On Tue, 18 May 2004, Matthew Byng-Maddick wrote:
> I'm considering a spamassassin rule for adding points where the rDNS
> hostname contains obvious bits of the IP address (either in hex or
> in decimal).

Many of them seem to trigger this match in our ACL:

    condition = ${if match {$sender_host_address:$sender_host_name}\
        {\N^(\d+)\.(\d+)\.(\d+)\.(\d+).*\1-0*\2-0*\3-0*\4\N} {1}{0}}

(which we can then use to cut a warning header, and rate that in
spamassassin. We're not going quite as far as rejecting them outright
- at least, not yet ;-)

Of course this only works for complete IPv4 decimal addresses, and
only if the ISP uses '-' as the delimiter within the host name: but
this is indeed a very common pattern. The names occasionally have the
IP octet values padded out with leading zero(es), so the recipe allows
for that.

But this will only trigger if the IP looks-up *both* ways, since that
is exim's rule for setting sender_host_name. If not, then they'll be
treated (within the ACL) as if the IP did not look-up, despite any PTR
record which might be found.
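
The ACL match above, as an added example that is not part of the original message: a Python port of the same backreference pattern, run over constructed address/host-name pairs to show what it catches and what it misses. The function name `looks_ip_derived`, the sample hosts, and the use of `None` to model an unset `$sender_host_name` are assumptions made for illustration.

```python
import re

# Same pattern as the ACL condition, applied to "address:hostname".
# Groups 1-4 capture the octets of the address; the backreferences then
# require the same octets, dash-separated, somewhere in the host name.
DYNAMIC_RDNS = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+).*\1-0*\2-0*\3-0*\4")


def looks_ip_derived(sender_host_address, sender_host_name):
    """Return True when the host name embeds the dashed decimal address.

    sender_host_name is None when the PTR name did not resolve back to
    the address (assumption: this models an unset $sender_host_name).
    """
    if not sender_host_name:
        return False  # no verified name, so the ACL match cannot trigger
    subject = f"{sender_host_address}:{sender_host_name}"
    return DYNAMIC_RDNS.search(subject) is not None


# Constructed samples: documentation address range and example domains.
SAMPLES = [
    ("192.0.2.17", "192-0-2-17.dsl.example.net"),        # plain dashed form
    ("192.0.2.17", "host-192-000-002-017.example.net"),  # zero-padded octets
    ("192.0.2.17", "17.2.0.192.dyn.example.net"),        # dotted, not dashed
    ("192.0.2.17", "mail.example.org"),                  # ordinary mail host
    ("192.0.2.17", None),                                # name not confirmed
    # The pattern has no boundary after the last octet, so address .1
    # also matches a name that was generated for address .17.
    ("192.0.2.1", "192-0-2-17.dsl.example.net"),
]


def classify(samples=SAMPLES):
    """Return the match result for each (address, name) pair, in order."""
    return [looks_ip_derived(addr, name) for addr, name in samples]


if __name__ == "__main__":
    for (addr, name), hit in zip(SAMPLES, classify()):
        print(f"{addr:12} {str(name):36} {'match' if hit else 'no match'}")
```
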