Thank you all. After the last changes in /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file, where I added '.' to the keywords, it works. I'm surprised this wouldn't work without '.' in the pattern. Now SPAMDYKE blocks all DNS names with the IP in the name. Only one exception remains, for the case when the IP is in the DNS name written as a reversed address. I guess it is by design and SPAMDYKE doesn't check the possible reversed notation of the IP, and that results in ALLOW. Here is an example:

May 6 05:29:52 fw spamdyke[23071]: ALLOWED from: [email protected] to: [email protected] origin_ip: 91.122.235.164 origin_rdns: ip-164-235-122-091.pools.atnet.ru auth: (unknown)

I guess it could be a future feature for the IP block in the rDNS check. I would suggest it because it is not that rare a case. As I have been observing the logs for a few days, I saw a lot of ISPs allocate their DSL/ADSL lines and give them names with a partial IP in the name; here are a few records:

May 6 06:53:05 fw spamdyke[23725]: ALLOWED from: [email protected] to: [email protected] origin_ip: 82.144.185.107 origin_rdns: adsl-185-107.globonet.hu auth: (unknown)
May 6 06:19:47 fw spamdyke[23487]: ALLOWED from: @xxxxxx.cz to: @xxxxxx.cz origin_ip: 124.109.52.214 origin_rdns: mbl-109-52-214.dsl.net.pk auth: (unknown)
May 6 07:29:49 fw spamdyke[24011]: ALLOWED from: [email protected] to: [email protected] origin_ip: 88.100.218.39 origin_rdns: 39.218.broadband5.iol.cz auth: (unknown)

I can't count these names as regular ones for an SMTP server, because a group of IP addresses returns the same name. Whoever runs an SMTP server in all cases requests, or at least should request, a real DNS name, not the provider default assigned to a whole group of IP addresses. SPAMDYKE should do a partial check on the IP match as well.

Eduard

[email protected] wrote on 04.05.2009 10:00:08:

> Dear Ulrich,
>
> I didn't. I had these keywords without '.' as you can see in the thread where I listed the full content of my file:
>
> > > /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file
> > >
> > > contains:
> > >
> > > dsl
> > > com
> > > net
> > > broadband
> > > dynamic
>
> Adding it now, will see the result.
>
> Thank You
> Eduard
>
> "Ulrich C. Manns" <[email protected]> wrote on 04.05.2009 09:30:45:
>
> > Hi Eduard,
> >
> > I only added .com and .net (with dot as prefix!). This rejects all of the blabla.net spams. I found some DENIED_IP_IN_RDNS with zeros:
> >
> > May 4 09:18:03 srv0 spamdyke[18967]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 74.251.132.129 origin_rdns: adsl-074-251-132-129.sip.asm.bellsouth.net auth: (unknown)
> > May 4 09:18:03 srv0 spamdyke[18967]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 74.251.132.129 origin_rdns: adsl-074-251-132-129.sip.asm.bellsouth.net auth: (unknown)
> >
> > You really added the dot?
> >
> > Regards,
> > Ulrich
> >
> > From: Eduard Svarc <[email protected]>
> > Reply-To: <[email protected]>
> > Date: Mon, 4 May 2009 09:02:09 +0200
> > To: "Ulrich C. Manns" <[email protected]>
> > Cc: <[email protected]>, spamdyke users <[email protected]>
> > Subject: Re: [spamdyke-users] Problem with DENIED_IP_IN_CC_RDNS not applied to all connections
> >
> > Dear Ulrich,
> >
> > yes I did. In most cases it works fine, like this one from a .net domain:
> >
> > May 4 08:44:23 fw spamdyke[21491]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 71.115.109.232 origin_rdns: pool-71-115-109-232.sangtx.dsl-w.verizon.net auth: (unknown)
> >
> > What else I found: lines where the numbers are prepended with '0' (zeros), and it seems SPAMDYKE was fooled too. Here is an example:
> >
> > May 4 08:45:15 fw spamdyke[21525]: ALLOWED from: [email protected] to: [email protected] origin_ip: 65.184.96.160 origin_rdns: cpe-065-184-096-160.sc.res.rr.com auth: (unknown)
> >
> > I have another idea: even though I have defined
> >
> > ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file
> >
> > the keywords inside it stop only those lines where the keyword is in front of the IP part of the DNS name, not at the end of the IP part.
> >
> > I think that .net was stopped because I have the keyword 'pool' in the file, not because the keyword 'net' is there. Why do I think that is the case? Because I see lines like
> >
> > May 4 08:50:09 fw spamdyke[21599]: ALLOWED from: @xxxxxxx.cz to: @xxxxxx.cz origin_ip: 79.180.128.135 origin_rdns: bzq-79-180-128-135.red.bezeqint.net auth: (unknown)
> >
> > and it is from a .net domain, and even though the keyword 'net' is in the blacklist file the mail wasn't denied at all.
> >
> > FYI: Why do I fight with these dynamic IP senders so hard? The reason is we get around 10 to 20 connections from these each minute and I don't want to waste bandwidth on our line. We have SPAMDYKE at the perimeter SMTP to intercept these bogies. At the backend we have the true mail server with SPAM prevention software. I'm trying this way to offload some load from that server. We were in a situation where we got around 10 million e-mails per day. For a small company with 30 e-mail boxes this is really too much. It led to a DoS attack on our server. Thanks to SPAMDYKE we lowered the load by 99%. Now I'm trying to intercept the remaining bogies.
> >
> > Thank you
> > Eduard
> >
> > "Ulrich C. Manns" <[email protected]> wrote on 04.05.2009 08:42:28:
> >
> > > Did you find any DENIED_IP_IN_RDNS?
> > > How are the file rights?
> > > I have entered .com and .net, not only com and net.
> > >
> > > Regards,
> > > Ulrich
> > >
> > > From: Eduard Svarc <[email protected]>
> > > Reply-To: <[email protected]>, spamdyke users <[email protected]>
> > > Date: Mon, 4 May 2009 08:32:35 +0200
> > > To: spamdyke users <[email protected]>
> > > Subject: Re: [spamdyke-users] Problem with DENIED_IP_IN_CC_RDNS not applied to all connections
> > >
> > > Dears,
> > >
> > > I tried to block incoming mails from dynamic IPs, but with partial success; I am still having a problem with:
> > >
> > > May 4 08:19:31 fw spamdyke[21023]: DENIED_GRAYLISTED from: [email protected] to: [email protected] origin_ip: 200.83.179.199 origin_rdns: pc-199-179-83-200.cm.vtr.net auth: (unknown)
> > >
> > > My /etc/spamdyke.conf contains the following lines:
> > >
> > > reject-empty-rdns
> > > reject-ip-in-cc-rdns
> > > ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file
> > > reject-missing-sender-mx
> > > reject-unresolvable-rdns
> > >
> > > and the file:
> > >
> > > /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file
> > >
> > > contains:
> > >
> > > dsl
> > > com
> > > net
> > > broadband
> > > dynamic
> > >
> > > In most cases it does stop e-mails from DSL line subscribers, but not from all, as you see from the line above. The sender was just graylisted, not denied with DENIED_IP_IN_CC_RDNS. Maybe the problem is with the IP in DNS, because it is the exact reverse of the real IP 200.83.179.199. In DNS it is 199-177-83-200? Should SPAMDYKE check for a reversed IP?
> > >
> > > Any idea where I made a mistake?
> > >
> > > Thanks in advance
> > > Eduard
> > >
> > > [email protected] wrote on 29.04.2009 12:46:53:
> > >
> > > > Dear Sam,
> > > >
> > > > thank you for the great hint. My first guess was that the root cause of the problem is the IP represented in DNS, because it is not a plain IP but dashes with leading text are used in the name. I have similar entries in the log like:
> > > >
> > > > Apr 29 12:34:52 fw spamdyke[11641]: ALLOWED from: xx...@xxxxxxxxx to: xxx...@xxxxxx origin_ip: 88.12.245.122 origin_rdns: 122.red-88-12-245.dynamicip.rima-tde.net auth: (unknown)
> > > >
> > > > Going to test, crossing my fingers
> > > > Thank You
> > > > Eduard
> > > >
> > > > [email protected] wrote on 29.04.2009 03:17:27:
> > > >
> > > > > You've misunderstood the meaning of the "DENIED_IP_IN_CC_RDNS" message. That particular filter is triggered because spamdyke found the IP address _and_ a two-letter country code. In other words, your example was blocked because it contained the IP address and ended in ".nl". The graylisted entry wasn't blocked because it ends in ".net".
> > > > >
> > > > > spamdyke searches for many different ways of putting the IP address in the rDNS name, including reversing the octets. The full list of patterns it checks is listed here:
> > > > > http://www.spamdyke.org/documentation/README.html#RDNS
> > > > >
> > > > > To block dynamic hosts, enable the "ip-in-rdns-keyword-blacklist-file" option. In the file, list a few keywords that you expect to find in dynamic rDNS names (e.g. dhcp, dynamic, cable). When spamdyke finds the IP address and one of those keywords, it will block the connection. Using your example, if your keyword file contained "dsl", spamdyke would have blocked the connection.
> > > > >
> > > > > There are also several RBLs that claim to block dynamic IP ranges, but I haven't had much success with them. Matching keywords and IP addresses has been much more fruitful for me. Your mileage may vary.
> > > > >
> > > > > -- Sam Clippinger
> > > > >
> > > > > Eduard Svarc wrote:
> > > > > >
> > > > > > Looking for clues,
> > > > > >
> > > > > > I would like to reject all e-mails from dynamic IPs, but it seems that Spamdyke doesn't recognize all of them correctly, like:
> > > > > >
> > > > > > DENIED_GRAYLISTED from: [email protected] to: pavel_k...@xxxxxxxx origin_ip: 99.184.238.30 origin_rdns: adsl-99-184-238-30.dsl.irvnca.sbcglobal.net auth:
> > > > > >
> > > > > > is graylisted instead of denied like:
> > > > > >
> > > > > > DENIED_IP_IN_CC_RDNS from: [email protected] to: sa...@xxxxxxx origin_ip: 91.184.0.35 origin_rdns: 91-184-0-35.shared.hostnet.nl auth:
> > > > > >
> > > > > > As I see it, the only difference is that in the 1st case the IP address is entered reversed, but it is still just a plain IP. It seems that some providers are trying to create pseudo-FQDNs for their dynamic IPs. Denying dynamic IPs is a great feature preventing 99% of spam, but it seems it could be fooled, or can it be configured even further to intercept these?
> > > > > >
> > > > > > Please Help

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
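The thread turns on three questions: does the rDNS name contain the connecting IP (forward, reversed, zero-padded, or only the last two or three octets), does it also contain a "dynamic" keyword, and should an address match without a keyword be rejected at all. The script below is an added example written for this page, not spamdyke's own code; spamdyke's real pattern list is the one in its README (http://www.spamdyke.org/documentation/README.html#RDNS). It parses the `origin_ip` / `origin_rdns` pairs from spamdyke-style log lines and applies those checks. The sample lines are constructed (modelled on the ones quoted in the thread, with placeholder addresses; the last two are invented controls), the keyword list is Eduard's file plus "pool", and treating a leading dot as a label-boundary anchor is my assumption, not a description of how spamdyke parses the keyword file.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the spamdyke log lines quoted in the thread
# (placeholder addresses; the last two lines are invented controls, not from the thread).
SAMPLE_LOG = """\
May  6 05:29:52 fw spamdyke[23071]: ALLOWED from: a@example.net to: b@example.cz origin_ip: 91.122.235.164 origin_rdns: ip-164-235-122-091.pools.atnet.ru auth: (unknown)
May  6 06:53:05 fw spamdyke[23725]: ALLOWED from: a@example.net to: b@example.cz origin_ip: 82.144.185.107 origin_rdns: adsl-185-107.globonet.hu auth: (unknown)
May  6 07:29:49 fw spamdyke[24011]: ALLOWED from: a@example.net to: b@example.cz origin_ip: 88.100.218.39 origin_rdns: 39.218.broadband5.iol.cz auth: (unknown)
May  4 08:45:15 fw spamdyke[21525]: ALLOWED from: a@example.net to: b@example.cz origin_ip: 65.184.96.160 origin_rdns: cpe-065-184-096-160.sc.res.rr.com auth: (unknown)
May  4 08:19:31 fw spamdyke[21023]: DENIED_GRAYLISTED from: a@example.net to: b@example.cz origin_ip: 200.83.179.199 origin_rdns: pc-199-179-83-200.cm.vtr.net auth: (unknown)
May  6 08:00:00 fw spamdyke[24100]: ALLOWED from: a@example.net to: b@example.cz origin_ip: 198.51.100.12 origin_rdns: srv-100-12.example.org auth: (unknown)
May  6 08:00:01 fw spamdyke[24101]: ALLOWED from: a@example.net to: b@example.cz origin_ip: 203.0.113.7 origin_rdns: mail.example.org auth: (unknown)
"""

# Eduard's keyword file plus "pool". A leading dot is treated as a label-boundary
# anchor here (assumption for this example, not a statement about spamdyke's parser).
KEYWORDS = ["dsl", ".com", ".net", "broadband", "dynamic", "pool"]

LOG_RE = re.compile(r"origin_ip: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) origin_rdns: (?P<rdns>\S+)")


def _contains_run(tokens: List[int], seq: List[int]) -> bool:
    """True if seq occurs as a contiguous run inside tokens."""
    n = len(seq)
    return any(tokens[i:i + n] == seq for i in range(len(tokens) - n + 1))


def find_ip_in_rdns(ip: str, rdns: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (kind, direction): kind is 'full', 'partial' or None.

    Every digit run in the name is converted to an int, so zero padding
    ("065-184-096-160") and the separator used (dot, dash, letters) are
    irrelevant. Partial = the last three or last two octets, forward or reversed.
    """
    octets = [int(o) for o in ip.split(".")]
    tokens = [int(t) for t in re.findall(r"\d+", rdns)]
    rev = octets[::-1]
    candidates = [
        ("full", "forward", octets),
        ("full", "reversed", rev),
        ("partial", "forward", octets[1:]),
        ("partial", "reversed", rev[:3]),
        ("partial", "forward", octets[2:]),
        ("partial", "reversed", rev[:2]),
    ]
    for kind, direction, seq in candidates:
        if _contains_run(tokens, seq):
            return kind, direction
    return None, None


def keyword_hit(rdns: str, keywords: List[str]) -> Optional[str]:
    """Return the first matching keyword, or None."""
    name = rdns.lower()
    for kw in keywords:
        k = kw.lower()
        if k.startswith("."):
            # ".net" matches "host.net" or "a.net.b" but not "atnet.ru"
            if name.endswith(k) or (k + ".") in name:
                return kw
        elif k in name:
            return kw
    return None


def classify(line: str, keywords: List[str] = KEYWORDS) -> Optional[Dict[str, Optional[str]]]:
    """Classify one spamdyke log line; None if it carries no origin_ip/origin_rdns pair."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ip, rdns = m.group("ip"), m.group("rdns")
    kind, direction = find_ip_in_rdns(ip, rdns)
    kw = keyword_hit(rdns, keywords)
    if kind and kw:
        verdict = "DENY"      # address in the name plus a dynamic-looking keyword
    elif kind:
        verdict = "REVIEW"    # address in the name but no keyword: may be a real MX
    else:
        verdict = "ALLOW"
    return {"ip": ip, "rdns": rdns, "ip_match": kind, "direction": direction,
            "keyword": kw, "verdict": verdict}


def scan(log_text: str, keywords: List[str] = KEYWORDS) -> List[Dict[str, Optional[str]]]:
    """Classify every line in log_text that carries an origin_ip/origin_rdns pair."""
    results = []
    for line in log_text.splitlines():
        r = classify(line, keywords)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['verdict']:6} {r['ip']:15} {r['rdns']}  "
              f"ip_match={r['ip_match']}/{r['direction']} keyword={r['keyword']}")
```

Run against the sample, the five lines taken from the thread all come out DENY: the reversed and zero-padded names are caught because octets are compared as integers after splitting on digit runs, and `adsl-185-107` and `39.218.broadband5` are caught by the two-octet partial check. The constructed `srv-100-12.example.org` line shows why a partial match alone is a poor reject criterion: a two-octet coincidence is plausible in legitimate hostnames, so the script only rejects when a keyword is present too, which is the same pairing Sam describes for spamdyke's keyword file.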
