Re: [exim] reject sender hosts with dynamic ip

Author: Mar Matthias Darin
Date:  
To: exim-users
Subject: Re: [exim] reject sender hosts with dynamic ip
Hello,

Adam KOSA writes:

> I was trying to create a config which requires dynamic hosts to use
> their ISP's smtp server. I found this:
> http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20040913/msg00172.html
>
> which gave the original idea. So I started playing and modified it to this:
>
>   deny hosts          = \N^.*demo1.*$\N
>       log_message     = $sender_host_address is required to use ISP SMTP
>       message         = $sender_host_address rejected: You are required \
>                         to use your ISP's SMTP server!
>
> Testing confirmed it's ok. So I continued to transform the config to this:
>
> hostlist domain_reject = ${lookup mysql {SELECT concat(domain, ' : ')
> from domain_reject order by domain}}
>
> (this was a single line in the config, no linebreaks)
>
> deny hosts          = +domain_reject
>       log_message     = $sender_host_address is required to use ISP SMTP
>       message         = $sender_host_address rejected: You are required \
>                         to use your ISP's SMTP server!


Having spent seven years of time researching this area, here are the
problems I foresee you having (as has been mentioned previously on this list):

1. False positives (FP).

2. Correlating the IP address in question to the Reverse Domain Name (RDN).
There must be some analytical methodology involved that ensures the IP
address in question is related to the RDN. Without such an analysis, the
risk of FPs is unacceptably high.

3. Dynamic IP address exclusion. There must exist a method to exclude a
given IP address/range. For example, the sans.org mail servers are all on
dynamic IP addresses. Not having this will also result in unacceptably high
FPs.

4. Advanced heuristic analysis on the RDN to prevent cross-pattern FPs.
For example, secureserver.net contains the dynamic IP pattern "reserve" (Thanks
to Marc Perkel for bringing this one to my attention).

5. If all you are seeking to do is block a cidr range (ex: 10.0.0.0/8),
your firewall would be a better option.

In the 7 years of this research, I have analyzed 371+ million IP addresses
and can tell you from experience, I have had some very frustrating days and
translating foreign TOS/AUPs can be a real hair-pulling experience.

Please keep the list updated on your progress in this area.

---

DynaStop: Stopping spam one dynamic IP address at a time.
http://tanaya.net/DynaStop/
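The checks behind points 2 to 4 of the reply above (correlating the address with its reverse name, an exclusion list, and pattern matching that does not fire on "reserve" inside "secureserver"), as an added Python example that is not part of this thread, of Exim, or of DynaStop. The forward-DNS table, the excluded network and the host names are all constructed for the example; a real deployment would replace the table with live forward lookups of the reverse name, and Exim itself can supply the correlation step through its `verify = reverse_host_lookup` ACL condition.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed stand-in for forward DNS: reverse name -> addresses it resolves to.
# A real classifier would resolve the reverse name and compare (FCrDNS).
FORWARD_DNS = {
    "dyn-203-0-113-7.example-isp.net": {"203.0.113.7"},
    "mail.example-static.net": {"198.51.100.25"},
    "smtp.secureserver.example": {"198.51.100.9"},
    "dsl-pool-5.example-isp.net": {"203.0.113.201"},  # does not point at .200
}

# Point 3: addresses/ranges that must never be classified (constructed value).
EXCLUDED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Point 4: dynamic-pool tokens matched only where they are not embedded in a
# longer alphabetic run, so "reserve" inside "secureserver" is not a hit.
DYNAMIC_TOKENS = ("dyn", "dsl", "pool", "reserve", "dhcp", "ppp")
TOKEN_RE = re.compile(r"(?<![a-z])(" + "|".join(DYNAMIC_TOKENS) + r")(?![a-z])")


def _contains_run(seq, run):
    """True if list `run` occurs as a contiguous slice of list `seq`."""
    n = len(run)
    return any(seq[i:i + n] == run for i in range(len(seq) - n + 1))


def ip_embedded(ip: str, name: str) -> bool:
    """True if the IPv4 octets appear in order (or reversed) in the host name,
    e.g. 203.0.113.7 inside dyn-203-0-113-7.example-isp.net."""
    digits = [p for p in re.split(r"[^0-9]+", name) if p]
    octets = ip.split(".")
    return _contains_run(digits, octets) or _contains_run(digits, octets[::-1])


def classify(ip: str, rdn: Optional[str], forward_dns=FORWARD_DNS) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: accept, unknown, dynamic, static.
    'unknown' is deliberately not 'dynamic': an uncorrelated or missing reverse
    name is not evidence of a dynamic pool, and treating it as one is point 1."""
    addr = ipaddress.ip_address(ip)

    # Point 3: exclusions win over every other test.
    if any(addr in net for net in EXCLUDED_NETWORKS):
        return ("accept", "address is on the exclusion list")

    if rdn is None:
        return ("unknown", "no reverse name to analyse")
    name = rdn.lower().rstrip(".")

    # Point 2: the reverse name must resolve back to the connecting address.
    if ip not in forward_dns.get(name, set()):
        return ("unknown", "reverse name does not resolve back to the address")

    # Point 4: token heuristics plus embedded-octet check (IPv4 only).
    if TOKEN_RE.search(name):
        return ("dynamic", "dynamic-pool token in reverse name")
    if addr.version == 4 and ip_embedded(ip, name):
        return ("dynamic", "address octets embedded in reverse name")
    return ("static", "no dynamic-pool pattern in correlated reverse name")


if __name__ == "__main__":
    for ip, rdn in [("203.0.113.7", "dyn-203-0-113-7.example-isp.net"),
                    ("198.51.100.9", "smtp.secureserver.example"),
                    ("203.0.113.200", "dsl-pool-5.example-isp.net"),
                    ("192.0.2.10", "dyn-192-0-2-10.example-isp.net")]:
        print(ip, rdn, "->", classify(ip, rdn))
```

The policy decision (reject, defer, or merely score) is left to the caller; in an Exim ACL only the `dynamic` verdict should ever map to a `deny`, with `unknown` handled by a separate, explicit rule so that the two failure modes can be logged and tuned independently.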