Re: [exim] New spammer check: too many PTRs

Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] New spammer check: too many PTRs
Aaron Wolfe wrote:
> On Sat, Jun 27, 2009 at 4:51 PM, Chris Wilson<chris+exim@???> wrote:
>> Hi all,
>>
>> I just found the following unusual message in my Exim logs:
>>
>> 2009-06-27 21:14:58 host name alias list truncated for 69.10.169.230
>>
>> Curious, I did a DNS lookup on that IP:
>>
>> chris@top ~ $ host 69.10.169.230 | wc -l
>> 86
>>
>> chris@top ~ $ host 69.10.169.230 | head -5
>> ;; Truncated, retrying in TCP mode.
>> 230.169.10.69.in-addr.arpa domain name pointer heavenlydonut.com.
>> 230.169.10.69.in-addr.arpa domain name pointer pitrivertribe.org.
>> 230.169.10.69.in-addr.arpa domain name pointer shastawebmail.com.
>> 230.169.10.69.in-addr.arpa domain name pointer vidalvineyard.com.
>>
>> Looks like a spammer to me :)


Chris,

Why not have a look at the websites for those domain.tld?

All four seem to be quite legitimate.

What they have in common (do a whois on the IP block holder), is use of the
services of 'shasta.com' - whose website ALSO appears to be legitimate.

Should your server be receiving this traffic?

Pass.

They could be sloppy, or have easily compromised client services or web pages.

But they seem to be entirely too 'visible' to be criminally inclined.

>>
>
> Although having multiple PTRs is a bad idea and generally doesn't work
> as desired anyway, there are 'legitimate' mail hosts that have them.


Aaron,

Correct. Hosting multiple mail domains is one of the few, and rare, but
necessary, reasons for having multiple <domain>.<tld> homes on one or a few IPs.
Low-budget e-commerce *can* be another.

And is provided for in the applicable RFC's.

And is listed as a 'possibly OK' by DNS analysis tools.

> I recently had to troubleshoot a problem with a mail server that
> rejected mail from hosts with "bad" ptrs that was rejecting mail from
> a desired source. Turned out the sender had over 100 PTR records, and
> one of them matched, but the receiving mail server (or its resolver)
> only looked at the first answer in the list. I'd only use this in
> combination with other sins for blocking purposes.
>


Chris,

'Sins' yes. 'Other sins' not.

This one is not a 'sin' - just not common.

>
>> Luckily, Exim provides a way to match senders like this:
>>
>>   defer
>>         set acl_c_ptr_count = ${reduce {${lookup dnsdb{>: \
>>                 ptr=$sender_host_address}}} {0} {${eval:$value+1}}}
>>         condition = ${if >{$acl_c_ptr_count}{4}}
>>         message = Too many PTR records ($acl_c_ptr_count)

>>
>> This matches any host with more than four PTR records. I based the reduce
>> operation on the one in the manual.
>> [http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html#SECTexpcond]
>>
>> Although this is pretty ugly. I don't suppose anyone wants to implement a
>> "count" operation to count the number of items in a list? Or would accept
>> a patch for same?
>>
>> Cheers, Chris.
>> --


All,

What Exim does already (kindly peruse ~/src/hosts.c) is to build lists and
evaluate for a 'reasonable' match.

And it works as it should. Calling for reverse_host_lookup will pass - ditto a
HELO check - so long as, among the multiple PTRs returned, one is found that matches.

Spambots, OTOH, seldom have even ONE non-generic PTR RR that can pass.

That said, there *are* DNS-registered, rules-abiding, non-bot but still
unwelcome-to-many agencies that are in the direct marketing 'business'.

Some of these MAY utilize multiple domain-to-PTR mappings, but rarely so, as
these are usually sufficiently well-funded to have access to largish blocks of
IPs and do not need to do this.

Better to specifically BL such critters when you find them being rude to your
client base.

Chris,

Your ruleset (above) is more likely to slam bystanders - those using budget
hosting services of ISPs who have few IPs and are trying to do the best they
can with regard to DNS entries for their mail or online e-commerce services.

Better to catch those on unwelcome content or such.

If any.

Speaking of which - you have not told us if the message coming from that IP was
in fact unwelcome.

>> _____ __     _
>> \  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
>> / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
>> \__/_/_/_//_/___/ | We are GNU : free your mind & your software |

>>
>> --


... have a care what that 'freed' mind is *aimed* at...

;-)

Bill
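The three behaviours argued over in this thread (Chris's "more than N PTRs" rule, the receiving server Aaron describes that only examined the first PTR in the answer, and the any-PTR-may-match behaviour Bill attributes to Exim's host lookup) can be put side by side on constructed data. The script below is an added example, not code from the thread or from Exim; the addresses are RFC 5737 documentation ranges, the host names and the shared-hosting layout are hypothetical, and the "DNS" is two inline dictionaries so it runs offline. The `max_names` parameter stands in for a resolver or MTA that keeps only the first part of a long alias list, as Exim's "host name alias list truncated" log line reports.

```python
"""Forward-confirmed reverse DNS (FCrDNS) over a host with many PTRs.

Added example; not code from the exim-users thread or from Exim.
It models the three policies the thread touches on:

  * Chris's ACL: reject when a host has more than N PTR records;
  * the receiving server Aaron describes: check only the first PTR;
  * the behaviour Bill attributes to Exim's host lookup: pass if *any*
    PTR in the list forward-resolves to the connecting address.

All DNS data is constructed inline (RFC 5737 documentation addresses,
hypothetical host names) so the script runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed reverse zone: IP -> PTR names, in the order "the server"
# returns them.
REVERSE: Dict[str, List[str]] = {
    # Budget shared-hosting box: one IP, a PTR for every hosted domain.
    # Only some of those names point back at this IP.
    "203.0.113.25": [
        "www.bakery.example",        # A record points at a CDN, not here
        "winery.example",            # A record points at a CDN, not here
        "mail.tribe.example",        # the real MX: forward-confirms
        "webmail.hoster.example",
        "shop.hoster.example",
        "crm.hoster.example",
    ],
    # Consumer broadband bot: one generic PTR with no matching A record.
    "198.51.100.77": ["77-100-51-198.dyn.isp.example"],
    # No reverse record at all.
    "192.0.2.9": [],
}

# Constructed forward zone: name -> A records.
FORWARD: Dict[str, List[str]] = {
    "www.bakery.example": ["203.0.113.200"],
    "winery.example": ["203.0.113.201"],
    "mail.tribe.example": ["203.0.113.25"],
    "webmail.hoster.example": ["203.0.113.25"],
    "shop.hoster.example": ["203.0.113.25"],
    "crm.hoster.example": ["203.0.113.25"],
    # "77-100-51-198.dyn.isp.example" deliberately has no A record.
}


def ptr_names(ip: str, max_names: Optional[int] = None) -> List[str]:
    """PTR names for `ip`. `max_names` mimics a resolver or MTA that keeps
    only the first N aliases of a long answer."""
    names = REVERSE.get(ip, [])
    return names if max_names is None else names[:max_names]


def forward_confirms(name: str, ip: str) -> bool:
    """True if `name` has an A record equal to `ip`."""
    return ip in FORWARD.get(name, [])


def too_many_ptrs(ip: str, limit: int = 4) -> bool:
    """Chris's rule: more than `limit` PTRs is treated as suspicious."""
    return len(ptr_names(ip)) > limit


def fcrdns_first_only(ip: str) -> bool:
    """The fragile policy: judge the host by the first PTR only."""
    names = ptr_names(ip)
    return bool(names) and forward_confirms(names[0], ip)


def fcrdns_any(ip: str, max_names: Optional[int] = None) -> Tuple[bool, Optional[str]]:
    """Pass if any PTR (within what the resolver handed back) forward-confirms.
    Returns (passed, the name that confirmed or None)."""
    for name in ptr_names(ip, max_names):
        if forward_confirms(name, ip):
            return True, name
    return False, None


def verdict(ip: str) -> str:
    """Illustrative combination (this example's own, not Exim's): the
    FCrDNS result is the signal, the PTR count on its own is not."""
    passed, _ = fcrdns_any(ip)
    if passed:
        return "accept"
    if not ptr_names(ip):
        return "defer: no PTR"
    return "defer: PTR does not forward-confirm"


if __name__ == "__main__":
    for ip in REVERSE:
        print(f"{ip:15} ptrs={len(ptr_names(ip)):2d} "
              f"too_many={too_many_ptrs(ip)!s:5} "
              f"first_only={fcrdns_first_only(ip)!s:5} "
              f"any={fcrdns_any(ip)[0]!s:5} -> {verdict(ip)}")
    # Truncating the alias list to 2 drops the confirming name entirely.
    print("truncated to 2:", fcrdns_any("203.0.113.25", max_names=2))
```

Running it shows the shared-hosting box tripping Chris's count rule and failing the first-PTR-only check while passing the any-match check on its third name; the bot has a single PTR (so the count rule is silent) but never forward-confirms; and truncating the answer to its first two names loses the confirming record, which is the failure mode Aaron ran into.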