Re: "Potted" regex question

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Sat Apr 17 2004 - 21:22:17 CDT


On Sat, Apr 17, 2004 at 12:41:18PM +0200, Tony Earnshaw wrote:
> List,
>
> mail_version = 2.0.19-20040312
>
> Because I get my mail on port 25 via my ISP's mailkick server every time
> I connect to the Internet (always the same IP number), I can't use CIDR
> maps on this particular rig.
>
> I get spam to a particular privileged user for whom most
> smtpd_recipient_restrictions are bypassed. He can and does resort to
> header_checks, though. Today spam comes in to him for thingy-growth
> snake oil and I want to ban the network that sent it, which I do with
> header_checks.
>
> The spam comes (jwhois) from Madritel ES 213.37.150.0 - 213.37.251.255.
> So I make a fine pcre regexp for Madritel:
>
> /(?:^Received:\s{1,2}from\s+.+213\.37\.(?:(?:(?:1(?:[5-9][0-9])|(?:2(?:0|1|2|3|4)[0-9])|(?:25[0-1]))))\.\d{1,3})/
>
> It works beautifully, but costs some time to make it and test it. Just
> for one spammer network, which could just as well be a zombie network.
> There must be hundreds or thousands of them.
>
> Does anyone know of a site where I could pick up the meat of regexps for
> such IP ranges for known spammer networks?
>
> Best,
>
> --Tonni

I don't know of any ready-made regexp lists, but maybe
download the spamhaus list.
A clever sed or perl script could convert the list of IPs to a
regular expression header_checks table.

Then enclose the whole thing inside something like:
if /^Received:.*by #something to match headers your ISP adds#
... ~40,000 spamhaus entries ...
endif
so you only check the final hop and limit the impact of
what would be a really large header_checks table.

The drawbacks are the same as any giant header_checks table, huge
cleanup process size and high CPU usage.
But probably usable with a small mail load and a decent server.
If you have the horsepower to burn, let us know what happens.

I would never recommend anyone do this that could use an RBL check
or access table instead... This is a last resort for a desperate man.

--
Noel Jones
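Noel's suggestion above, converting a list of network ranges into a pcre header_checks table and wrapping it in an if/endif block so only the final hop is examined, worked through as an added example; this is not code from the thread, from Postfix or from Spamhaus. The range-to-regex part also generates the kind of pattern Tony built by hand for 213.37.150.0 - 213.37.251.255, and handles ranges that do not fall on a single octet boundary by splitting them into CIDR blocks. Assumptions: the block list is a mix of CIDR entries (the form a Spamhaus-style list would be fed in as) and dotted "first - last" ranges; mx.example.com is a hypothetical name for the MTA that writes the final Received: header; the Received: lines are constructed.

```python
import ipaddress
import re

def _digit_range(lo, hi, width):
    """Regex for the integers lo..hi written with exactly `width` digits."""
    if width == 1:
        return str(lo) if lo == hi else f"[{lo}-{hi}]"
    div = 10 ** (width - 1)
    a, b = lo // div, hi // div            # leading digit of lo and of hi
    ra, rb = lo % div, hi % div            # the remaining digits
    if a == b:
        return str(a) + _digit_range(ra, rb, width - 1)
    parts, full_lo = [], a                 # leading digits whose tail covers 0..99..9
    if ra != 0:                            # partial block at the low end
        parts.append(str(a) + _digit_range(ra, div - 1, width - 1))
        full_lo = a + 1
    tail = str(b) + _digit_range(0, rb, width - 1) if rb != div - 1 else None
    full_hi = b if tail is None else b - 1  # partial block at the high end
    if full_lo <= full_hi:
        lead = str(full_lo) if full_lo == full_hi else f"[{full_lo}-{full_hi}]"
        parts.append(lead + (r"\d" if width == 2 else rf"\d{{{width - 1}}}"))
    if tail:
        parts.append(tail)
    return parts[0] if len(parts) == 1 else "(?:" + "|".join(parts) + ")"

def octet_regex(lo, hi):
    """Regex for one decimal octet in lo..hi (0..255), no leading zeros."""
    assert 0 <= lo <= hi <= 255
    parts = [_digit_range(max(lo, a), min(hi, b), w)
             for a, b, w in ((0, 9, 1), (10, 99, 2), (100, 255, 3)) if max(lo, a) <= min(hi, b)]
    return parts[0] if len(parts) == 1 else "(?:" + "|".join(parts) + ")"

def matched_octets(rx):
    """Self-check: the values 0..255 that `rx` matches in full."""
    return [n for n in range(256) if re.fullmatch(rx, str(n))]

def cidr_to_regex(cidr):
    """Regex for every address in an IPv4 CIDR block such as 10.0.0.0/12."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    parts = []
    for i, octet in enumerate(net.network_address.packed):
        fixed = net.prefixlen - 8 * i      # network bits left for this octet
        if fixed >= 8:
            parts.append(str(octet))
        elif fixed <= 0:
            parts.append(r"\d{1,3}")
        else:
            parts.append(octet_regex(octet, octet | ((1 << (8 - fixed)) - 1)))
    return r"\.".join(parts)

def range_to_regex(first, last):
    """One pattern if a single octet varies and the rest span 0-255 (Madritel case), else a CIDR alternation."""
    lo, hi = ipaddress.IPv4Address(first).packed, ipaddress.IPv4Address(last).packed
    for i in range(4):
        if lo[i] != hi[i]:
            if all(lo[j] == 0 and hi[j] == 255 for j in range(i + 1, 4)):
                return r"\.".join([str(o) for o in lo[:i]] + [octet_regex(lo[i], hi[i])]
                                  + [r"\d{1,3}"] * (3 - i))
            break
    else:
        return r"\.".join(str(o) for o in lo)   # first == last
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return "(?:" + "|".join(cidr_to_regex(str(n)) for n in nets) + ")"

def build_header_checks(entries, final_hop_marker):
    """pcre header_checks table; its rules run only for Received: headers that also match `final_hop_marker`."""
    lines = [f"if /^Received:.*{final_hop_marker}/"]
    for entry in entries:
        if "-" in entry:                   # "first - last" range, otherwise CIDR
            first, last = (s.strip() for s in entry.split("-", 1))
            rx = range_to_regex(first, last)
        else:
            rx = cidr_to_regex(entry)
        # the look-arounds keep 1213.37.x.y or 213.37.200.1.5 from matching
        lines.append(rf"/^Received:\s+from\s+.*(?<![\d.]){rx}(?![\d.])/ REJECT blocked network {entry}")
    lines.append("endif")
    return "\n".join(lines)

def table_matches(table, header):
    """Evaluate the table against one header as Postfix would: guard first, then the first matching rule."""
    lines = table.splitlines()
    guard = re.fullmatch(r"if /(.*)/", lines[0]).group(1)
    if not re.search(guard, header):
        return None                        # not the final hop: the if/endif body is skipped
    for line in lines[1:-1]:
        pattern, action = re.fullmatch(r"/(.*)/ (.*)", line).groups()
        if re.search(pattern, header):
            return action
    return None

# Constructed inputs: the Madritel range from the thread plus an RFC 5737 documentation block.
BLOCKLIST = ["213.37.150.0 - 213.37.251.255", "192.0.2.0/24"]
TABLE = build_header_checks(BLOCKLIST, r"by mx\.example\.com")   # hypothetical MTA hostname
# Constructed Received: headers; hostnames and queue ids are made up.
FINAL_HOP_FROM_BLOCKED = "Received: from smtp.badnet.test (unknown [213.37.200.17]) by mx.example.com (Postfix) id 0000001"
EARLIER_HOP_FROM_BLOCKED = "Received: from smtp.badnet.test (unknown [213.37.200.17]) by relay.isp.test (Postfix) id 0000002"
FINAL_HOP_FROM_CLEAN = "Received: from relay.isp.test (relay.isp.test [213.37.252.1]) by mx.example.com (Postfix) id 0000003"

if __name__ == "__main__":
    print(TABLE)
    print([table_matches(TABLE, h) for h in (FINAL_HOP_FROM_BLOCKED, EARLIER_HOP_FROM_BLOCKED, FINAL_HOP_FROM_CLEAN)])
```

The guard line uses the `if /pattern/` ... `endif` syntax of Postfix pcre tables, so the block list is only consulted for the Received: header that our own MTA wrote, which is the point of Noel's wrapper: a header from an earlier hop that mentions a listed address is ignored. Only constructs valid in both pcre and Python's re are emitted (non-capturing groups, `\d`, fixed-width look-arounds), which is what lets `table_matches` evaluate the table offline before it goes anywhere near a running Postfix.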