David Saez Padros wrote:
> Hi !!
>
>
>>Need a quick regex to look at the sender host name and see if it looks
>>like a dynamic IP address. I'm sure there must be one floating around
>>somewhere.
>
'looks like' a dynamic IP if/as/when the IP does not resolve.
That is not the only reason, but it is a hard one for zombies to
get around, and reasonably low on genuine false-positives.
Bill
>
> I use this one:
>
> # Dial-up/cable/dsl check
>
> dialup_acl:
>
> accept condition = ${if def:acl_c3}
> condition = $acl_c3
>
> deny condition = ${if def:acl_c3}
>
> accept acl = raw_dialup_acl
> set acl_c3 = yes
>
> deny set acl_c3 = no
>
> raw_dialup_acl:
>
> # Known not dialup hosts
>
> deny hosts = *.amazon.com:*.yahoo.com:*.hotmail.com
>
> # Get hostname on acl_c4
>
> warn condition = ${if !def:acl_c4}
> condition = ${if eq {$sender_host_name}{}}
> set acl_c4 = ${lookup dnsdb{defer_never,ptr=$sender_host_address}\
> {${lc:$value}}{}}
>
> warn condition = ${if !def:acl_c4}
> set acl_c4 = ${lc:$sender_host_name}
>
> accept condition = ${if eq {$acl_c4}{}}
>
> accept condition = ${if match {$acl_c4}\
> {\N\b[a-z]*?(\d{1,3}[\.\-x]\d{1,3}|\
> ([a-z]?dsl(am)?|dhcp|tnt|ipt|pool|nas|cvx|leased|\
> slip|user|subscriber|d[iu]p|modem(cable)?|ppp(oe)?|\
> dyn(amic)?|dial(up|in)?|cust(omers?)?|(end)?users?|\
> d?cliente?)\d*?)\b\N}}
>
> accept condition = ${if match {$acl_c4}{\N\d{5,}\N}}
>
> accept condition = ${if match {$acl_c4}\
> {(comcast\.net|ips\.sarenet\.es|prod-empresarial\.com\.mx|\
> rodos\.acn\.gr|res\.rr\.com|ks\.charter\.com|\
> abi\.uni2\.es|e\.brasiltelecom\.net\.br|\
> bigpond\.net\.au|ip\.fastwebnet\.it|\
> miyagi\.ocn\.ne\.jp|telecom-bg|speed\.planet\.nl)\$}}
>
> accept dnslists = dnsbl.sorbs.net=127.0.0.10:\
> dialup.blacklist.jippg.org:dynablock.easynet.nl
>
> deny
>
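An added example, not part of either poster's message: the hostname tests from raw_dialup_acl ported to Python's re module so the patterns can be tried offline against candidate PTR names before they go into a live ACL. The function name classify, the rule labels and the sample hostnames are constructed for illustration; the DNSBL step is left out because it needs network access, and the whitelist is applied to the same name string rather than through Exim's own hosts lookup.

```python
import re

# Port of the three hostname patterns quoted in raw_dialup_acl above.
GENERIC = re.compile(
    r"\b[a-z]*?(\d{1,3}[\.\-x]\d{1,3}|"
    r"([a-z]?dsl(am)?|dhcp|tnt|ipt|pool|nas|cvx|leased|"
    r"slip|user|subscriber|d[iu]p|modem(cable)?|ppp(oe)?|"
    r"dyn(amic)?|dial(up|in)?|cust(omers?)?|(end)?users?|"
    r"d?cliente?)\d*?)\b"
)
LONG_DIGITS = re.compile(r"\d{5,}")
ISP_SUFFIX = re.compile(
    r"(comcast\.net|ips\.sarenet\.es|prod-empresarial\.com\.mx|"
    r"rodos\.acn\.gr|res\.rr\.com|ks\.charter\.com|"
    r"abi\.uni2\.es|e\.brasiltelecom\.net\.br|"
    r"bigpond\.net\.au|ip\.fastwebnet\.it|"
    r"miyagi\.ocn\.ne\.jp|telecom-bg|speed\.planet\.nl)$"
)
KNOWN_STATIC = (".amazon.com", ".yahoo.com", ".hotmail.com")


def classify(ptr_name):
    """Return the label of the rule that flags the host as dynamic, or None."""
    name = (ptr_name or "").lower()      # mirrors ${lc:...}
    if name.endswith(KNOWN_STATIC):
        return None                      # "Known not dialup hosts"
    if name == "":
        return "no-ptr"                  # empty acl_c4: the IP did not resolve
    if GENERIC.search(name):
        return "generic-pattern"
    if LONG_DIGITS.search(name):
        return "long-digit-run"
    if ISP_SUFFIX.search(name):
        return "isp-suffix"
    return None                          # DNSBL lookups omitted here


# Constructed sample PTR names, not taken from real traffic.
SAMPLES = ["", "mail.example.org", "host-192-0-2-45.example.net",
           "adsl-pool7.example.net", "c1234567.example.net",
           "h1.res.rr.com", "smtp.yahoo.com", "carpool.example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s or '(no PTR)':32} -> {classify(s)}")
```

The last sample shows the cost of the keyword list: any label that merely ends in one of the keywords, such as "carpool", is flagged, so a run like this over names from your own logs is a quick way to estimate false positives.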