comp.mail.sendmail: Configuring and using the BSD sendmail agent.

#1

Hello,

I'm trying to reject e-mail traffic from:

x.x.x.x.nnn.nn.nn.dynamic.163data.com.cn

In my accessdb I already have:

Connect:dynamic.163data.com.cn REJECT
Connect:.dynamic.163data.com.cn REJECT
Connect:163data.com.cn REJECT
Connect:.163data.com.cn REJECT

but it doesn't work. What gives?

Many thanks.

--
n

#2

nobody <noboy@localhost.localhost> wrote:
> I'm trying to reject e-mail traffic from:
>
> x.x.x.x.nnn.nn.nn.dynamic.163data.com.cn
>
> In my accessdb I already have:
>
> Connect:dynamic.163data.com.cn REJECT
> Connect:.dynamic.163data.com.cn REJECT
> Connect:163data.com.cn REJECT
> Connect:.163data.com.cn REJECT
>
> but it doesn't work. What gives?

*EXPLANATION*

Sendmail uses *only* closed PTR-A loop names for access lookups.
[ IP address -("PTR" record)-> DNS name -("A" record)-> IP address ]

The names you mention (e.g. 25.202.108.125.broad.wz.zj.dynamic.163data.com.cn) do not have "closing" "A" DNS records.

Sendmail uses such policy because access may also return "RELAY" and names produced by "no loops" are unreliable and easy to fake.

*FIXES*

*FIX0*
To get exactly what you want would require patching cf/m4/proto.m4 and implementing new "connect-ptr:" prefix for names produced by PTR records with missing A records. The lookup should ignore RELAY/OK results.

*FIX1*
To get what I think you really want you may use FEATURE(`anfi/rsdnsbl') and FEATURE(`anfi/require_rdns') to require closed PTR-A loop for
* hosts in a few countries
* all hosts except a few countries
* the worse half on the Internet listed by L2.apews.org

You can use zz.countries.nerd.dk to get IP->country mappings.
zz.countries.nerd.dk zone is available for download via rsync.

#v+
FEATURE(`anfi/countries')dnl list of country codes
dnl
dnl put standard enhdnsbl tests here
dnl
dnl ------------------------------------------------------
FEATURE(`anfi/rsdnsbl',`zz.countries.nerd.dk',`whitelist',`',
  C2_US,C2_CA,C2_UK,C2_PL)dnl
dnl IP addresses in USA, Canada, UK and Poland are excluded from
dnl tests below (up to 6 countries may be listed)
dnl -------------------------------------------------------
FEATURE(`anfi/rsdnsbl')
#v-

URL(s):
* http://open-sendmail.sourceforge.net/
* http://sourceforge.net/project/showf...kage_id=228383
* http://groups.google.com/group/comp....49ed886ac9d1d2
  From: Andrzej Adam Filip <a...@onet.eu>
  Newsgroups: comp.mail.sendmail
  Subject: FEATURE(`anfi/rsdnsbl') [2007-12-12]
  Date: Wed, 12 Dec 2007 23:57:22 +0100
  Message-ID: <bee@87d4tbjzcd.fsf.hobby-site.com>

--
[pl>en: Andrew] Andrzej Adam Filip anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
The most happy marriage I can imagine to myself would be the union of a deaf man to a blind woman.
-- Samuel Taylor Coleridge

#3

Andrzej Adam Filip <anfi@onet.eu> wrote:
>> Connect:dynamic.163data.com.cn REJECT
>> Connect:.dynamic.163data.com.cn REJECT
>> Connect:163data.com.cn REJECT
>> Connect:.163data.com.cn REJECT
>>
>> but it doesn't work. What gives?

> *EXPLANATION*

> Sendmail uses *only* closed PTR-A loop names for access lookups.
> [ IP address -("PTR" record)-> DNS name -("A" record)-> IP address ]

Hi, I was having a similar problem to the OP and ran across this response. I had this in my access file:

Connect:vpls.net 554 Access denied

but messages are still getting through:

May 5 15:37:53 smtp-in2 sendmail[25910]: [ID 801593 mail.info] m45Kbkjq025910: from=<Rebate_Processor_Position@confitravel.info>, size=797, class=0, nrcpts=1, msgid=<32C73153.2B43423F@confitravel.info>, proto=SMTP, daemon=MTA, relay=CUSTOMER.VPLS.NET [67.198.202.170] (may be forged)

Was it because there doesn't seem to be an A record for customer.vpls.net?

nslookup customer.vpls.net
Server: uahis1.uah.edu
Address: 146.229.1.2

*** uahis1.uah.edu can't find customer.vpls.net: Non-existent host/domain

Thanks...

Jim McCullars
University of Alabama in Huntsville

#4

Jim McCullars <jim@info2.uah.edu> wrote:
> Andrzej Adam Filip <anfi@onet.eu> wrote:
>>> Connect:dynamic.163data.com.cn REJECT
>>> Connect:.dynamic.163data.com.cn REJECT
>>> Connect:163data.com.cn REJECT
>>> Connect:.163data.com.cn REJECT
>>>
>>> but it doesn't work. What gives?
>
>> *EXPLANATION*
>
>> Sendmail uses *only* closed PTR-A loop names for access lookups.
>> [ IP address -("PTR" record)-> DNS name -("A" record)-> IP address ]
>
> Hi, I was having a similar problem to the OP and ran across this response.
> I had this in my access file:
>
> Connect:vpls.net 554 Access denied
>
> but messages are still getting through:
>
> May 5 15:37:53 smtp-in2 sendmail[25910]: [ID 801593 mail.info] m45Kbkjq025910: from=<Rebate_Processor_Position@confitravel.info>, size=797, class=0, nrcpts=1, msgid=<32C73153.2B43423F@confitravel.info>, proto=SMTP, daemon=MTA, relay=CUSTOMER.VPLS.NET [67.198.202.170] (may be forged)
>
>
> Was it because there doesn't seem to be an A record for
> customer.vpls.net?

Yes.
There is a "PTR" record for 67.198.202.170 equal CUSTOMER.VPLS.NET
*but* there is no "A" record for CUSTOMER.VPLS.NET
[ sendmail logged "(may be forged)"].

> nslookup customer.vpls.net
> Server: uahis1.uah.edu
> Address: 146.229.1.2
>
> *** uahis1.uah.edu can't find customer.vpls.net: Non-existent host/domain

What have you wanted to achieve?
[allowing to relay OR block]

--
[pl>en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
There is no comfort without pain; thus we define salvation through suffering.
-- Cato
----
http://groups.google.com/groups/prof...anfi%40onet.eu
http://groups.google.com/groups?selm...hobby-site.com
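
Added example, not part of any post in this thread and not sendmail's own code: a simplified Python model of the closed PTR-A loop check discussed above, showing why `Connect:vpls.net` never fires for 67.198.202.170 while an address-based entry does. The DNS tables, the 192.0.2.10 host, the `Connect:67.198.202` range and all function names are constructed for illustration; the status names follow `${client_resolve}` (TEMP is left out).

```python
import socket

def dns_ptr(ip):            # live PTR lookup; raises OSError when there is none
    return socket.gethostbyaddr(ip)[0]

def dns_a(name):            # live A lookup; raises OSError when there is none
    return socket.gethostbyname_ex(name)[2]

def client_resolve(ip, ptr=dns_ptr, a=dns_a):
    """Classify a client by reverse-DNS status: OK, FORGED or FAIL."""
    try:
        name = ptr(ip).lower().rstrip(".")
    except (OSError, LookupError):
        return "FAIL", None            # no PTR record at all
    try:
        addrs = a(name)
    except (OSError, LookupError):
        addrs = []                     # PTR name has no A record
    return ("OK" if ip in addrs else "FORGED"), name

def connect_keys(ip, status, name):
    """Connect: keys tried, most specific first (simplified model)."""
    keys = []
    if status == "OK":                 # only a closed PTR-A loop yields name keys
        labels = name.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return ["Connect:" + k for k in keys]

def verdict(ip, access, ptr=dns_ptr, a=dns_a):
    """Return the first matching access-map value, or None if nothing matches."""
    status, name = client_resolve(ip, ptr, a)
    for key in connect_keys(ip, status, name):
        if key in access:
            return access[key]
    return None

# Constructed DNS data: the thread's PTR-without-A host plus a closed-loop host.
PTR = {"67.198.202.170": "CUSTOMER.VPLS.NET", "192.0.2.10": "mail.example.net"}
A = {"mail.example.net": ["192.0.2.10"]}
BY_NAME = {"Connect:vpls.net": "554 Access denied", "Connect:example.net": "REJECT"}
BY_ADDR = {**BY_NAME, "Connect:67.198.202": "554 Access denied"}  # constructed range

if __name__ == "__main__":
    for ip in PTR:
        print(ip, client_resolve(ip, PTR.__getitem__, A.__getitem__),
              verdict(ip, BY_NAME, PTR.__getitem__, A.__getitem__),
              verdict(ip, BY_ADDR, PTR.__getitem__, A.__getitem__))
```

Calling `client_resolve()` or `verdict()` without the last two arguments uses live DNS instead of the constructed tables.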

#5

Andrzej Adam Filip <anfi@onet.eu> wrote:

> Yes.
> There is a "PTR" record for 67.198.202.170 equal CUSTOMER.VPLS.NET
> *but* there is no "A" record for CUSTOMER.VPLS.NET
> [ sendmail logged "(may be forged)"].

>> nslookup customer.vpls.net
>> Server: uahis1.uah.edu
>> Address: 146.229.1.2
>>
>> *** uahis1.uah.edu can't find customer.vpls.net: Non-existent host/domain

> What have you wanted to achieve?
> [allowing to relay OR block]

Block. A lot of spam with hostnames of customer.vpls.net but as you noted, it could very well be forged. I can do it by IP. Thanks again...

Jim McCullars
University of Alabama in Huntsville

#6

Jim McCullars <jim@info2.uah.edu> wrote:
> Andrzej Adam Filip <anfi@onet.eu> wrote:
>
>> Yes.
>> There is a "PTR" record for 67.198.202.170 equal CUSTOMER.VPLS.NET
>> *but* there is no "A" record for CUSTOMER.VPLS.NET
>> [ sendmail logged "(may be forged)"].
>
>>> nslookup customer.vpls.net
>>> Server: uahis1.uah.edu
>>> Address: 146.229.1.2
>>>
>>> *** uahis1.uah.edu can't find customer.vpls.net: Non-existent host/domain
>
>> What have you wanted to achieve?
>> [allowing to relay OR block]
>
> Block. A lot of spam with hostnames of customer.vpls.net but as you
> noted, it could very well be forged. I can do it by IP. Thanks again...

Would you like to require closed PTR-A loop for the hosts in the above Autonomous (Routing) System? [AS35908]

You can use (DNS) services like asn.routeviews.org to get IP->ASN mapping.
[ asn.routeviews.org returns TXT records ]

P.S. Do you use MIMEDefang milter?

--
[pl>en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
To many, total abstinence is easier than perfect moderation.
-- St. Augustine
----
http://groups.google.com/groups/prof...anfi%40onet.eu
http://groups.google.com/groups?selm...hobby-site.com

#7

Andrzej Adam Filip <anfi@onet.eu> wrote:

> Would you like to require closed PTR-A loop for the hosts in the above
> Autonomous (Routing) System? [AS35908]

> You can use (DNS) services like asn.routeviews.org to get IP->ASN mapping.
> [ asn.routeviews.org returns TXT records ]

> P.S. Do you use MIMEDefang milter?

I'll have to look in to ASN, I'd never heard of it before now. I do use MIMEDefang (and SA), since about 2002. Love it.

Jim McCullars
University of Alabama in Huntsville

#8

Jim McCullars <jim@info2.uah.edu> wrote:
> Andrzej Adam Filip <anfi@onet.eu> wrote:
>
>> Would you like to require closed PTR-A loop for the hosts in the above
>> Autonomous (Routing) System? [AS35908]
>
>> You can use (DNS) services like asn.routeviews.org to get IP->ASN mapping.
>> [ asn.routeviews.org returns TXT records ]
>
>> P.S. Do you use MIMEDefang milter?
>
> I'll have to look in to ASN, I'd never heard of it before now.
> I do use MIMEDefang (and SA), since about 2002. Love it.

You can quite easily make MIMEDefang do rejects based on $&{client_addr} and $&{client_resolve} (reverse DNS status).

--
[pl>en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
It is by the fortune of God that, in this country, we have three benefits: freedom of speech, freedom of thought, and the wisdom never to use either.
-- Mark Twain
----
http://groups.google.com/groups/prof...anfi%40onet.eu
http://groups.google.com/groups?selm...hobby-site.com

#9

Andrzej Adam Filip <anfi@onet.eu> wrote:
> Jim McCullars <jim@info2.uah.edu> wrote:
>> [...]

For future c.m.sendmail readers reference:
How have you decided to fix your specific problem?

If you have decided to block based on IP addresses/nets then how have you decided about IP ranges to block?

--
[pl>en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
"The best index to a person's character is a) how he treats people who can't do him any good and b) how he treats people who can't fight back."
-- Abigail Van Buren
----
http://groups.google.com/groups/prof...anfi%40onet.eu
http://groups.google.com/groups?selm...hobby-site.com

#10

Andrzej Adam Filip <anfi@onet.eu> wrote:
> Andrzej Adam Filip <anfi@onet.eu> wrote:
>> Jim McCullars <jim@info2.uah.edu> wrote:
>>> [...]

> For future c.m.sendmail readers reference:
> How have you decided to fix your specific problem?

To recap - I was putting "Connect:some.domain 554 Access denied" in the access file and some hosts in some.domain were still able to send mail. I knew that if sendmail detected discrepancies between the A records and the PTR records it would put "may be forged" in the "Received:" headers but I did not realize at the time that this affected entries in the access db as well. In my specific case, I put in a range of IP addresses in the access db instead.

Someone noted that I could do this in MIMEDefang, and in some cases I do block based on hostnames in my MD filter rules file but in my mind if I can refuse based on an access db entry it might save a call to a perl slave.

> If you have decided to block based on IP addresses/nets then
> how have you decided about IP ranges to block?

It depends on the sender. I look at the log file and if a spam run seems to come from one IP address I might block just the one. If they are coming from several, and especially if I have a history of playing whack-a-mole with some provider, I might block their whole range (especially if it's a small range registered to an individual).

Jim McCullars
University of Alabama in Huntsville

#11

Once upon a time, Jim McCullars <jim@info2.uah.edu> said:
> To recap - I was putting "Connect:some.domain 554 Access denied" in
>the access file and some hosts in some.domain were still able to send mail.
>I knew that if sendmail detected discrepancies between the A records and the
>PTR records it would put "may be forged" in the "Received:" headers but I
>did not realize at the time that this affected entries in the access db
>as well.

It has to, because the access.db entry could be allowing additional access (e.g. relaying, bypassing filters, etc.), so the only legitimate thing to do is only use the domain name when it is considered valid.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

#12

cmadams@hiwaay.net (Chris Adams) wrote:
> Once upon a time, Jim McCullars <jim@info2.uah.edu> said:
>> To recap - I was putting "Connect:some.domain 554 Access denied" in
>>the access file and some hosts in some.domain were still able to send mail.
>>I knew that if sendmail detected discrepancies between the A records and the
>>PTR records it would put "may be forged" in the "Received:" headers but I
>>did not realize at the time that this affected entries in the access db
>>as well.
>
> It has to, because the access.db entry could be allowing additional
> access (e.g. relaying, bypassing filters, etc.), so the only legitimate
> thing to do is only use the domain name when it is considered valid.

It is possible to implement in sendmail.cf support for new prefix for access db lookups [connect-ptr] acting just like connect:hostname but accepting *ONLY* reject replies (and ignoring OK/RELAY replies).

--
[pl>en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Example is not the main thing in influencing others. It is the only thing.
-- Albert Schweitzer
----
http://groups.google.com/groups/prof...anfi%40onet.eu
http://groups.google.com/groups?selm...hobby-site.com