chris+exim at qwirx
Jun 27, 2009, 1:51 PM
Views: 620
Permalink
|
|
New spammer check: too many PTRs
|
|
Hi all,
I just found the following unusual message in my Exim logs:
2009-06-27 21:14:58 host name alias list truncated for 69.10.169.230
Curious, I did a DNS lookup on that IP:
chris[at]top ~ $ host 69.10.169.230 | wc -l
86
chris[at]top ~ $ host 69.10.169.230 | head -5
;; Truncated, retrying in TCP mode.
230.169.10.69.in-addr.arpa domain name pointer heavenlydonut.com.
230.169.10.69.in-addr.arpa domain name pointer pitrivertribe.org.
230.169.10.69.in-addr.arpa domain name pointer shastawebmail.com.
230.169.10.69.in-addr.arpa domain name pointer vidalvineyard.com.
Looks like a spammer to me :)
Luckily, Exim provides a way to match senders like this:
defer
set acl_c_ptr_count = ${reduce {${lookup dnsdb{>: \
ptr=$sender_host_address}}} {0} {${eval:$value+1}}}
condition = ${if >{$acl_c_ptr_count}{4}}
message = Too many PTR records ($acl_c_ptr_count)
This matches any host with more than four PTR records. I based the reduce
operation on the one in the manual.
[http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html#SECTexpcond]
Although this is pretty ugly. I don't suppose anyone wants to implement a
"count" operation to count the number of items in a list? Or would accept
a patch for same?
Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
|
New spammer check: too many PTRs
