Re: [exim] New spammer check: too many PTRs

Author: Aaron Wolfe
Date:  
To: exim-users
Subject: Re: [exim] New spammer check: too many PTRs
On Sat, Jun 27, 2009 at 4:51 PM, Chris Wilson <chris+exim@???> wrote:
> Hi all,
>
> I just found the following unusual message in my Exim logs:
>
>   2009-06-27 21:14:58 host name alias list truncated for 69.10.169.230
>
> Curious, I did a DNS lookup on that IP:
>
>   chris@top ~ $ host 69.10.169.230 | wc -l
>   86
>
>   chris@top ~ $ host 69.10.169.230 | head -5
>   ;; Truncated, retrying in TCP mode.
>   230.169.10.69.in-addr.arpa domain name pointer heavenlydonut.com.
>   230.169.10.69.in-addr.arpa domain name pointer pitrivertribe.org.
>   230.169.10.69.in-addr.arpa domain name pointer shastawebmail.com.
>   230.169.10.69.in-addr.arpa domain name pointer vidalvineyard.com.
>
> Looks like a spammer to me :)
>


Although having multiple PTRs is a bad idea and generally doesn't work
as desired anyway, there are 'legitimate' mail hosts that have them.
I recently had to troubleshoot a problem with a mail server that
rejected mail from hosts with "bad" PTRs that was rejecting mail from
a desired source. Turned out the sender had over 100 PTR records, and
one of them matched, but the receiving mail server (or its resolver)
only looked at the first answer in the list. I'd only use this in
combination with other sins for blocking purposes.


> Luckily, Exim provides a way to match senders like this:
>
>   defer
>         set acl_c_ptr_count = ${reduce {${lookup dnsdb{>: \
>                 ptr=$sender_host_address}}} {0} {${eval:$value+1}}}
>         condition = ${if >{$acl_c_ptr_count}{4}}
>         message = Too many PTR records ($acl_c_ptr_count)
>
> This matches any host with more than four PTR records. I based the reduce
> operation on the one in the manual.
> [http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html#SECTexpcond]
>
> Although this is pretty ugly. I don't suppose anyone wants to implement a
> "count" operation to count the number of items in a list? Or would accept
> a patch for same?
>
> Cheers, Chris.
> --
> _____ __     _
> \  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
> / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
> \__/_/_/_//_/___/ | We are GNU : free your mind & your software |
>
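
The failure mode described in the reply, as an added example that is not part of the original thread: a check that confirms only the first PTR answer, beside one that confirms every answer and treats the PTR count as one signal among several. The zone data, the scoring weights and the block threshold are constructed, and reading "matched" as forward-confirmed reverse DNS is an assumption.

```python
# Added example. All hosts, addresses and weights below are constructed.
PTRS = {  # reverse zone: IP -> PTR answers, in resolver order
    "192.0.2.10": [f"site{i}.example.net." for i in range(100)]
                  + ["mail.example.org."],
    "192.0.2.20": ["mx.example.com."],
}
FORWARD = {  # forward zone: name -> A records
    "mail.example.org": ["192.0.2.10"],
    "mx.example.com": ["192.0.2.20"],
}

def ptr_lookup(ip):
    """Stand-in for a reverse lookup; returns every PTR name, normalised."""
    return [n.rstrip(".").lower() for n in PTRS.get(ip, [])]

def addr_lookup(name):
    """Stand-in for a forward A lookup."""
    return FORWARD.get(name, [])

def confirmed_first_only(ip):
    """The failure mode from the reply: only the first PTR answer is checked."""
    names = ptr_lookup(ip)
    return bool(names) and ip in addr_lookup(names[0])

def confirmed_names(ip):
    """Forward-confirm every PTR name and return the ones that map back."""
    return [n for n in ptr_lookup(ip) if ip in addr_lookup(n)]

def sin_score(ip, other_sins=0, max_ptrs=4):
    """Count 'too many PTRs' as one signal (weights are hypothetical)."""
    score = other_sins
    if len(ptr_lookup(ip)) > max_ptrs:   # same threshold as the quoted ACL
        score += 1
    if not confirmed_names(ip):          # no PTR name resolves back to the client
        score += 2
    return score

def should_block(ip, other_sins=0, threshold=3):
    """Block only when the combined score reaches the (hypothetical) threshold."""
    return sin_score(ip, other_sins) >= threshold

if __name__ == "__main__":
    for ip in PTRS:
        print(ip, len(ptr_lookup(ip)), confirmed_first_only(ip),
              confirmed_names(ip), sin_score(ip), should_block(ip))
```
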