[Mimedefang] DNS Lookups in MD - Was RBL and DNS lookups
Jeff Rife
mimedefang at nabs.net
Fri May 11 22:38:13 EDT 2007
On 11 May 2007 at 11:46, Kevin A. McGrail wrote:
> > You really shouldn't have to do any DNS lookups until you run SA.
> > Sendmail will have already done a reverse lookup on the connecting IP
> > address (available in $RelayHostname), so there's nothing much else to
> > look up.
>
> I disagree. I run at least two routines in my filter which use DNS which I
> find very effective.
>
> The first is to check for valid MX records on the sender. I use this to
> reject email and it works VERY well.
What's your hit rate for this? In particular, what's your hit rate for
messages that *only* this catches?
> Get the perl module from CPAN. Net::validMX.
Already tested. For me, it only stops about 1% from getting to SA that
wasn't being stopped through non-network tests. That's not worth the
code or the DNS lookup.
> in filter_sender add something like this:
>
> if ($sender ne '<>') {
Why would you restrict it this way? If someone is bouncing and they
don't have a valid MX, then you never sent them mail anyway, and it's a
spoof. So, *anything* without a valid MX should be tossed.
> The second is a reverse DNS check that I then use to score with in
> SpamAssassin. It has some pros and cons. The pro is that it works very
> well.
Again, tested, and in just 14 checks that weren't already being
stopped, it yielded 2 erroneous results.
Even with just scoring that's too dangerous, as any score that did
enough to matter would likely push something into "spam territory".
> BTW, several years ago, someone helping me with RelayRegistry showed me how
> to start making MD "mini" modules. I didn't understand what they meant then
> but now I see the error of my ways. However, despite my searching, I can't
> find the info. I'm looking to do something like put all the reverse DNS
> info in a separate file and use a C-esque #INCLUDE.
Here's my entire mimedefang-filter...it's doing something like you
want:
#######################################################################
# -*- Perl -*-
# vim:ts=2:sw=2
#***********************************************************************
#
# mimedefang-filter
#
#***********************************************************************
use strict;
use lib '/etc/mail';
use DBI;
use Net::CIDR;
use Net::DNS;
use Digest::Hashcash;
use Net::Domain qw(hostname hostdomain);
# Must declare globals here...can initialize elsewhere
use vars qw(%nabs %db_sth %gl_sth %gl_greystatus %gl_greynames);
require 'filter/globals';
require 'filter/utility';
require 'filter/db';
require 'filter/greylist';
require 'filter/initialize';
require 'filter/cleanup';
require 'filter/outgoing';
require 'filter/relay';
require 'filter/helo';
require 'filter/sender';
require 'filter/recipient';
require 'filter/filter';
require 'filter/tick';
# DO NOT delete the next line, or Perl will complain.
1;
#######################################################################
> #REVERSE DNS CHECK
> if ($authorized_sender < 1) {
> $res = Net::DNS::Resolver->new;
>
> $suspect_spammy_country_tlds = 1;
>
> $packet = $res->send($RelayAddr);
Your Net::DNS::Resolver->send is the complete waste of cycles I was
talking about...just pass $RelayHostname into this code that checks for
"valid" reverse DNS, because sendmail has already done the lookup for
you.
> } elsif ($has_subdomain && $reverse_subdomain =~ /pool|dhcp|dip|dyn|dial|home|cable|dsl|\d{1,3}[-\.]\d{1,3}[-\.]\d{1,3}|\d{9,12}/i && $reverse_subdomain !~ /static/i) {
At least you aren't scoring against my IPs. Verizon is a PITA to deal
with in getting reverse DNS.
> #FAILED REQUIREMENT DID NOT HAVE A REVERSE ENTRY
> action_change_header("X-KAM-Reverse", "Missing - Reverse PTR for $RelayAddr was missing!");
I saw this with known good Yahoo mail servers...that's why I won't use
anything like it.
Again, what are your stats on what is stopped *solely* by this check.
In other words, how many extra bad e-mails (as a percentage) would you
deliver if you did not have this check?
For me, none of the reverse DNS checks stop enough extra to be worth
wasting DNS bandwidth (even with a caching DNS server).
--
Jeff Rife | "Because he was human; because he had goodness;
| because he was moral they called him insane.
| Delusions of grandeur; visions of splendor;
| A manic-depressive, he walks in the rain."
| -- Rush, "Cinderella Man"
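Added example, not code from either poster or from the MIMEDefang project: a small filter module in the style of the modular layout above. It does the two things discussed in the thread, an MX check on the envelope sender in filter_sender and a reverse-DNS classification that reuses sendmail's own lookup ($RelayHostname) instead of calling Net::DNS::Resolver->send again. Assumptions: mimedefang is started with -s so filter_sender runs; sendmail reports a relay with no PTR as "[a.b.c.d]" (this form is an assumption); the header name X-Reverse-DNS and the sub names are mine; the dynamic-host pattern is the one quoted from Kevin's filter. A lookup that fails outright (timeout, SERVFAIL) is deferred with TEMPFAIL rather than rejected, and the reverse-DNS verdict is only recorded in a header for SpamAssassin to score, because the thread reports known-good servers with missing PTRs.

```perl
# -*- Perl -*-
# Added example (not from the thread): MX check in filter_sender, reverse-DNS
# classification of sendmail's $RelayHostname in filter. See lead-in for assumptions.
use strict;
use warnings;
use Net::DNS;

# Short timeouts: this runs per SMTP transaction, a hung resolver stalls the slave.
my $res = Net::DNS::Resolver->new(udp_timeout => 5, tcp_timeout => 5, retry => 2);

# Pattern quoted from Kevin's filter for generic/dynamic-looking reverse names.
my $DYNAMIC_RE = qr/pool|dhcp|dip|dyn|dial|home|cable|dsl|\d{1,3}[-.]\d{1,3}[-.]\d{1,3}|\d{9,12}/i;

# Domain part of an envelope sender ("<user@example.com>"), undef for "<>".
sub sender_domain {
    my ($sender) = @_;
    $sender =~ s/^<(.*)>$/$1/;                 # strip angle brackets
    return undef if $sender eq '';             # null sender carries no domain
    my ($domain) = $sender =~ /\@([^@\s]+)$/;
    return defined $domain ? lc $domain : undef;
}

# 1 = domain has an MX (or an A record, RFC 5321's implicit MX),
# 0 = DNS says it has neither (or publishes a RFC 7505 null MX),
# undef = the lookup itself failed, so we do not know.
sub domain_accepts_mail {
    my ($domain) = @_;
    my $mx = $res->query($domain, 'MX');
    if ($mx) {
        for my $rr ($mx->answer) {
            next unless $rr->type eq 'MX';
            return 0 if $rr->exchange =~ /^\.?$/;   # null MX: domain refuses mail
            return 1;
        }
    } elsif ($res->errorstring ne 'NXDOMAIN' && $res->errorstring ne 'NOERROR') {
        return undef;                               # timeout or SERVFAIL
    }
    my $a = $res->query($domain, 'A');
    return 1 if $a && grep { $_->type eq 'A' } $a->answer;
    return ($res->errorstring eq 'NXDOMAIN' || $res->errorstring eq 'NOERROR') ? 0 : undef;
}

# Classify the name sendmail already resolved; no second query is made.
sub classify_reverse_name {
    my ($name) = @_;
    return 'missing' if !defined $name || $name eq '' || $name =~ /^\[[\d.:]+\]$/;  # assumed no-PTR form
    return 'static'  if $name =~ /static/i;
    return 'dynamic' if $name =~ $DYNAMIC_RE;
    return 'ok';
}

# Runs before DATA (mimedefang -s), so a reject here costs no bandwidth.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    my $domain = sender_domain($sender);
    return ('CONTINUE', 'ok') unless defined $domain;   # "<>": nothing to query
    my $verdict = domain_accepts_mail($domain);
    if (!defined $verdict) {
        # Our own DNS trouble must not bounce everyone's mail: defer instead.
        md_syslog('warning', "MX lookup for $domain failed: " . $res->errorstring);
        return ('TEMPFAIL', "Temporary DNS failure resolving $domain, try again later");
    }
    return ('REJECT', "Sender domain $domain has no MX or A record") unless $verdict;
    return ('CONTINUE', 'ok');
}

# Record the reverse-DNS verdict for SpamAssassin; do not reject on it.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    my $verdict = classify_reverse_name($RelayHostname);
    action_change_header('X-Reverse-DNS', "$verdict ($RelayHostname from $RelayAddr)");
    return action_accept();
}

# Stand-alone run (perl thisfile) exercises the pure classifier on constructed names.
unless (caller) {
    for my $n ('[192.0.2.7]', 'pool-198-51-100-9.example.net',
               'static-203-0-113-4.example.net', 'mx1.example.com') {
        printf "%-36s %s\n", $n, classify_reverse_name($n);
    }
}
1;
```

Drop the file in as filter/sender next to the others and `require` it from the main filter as above; the `1;` at the end satisfies require just like the original file's final line. If the resolver is not your local cache, point Net::DNS::Resolver->new at it with `nameservers => [...]`, otherwise each lookup hits whatever /etc/resolv.conf lists.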