From: Patrick Sneyers
Subject: Re: [CGPSA] Test
Date: Tue, 28 Nov 2017 14:34:17 +0100
To: CGPSA Discussion List

> On 28 Nov 2017, at 11:42, Palvelin Postmaster wrote:
>
>> On 28 Nov 2017, at 11:16, Patrick Sneyers wrote:
>>
>> Blacklist by DNS name (reject)
>> *pppoe*
>> *.dhcp.*
>> *ppp*
>> *dyn*
>> *dial-up*
>> *.ippool.*
>> *dial*.ru*
>> *host name is unknown*
>> *no-reverse-dns*
>
> This is interesting.
>
> I presume you're using CGP's 'Detect Blacklisted by DNS Name' setting for these?

Yes

> Have you followed up the effectiveness of these? Any false positives?

No FPs whatsoever. Blacklisted is ignored when a user SMTP-authenticates.

I had *pool* in there too at one time, which did generate FPs. Some idiots call their MTA pool.domain.dom

This "brute force" refuses (unauthenticated) incoming connections from what certainly is a DHCP IP, and from IPs without reverse DNS ("host name is unknown" in CGP speak).
A bunch of these NXDOMAINs actually resolve to "no-reverse-dns-configered", hence the last entry.

The Botnet SA plugin then does a more fine-grained rDNS evaluation, adding to the SA score for IPs that look like a client (DHCP), or those without "Full Circle DNS".

Of course some HAM is bound to hit these, so you should be careful not to score them too high. But it helps push real spam over the threshold.

These work for me:

 * 1.1 BOTNET_BADDNS Relay has no FCrDNS.
 *      [botnet_baddns,ip=23.95.231.151,rdns=8ylw.com]
 * 1.9 BOTNET_CLIENT Relay looks like a client
 *      [botnet_client,ip=158.255.208.218,rdns=218.208.255.158.in-addr.arpa,ipinhostname]

I did a quick check:
On an inbox (contains only ham): 17 messages of 3000 hit BOTNET, none of them passed the SA threshold (4.8).
On a mailbox (contains only spam): 198 of 600 hit BOTNET.

> --
> Palvelin.fi Hostmaster
> postmaster@palvelin.fi

Patrick

------------------------------------------------------------------------
zwartopwit.be - Drukkerij Bulckens
http://www.zwartopwit.be
Beastly printing from A to XXL
Industriezone Herentals
Grensstraat 9, 2270 Herenthout
+32 (0) 14 28 58 78
------------------------------------------------------------------------
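The two-layer setup described in the message above (hard reject on the rDNS name at SMTP time, skipped for authenticated users, then Botnet-style scoring inside SpamAssassin) written out as an added example. This is not code from the thread, from CommuniGate Pro or from the Botnet plugin: the glob patterns, rule names, scores and the 4.8 threshold are taken from the post, while the DNS tables, the `CLIENT_WORDS` list, the simplified "ip in hostname" test and all helper names are assumptions constructed for the example. It also shows why the dropped `*pool*` pattern is safer as a score than as a reject.

```python
import fnmatch
import ipaddress

# Glob patterns quoted in the thread (CGP "Blacklist by DNS name", reject action).
BLACKLIST_PATTERNS = [
    "*pppoe*", "*.dhcp.*", "*ppp*", "*dyn*", "*dial-up*", "*.ippool.*",
    "*dial*.ru*", "*host name is unknown*", "*no-reverse-dns*",
]
# Words that make a relay "look like a client" at the scoring layer only.
# Constructed for this example; the real Botnet plugin ships its own lists.
CLIENT_WORDS = ["*pool*", "*dhcp*", "*dyn*", "*ppp*"]

# Scores and threshold as quoted in the thread.
BOTNET_BADDNS = 1.1    # relay has no FCrDNS
BOTNET_CLIENT = 1.9    # relay looks like a client
SA_THRESHOLD = 4.8

# Constructed stand-in for DNS: PTR (reverse) and A (forward) records. No live lookups.
PTR = {
    "23.95.231.151": "8ylw.com",
    "158.255.208.218": "218.208.255.158.in-addr.arpa",
    "192.0.2.10": "mx1.example.net",
    "198.51.100.7": "pool.example.org",             # legit MTA with an unlucky name
    "203.0.113.5": None,                            # NXDOMAIN on the PTR
    "203.0.113.9": "host-9.dhcp.example.com",
    "203.0.113.77": "no-reverse-dns-configured.example",
}
A = {
    "8ylw.com": [],                                 # PTR name has no A record back
    "218.208.255.158.in-addr.arpa": ["158.255.208.218"],
    "mx1.example.net": ["192.0.2.10"],
    "pool.example.org": ["198.51.100.7"],
    "host-9.dhcp.example.com": ["203.0.113.9"],
}
UNKNOWN = "host name is unknown"   # CGP's placeholder when the PTR lookup fails


def rdns_name(ip):
    """The name CGP would match against: the PTR, or its placeholder text."""
    return PTR.get(ip) or UNKNOWN


def blacklist_match(name, patterns=BLACKLIST_PATTERNS):
    """Return the first glob that matches the rDNS name (case-insensitive), else None."""
    lname = name.lower()
    for pat in patterns:
        if fnmatch.fnmatchcase(lname, pat.lower()):
            return pat
    return None


def has_fcrdns(ip):
    """Full-circle rDNS: a PTR exists and its A record points back at the IP."""
    name = PTR.get(ip)
    return bool(name) and ip in A.get(name, [])


def ip_in_hostname(ip, name):
    """Simplified Botnet-style check (assumption): all four octets appear in the
    hostname, in forward or reverse order, joined by '.' or '-'."""
    octets = ip.split(".")
    lname = name.lower()
    for order in (octets, octets[::-1]):
        for sep in (".", "-"):
            if sep.join(order) in lname:
                return True
    return False


def botnet_score(ip):
    """Per-rule hits, named and scored the way the SA report in the thread lists them."""
    hits = {}
    name = rdns_name(ip)
    if not has_fcrdns(ip):
        hits["BOTNET_BADDNS"] = BOTNET_BADDNS
    if ip_in_hostname(ip, name) or blacklist_match(name, CLIENT_WORDS):
        hits["BOTNET_CLIENT"] = BOTNET_CLIENT
    return hits


def evaluate(ip, authenticated=False):
    """Layer 1: reject on rDNS name at SMTP time, unless the client authenticated.
    Layer 2: otherwise accept and let the Botnet rules add to the SA score."""
    ipaddress.IPv4Address(ip)          # tables are IPv4 only; raises on bad input
    name = rdns_name(ip)
    if not authenticated:
        pat = blacklist_match(name)
        if pat:
            return {"action": "reject", "rdns": name, "pattern": pat}
    hits = botnet_score(ip)
    score = round(float(sum(hits.values())), 1)
    return {"action": "accept", "rdns": name, "hits": hits, "score": score,
            "over_threshold": score >= SA_THRESHOLD}


if __name__ == "__main__":
    for ip in PTR:
        print(ip, evaluate(ip))
    print("same DHCP host, authenticated:", evaluate("203.0.113.9", authenticated=True))
    print("*pool* as a reject would have hit:", blacklist_match("pool.example.org", ["*pool*"]))
```

Note that the two Botnet rules together add at most 3.0, so on their own they never reach the 4.8 threshold; they only push a message over it in combination with other rules, which is the behaviour the post reports on its ham and spam mailboxes.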