greylisting?
Steve Freegard
smf at f2s.com
Wed Apr 19 09:54:41 IST 2006
Hi Kai,
On Tue, 2006-04-18 at 23:31 +0200, Kai Schaetzl wrote:
> Res wrote on Mon, 17 Apr 2006 13:36:22 +1000 (EST):
>
> > Since enforcing PTR checks, like I said 90% of the crap is now rejected
>
> By simply checking if a PTR record exists? You are then getting spam from
> weird locations ;-) All big German providers have PTR for their dynamic IP
> space and what I get from the big US providers like charter, comcast, shaw
> and such, they all have PTR. Actually that's a good thing since I can
> block them all by domain instead of collecting their IP ranges :-)
> I could reject maybe 10% by a "need PTR" policy - if I'm lucky.
I've been messing around with miltering a lot lately and I came up with
what I think is quite a good way to deal with dynamic IP ranges from
cable/DSL providers etc. that spew out junk from injected/trojan
machines without resorting to using a blacklist (which doesn't list all
the possible ranges anyway) or manually listing lots of IP ranges:
1) Check the PTR record (no lookup required; Sendmail already does this).
- TEMPFAIL the connection if no record exists.
2) Check the A record for the hostname returned by the reverse lookup.
- (Optional), TEMPFAIL the connection if no record exists.
3) Run a series of regexp tests against the hostname and REJECT the
message if any match:
- Hex encoded IP address appears within the hostname
- all IP octets appear within the hostname (fwd/rev)
- IP address without the .'s appears within the hostname (fwd/rev)
- Last two octets appear within the hostname (fwd/rev)
- Last octet appears within the hostname
- Hostname contains any of the following (.adsl. .dsl. .dip. .ddns.)
I'm not sure I'd ever dare run anything like this on a production system
-- but using this and the URI blacklisting was almost 100% effective in
rejecting all junk from our spam trap at the MTA level (the only
messages left were joe-job bounce-backs).
I'm going to see if I can create some SpamAssassin rules to achieve the
same sort of thing using the first untrusted Received header and see how
effective it might be using mass-check against a corpus.
Cheers,
Steve.
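The hostname tests from step 3 of Steve's list, as an added Python example that is not from the post or from MailScanner; it assumes the connecting IP and its PTR hostname are already known (e.g. handed over by the MTA) and matches octets against digit runs in the hostname so that "1" does not match inside "10".

```python
import re
from ipaddress import IPv4Address

# Labels that Steve's step 3 treats as dynamic-pool markers.
DYNAMIC_LABELS = {"adsl", "dsl", "dip", "ddns"}


def _contains_sequence(tokens, seq):
    """True if seq appears as consecutive elements of tokens."""
    n = len(seq)
    return any(tokens[i:i + n] == seq for i in range(len(tokens) - n + 1))


def dynamic_hostname_matches(ip, hostname):
    """Return the names of the step-3 tests that the PTR hostname trips.

    An empty list means the hostname looks static; a non-empty list is
    what the milter would turn into a REJECT.
    """
    octets = str(IPv4Address(ip)).split(".")          # validates the IP too
    host = hostname.lower().rstrip(".")
    tokens = re.findall(r"\d+", host)                 # digit runs, e.g. 192-168-1-2
    hits = []
    # Hex-encoded IP, e.g. 192.168.1.2 -> c0a80102
    if "".join(f"{int(o):02x}" for o in octets) in host:
        hits.append("hex_ip")
    # All four octets as separate digit runs, forward or reversed order
    if _contains_sequence(tokens, octets) or _contains_sequence(tokens, octets[::-1]):
        hits.append("all_octets")
    # IP with the dots stripped, forward or reversed octet order
    if "".join(octets) in host or "".join(reversed(octets)) in host:
        hits.append("ip_no_dots")
    # Last two octets, forward or reversed
    if _contains_sequence(tokens, octets[2:]) or _contains_sequence(tokens, octets[2:][::-1]):
        hits.append("last_two_octets")
    # Last octet alone: the noisiest test, a plain "host2" will trip it
    if octets[3] in tokens:
        hits.append("last_octet")
    # Any of the dynamic-pool labels as a whole DNS label
    if set(host.split(".")) & DYNAMIC_LABELS:
        hits.append("dynamic_label")
    return hits


if __name__ == "__main__":
    # Constructed sample PTR names, not real hosts.
    for ip, name in [("192.168.1.2", "cpe-192-168-1-2.dsl.example.net"),
                     ("192.168.1.2", "C0A80102.dyn.example.net"),
                     ("203.0.113.7", "mail.example.org")]:
        print(name, dynamic_hostname_matches(ip, name))
```

The last-octet test alone produces false positives on ordinary names like host2.example.org, which is one reason the author says he would not run this unchanged on a production system.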