Hi Ulrich,

Yes, they were at first DENIED_GREYLISTING, but the message was sent after the period with the same sender, so these were allowed in the end. Some zombies are smart these days and can fool GRAYLISTING. I have GRAYLISTING in place too. These messages go through because sender and recipient are the same and both are from our domain. I have one last idea: to block our domain as sender. The SMTP server is only an inbound SMTP server. SPAMDYKE shall bounce all e-mails suspected of SPAM because the sender can't be from our mail domain at all.

You finally gave me the bright idea of how I could stop SPAM where sender and recipients are the same. It is in another thread. Because I can block our domain as sender... Many thanks, you are a clever man!

Eduard

"Ulrich C. Manns" <[email protected]> wrote on 06.05.2009 09:00:33:

> Hi Eduard,
>
> to add only a dot wasn't my idea. I added
> .com
> .net
>
> to reject these RDNS if they contain an IP address.
>
> Normally DENIED_GREYLISTING should reject your three examples. I wonder why not?
>
> From: Eduard Svarc <[email protected]>
> Reply-To: <[email protected]>, spamdyke users <[email protected]>
> Date: Wed, 6 May 2009 08:22:29 +0200
> To: spamdyke users <[email protected]>
> Subject: Re: [spamdyke-users] Problem with DENIED_IP_IN_CC_RDNS not applied to all connections
>
> Thank you all,
>
> after the last changes in /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file, where I added '.' to the keywords. I'm surprised why this wouldn't work without '.' in the pattern. Now SPAMDYKE blocks all DNS names with the IP in the name. Only one exception remains, for the case when the IP is in the DNS name written ala reverse address. I guess it is by design and SPAMDYKE doesn't check the possible reverse notation of the IP, and it results in ALLOW. Here is an example:
>
> May 6 05:29:52 fw spamdyke[23071]: ALLOWED from: [email protected] to: [email protected] origin_ip: 91.122.235.164 origin_rdns: ip-164-235-122-091.pools.atnet.ru auth: (unknown)
>
> I guess it could be a future feature for the IP-in-rDNS block check. I would suggest it because it is not that rare a case.
>
> As I have been observing the logs for a few days, I have seen a lot of ISPs allocate their DSL/ADSL lines and give names with a partial IP in the name; here are a few records:
>
> May 6 06:53:05 fw spamdyke[23725]: ALLOWED from: [email protected] to: [email protected] origin_ip: 82.144.185.107 origin_rdns: adsl-185-107.globonet.hu auth: (unknown)
> May 6 06:19:47 fw spamdyke[23487]: ALLOWED from: @xxxxxx.cz to: @xxxxxx.cz origin_ip: 124.109.52.214 origin_rdns: mbl-109-52-214.dsl.net.pk auth: (unknown)
> May 6 07:29:49 fw spamdyke[24011]: ALLOWED from: [email protected] to: [email protected] origin_ip: 88.100.218.39 origin_rdns: 39.218.broadband5.iol.cz auth: (unknown)
>
> I can't count these names as regular ones for an SMTP server, because a group of IP addresses returns the same name. Whoever runs an SMTP server in all cases requests, or at least should request, a real DNS name, not the provider default assigned to a whole group of IP addresses. SPAMDYKE should do a partial check on IP match as well.
>
> Eduard
>
> [email protected] wrote on 04.05.2009 10:00:08:
>
> > Dear Ulrich,
> >
> > I didn't. I had these keywords without '.' as you can see in the thread where I listed the full content of my file:
> >
> > > > /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file
> > > >
> > > > contains:
> > > >
> > > > dsl
> > > > com
> > > > net
> > > > broadband
> > > > dynamic
> >
> > Adding it now, will see the result.
> >
> > Thank You
> > Eduard
> >
> > "Ulrich C. Manns" <[email protected]> wrote on 04.05.2009 09:30:45:
> >
> > > Hi Eduard,
> > >
> > > i only added .com and .net (with dot as prefix!). This rejects all of the blabla.net spams. I found some DENIED_IP_IN_RDNS with zeros:
> > >
> > > May 4 09:18:03 srv0 spamdyke[18967]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 74.251.132.129 origin_rdns: adsl-074-251-132-129.sip.asm.bellsouth.net auth: (unknown)
> > > May 4 09:18:03 srv0 spamdyke[18967]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 74.251.132.129 origin_rdns: adsl-074-251-132-129.sip.asm.bellsouth.net auth: (unknown)
> > >
> > > You really added the dot?
> > >
> > > Regards,
> > > Ulrich
> > >
> > > From: Eduard Svarc <[email protected]>
> > > Reply-To: <[email protected]>
> > > Date: Mon, 4 May 2009 09:02:09 +0200
> > > To: "Ulrich C. Manns" <[email protected]>
> > > Cc: <[email protected]>, spamdyke users <[email protected]>
> > > Subject: Re: [spamdyke-users] Problem with DENIED_IP_IN_CC_RDNS not applied to all connections
> > >
> > > Dear Ulrich,
> > >
> > > yes I did. In most cases it works fine, like this one from a .net domain:
> > >
> > > May 4 08:44:23 fw spamdyke[21491]: DENIED_IP_IN_RDNS from: [email protected] to: [email protected] origin_ip: 71.115.109.232 origin_rdns: pool-71-115-109-232.sangtx.dsl-w.verizon.net auth: (unknown)
> > >
> > > What else I found: lines where the numbers are prepended with '0' (zeros), and it seems SPAMDYKE was fooled too. Here is an example:
> > >
> > > May 4 08:45:15 fw spamdyke[21525]: ALLOWED from: [email protected] to: [email protected] origin_ip: 65.184.96.160 origin_rdns: cpe-065-184-096-160.sc.res.rr.com auth: (unknown)
> > >
> > > I have another idea. Even though I have defined
> > >
> > > ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file
> > >
> > > the keywords inside it stop only those lines where the keyword is in front of the IP part of the DNS name, not at the end of the IP part.
> > >
> > > I think that .net was stopped because I have the keyword 'pool' in the file, not because the keyword 'net' is there. Why do I think that is the case? Because I see lines like
> > >
> > > May 4 08:50:09 fw spamdyke[21599]: ALLOWED from: @xxxxxxx.cz to: @xxxxxx.cz origin_ip: 79.180.128.135 origin_rdns: bzq-79-180-128-135.red.bezeqint.net auth: (unknown)
> > >
> > > and it is from a .net domain, and even though the keyword 'net' is in the blacklist file the mail wasn't denied at all.
> > >
> > > FYI: Why do I fight with these dynamic IP senders so hard? The reason is we are getting around 10 to 20 connections from these each minute and I don't want to waste bandwidth on our line. We have SPAMDYKE at the perimeter SMTP to intercept these bogies. At the backend we have a true mail server with SPAM prevention software. I'm trying this way to offload some load from that server. We were in a situation where we got around 10mil e-mails per day. For a small company with 30 e-mail boxes this is really too much. It led to a DoS attack on our server. Thanks to SPAMDYKE we lowered the load by 99%. Now I'm trying to intercept the remaining bogies.
> > >
> > > Thank you
> > > Eduard
> > >
> > > "Ulrich C. Manns" <[email protected]> wrote on 04.05.2009 08:42:28:
> > >
> > > > Did you find any DENIED_IP_IN_RDNS?
> > > > How are the file rights?
> > > > I have entered .com and .net, not only com and net.
> > > >
> > > > Regards,
> > > > Ulrich
> > > >
> > > > From: Eduard Svarc <[email protected]>
> > > > Reply-To: <[email protected]>, spamdyke users <[email protected]>
> > > > Date: Mon, 4 May 2009 08:32:35 +0200
> > > > To: spamdyke users <[email protected]>
> > > > Subject: Re: [spamdyke-users] Problem with DENIED_IP_IN_CC_RDNS not applied to all connections
> > > >
> > > > Dears,
> > > >
> > > > I did try to block incoming mails from dynamic IPs, but with partial success; I am still having a problem with:
> > > >
> > > > May 4 08:19:31 fw spamdyke[21023]: DENIED_GRAYLISTED from: [email protected] to: [email protected] origin_ip: 200.83.179.199 origin_rdns: pc-199-179-83-200.cm.vtr.net auth: (unknown)
> > > >
> > > > my \etc\spamdyke.conf contains the next lines:
> > > >
> > > > reject-empty-rdns
> > > > reject-ip-in-cc-rdns
> > > > ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file
> > > > reject-missing-sender-mx
> > > > reject-unresolvable-rdns
> > > >
> > > > and the file:
> > > >
> > > > /etc/spamdyke.d/ip-in-rdns-keyword-blacklist-file
> > > >
> > > > contains:
> > > >
> > > > dsl
> > > > com
> > > > net
> > > > broadband
> > > > dynamic
> > > >
> > > > In most cases it does stop e-mails from DSL line subscribers, but not from all, as you see from the line above. The sender was just graylisted, not denied with DENIED_IP_IN_CC_RDNS. Maybe the problem is with the IP in DNS, because it is the exact reverse of the real IP 200.83.179.199. In DNS it is 199-177-83-200? Should SPAMDYKE check for ala-reverse IP?
> > > >
> > > > Any idea where I made a mistake?
> > > >
> > > > Thanks in advance
> > > > Eduard
> > > >
> > > > [email protected] wrote on 29.04.2009 12:46:53:
> > > >
> > > > > Dear Sam,
> > > > >
> > > > > thank you for the great hint. At first guess I thought the root cause of the problem was the IP represented in DNS, because it is not a plain IP but dashes with leading text are used in the name. I have similar entries in the log like:
> > > > >
> > > > > Apr 29 12:34:52 fw spamdyke[11641]: ALLOWED from: xx...@xxxxxxxxx to: xxx...@xxxxxx origin_ip: 88.12.245.122 origin_rdns: 122.red-88-12-245.dynamicip.rima-tde.net auth: (unknown)
> > > > >
> > > > > Going to test, crossing my fingers
> > > > > Thank You
> > > > > Eduard
> > > > >
> > > > > [email protected] wrote on 29.04.2009 03:17:27:
> > > > >
> > > > > > You've misunderstood the meaning of the "DENIED_IP_IN_CC_RDNS" message. That particular filter is triggered because spamdyke found the IP address _and_ a two-letter country code. In other words, your example was blocked because it contained the IP address and ended in ".nl". The graylisted entry wasn't blocked because it ends in ".net".
> > > > > >
> > > > > > spamdyke searches for many different ways of putting the IP address in the rDNS name, including reversing the octets. The full list of patterns it checks is listed here:
> > > > > > http://www.spamdyke.org/documentation/README.html#RDNS
> > > > > >
> > > > > > To block dynamic hosts, enable the "ip-in-rdns-keyword-blacklist-file" option. In the file, list a few keywords that you expect to find in dynamic rDNS names (e.g. dhcp, dynamic, cable). When spamdyke finds the IP address and one of those keywords, it will block the connection. Using your example, if your keyword file contained "dsl", spamdyke would have blocked the connection.
> > > > > >
> > > > > > There are also several RBLs that claim to block dynamic IP ranges, but I haven't had much success with them. Matching keywords and IP addresses has been much more fruitful for me. Your mileage may vary.
> > > > > >
> > > > > > -- Sam Clippinger
> > > > > >
> > > > > > Eduard Svarc wrote:
> > > > > > >
> > > > > > > Looking for clues,
> > > > > > >
> > > > > > > I would like to reject all e-mails from dynamic IPs, but it seems that Spamdyke doesn't recognize all of them correctly, like:
> > > > > > >
> > > > > > > DENIED_GRAYLISTED from: [email protected] to: pavel_k...@xxxxxxxx origin_ip: 99.184.238.30 origin_rdns: adsl-99-184-238-30.dsl.irvnca.sbcglobal.net auth:
> > > > > > >
> > > > > > > is graylisted instead of denied like:
> > > > > > >
> > > > > > > DENIED_IP_IN_CC_RDNS from: [email protected] to: sa...@xxxxxxx origin_ip: 91.184.0.35 origin_rdns: 91-184-0-35.shared.hostnet.nl auth:
> > > > > > >
> > > > > > > As I see it, the only difference is that in the 1st case the IP address is entered as reverse, but it is still just a plain IP. It seems that some providers are trying to create pseudo FQDNs for their dynamic IPs. Denying dynamic IPs is a great feature preventing 99% of spams, but it seems it could be fooled; or can it be configured even further to intercept this?
> > > > > > >
> > > > > > > Please Help

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
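The thread turns on one question: in how many ways can a client's IP address be written into its rDNS name (forward, reversed, zero-padded, only the last two or three octets), and which of those a filter catches. The script below is an added example, not spamdyke's code and not its documented pattern list (that list is in the README linked above); the matching heuristics, the `KEYWORDS` list (assembled from Eduard's file and Sam's suggestions), the verdict strings, and the rule order are this example's own assumptions. It parses the `origin_ip` / `origin_rdns` fields from log lines shaped like the ones quoted in the thread, reports which encoding of the IP it found, and applies the two rules Sam describes (IP plus two-letter country-code TLD; IP plus a blacklist keyword) so the reader can see why the zero-padded and reversed examples slip past a naive check.

```python
"""Detecting a client's IP address embedded in its rDNS name (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Extracts the origin_ip / origin_rdns fields from spamdyke-style log lines as
# quoted in the thread. The field names come from those lines; the regex is ours.
LOG_RE = re.compile(
    r"origin_ip:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+origin_rdns:\s*(?P<rdns>\S+)"
)

# Keyword list assembled from the thread (Eduard's file plus Sam's suggestions).
KEYWORDS = ["dsl", "pool", "broadband", "dynamic", "dhcp", "cable"]

# Constructed sample log: the IP/rDNS pairs are the ones quoted in the thread,
# the sender/recipient addresses are placeholders.
SAMPLE_LOG = [
    "May  6 05:29:52 fw spamdyke[23071]: ALLOWED from: a@xxxxxx.cz to: b@xxxxxx.cz "
    "origin_ip: 91.122.235.164 origin_rdns: ip-164-235-122-091.pools.atnet.ru auth: (unknown)",
    "May  6 06:53:05 fw spamdyke[23725]: ALLOWED from: a@xxxxxx.cz to: b@xxxxxx.cz "
    "origin_ip: 82.144.185.107 origin_rdns: adsl-185-107.globonet.hu auth: (unknown)",
    "May  6 07:29:49 fw spamdyke[24011]: ALLOWED from: a@xxxxxx.cz to: b@xxxxxx.cz "
    "origin_ip: 88.100.218.39 origin_rdns: 39.218.broadband5.iol.cz auth: (unknown)",
    "May  4 08:45:15 fw spamdyke[21525]: ALLOWED from: a@xxxxxx.cz to: b@xxxxxx.cz "
    "origin_ip: 65.184.96.160 origin_rdns: cpe-065-184-096-160.sc.res.rr.com auth: (unknown)",
    "Apr 29 12:34:52 fw spamdyke[11641]: ALLOWED from: a@xxxxxx.cz to: b@xxxxxx.cz "
    "origin_ip: 88.12.245.122 origin_rdns: 122.red-88-12-245.dynamicip.rima-tde.net auth: (unknown)",
]


def parse_log_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (origin_ip, origin_rdns) from one log line, or None if the fields are absent."""
    m = LOG_RE.search(line)
    return (m.group("ip"), m.group("rdns")) if m else None


def ip_in_rdns(ip: str, rdns: str) -> Optional[str]:
    """Describe how `ip` is embedded in `rdns` ("reversed/4", "forward/2", ...), or None.

    Heuristics are this example's own, not spamdyke's documented pattern list:
      * the last n octets (n = 4, 3, 2) in forward or reversed order, separated by
        '.' or '-', each octet optionally zero-padded ("074" for 74);
      * fallback: all four octets present as separate number tokens in any order
        ("122.red-88-12-245").
    The 2-octet forms are deliberately loose; pair them with a keyword match.
    """
    octets = ip.split(".")
    name = rdns.lower()
    for n in (4, 3, 2):
        tail = octets[-n:]
        for order, seq in (("forward", tail), ("reversed", tail[::-1])):
            body = r"[.-]".join(r"0{0,2}" + o for o in seq)
            if re.search(r"(?<!\d)" + body + r"(?!\d)", name):
                return f"{order}/{n}"
    tokens = {int(t) for t in re.findall(r"\d+", name)}
    if all(int(o) in tokens for o in octets):
        return "scattered/4"
    return None


def has_keyword(rdns: str, keywords: List[str] = KEYWORDS) -> Optional[str]:
    """First blacklist keyword found anywhere in the name (substring match), or None."""
    name = rdns.lower()
    return next((kw for kw in keywords if kw in name), None)


def ends_in_country_code(rdns: str) -> bool:
    """True when the top-level label is a two-letter (country-code style) TLD."""
    tld = rdns.rstrip(".").rsplit(".", 1)[-1]
    return len(tld) == 2 and tld.isalpha()


def classify(ip: str, rdns: str, keywords: List[str] = KEYWORDS) -> Dict[str, object]:
    """Apply the two rules Sam describes: IP + country-code TLD, or IP + keyword.

    Rule order and the verdict strings are this example's choice.
    """
    how = ip_in_rdns(ip, rdns)
    cc = bool(how) and ends_in_country_code(rdns)
    kw = has_keyword(rdns, keywords) if how else None
    if cc:
        verdict = "reject:ip-in-cc-rdns"
    elif kw:
        verdict = "reject:ip-in-rdns-keyword"
    else:
        verdict = "allow"
    return {"ip_pattern": how, "country_code": cc, "keyword": kw, "verdict": verdict}


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every parseable line; returns (ip, rdns, verdict) triples."""
    out = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            ip, rdns = parsed
            out.append((ip, rdns, classify(ip, rdns)["verdict"]))
    return out


if __name__ == "__main__":
    for ip, rdns, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {rdns:45} {ip_in_rdns(ip, rdns)!s:12} {verdict}")
```

Run against the thread's own samples, the reversed (`ip-164-235-122-091`), partial (`adsl-185-107`, `39.218`) and zero-padded (`cpe-065-184-096-160`) names are all recognised as containing the IP; whether a connection is then rejected depends on the second condition, which is why `cpe-065-184-096-160.sc.res.rr.com` (no keyword, `.com`) stays allowed while `122.red-88-12-245.dynamicip.rima-tde.net` is caught by the `dynamic` keyword. The loose 2-octet and "scattered" matches trade some false positives for coverage of provider naming schemes; keep them tied to a keyword or country-code condition rather than using them alone.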
