block email from dynamic IP
on 29.10.2007 21:45:22 by dlac
I am trying to generate a set of rulesets that can block email from dynamic IP space (sorry to all of the good
guys who want to do this) and have the problem that I cannot bypass the rule with access.db entries. I thought
delay_checks was supposed to provide the way to do this.
i.e. even if I put the following in my access.db,
xxx.xxx.xxx OK
The ruleset below will still process the relay address and reject it if it matches xxx-xxx-xxx-xxx.dls.spamer.com.
I am sure that I am missing something, but I'm not getting it.
LOCAL_CONFIG
Kdsl1 regex -a@MATCH ([0-9].*){5,}
LOCAL_RULESETS
SLocal_check_relay
R$* $: $(dsl1 $&{client_name} $)
R@MATCH $#error $@ 5.7.1 $: "554 DSL sender "$&{client_name} " [" $&{client_addr} "] (1), Dynamic IP"
--
David L. Aldridge
The Aldridge Company 713-403-9150 (fax: 713-621-1826)
http://www.aldridge.com/
Powered by Pentium/FreeBSD/Apache - Because it works.
Re: block email from dynamic IP
on 29.10.2007 21:51:10 by Shion
David L. Aldridge wrote:
> I am trying to generate a set of rulesets that can block email from dynamic IP space (sorry to all of the good
> guys who want to do this) and have the problem that I cannot bypass the rule with access.db entries. I thought
> delay_checks was supposed to provide the way to do this.
I think it will be easier to use some dns-blacklists than trying to block what
you think may be dynamic ips.
A fast and easy way to block the majority of spam would just be to deny mail from
US and China, and it is a lot easier too.
--
//Aho
Re: block email from dynamic IP
on 29.10.2007 21:58:01 by dlac
On Mon, 29 Oct 2007 21:51:10 +0100, "J.O. Aho" wrote:
>David L. Aldridge wrote:
>> I am trying to generate a set of rulesets that can block email from dynamic IP space (sorry to all of the good
>> guys who want to do this) and have the problem that I cannot bypass the rule with access.db entries. I thought
>> delay_checks was supposed to provide the way to do this.
>
>I think it will be easier to use some dns-blacklists than trying to block what
>you think may be dynamic ips.
>
>A fast and easy way to block the majority of spam would just be to deny mail from
>US and China, and it is a lot easier too.
That is precisely what I do not want to do. Thank you.
--
David L. Aldridge
The Aldridge Company 713-403-9150 (fax: 713-621-1826)
http://www.aldridge.com/
Powered by Pentium/FreeBSD/Apache - Because it works.
Re: block email from dynamic IP
on 29.10.2007 22:57:38 by per
In article David L. Aldridge writes:
>I am trying to generate a set of rulesets that can block email from
>dynamic IP space (sorry to all of the good
>guys who want to do this) and have the problem that I cannot bypass the
>rule with access.db entries. I thought
>delay_checks was supposed to provide the way to do this.
>
>i.e. even if I put the following in my access.db,
>xxx.xxx.xxx OK
>
>The ruleset below will still process the relay address and reject it if
>it matches xxx-xxx-xxx-xxx.dls.spamer.com.
>
>I am sure that I am missing something, but I'm not getting it.
You're missing that delay_checks reverses the order of the
check_{relay,mail,rcpt} *rulesets*, not the order of individual
checks/rules *within* those rulesets. I.e. I assume that your
xxx.xxx.xxx above is supposed to be the first three bytes of an IP
address (it's a good idea to use Connect: in that case). The client IP
address check is done in the "standard" part of check_relay, but your
Local_check_relay is *also* called in check_relay, and always *before*
the "standard" part (to allow you to override the latter) - regardless
of delay_checks.
What you could do is to duplicate the client IP address lookup in your
Local_check_relay - perhaps only if the name check says that you should
reject (and don't do that if you get an OK on the IP address check).
--Per Hedeland
per@hedeland.org
Re: block email from dynamic IP
on 29.10.2007 23:41:19 by spam
"David L. Aldridge" wrote in message
news:qtgci3hd8agfibmsb2omek9jtmdf5lo3oh@4ax.com...
> I am trying to generate a set of rulesets that can block email from dynamic IP space (sorry to all of the good
> guys who want to do this) and have the problem that I cannot bypass the rule with access.db entries. I thought
> delay_checks was supposed to provide the way to do this.
>
> i.e. even if I put the following in my access.db,
> xxx.xxx.xxx OK
>
> The ruleset below will still process the relay address and reject it if it matches xxx-xxx-xxx-xxx.dls.spamer.com.
>
> I am sure that I am missing something, but I'm not getting it.
>
> LOCAL_CONFIG
>
> Kdsl1 regex -a@MATCH ([0-9].*){5,}
>
> LOCAL_RULESETS
>
> SLocal_check_relay
>
> R$* $: $(dsl1 $&{client_name} $)
> R@MATCH $#error $@ 5.7.1 $: "554 DSL sender "$&{client_name} " [" $&{client_addr} "] (1), Dynamic IP"
1) I use a different ruleset. Your set will catch MORE than just the IPv4
address embedded in the dummy reverse name - and if that's what you want, so
be it.
# Special rewrite rule helper for dialup detection
Kundash regex -a.LOOP -d. -o -s1,2 (.+)-(.+)
C{Dialup} ADSL Cable catv DHCP Dial Dialin Dialup dip DSL DYN Dynamic DynamicIP IP IPpool ISDN pooles PPP reverse
Sreverse
R$+ $- $: $2 $>reverse $1
Ssome_other_ruleset
; The snippet that needs to be inserted into the rule set you desire: I use local_check_relay, but you will want to put it somewhere else.
R$* $: <$&{client_resolve}>
R $#error $@ 5.4.8 $: "550 DNS PTR mismatch. " ($&{client_addr})
R $#error $@ 5.4.3 $: "550 DNS reverse lookup failed. " ($&{client_addr})
R $#error $@ 4.4.3 $: "450 Cannot resolve DNS PTR record. " ($&{client_addr})
R$* $: $[ $&{client_name} $]
R$*. $1
R$j $@ $j Ignore myself
R$=w $@ $1 Ignore my aliases
R$*$=M $@ $1 Ignore my masqueraders
R$*$=R $@ $1 Ignore my relay class domains
R[$&{client_addr}] $: OK Address literals always match - but technically, above prevents them from reaching here.
;
; if you want to allow "STATIC-aaa.bbb.ccc.ddd._xxxx.tld_" dummy names, exempt them here.
;
R$* $: $1.LOOP
R$*.LOOP $(undash $1 $: $1 $) Dialups hide as IP-dashed string
R$* $={Dialup} $* $#error $@ 5.7.1 $: _DIALUP_REJECT_ (N)
R$* $&{client_addr} $* $#error $@ 5.7.1 $: _DIALUP_REJECT_ (A)
R$+ $- $: $2 $>reverse $1
R$* $&{client_addr} $* $#error $@ 5.7.1 $: _DIALUP_REJECT_ (R)
I consider a generic static IPv4 address based name as one that should also
be disallowed. I want a "real" domain name on the reverse lookup. Correct
placement into the rule set is left to the reader. See the various DIVERT()
entry points. Note that this snippet does not preserve the data it starts
with.
2) There is merit to checking this BEFORE performing a lookup in a DNSBL.
No need to perform the relatively expensive check if one already knows one
is going to pitch the incoming connection anyway.
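Added example, not from any poster in this thread: Python that models two points made above. The original Kdsl1 pattern matches any name holding five or more digits, and the override suggested earlier in the thread looks up the client address in the access map inside the local check and skips the reject on OK. The function names, the stricter embedded-address test and the sample hosts are assumptions constructed for illustration; the pattern search is assumed to be unanchored, as with Python's re.search.

```python
import re

# Pattern from the original post (Kdsl1): matches any name holding five or more digits.
LOOSE = re.compile(r"([0-9].*){5,}")

def embeds_client_addr(client_name, client_addr):
    """True when the PTR name contains all four octets of the connecting
    address, in forward or reversed order, joined by '-' or '.'."""
    octets = client_addr.split(".")
    for order in (octets, octets[::-1]):
        # Allow zero-padded octets (e.g. 010) and require digit boundaries.
        body = "[-.]".join("0{0,2}" + re.escape(o) for o in order)
        if re.search(r"(?<![0-9])" + body + r"(?![0-9])", client_name):
            return True
    return False

def access_connect(access, client_addr):
    """Look up Connect:a.b.c.d, then Connect:a.b.c, and so on (most specific first)."""
    parts = client_addr.split(".")
    for n in range(len(parts), 0, -1):
        value = access.get("Connect:" + ".".join(parts[:n]))
        if value is not None:
            return value
    return None

def local_check_relay(client_name, client_addr, access):
    """Name check first; on a hit, an OK entry for the address overrides the reject."""
    if not embeds_client_addr(client_name, client_addr):
        return "CONTINUE"
    if access_connect(access, client_addr) == "OK":
        return "CONTINUE"
    return "REJECT"

# Constructed sample data (documentation address ranges and example domains).
ACCESS = {"Connect:192.0.2": "OK"}
SAMPLES = [
    ("mail12345.example.com", "198.51.100.7"),          # ordinary server name with digits
    ("192-0-2-10.dsl.example.net", "192.0.2.10"),       # dashed IP, whitelisted /24
    ("25.113.0.203.pool.example.net", "203.0.113.25"),  # reversed octets, not whitelisted
]

if __name__ == "__main__":
    for name, addr in SAMPLES:
        loose = bool(LOOSE.search(name))
        print(f"{name:32} loose={loose!s:5} -> {local_check_relay(name, addr, ACCESS)}")
```

The first sample is the false positive: the loose pattern matches it, while the embedded-address test lets it through.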
Re: block email from dynamic IP
on 30.10.2007 00:27:05 by Res
On Tue, 30 Oct 2007, Res wrote:
>
>
> David,
>
> On Mon, 29 Oct 2007, David L. Aldridge wrote:
>
>>
>> I am trying to generate a set of rulesets that can block email from dynamic IP space (sorry to all of the good
>> guys who want to do this) and have the problem that I cannot bypass the rule with access.db entries. I thought
>> delay_checks was supposed to provide the way to do this.
>
>
> Why re-invent the wheel? See: milter-regex
>
ooops!! I meant milter-regexp
milter-regex (same thing) had problems compiling on linux last time I
looked at it
--
Cheers
Res