Re: More sorbs blacklisting
On Mon, 10 Jul 2006 03:09:30 +0200, you wrote:
>Example on the above: Mail from lists.debian.org is HELO'ed with
>murphy.debian.org, here, and the connection comes from 70.103.162.31,
>which has rDNS murphy.debian.org. Had that last domain been something
>else, 70.103.162.31 wouldn't have been legitimate, in this meaning of
>the word?
I don't check what HELO says. I check matching forward/reverse DNS of
the mail server host IP address. Every legitimate mail server should
have matching DNS, forward and reverse.
# host 70.103.162.31
31.162.103.70.in-addr.arpa domain name pointer murphy.debian.org.
# host murphy.debian.org.
murphy.debian.org has address 70.103.162.31
... and thus murphy.debian.org passes the test.
>If so, could one not merely drop all incoming smtp-connections which
>neither originated from rDNS-legitimate addresses
Checking for a match of forward and reverse DNS is my first line of
defense. It stops 60% - 70% of the spam hitting my server.
Everything passing the first defense has a known host name, so I can
use regex filtering to catch dsl/adsl/dynamic/whatever host names. I
also query dynablock.njabl.org, to supplement my local filters. That
completes my second line of defense.
For the third line of defense, I check:
dnsbl.njabl.org
list.dsbl.org
sbl-xbl.spamhaus.org
bl.spamcop.net
Anything passing the first three defenses then goes to clamav-milter,
which checks for viruses.
However, the first three lines of defense are so effective, I have no
need for content filtering of spam, and that means I keep a very cool
CPU. :-)
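The three lines of defense described in the reply above, as an added worked example that is not the mail author's own filter code. The forward-confirmed reverse DNS check, the dynamic-hostname regex and the reversed-octet DNSBL query name are the techniques the mail describes; the lookup tables are constructed so the script runs offline (only the murphy.debian.org / 70.103.162.31 pair is taken from the mail; the other addresses are documentation ranges, and "dnsbl.example" is a placeholder zone, not a real list). The regex is deliberately short and illustrative, and `live_ptr` / `live_a` show how the same logic would be pointed at real DNS.

```python
import re
import socket
from typing import List, Optional

# Constructed lookup tables standing in for live DNS so the example runs
# offline. The murphy.debian.org / 70.103.162.31 pair is the one from the
# mail; every other address (documentation ranges) and name is invented.
PTR_RECORDS = {
    "70.103.162.31": ["murphy.debian.org"],
    "192.0.2.10": ["dsl-192-0-2-10.example.net"],  # dynamic-looking name
    "192.0.2.20": ["mail.example.org"],            # PTR exists, forward disagrees
    "192.0.2.30": ["relay.example.com"],           # consistent DNS, but DNSBL-listed
}
A_RECORDS = {
    "murphy.debian.org": ["70.103.162.31"],
    "dsl-192-0-2-10.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.5"],
    "relay.example.com": ["192.0.2.30"],
}
# Constructed DNSBL zone ("dnsbl.example" is a placeholder, not a real list):
# keys are the reversed-octet query names, values the listing answer.
DNSBL_ZONE = {
    "30.2.0.192.dnsbl.example": "127.0.0.2",
}

def lookup_ptr(ip: str) -> List[str]:
    return PTR_RECORDS.get(ip, [])

def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])

def lookup_dnsbl(qname: str) -> Optional[str]:
    return DNSBL_ZONE.get(qname)

# Live equivalents, for pointing the same logic at real DNS (not used by the
# offline run below).
def live_ptr(ip: str) -> List[str]:
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def live_a(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def fcrdns(ip: str, ptr=lookup_ptr, a=lookup_a) -> Optional[str]:
    """First line of defense: the PTR name whose forward lookup contains ip,
    or None when reverse and forward DNS do not agree."""
    for name in ptr(ip):
        if ip in a(name):
            return name
    return None

# Second line of defense: an illustrative pattern for provider-style dynamic
# host names (keyword labels, or an IP address baked into the name).
DYNAMIC_HOST_RE = re.compile(
    r"(^|[.-])(adsl|dsl|dyn|dynamic|dhcp|ppp|pool|cable)[.-]"
    r"|\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}",
    re.IGNORECASE,
)

def looks_dynamic(hostname: str) -> bool:
    return DYNAMIC_HOST_RE.search(hostname) is not None

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects, e.g. 31.162.103.70.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_listed(ip: str, zone: str, resolve=lookup_dnsbl) -> bool:
    """Third line of defense: any answer for the query name means 'listed'."""
    return resolve(dnsbl_query_name(ip, zone)) is not None

def classify(ip: str, zones=("dnsbl.example",),
             ptr=lookup_ptr, a=lookup_a, resolve=lookup_dnsbl) -> str:
    """Apply the three checks in order and report the first one that fails."""
    name = fcrdns(ip, ptr, a)
    if name is None:
        return "reject: no forward-confirmed rDNS"
    if looks_dynamic(name):
        return f"reject: dynamic-looking host {name}"
    for zone in zones:
        if dnsbl_listed(ip, zone, resolve):
            return f"reject: {ip} listed in {zone}"
    return f"accept: {name}"

if __name__ == "__main__":
    for ip in ("70.103.162.31", "192.0.2.10", "192.0.2.20",
               "192.0.2.30", "203.0.113.9"):
        print(ip, "->", classify(ip))
```

Because each check is a plain function taking its resolver as an argument, the same code can be exercised against the constructed tables in a test and against `live_ptr` / `live_a` in production; the ordering matters, since only hosts that already pass the DNS check have a name worth running the regex over.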