Henrik K wrote:
> On Fri, Jan 16, 2009 at 01:52:46PM +0100, Jonas Eckerman wrote:
>> Benny Pedersen wrote:
>>
>>> I have changed to use BadRelay from
>>> http://sa.hege.li/BadRelay.pm
>>> http://sa.hege.li/BadRelay.cf
>>
>> After reading BadRelay.pm I see that it does not really replace Botnet.
>>
>> Some of the differences in what is checked are due to Botnet doing
>> DNS lookups while BadRelay avoids that. That's fair enough since one of
>> the points of BadRelay is to avoid those lookups. It does mean that
>> BadRelay has less info to base decisions on than Botnet though.
>
> Less info only if you are running a sad MTA, that doesn't properly resolve.
Not completely true.

$ host 220.174.1.163
163.1.174.220.in-addr.arpa domain name pointer 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn.
$ host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn
Host 163.1.174.220.broad.hk.hi.dynamic.163data.com.cn not found: 3(NXDOMAIN)

If you get a message from this IP, Postfix will set the name to "unknown", so you won't detect that the PTR is dynamic. And "unknown" is also used if there is a DNS failure, or if the PTR doesn't "confirm" (IP -> PTR -> different IP). So you can't treat all "unknown" similarly.

I know you can block the IP in Postfix (I block the whole dynamic.163data.com.cn), but this is just an example (I'm too lazy to look for a better one), and I hope you see my point.

> I guess the SOHO rule is an exception, but I've never seen a need for it
> myself. You can always whitelist such minority cases by hand.
>
>> One difference is simply due to the fact that all BadRelay does is the
>> simple regexp matches. BadRelay doesn't have Botnet's check for IP in
>> host name, which it could do without DNS lookups.
>
> Check for IP in hostname? Does anyone have actual stats, that it's somehow
> better than a generic \d+-\d+ regex or whatever? Sometimes it's just better
> to KISS.
>
> Btw, I haven't touched BadRelay in ages, since all these "dynamic" etc
> checks should be done in MTA. I pretty much don't get anything through to SA
> that would get hit by it.
>
>> What would be nice though would be a plugin that:
>> ...
>
> All this should be generic SA stuff.. :) If only someone would have time to
> revamp the current (old) rules.
>
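As an added example (not code from this thread, Postfix, BadRelay or Botnet), the Python below keeps apart the reverse-DNS states that the MTA folds into the single name "unknown", and runs a hostname-only dynamic check of the kind that is lost once only "unknown" is passed on. The resolver functions, patterns and lookup tables are constructed for the example; the 163data.com.cn entry mirrors the host output quoted above.

```python
# Added example for this thread, not Postfix/BadRelay/Botnet code: keep apart
# the reverse-DNS states that an MTA collapses into the single name "unknown".
# Lookups are injected callables, so it runs offline on constructed data.
import re

# Constructed hostname heuristics (not BadRelay's or Botnet's actual rules):
# dynamic-pool keywords, and the client IP embedded in its own name.
DYNAMIC_PATTERNS = [
    re.compile(r"(^|[.-])(dynamic|dyn|dhcp|pool|ppp|dial|adsl|dsl|cable)([.-]|$)", re.I),
    re.compile(r"(^|\D)\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}(\D|$)"),
]

def classify_rdns(ip, ptr_lookup, fwd_lookup):
    """Return (state, ptr_name). ptr_lookup(ip) -> hostname or None on NXDOMAIN;
    fwd_lookup(name) -> A records ([] on NXDOMAIN); both raise OSError on
    SERVFAIL/timeout. Postfix reports every state but "confirmed" as the name
    "unknown", so only then does the PTR text reach a downstream filter."""
    try:
        name = ptr_lookup(ip)
        if name is None:
            return "no-ptr", None          # PTR query answered NXDOMAIN
        forward = fwd_lookup(name)
    except OSError:
        return "dns-failure", None         # resolver error, not a verdict
    if not forward:
        return "unconfirmed", name         # the 163data.com.cn case above
    if ip not in forward:
        return "mismatch", name            # PTR resolves, but to another IP
    return "confirmed", name               # forward-confirmed reverse DNS

def looks_dynamic(name):
    """Hostname-only check of the kind a BadRelay-style rule performs."""
    return bool(name) and any(p.search(name) for p in DYNAMIC_PATTERNS)

# Constructed resolver data mirroring the host(1) output quoted above.
PTR_DB = {
    "220.174.1.163": "163.1.174.220.broad.hk.hi.dynamic.163data.com.cn",
    "192.0.2.10": "mail.example.net",
    "192.0.2.11": "host-11.example.net",
    "192.0.2.12": None,
}
A_DB = {"mail.example.net": ["192.0.2.10"], "host-11.example.net": ["192.0.2.99"]}

def fake_ptr(ip):
    if ip == "192.0.2.13":
        raise OSError("SERVFAIL")          # simulated resolver failure
    return PTR_DB.get(ip)

def fake_fwd(name):
    return A_DB.get(name, [])
```

Only the "confirmed" client would reach SpamAssassin with its real hostname; for the other four the filter sees "unknown" and `looks_dynamic` has nothing to work on, which is the point made above.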