Posted to users@spamassassin.apache.org by Dave Augustus <da...@ingraftedsoftware.com> on 2006/03/18 18:53:51 UTC

rules for IP addresses without reverse DNS records?

Anyone point me in the right direction? 

I am just thinking of increasing the spam level counter based on whether they have a reverse IP address. I have tried to reject these outright based on this criteria but that would cause too many false positives. 

I am already using a lot of rules via rules_du_jour. 

Thanks, 
Dave 



Re: rules for IP addresses without reverse DNS records?

Posted by Jeremy Fairbrass <jf...@hotmail.com>.
Correct me if I'm wrong, but would a rule like the following one of mine not 
do the trick regardless of how the MTA writes the Received header, and be 
less prone (actually not prone at all) to spoofing?

header    JF_NO_PTR    X-Spam-Relays-Untrusted =~ /^\[ ip=[^ ]* rdns= helo=/
describe    JF_NO_PTR    No reverse lookup for sender IP in X-Spam-Relays-Untrusted
score    JF_NO_PTR    0.5

It's simply searching for a blank "rdns=" string (without quotes of course) 
in the X-Spam-Relays-Untrusted pseudoheader. It should only search the very 
first line in this pseudoheader, i.e. the one that relates to the most recent 
untrusted relay as per http://wiki.apache.org/spamassassin/TrustedRelays.

I'm guessing, from what I've learnt at 
http://wiki.apache.org/spamassassin/TrustedRelays, that a blank "rdns=" 
string, i.e. followed directly by a space, indicates a lack of a PTR record?

The reason why I think this would be better than searching within the 
Received header, is that in theory the info in an older Received header 
could be spoofed by the spammer so that it includes the name of your MTA. 
Perhaps this is unlikely, I dunno, but at least using 
X-Spam-Relays-Untrusted means you don't have that risk at all, right??!

Can anyone see any exceptions or issues with doing it this way?

Cheers,
Jeremy


"Matthias Fuhrmann" <Ma...@stud.uni-hannover.de> wrote in 
message 
news:Pine.GSO.4.58.0603182017340.14596@studserv.stud.uni-hannover.de...
> On Sat, 18 Mar 2006, Dave Augustus wrote:
>
>>
>> Anyone point me in the right direction?
>>
>> I am just thinking of increasing the spam level counter based on whether
>> they have a reverse IP address. I have tried to reject these outright
>> based on this criteria but that would cause too many false positives.
>
> this thread will help you:
> http://www.gossamer-threads.com/lists/spamassassin/users/11783?search_string=Reverse%20DNS%20Check;#11783
>
> just have a look at the rule named:  MY_NO_PTR
>
> regards,
> Matthias 
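An added example, not part of Jeremy's post or of SpamAssassin itself: a small Python harness that applies the JF_NO_PTR regex exactly as written to constructed X-Spam-Relays-Untrusted pseudo-headers and parses each relay entry, so you can see that the `^` anchor restricts the rule to the most recent untrusted relay. The sample pseudo-headers (RFC 5737 documentation addresses, following the `[ ip=... rdns=... helo=... ]` layout the rule itself expects) are constructed for this example.

```python
import re

# Jeremy's rule, unchanged: fires only when the FIRST relay entry (the most
# recent untrusted relay) has an empty rdns= field.
JF_NO_PTR = re.compile(r"^\[ ip=[^ ]* rdns= helo=")

# One "[ key=value key=value ... ]" group per relay, most recent first.
RELAY_GROUP = re.compile(r"\[ (.*?) \]")


def parse_relays(pseudo_header):
    """Return one dict of key/value fields per relay, most recent first."""
    relays = []
    for group in RELAY_GROUP.findall(pseudo_header):
        fields = {}
        for token in group.split(" "):
            key, _, value = token.partition("=")
            fields[key] = value          # empty value for 'rdns=' means no PTR
        relays.append(fields)
    return relays


def jf_no_ptr(pseudo_header):
    """What the SpamAssassin header rule sees: True when the regex matches."""
    return JF_NO_PTR.match(pseudo_header) is not None


def relays_without_rdns(pseudo_header):
    """Broader view than the rule: IPs of every relay in the chain lacking a reverse name."""
    return [r["ip"] for r in parse_relays(pseudo_header) if r.get("rdns", "") == ""]


# Constructed sample pseudo-headers (not taken from the thread); RFC 5737 addresses.
# Case 1: the most recent untrusted relay has no PTR -> rule fires.
NO_PTR_FIRST = (
    "[ ip=192.0.2.10 rdns= helo=pc123 by=mx.example.org ident= envfrom= intl=0 id=abc123 auth= msa=0 ] "
    "[ ip=198.51.100.5 rdns=relay.example.net helo=relay.example.net by=192.0.2.10 ident= envfrom= intl=0 id= auth= msa=0 ]"
)
# Case 2: same two relays in the other order; the PTR-less hop is older, so the rule does not fire.
PTR_FIRST = (
    "[ ip=198.51.100.5 rdns=relay.example.net helo=relay.example.net by=mx.example.org ident= envfrom= intl=0 id=def456 auth= msa=0 ] "
    "[ ip=192.0.2.10 rdns= helo=pc123 by=198.51.100.5 ident= envfrom= intl=0 id= auth= msa=0 ]"
)

if __name__ == "__main__":
    for label, hdr in (("NO_PTR_FIRST", NO_PTR_FIRST), ("PTR_FIRST", PTR_FIRST)):
        print(label, "JF_NO_PTR fires:", jf_no_ptr(hdr),
              "relays without rdns:", relays_without_rdns(hdr))
```

Only the first relay entry is examined; entries further right, derived from older Received headers that the sender may have written, never reach the match. If you want the broader "any hop lacked a PTR" signal, relays_without_rdns() gives it, but that is the weaker, forgeable check the post is arguing against.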




Re: rules for IP addresses without reverse DNS records?

Posted by Matthias Fuhrmann <Ma...@stud.uni-hannover.de>.
On Sat, 18 Mar 2006, Dave Augustus wrote:

>
> Anyone point me in the right direction?
>
> I am just thinking of increasing the spam level counter based on whether
> they have a reverse IP address. I have tried to reject these outright
> based on this criteria but that would cause too many false positives.

this thread will help you:
http://www.gossamer-threads.com/lists/spamassassin/users/11783?search_string=Reverse%20DNS%20Check;#11783

just have a look at the rule named:  MY_NO_PTR

regards,
Matthias

Re: rules for IP addresses without reverse DNS records?

Posted by Matt Kettler <mk...@evi-inc.com>.
mouss wrote:
> Matt Kettler a écrit :
>> I had the same problem. I wound up implementing milter-greylist in a way that
>> greylists these hosts, but lets most systems past. I'm not sure if you're using
>> sendmail or not, but I found this VERY helpful.
>>
>> The selective greylisting is possible due to milter-greylist's use of ACLs, and
>> a configurable default action. Most folks whitelist certain hosts, and use a
>> default of greylist. I do the opposite. I greylist selected patterns, then
>> whitelist the rest.
> 
> You can also greylist and/or greetpause hosts with a hostname that looks
> dynamic. I find this safer than using a dul list. you can also restrict
> dul lookup to hosts that look dynamic (which is helpful in the case of
> SORBS DUHL, which lists static IPs).

Yes, I do that too.

I greylist:
	no RDNS
	RDNS looks dynamic
	IP in APNIC
	IP in LACNIC
	RDNS ends in selected country codes
	"troublesome" IP blocks that can't be blacklisted due to
	containing some legitimate mail sources.


See:
http://xanadu.evi-inc.com/greylist.conf.censored

Note: I censored out a lot of semi-sensitive stuff, such as whitelists based on
business relationships, spamtrap addresses, etc. with X's.

(I'll probably pull that file down after a few days, so if you really want to
look at it, do so now)





Re: rules for IP addresses without reverse DNS records?

Posted by mouss <us...@free.fr>.
Matt Kettler a écrit :
> I had the same problem. I wound up implementing milter-greylist in a way that
> greylists these hosts, but lets most systems past. I'm not sure if you're using
> sendmail or not, but I found this VERY helpful.
> 
> The selective greylisting is possible due to milter-greylist's use of ACLs, and
> a configurable default action. Most folks whitelist certain hosts, and use a
> default of greylist. I do the opposite. I greylist selected patterns, then
> whitelist the rest.

You can also greylist and/or greetpause hosts with a hostname that looks
dynamic. I find this safer than using a dul list. you can also restrict
dul lookup to hosts that look dynamic (which is helpful in the case of
SORBS DUHL, which lists static IPs).


RE: rules for IP addresses without reverse DNS records?

Posted by Herb Martin <He...@learnquick.com>.
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler@evi-inc.com] 
> 
> I had the same problem. I wound up implementing 
> milter-greylist in a way that
> greylists these hosts, but lets most systems past. I'm not 
> sure if you're using
> sendmail or not, but I found this VERY helpful.
> 

I do something similar -- and using Exim to run the
greylist test I add a header for each of these criteria
which can cause greylisting.

So it is possible to either write a rule against
these added headers (when later SA checks the emails
that pass greylisting) or perhaps just consider that
these will count in the Bayes weight.

--
Herb Martin


Re: rules for IP addresses without reverse DNS records?

Posted by Matt Kettler <mk...@evi-inc.com>.
Dave Augustus wrote:
> Anyone point me in the right direction?
> 
> I am just thinking of increasing the spam level counter based on whether
> they have a reverse IP address. I have tried to reject these outright
> based on this criteria but that would cause too many false positives.

Slightly OT, as I don't have a SA based solution off the top of my head:


I had the same problem. I wound up implementing milter-greylist in a way that
greylists these hosts, but lets most systems past. I'm not sure if you're using
sendmail or not, but I found this VERY helpful.

The selective greylisting is possible due to milter-greylist's use of ACLs, and
a configurable default action. Most folks whitelist certain hosts, and use a
default of greylist. I do the opposite. I greylist selected patterns, then
whitelist the rest.

This simple bit of milter-greylist config will do it:

# enable posix extended regex syntax instead of posix basic syntax
extendedregex

#greylist unresolvable hosts
acl greylist domain /\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/

# set a default to whitelist anything not greylisted

acl whitelist default


I also find it helpful to start off whitelisting all my servers and clients,
then follow up with a greylist of anything with an envelope from of my domain.
This knocks down a lot of viruses. Since milter-greylist applies its ACLs in
order, you can do white-grey-default white.


If anyone wants to see my config I can post it up somewhere (with the whitelist
bits censored out)
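An added example, not code from the thread or from milter-greylist: a Python model of the first-match ACL evaluation Matt describes (ordered ACLs, white-grey-default white, using the same unresolvable-host regex as his config), with a "looks dynamic" hostname heuristic of the kind mouss suggests earlier in the thread. The heuristic word list, the 192.0.2.0/24 "local" network, example.org as the local envelope-from domain and all client records are assumptions constructed for the example.

```python
import re

# Same pattern as the "acl greylist domain" line above: sendmail hands the
# milter "[a.b.c.d]" as the client name when the address has no PTR.
UNRESOLVABLE = re.compile(r"\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]")

# Assumption for this example, not a milter-greylist feature: a reverse name
# carrying an access-provider label, or its own IP octets spelled out, is
# treated as probably dynamic.
DYNAMIC_LABEL = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|dsl|adsl|cable|dialup)([.-]|$)", re.I)

LOCAL_PREFIX = "192.0.2."   # assumption: "my servers and clients"
MY_DOMAIN = "example.org"   # assumption: the local envelope-from domain


def looks_dynamic(client_name, ip):
    """Heuristic: reverse name carries a dynamic-pool label or its own IP octets."""
    if UNRESOLVABLE.search(client_name):
        return False                  # no name at all; the no-rdns ACL handles it
    if DYNAMIC_LABEL.search(client_name):
        return True
    octets = ip.split(".")
    forward = r"[.-]".join(octets)
    backward = r"[.-]".join(reversed(octets))
    return re.search(rf"(^|[.-])({forward}|{backward})([.-]|$)", client_name) is not None


def build_acls():
    """Ordered ACLs, first match wins: white (local) -> grey (patterns) -> default white."""
    return [
        ("local",      "whitelist", lambda c: c["ip"].startswith(LOCAL_PREFIX)),
        ("own-domain", "greylist",  lambda c: c["envfrom"].lower().endswith("@" + MY_DOMAIN)),
        ("no-rdns",    "greylist",  lambda c: UNRESOLVABLE.search(c["domain"]) is not None),
        ("dynamic",    "greylist",  lambda c: looks_dynamic(c["domain"], c["ip"])),
    ]


def evaluate(client, acls=None, default="whitelist"):
    """Return (action, acl_name) for a connecting client; 'default' mirrors 'acl whitelist default'."""
    for name, action, matches in (acls if acls is not None else build_acls()):
        if matches(client):
            return action, name
    return default, "default"


# Constructed client records (ip, sendmail client name, envelope sender); not real traffic.
CLIENTS = [
    {"ip": "192.0.2.7",     "domain": "desktop7.example.org",          "envfrom": "alice@example.org"},
    {"ip": "203.0.113.9",   "domain": "[203.0.113.9]",                 "envfrom": "bob@elsewhere.example"},
    {"ip": "203.0.113.44",  "domain": "203-0-113-44.dsl.example.net",  "envfrom": "carol@elsewhere.example"},
    {"ip": "198.51.100.25", "domain": "mx1.partner.example",           "envfrom": "dan@partner.example"},
    {"ip": "198.51.100.77", "domain": "mx2.partner.example",           "envfrom": "spoof@example.org"},
]

if __name__ == "__main__":
    for c in CLIENTS:
        action, why = evaluate(c)
        print(f"{c['ip']:15} {c['domain']:32} -> {action:9} ({why})")
```

The ordering is the whole point: the local desktop sends with an @example.org envelope sender, but the "local" whitelist ACL comes first, so the own-domain greylist only bites external hosts that claim to be us. Swap the two and your own users get greylisted.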