Re: [exim] New spammer check: too many PTRs

Góra strony
Delete this message
Reply to this message
Autor: Chris Wilson
Data:  
Dla: W B Hacker
CC: exim users
Temat: Re: [exim] New spammer check: too many PTRs
Hi Bill,

On Sun, 28 Jun 2009, W B Hacker wrote:

>>> chris@top ~ $ host 69.10.169.230 | head -5
>>> ;; Truncated, retrying in TCP mode.
>>> 230.169.10.69.in-addr.arpa domain name pointer heavenlydonut.com.
>>> 230.169.10.69.in-addr.arpa domain name pointer pitrivertribe.org.
>>> 230.169.10.69.in-addr.arpa domain name pointer shastawebmail.com.
>>> 230.169.10.69.in-addr.arpa domain name pointer vidalvineyard.com.
>>>
>>> Looks like a spammer to me :)
>
> Chris,
>
> Why not have a look at the websites for those domain.tld?
>
> All four seem to be quite legitimate.


Good point :) I hadn't looked at the sites. They do look legit.

> What they have in common (do a whois on the IP block holder), is use of
> the services of 'shasta.com' - who's website ALSO appears to be
> legitimate.
>
> Should your server be receiving this traffic?


No:

2009-06-27 21:14:58 host name alias list truncated for 69.10.169.230
2009-06-27 21:15:03 no IP address found for host dynamicessentialsinc.co
(during SMTP connection from [69.10.169.230])
2009-06-27 21:15:03 no IP address found for host
palocedrocommunitypark.org (during SMTP connection from [69.10.169.230])
2009-06-27 21:15:07 no IP address found for host mantonvin.com (during
SMTP connection from [69.10.169.230])
2009-06-27 21:15:14 H=youthgotohealth.org (localhost) [69.10.169.230]
rejected EHLO or HELO localhost: Invalid HELO

I don't like people who say HELO localhost. They go in my sin bin.

>> Although having multiple PTRs is a bad idea and generally doesn't work
>> as desired anyway, there are 'legitimate' mail hosts that have them.
>
> Correct. Hosting multiple mail domains is one of the few, and rare, but
> necessary, reasons for having mulitple <domain>.<tld> homes onto one/few
> IP. Low-budget e-commerce *can* be another.


Why bother with PTRs in that case?

> Spambots, OTOH, seldom have even ONE non-generic PTR RR that can pass.


Yes, because that requires control of the reverse DNS, and zombies don't
control their reverse DNS. This case made me think that the site was a
full-on spamming operation.

> Your ruleset (above) is more likely to slam bystanders - those using
> budget hosting services of ISP's who have few IP's and are trying to do
> the best they can with regard to DNS entries for their mail or online
> e-commerce services.


Well, I've never seen a host with so many PTRs before in the 10 years that
I've known how to check, so I'm mighty suspicious, but OK.

> Speaking of which - you have not told us if the message coming from that
> IP was in fact unwelcome.


Never found out. HELO localhost -> bad boy.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |