[email protected]>
> > Reply-To: <[email protected]>, spamdyke users <spamdyke-[email protected]>
> > Date: Mon, 4 May 2009 08:32:35 +0200
> > To: spamdyke users <[email protected]>
> > Subject: Re: [spamdyke-users] Problem with DENIED_IP_IN_CC_RDNS not applied to all connections
> > 
> > 
> > Dears, 
> > 
> > I did try to block incoming mails from dynamic IPs, but with partial 
> > success; I am still having a problem with: 
> > 
> > 
> > May  4 08:19:31 fw spamdyke[21023]: DENIED_GRAYLISTED from: [email protected] to: [email protected] origin_ip: 200.83.179.199 origin_rdns: pc-199-179-83-200.cm.vtr.net auth: (unknown) 
> > 
> > My \etc\spamdyke.conf contains the following lines: 
> > 
> > reject-empty-rdns 
> > reject-ip-in-cc-rdns 
> > ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file 
> > reject-missing-sender-mx 
> > reject-unresolvable-rdns 
> > 
> > and file: 
> > 
> > /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file 
> > 
> > contains: 
> > 
> > dsl 
> > com 
> > net 
> > broadband 
> > dynamic 
> > 
> > In most cases it does stop e-mails from DSL line subscribers, but not
> > from all, as you see from the line above. The sender was just graylisted, 
> > not denied with DENIED_IP_IN_CC_RDNS. Maybe the problem is with the IP in 
> > DNS, because it is the exact reverse of the real IP 200.83.179.199. In 
> > DNS it is 199-177-83-200? Should SPAMDYKE check for an ala-reverse IP? 
> > 
> > Any idea where I made a mistake? 
> > 
> > Thanks in advance 
> > Eduard 
> > 
> > [email protected] wrote on 29.04.2009 12:46:53:
> > 
> > > 
> > > Dear Sam, 
> > > 
> > > thank you for the great hint. At first guess I thought the root cause 
> > > of the problem is the IP represented in DNS, because it is not a plain 
> > > IP but dashes with leading text are used in the name. I have similar 
> > > entries in the log like:
> > > 
> > > Apr 29 12:34:52 fw spamdyke[11641]: ALLOWED from: xx...@xxxxxxxxx to: xxx...@xxxxxx origin_ip: 88.12.245.122 origin_rdns: 122.red-88-12-245.dynamicip.rima-tde.net auth: (unknown) 
> > > 
> > > Going to test, crossing my fingers 
> > > Thank You 
> > > Eduard 
> > > 
> > > [email protected] wrote on 29.04.2009 03:17:27:
> > > 
> > > > You've misunderstood the meaning of the "DENIED_IP_IN_CC_RDNS"
> > > > message. That particular filter is triggered because spamdyke
> > > > found the IP address _and_ a two-letter country code.  In other
> > > > words, your example was blocked because it contained the IP
> > > > address and ended in ".nl".  The graylisted entry wasn't blocked
> > > > because it ends in ".net".
> > > > 
> > > > spamdyke searches for many different ways of putting the IP
> > > > address in the rDNS name, including reversing the octets.  The
> > > > full list of patterns it checks is listed here:
> > > >     http://www.spamdyke.org/documentation/README.html#RDNS
> > > > 
> > > > To block dynamic hosts, enable the
> > > > "ip-in-rdns-keyword-blacklist-file" option.  In the file, list a
> > > > few keywords that you expect to find in dynamic rDNS names (e.g.
> > > > dhcp, dynamic, cable).  When spamdyke finds the IP address and one
> > > > of those keywords, it will block the connection.  Using your
> > > > example, if your keyword file contained "dsl", spamdyke would
> > > > have blocked the connection.
> > > > 
> > > > There are also several RBLs that claim to block dynamic IP ranges,
> > > > but I haven't had much success with them.  Matching keywords and
> > > > IP addresses has been much more fruitful for me.  Your mileage
> > > > may vary.
> > > > -- Sam Clippinger
> > > > 
> > > > Eduard Svarc wrote:
> > > > >
> > > > > Looking for clues,
> > > > >
> > > > > I would like to reject all e-mails from dynamic IPs, but it seems 
> > > > > that Spamdyke doesn't recognize all of them correctly, like:
> > > > >
> > > > > DENIED_GRAYLISTED from: [email protected] to: pavel_k...@xxxxxxxx origin_ip: 99.184.238.30 origin_rdns: adsl-99-184-238-30.dsl.irvnca.sbcglobal.net auth:
> > > > >
> > > > > is graylisted instead of denied like:
> > > > >
> > > > > DENIED_IP_IN_CC_RDNS from: [email protected] to: sa...@xxxxxxx origin_ip: 91.184.0.35 origin_rdns: 91-184-0-35.shared.hostnet.nl auth:
> > > > >
> > > > > As I see it, the only difference is that in the 1st case the IP 
> > > > > address is entered as reverse, but it is still just a plain IP. It 
> > > > > seems that some providers are trying to create pseudo FQDNS for 
> > > > > their dynamic IPs. Denying dynamic IPs is a great feature 
> > > > > preventing 99% of spams, but it seems it could be fooled or 
> > > > > can be configured even further to intercept is?
> > > > >
> > > > > Please Help
> > > > > 
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > _______________________________________________
> > > > > spamdyke-users mailing list
> > > > > [email protected]
> > > > > http://www.spamdyke.org/mailman/listinfo/spamdyke-users
> > > > > 
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
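
An added example, not part of any message in this thread and not spamdyke's own code: a log triage script that lists lines which were not denied with DENIED_IP_IN_RDNS although the rDNS name embeds the origin IP and contains a keyword from the file. The IP forms checked (forward, reversed, scattered, zero-padded) and the keyword rule (a bare keyword may appear anywhere, a dot-prefixed keyword must end the name) are assumptions for illustration; the patterns spamdyke really checks are in its README.

```python
import re

# Constructed sample: four log lines quoted in this thread, with the mail
# addresses replaced by placeholders.
SAMPLE_LOG = """\
May  4 08:44:23 fw spamdyke[21491]: DENIED_IP_IN_RDNS from: a@example.invalid to: b@example.invalid origin_ip: 71.115.109.232 origin_rdns: pool-71-115-109-232.sangtx.dsl-w.verizon.net auth: (unknown)
May  4 08:45:15 fw spamdyke[21525]: ALLOWED from: a@example.invalid to: b@example.invalid origin_ip: 65.184.96.160 origin_rdns: cpe-065-184-096-160.sc.res.rr.com auth: (unknown)
May  4 08:50:09 fw spamdyke[21599]: ALLOWED from: a@example.invalid to: b@example.invalid origin_ip: 79.180.128.135 origin_rdns: bzq-79-180-128-135.red.bezeqint.net auth: (unknown)
May  4 08:19:31 fw spamdyke[21023]: DENIED_GRAYLISTED from: a@example.invalid to: b@example.invalid origin_ip: 200.83.179.199 origin_rdns: pc-199-179-83-200.cm.vtr.net auth: (unknown)
"""
# Keyword file contents as listed in the thread (no leading dots).
KEYWORDS = ["dsl", "com", "net", "broadband", "dynamic"]
LINE_RE = re.compile(
    r"spamdyke\[\d+\]: (\S+) from: .*?origin_ip: (\S+) origin_rdns: (\S+)")

def ip_form(ip, rdns):
    """Describe how the octets of an IPv4 address appear in rdns, or None."""
    octets = ip.split(".")
    runs = re.findall(r"\d+", rdns)              # every numeric run in the name
    nums = [str(int(r)) for r in runs]           # strip padding: "065" -> "65"
    pad = "-padded" if nums != runs else ""      # some run had leading zeros
    for i in range(len(nums) - 3):               # windows of four runs
        window = nums[i:i + 4]
        if window == octets:
            return "forward" + pad
        if window == octets[::-1]:
            return "reversed" + pad
    if all(o in nums for o in octets):           # octets present, other order
        return "scattered" + pad
    return None

def keyword_hits(rdns, keywords):
    """Assumed rule: '.kw' must end the name, a bare kw may appear anywhere."""
    return [k for k in keywords
            if (rdns.endswith(k) if k.startswith(".") else k in rdns)]

def triage(log, keywords):
    """Rows for lines not denied by the keyword filter although the rDNS
    name embeds the IP and contains a keyword."""
    rows = []
    for verdict, ip, rdns in LINE_RE.findall(log):
        form, hits = ip_form(ip, rdns), keyword_hits(rdns, keywords)
        if verdict != "DENIED_IP_IN_RDNS" and form and hits:
            rows.append((verdict, rdns, form, hits))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, KEYWORDS):
        print(*row)
```

Each row it prints is a connection where this simplified model expects a keyword match but the log shows another verdict, which is where to compare the name against the README's pattern list.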
