Mailing List cgpsa-discuss@mail.tffenterprises.com Message #4265
From: Patrick Sneyers <patrick@bulckens.com>
Subject: Re: [CGPSA] Test
Date: Tue, 28 Nov 2017 14:34:17 +0100
To: CGPSA Discussion List <cgpsa-discuss@mail.tffenterprises.com>
>
> On 28 Nov 2017, at 11:42, Palvelin Postmaster <postmaster@palvelin.fi> wrote:
>
>> On 28 Nov 2017, at 11:16, Patrick Sneyers <patrick@bulckens.com> wrote:
>>
>> Blacklist by DNS name (reject)
>> *pppoe*
>> *.dhcp.*
>> *ppp*
>> *dyn*
>> *dial-up*
>> *.ippool.*
>> *dial*.ru*
>> *host name is unknown*
>> *no-reverse-dns*
>
> This is interesting.
>
> I presume you’re using CGP’s 'Detect Blacklisted by DNS Name’ setting for these?

Yes

> Have you followed up the effectiveness of these? Any false positives?
>

No FPs whatsoever. The blacklist is ignored when a user SMTP-authenticates.
I had *pool* in there too at one time, which did generate FPs. Some idiots call their MTA pool.domain.dom.

This "brute force" refuses (unauthenticated) incoming connections from what certainly is a DHCP IP, and from IPs without reverse DNS ("host name is unknown" in CGP speak).
A bunch of these NXDOMAINs actually resolve to "no-reverse-dns-configered", hence the last entry.

The Botnet SA plugin then does a more fine-grained rDNS evaluation, adding to the SA score for IPs that look like a client (DHCP), or those without "Full Circle DNS".
Of course some ham is bound to hit these, so you should be careful not to score them too high. But it helps push real spam over the threshold.

These work for me:

*  1.1 BOTNET_BADDNS Relay has no FCrDNS.
*      [botnet_baddns,ip=23.95.231.151,rdns=8ylw.com]

*  1.9 BOTNET_CLIENT Relay looks like a client
* [botnet_client,ip=158.255.208.218,rdns=218.208.255.158.in-addr.arpa,ipinhostname]

I did a quick check:
On an inbox (contains only ham): 17 of 3000 messages hit BOTNET, none of them passed the SA threshold (4.8).
On a mailbox (contains only spam): 198 of 600 hit BOTNET.



> --
> Palvelin.fi Hostmaster
> postmaster@palvelin.fi

Patrick

------------------------------------------------------------------------
zwartopwit.be - Drukkerij Bulckens
http://www.zwartopwit.be
Beestig drukwerk van A tot XXL

Industriezone Herentals
Grensstraat 9, 2270 Herenthout
+32 (0) 14 28 58 78
------------------------------------------------------------------------
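The two-stage setup Patrick describes (a connect-time reject on the relay's rDNS name, skipped for SMTP-authenticated users, followed by a softer Botnet-style score inside SpamAssassin) as an added, stand-alone example. This is not code from the thread, from CommuniGate Pro or from the SpamAssassin Botnet plugin. It assumes CGP's "Blacklisted by DNS Name" globs behave like shell globs (Python's fnmatch), uses a constructed forward-DNS table and constructed connections in documentation address ranges instead of real lookups, and approximates the plugin's "ipinhostname" test as "all four octets appear consecutively in the hostname, forwards or reversed". The rule scores (1.1, 1.9) and the 4.8 threshold are the ones quoted in the mail.

```python
import fnmatch
import ipaddress
import re

# Globs from the "Blacklist by DNS name (reject)" list quoted in the thread.
# Assumption: CGP matches them like shell globs, so fnmatch is used here.
DNS_NAME_BLACKLIST = [
    "*pppoe*", "*.dhcp.*", "*ppp*", "*dyn*", "*dial-up*", "*.ippool.*",
    "*dial*.ru*", "*host name is unknown*", "*no-reverse-dns*",
]

# Constructed forward-DNS table (hostname -> A records) so the example runs
# offline; a real check would perform the A lookup.
FORWARD_DNS = {
    "mail.example.com": ["192.0.2.10"],
    "pool.example.net": ["192.0.2.20"],
    "web.example.org": ["203.0.113.99"],  # resolves, but not to the connecting IP
}

# Rule scores and SA threshold quoted in the mail.
SCORE_BADDNS = 1.1
SCORE_CLIENT = 1.9
SA_THRESHOLD = 4.8


def dns_name_blacklisted(rdns, patterns=DNS_NAME_BLACKLIST):
    """Return the first glob matching the relay's rDNS name, else None.
    A relay with no PTR record is represented the way CGP reports it,
    "host name is unknown", so the matching glob catches it."""
    name = (rdns or "host name is unknown").lower().rstrip(".")
    for pat in patterns:
        if fnmatch.fnmatchcase(name, pat.lower()):
            return pat
    return None


def reject_connection(ip, rdns, authenticated, patterns=DNS_NAME_BLACKLIST):
    """Connect-time gate: an SMTP-authenticated client (e.g. a roaming user
    on a DHCP address) is never rejected by DNS name; everyone else is."""
    if authenticated:
        return None
    return dns_name_blacklisted(rdns, patterns)


def has_fcrdns(ip, rdns, forward_table):
    """Full-circle rDNS: the PTR name exists and resolves back to the IP."""
    if not rdns:
        return False
    return ip in forward_table.get(rdns.lower().rstrip("."), ())


def ip_in_hostname(ip, rdns):
    """Client-looking rDNS: all four octets appear as consecutive numbers in
    the name, in order or reversed (e.g. 198-51-100-23.x or an in-addr.arpa
    name). Simplified stand-in for the Botnet plugin's ipinhostname test."""
    try:
        octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    except ValueError:
        return False  # not an IPv4 address; heuristic does not apply
    nums = [int(t) for t in re.findall(r"\d+", rdns)]
    for seq in (octets, octets[::-1]):
        for i in range(len(nums) - 3):
            if nums[i:i + 4] == seq:
                return True
    return False


def botnet_score(ip, rdns, forward_table):
    """Additive scoring in the spirit of BOTNET_BADDNS / BOTNET_CLIENT.
    Returns (score, list of rule names hit)."""
    score, hits = 0.0, []
    if not has_fcrdns(ip, rdns, forward_table):
        score += SCORE_BADDNS
        hits.append("BOTNET_BADDNS")
    if rdns and ip_in_hostname(ip, rdns):
        score += SCORE_CLIENT
        hits.append("BOTNET_CLIENT")
    return round(score, 2), hits


def evaluate(ip, rdns, authenticated, forward_table=FORWARD_DNS,
             patterns=DNS_NAME_BLACKLIST):
    """Both stages: reject at connect time, otherwise score for SA."""
    pat = reject_connection(ip, rdns, authenticated, patterns)
    if pat:
        return {"action": "reject", "pattern": pat}
    score, hits = botnet_score(ip, rdns, forward_table)
    return {"action": "accept", "score": score, "hits": hits,
            "over_threshold": score >= SA_THRESHOLD}


if __name__ == "__main__":
    # Constructed connections (documentation address ranges).
    SAMPLE = [
        ("192.0.2.10", "mail.example.com", False),                     # clean MTA
        ("203.0.113.77", None, False),                                 # no PTR
        ("198.51.100.23", "198-51-100-23.dyn.example.org", False),     # DHCP-style
        ("203.0.113.5", "cust-203-0-113-5.pppoe.example.net", True),   # SMTP AUTH
        ("192.0.2.20", "pool.example.net", False),                     # the '*pool*' FP
        ("203.0.113.9", "web.example.org", False),                     # PTR, no FCrDNS
        ("203.0.113.9", "9.113.0.203.in-addr.arpa", False),            # octets in name
    ]
    for ip, rdns, auth in SAMPLE:
        print(f"{ip:14} {str(rdns):38} auth={auth!s:5} -> {evaluate(ip, rdns, auth)}")
```

Two things the run makes visible: adding "*pool*" to the glob list (pass `DNS_NAME_BLACKLIST + ["*pool*"]` as `patterns`) rejects the legitimately named pool.example.net at connect time, which is the false positive Patrick removed; and even a relay that trips both Botnet rules only reaches 3.0, below the 4.8 threshold, so these scores push borderline spam over the line rather than condemning a message on their own.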

