[Gross] greylisting on reverse dns patterns

Eino Tuominen eino at utu.fi
Mon Apr 16 19:42:24 EEST 2007


Jesse Thompson wrote:
> Hi,
> 
> We're seeing an uptick in spam here.  Gross is still blocking over 58%
> (6% match) of the messages, but the increase in overall spam is becoming
> more noticeable.  I'm noticing that a lot of the spam is originating
> from IP addresses that have a reverse dns record that indicates that the
> IP is dynamically assigned.  e.g. "pool" or "dynamic" or "dhcp"
> 
> Is there a more aggressive RBL that will list IPs that are on known
> dynamic networks?  Here is the list of RBLs that I'm currently using.
> 
> dnsbl = rbl-plus.mail-abuse.org
> dnsbl = bl.spamcop.net
> dnsbl = dnsbl.njabl.org
> dnsbl = cbl.abuseat.org
> dnsbl = dnsbl.sorbs.net
> dnsbl = list.dsbl.org
> dnsbl = multihop.dsbl.org
> dnsbl = zen.spamhaus.org

We have

dnsbl=rbl-plus.mail-abuse.org
dnsbl=bl.spamcop.net
dnsbl=combined.njabl.org
dnsbl=cbl.abuseat.org
dnsbl=dnsbl.sorbs.net
check = dnsbl
check = blocker

Remember that you have to pay for spamhaus lists. I incorrectly had
spamhaus lists in the early example configs as I didn't know it.

Current stats: 22/1/77 (trust/match/grey). I have always wondered why
Gross is more effective with our mail flow - it would be interesting to
know why.

> What about adding a feature to Gross to match on the reverse dns of the
> client_ip?  I'm considering cracking open the source code and dusting
> off my C reference to consider implementing this feature myself.

There are numerous good regexp patterns to find dynamic pools - I think
you can find some with Google. Unfortunately I have no good pointers in
my bookmarks. It should be rather straightforward to write that kind of
a check. And, as I have mentioned before, other good candidates for
blocking are messages with sender domain MX pointing to 127.0.0.1. That
needs the modifications I have been (not so busy) writing in order to
get that envelope sender address through to the checks.

And, I think I will implement the check delays I have told you before.
The blocker check is much cheaper than a bunch of dns queries - Gross
should perform the expensive checks only if cheaper checks fail.

-- 
  Eino Tuominen

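The reverse DNS pattern check discussed in the thread above, as an added example that is not Gross code: a POSIX-regex classifier that flags rDNS names looking like dynamic pools, with a "static" label exclusion so the numeric-octet pattern does not fire on statically named hosts. The patterns and hostnames are constructed for illustration; a deployment would tune its own list and compile the patterns once at startup rather than per call.

```c
#include <regex.h>
#include <stdio.h>

/* Constructed example patterns (POSIX ERE). Real lists are site-tuned. */
static const char *static_pattern =
    "(^|[.-])static[0-9]*([.-]|$)";
static const char *dyn_patterns[] = {
    /* label keywords that usually denote consumer/dynamic pools */
    "(^|[.-])(pool|dynamic|dyn|dhcp|dialup|ppp|adsl|cable)[0-9]*([.-]|$)",
    /* four dot- or dash-separated octets embedded in the name, e.g. c-1-2-3-4.x */
    "(^|[.-])[0-9]{1,3}[.-][0-9]{1,3}[.-][0-9]{1,3}[.-][0-9]{1,3}([.-]|$)",
    NULL
};

/* Case-insensitive match of one pattern; 1 match, 0 no match, -1 bad regex. */
static int match_pattern(const char *pattern, const char *name)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, name, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Returns 1 if the reverse name looks like a dynamic pool, 0 otherwise,
 * -1 on a regex compile error. "static" labels win over the octet rule. */
int rdns_looks_dynamic(const char *rdns)
{
    int rc = match_pattern(static_pattern, rdns);
    if (rc != 0)                 /* static host (1) or compile error (-1) */
        return rc == 1 ? 0 : -1;
    for (int i = 0; dyn_patterns[i] != NULL; i++) {
        rc = match_pattern(dyn_patterns[i], rdns);
        if (rc != 0)             /* match (1) or compile error (-1) */
            return rc;
    }
    return 0;
}

int main(void)
{
    const char *samples[] = { "dhcp123.example.org", "c-67-180-12-34.example.net",
                              "static-67-180-12-34.example.net", "mail.example.com" };
    for (int i = 0; i < 4; i++)
        printf("%-36s dynamic=%d\n", samples[i], rdns_looks_dynamic(samples[i]));
    return 0;
}
```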