[exim] Unusual DNS Lists available

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Marc Perkel
Fecha:  
A: exim users
Asunto: [exim] Unusual DNS Lists available
I added a number of new lists. Some of these may not be useful for
anything but thought I'd put them out there in case someone figures out
a use. Constructive Feedback appreciated.

http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List


Registrar Barrier DNS List


       From Computer Tyme Support Wiki


Jump to: navigation
<http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List#column-one>,
search
<http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List#searchInput>


    Contents


[hide <javascript:toggleToc()>]

    * 1 DNS Lookup to Separate the domain part of a hostname
      <http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List#DNS_Lookup_to_Separate_the_domain_part_of_a_hostname>


          o 1.1 Exim Configuration
            <http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List#Exim_Configuration>
    * 2 Other DNS Lists
      <http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List#Other_DNS_Lists>


          o 2.1 Free Mail Domains List
            <http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List#Free_Mail_Domains_List>
          o 2.2 ISP Hosts List
            <http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List#ISP_Hosts_List>
          o 2.3 HELO Match List
            <http://wiki.ctyme.com/index.php/Registrar_Barrier_DNS_List#HELO_Match_List>


[edit
<http://wiki.ctyme.com/index.php?title=Registrar_Barrier_DNS_List&action=edit&section=1>]


DNS Lookup to Separate the domain part of a hostname

This DNS lookup helps you find the main domain part (Registrar Barrier)
of a hostname. Sometimes it is reffered to as two level TLDs and three
level TLDs. Lookups are accomplished through DNS calls as follows:

dig perkel.com.rb.junkemailfilter.com         - returns 127.0.0.1
dig perkel.co.uk.rb.junkemailfilter.com       - returns 127.0.0.2
dig perkel.state.ca.us.rb.junkemailfilter.com - returns 127.0.0.3


This is a service of Junk Email Filter dot com
<http://www.junkemailfilter.com>. One of many technologies used in
advanced email filtering.

[edit
<http://wiki.ctyme.com/index.php?title=Registrar_Barrier_DNS_List&action=edit&section=2>]


    Exim Configuration


If you are running Exim <http://www.exim.org> you can use this as follows:

# This example calls rb_resolve as an ACL subroutine setting acl_c_sender_host_domain
# from $acl_c_rb_result. Using the acl subroutine allows you to extract the
# registrar barrier part from and host string such as HELO.

warn    set acl_c_rb_query = $sender_host_name
    acl = rb_resolve
    set acl_c_sender_host_domain = $acl_c_rb_result


# ACL Subroutine that returns that registry barrier part of a string. The string is
# passed in acl_c_rb_query and returned in acl_c_rb_result.
# Example: mx.junkemailfilter.com returns junkemailfilter.com

rb_resolve:

# Separates the domain part of a hostname - ftp.perkel.com returns perkel.com
# DNS lookup returns 127.0.0.1 for single level domains
# DNS lookup returns 127.0.0.2 for two level domains
# DNS lookup returns 127.0.0.3 for three level domains

warn    set acl_c_rb_result =
    set acl_c_rb_query = ${lc:$acl_c_rb_query}


accept    condition = ${if eq{$acl_c_rb_query}{}}


accept    !dnslists = rb.junkemailfilter.com/$acl_c_rb_query


accept    condition = ${if eq{$dnslist_value}{127.0.0.1}}
    set acl_c_rb_result = ${sg{$acl_c_rb_query}{\N^(.*\.)?(.*\..*)$\N}{\$2}}


accept    condition = ${if eq{$dnslist_value}{127.0.0.2}}
    set acl_c_rb_result = ${sg{$acl_c_rb_query}{\N^(.*\.)?(.*\..*\..*)$\N}{\$2}}


accept    condition = ${if eq{$dnslist_value}{127.0.0.3}}
    set acl_c_rb_result = ${sg{$acl_c_rb_query}{\N^(.*\.)?(.*\..*\..*\..*)$\N}{\$2}}


accept

[edit
<http://wiki.ctyme.com/index.php?title=Registrar_Barrier_DNS_List&action=edit&section=3>]


Other DNS Lists

Junk Email Filter produces a number of other lists that return
information about host names.

[edit
<http://wiki.ctyme.com/index.php?title=Registrar_Barrier_DNS_List&action=edit&section=4>]


    Free Mail Domains List


These are a list of host names of provider of free email accounts that
are often used for fraud scams. The list includes names like yahoo.com,
hotmail.com, gmail.com. This is not a block list. It is used to
determine if the account used comes from a freemail provider.

Usage:

dig yahoo.com.freemaildomains.junkemailfilter.com

For example. Spammers sometimes send email from a hotmail.com account
and have the reply-to set to a gmail.com account. That way when the
sender gets shut down for spamming the reply-to still works.

Here's an example of an Exim rule to block this.

# Freemail Tests

warn    dnslists = freemaildomains.junkemailfilter.com/${domain:${lc:$h_From:}}
    add_header = X-Freemail-From: ${domain:${lc:$h_From:}}
    set acl_c_freemail = yes
    set acl_c_freemail_from = ${domain:${lc:$h_From:}}

    
warn    dnslists = freemaildomains.junkemailfilter.com/${domain:${lc:$h_Reply-to:}}
    add_header = X-Freemail-Reply-to: ${domain:${lc:$h_Reply-to:}}
    set acl_c_freemail = yes
    set acl_c_freemail_reply = ${domain:${lc:$h_Reply-to:}}


deny    condition = ${if def:acl_c_freemail}
    condition = ${if eq{$sender_host_name}{}}


deny    condition = ${if def:acl_c_freemail_reply}
    condition = ${if def:acl_c_freemail_from}
    !condition = ${if eqi{${local_part:$h_From:}@${domain:$h_From:}} \
        {${local_part:$h_Reply-to:}@${domain:$h_Reply-to:}}}


[edit
<http://wiki.ctyme.com/index.php?title=Registrar_Barrier_DNS_List&action=edit&section=5>]


    ISP Hosts List


The ISP list are domains that provide DSL or cable modem access to end
users. We use the list internally as an exclusion list when we test for
conditions excepting ISPs. This list is generated by using the registry
barrier of hosts that are classified as dynamic IP ranges. We don't know
how useful this list is to you but if you find a good use for it let us
know.

dig comcast.com.isphosts.junkemailfilter.com

[edit
<http://wiki.ctyme.com/index.php?title=Registrar_Barrier_DNS_List&action=edit&section=6>]


    HELO Match List


This is another list we generate that seems like it should be useful but
haven't yet figures out how. This list matches the registry barrier of
the FCrDNS of the connecting host with the registry barrier of the HELO.
If they match it is more likely to be not spam than spam. If you find a
use for this let us know.

dig yahoo.com.helomatch.junkemailfilter.com