spf-discuss

Re: Off-topic: mydnsbl (my "too many failures BL") moving from investigation to testing

2005-01-17 15:01:48
At 09:48 AM 1/17/2005 -0500, Greg Connor <gconnor(_at_)nekodojo(_dot_)org> 
wrote:

This doesn't have to do with SPF, but may be interesting to some folks 
here.  If you are interested in more info, please reply to me off-list.

******************* REPLY SEPARATOR *******************
I tried to send this to you directly, but your server rejected it with the
following message:
Diagnostic-Code: SMTP; 450 Client host rejected: cannot find your hostname,
[69.36.102.205]
The host name definitely has an "A" record, and the IP definitely has a
reverse lookup. If you are checking that the hostname matches the reverse
lookup name, it will not always match. This is a very common situation when
a mail server is hosting several domains.
*******************************************************
I am doing something similar. I already have a working BL server that is
stable and currently being fed by two honey pots. My own Sendmail log does
not have all the information I would like, so I developed a monitoring
program that scans the traffic to the mail server by using the ethernet
interface in promiscuous mode. This information is written to a log file,
and I am currently writing a program to analyze the log file using SPF. It
could just as easily be written to a relational database. The results of
this analysis will be fed to the BL server, which drops the Black Listed IP
addresses after 18 hours if they are not used again. As far as I am
concerned, using a dynamically updated BL server is the only way to go in
today's environment. Standard BL servers that are batch updated just don't
cut it.

My thoughts are very much like yours: that usage patterns can be very
indicative of abuse. Contact me if you want to discuss this further.

J.A. Coutts
Systems Engineer
MantaNet/TravPro
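
The 18-hour drop rule described in the message above, sketched as an added example (not part of the original message and not the author's BL server code). It assumes that "used again" means a new abuse report restarts the 18-hour clock; the zone name `bl.example.invalid`, the class and method names, and the sample addresses are hypothetical, and the reversed-octet query name with a `127.0.0.2` answer follows the usual DNSBL convention.

```python
import ipaddress

EXPIRY_SECONDS = 18 * 3600  # the 18-hour window from the message


class DynamicBlocklist:
    """Sliding-expiry blocklist: an entry lives 18 hours past its last sighting."""

    def __init__(self, zone="bl.example.invalid", ttl=EXPIRY_SECONDS):
        self.zone = zone        # hypothetical DNSBL zone name
        self.ttl = ttl
        self.last_seen = {}     # IPv4Address -> time of the last abuse report

    def report(self, ip, now):
        """Record abuse from ip (honeypot hit, SPF failure); restarts the clock."""
        self.last_seen[ipaddress.IPv4Address(ip)] = now

    def is_listed(self, ip, now):
        addr = ipaddress.IPv4Address(ip)
        seen = self.last_seen.get(addr)
        if seen is None:
            return False
        if now - seen >= self.ttl:
            del self.last_seen[addr]    # expired: drop lazily on lookup
            return False
        return True

    def purge(self, now):
        """Drop every expired entry and return the addresses removed."""
        expired = [a for a, t in self.last_seen.items() if now - t >= self.ttl]
        for addr in expired:
            del self.last_seen[addr]
        return sorted(str(a) for a in expired)

    def query(self, qname, now):
        """Answer a DNSBL-style lookup: d.c.b.a.<zone> -> '127.0.0.2' or None."""
        suffix = "." + self.zone
        if not qname.endswith(suffix):
            return None
        labels = qname[: -len(suffix)].split(".")
        if len(labels) != 4:
            return None
        try:
            ip = ".".join(reversed(labels))
            return "127.0.0.2" if self.is_listed(ip, now) else None
        except ipaddress.AddressValueError:
            return None     # malformed query name, treat as not listed
```

Timestamps are passed in explicitly so the expiry behaviour can be checked against constructed times instead of the wall clock.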

