[Mimedefang] Another silly idea

Paul Murphy pjm at ousekjarr.org
Wed May 3 07:11:43 EDT 2006


 
> pjm> ...
> pjm>   if ( $hostname =~ /dsl./i )
> pjm>     {
> pjm>     md_syslog("info","$MsgID - Host $hostname is a DSL broadband client");
> pjm>     return (0);
> pjm>     }
> pjm> ...
> 
> 
> So, you are rejecting messages from eg. mail.redslab.com that may be a
> perfectly legitimate and well behaving mail server, aren't you?

Probably, yes.  The code was a quick hack to investigate the principle, and
doesn't take into account any number of possible false positives.  The regex
is also sub-optimal, but it was a quick and dirty check as a demo.

Then again, in the last week, I've seen 1216 hosts which I've classed as
broadband and rejected, and 566 unique hosts which successfully sent me mail.
None of the rejected systems was a false positive - here's today's crop so
far:


In my case, this works.  YMMV, and I would of course advise caution when
implementing anything like this.  In a corporate environment, I would expect
the number of valid mail servers to be in the hundreds of thousands, and the
broadband hosts seen to be of a similar size.

My decision to do this was taken after seeing the growth of botnets which
were hitting me with 50 connections at a time from one IP, all of which were
greylisted, and all of which were then retried successfully a few minutes
later, with all of the resulting messages being classified as spam with
scores of over 10.  A few minutes later, I'd see the same from a different
IP.

My mail server is designed for the volume I expected it to handle, and is
over-specified for my very small needs - 500MHz P3, 384Mb RAM, 36Gb IDE disk,
with legitimate mail volume of 6000 per week - so this sort of bandwidth- and
CPU-intensive attack is something I want to put a stop to immediately.

Basic principle - know your mail patterns, and filter based on this
knowledge.

Paul.
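A tighter form of the hostname check discussed above, added here as an example (it is not Paul's filter and not MIMEDefang code): the broadband token is only matched at a label boundary, so mail.redslab.com passes, and as a second signal, which goes beyond the thread's own check, it tests whether the reverse-DNS name encodes the connecting IP the way dynamic pools do. The IP paired with each sample name is an assumption for the demo.

```python
import re
from ipaddress import IPv4Address

# A broadband token only counts at a label boundary (start of a label or after
# a hyphen) and must be followed by a separator, a digit or the end of the
# name, so "mail.redslab.com" is not hit while "dsl1.jdn.mn.frontiernet.net" is.
_TOKEN_RE = re.compile(r"(?:^|[.-])(?:[asvx]?dsl|cable)(?=[.-]|\d|$)", re.I)


def _in_order(needles, haystack):
    """True if every needle occurs in haystack, in the given order."""
    it = iter(haystack)
    return all(any(item == n for item in it) for n in needles)


def embeds_client_ip(hostname: str, ip: str) -> bool:
    """True when the reverse-DNS name encodes the connecting IP, as dynamic
    pools usually do: the four decimal octets appear as digit runs in forward
    or reverse order, or one label is the whole address as eight hex digits."""
    addr = IPv4Address(ip)
    octets = str(addr).split(".")
    runs = re.findall(r"\d+", hostname)
    if _in_order(octets, runs) or _in_order(octets[::-1], runs):
        return True
    packed_hex = addr.packed.hex()
    return any(label.lower() == packed_hex for label in hostname.split("."))


def classify(hostname: str, ip: str) -> str:
    """Reject only when the name carries a broadband token AND encodes the
    client IP; one signal alone is 'suspect' (a greylisting candidate);
    neither means accept."""
    token = _TOKEN_RE.search(hostname) is not None
    embedded = embeds_client_ip(hostname, ip)
    if token and embedded:
        return "reject"
    return "suspect" if (token or embedded) else "accept"


if __name__ == "__main__":
    # Constructed samples: names quoted in the thread, each paired with an
    # IP assumed for this demo (the thread does not give the addresses).
    samples = [("mail.redslab.com", "192.0.2.25"),
               ("81-178-96-160.dsl.pipex.com", "81.178.96.160"),
               ("3e70db70.adsl.enternet.hu", "62.112.219.112"),
               ("60-244-118-113.vdslpro.static.apol.com.tw", "60.244.118.113")]
    for host, ip in samples:
        print(f"{classify(host, ip):8} {host} ({ip})")
```

Names like vdslpro that the boundary rule no longer matches fall back to "suspect" through the embedded-IP signal, which is the trade-off for not rejecting mail.redslab.com.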
