[exim] New spammer check: too many PTRs

Author: Chris Wilson
Date:  
To: exim-users
CC: Jaco Kroon
Subject: [exim] New spammer check: too many PTRs
Hi all,

I just found the following unusual message in my Exim logs:

2009-06-27 21:14:58 host name alias list truncated for 69.10.169.230

Curious, I did a DNS lookup on that IP:

chris@top ~ $ host 69.10.169.230 | wc -l
86

chris@top ~ $ host 69.10.169.230 | head -5
;; Truncated, retrying in TCP mode.
230.169.10.69.in-addr.arpa domain name pointer heavenlydonut.com.
230.169.10.69.in-addr.arpa domain name pointer pitrivertribe.org.
230.169.10.69.in-addr.arpa domain name pointer shastawebmail.com.
230.169.10.69.in-addr.arpa domain name pointer vidalvineyard.com.

Looks like a spammer to me :)

Luckily, Exim provides a way to match senders like this:

   defer
         set acl_c_ptr_count = ${reduce {${lookup dnsdb{>: \
                 ptr=$sender_host_address}}} {0} {${eval:$value+1}}}
         condition = ${if >{$acl_c_ptr_count}{4}}
         message = Too many PTR records ($acl_c_ptr_count)


This matches any host with more than four PTR records. I based the reduce
operation on the one in the manual.
[http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html#SECTexpcond]

Although this is pretty ugly. I don't suppose anyone wants to implement a
"count" operation to count the number of items in a list? Or would accept
a patch for same?

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
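
Added example, not part of the original message: a shell sketch for triaging these hosts offline, which pulls the flagged IPs out of the Exim log and counts only the "domain name pointer" lines of `host` output against the ACL's limit of four. The function names are hypothetical, and the sample lines marked in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
PTR_LIMIT=4   # same threshold as the ACL: more than four PTRs is suspicious

# Read an Exim main log on stdin; print each distinct flagged IP once.
truncated_ips() {
    sed -n 's/^.* host name alias list truncated for \([0-9a-fA-F.:]*\)$/\1/p' |
        sort -u
}

# Read `host <ip>` output on stdin; count PTR answers only, so notices
# like ";; Truncated, retrying in TCP mode." are not counted.
count_ptrs() {
    grep -c ' domain name pointer ' || true   # grep exits 1 on zero matches
}

# Exit 0 when the count ($1) exceeds the limit ($2, default PTR_LIMIT).
too_many_ptrs() {
    [ "$1" -gt "${2:-$PTR_LIMIT}" ]
}

# Log line 1 is from the post; lines 2 and 3 are constructed.
sample_log() {
cat <<'EOF'
2009-06-27 21:14:58 host name alias list truncated for 69.10.169.230
2009-06-27 21:15:02 host name alias list truncated for 69.10.169.230
2009-06-27 21:16:40 Start queue run: pid=1234
EOF
}

# The first five lines are from the post; the example.* lines are constructed.
sample_host_output() {
cat <<'EOF'
;; Truncated, retrying in TCP mode.
230.169.10.69.in-addr.arpa domain name pointer heavenlydonut.com.
230.169.10.69.in-addr.arpa domain name pointer pitrivertribe.org.
230.169.10.69.in-addr.arpa domain name pointer shastawebmail.com.
230.169.10.69.in-addr.arpa domain name pointer vidalvineyard.com.
230.169.10.69.in-addr.arpa domain name pointer example.com.
230.169.10.69.in-addr.arpa domain name pointer example.net.
EOF
}

for ip in $(sample_log | truncated_ips); do
    n=$(sample_host_output | count_ptrs)   # live use: host "$ip" | count_ptrs
    if too_many_ptrs "$n"; then
        echo "$ip: $n PTR records (limit $PTR_LIMIT)"
    fi
done
```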