Re: UCE connect based on IP and reverse name

From: mouss (mlist.onlyfree.fr)
Date: Wed Jul 18 2007 - 04:46:06 CDT


cedric Gross wrote:
> Hello,
>
> I would like to Discard connection from ADSL PC Zombi, often I have a
> connection like this one in my log :
> "connect from host-89-228-252-182.kalisz.mm.pl[89.228.252.182]"
>
> Is there a way to tell postfix doing on connection :
> -Get client's IP
>
Postfix always does this.
> -Reverse DNS to get name (ie : host-89-228-252-182.kalisz.mm.pl)
>
And this. See your logs!
> -Do regexp on previous name like this one
> /.*([0-9]{1,3})-([0-9]{1,3})-([0-9]{1,3})-([0-9]{1,3})\..*/
>
check_client_access does this.
> -DISCARD if $1.$2.$3.$4 (or reverse) match IP
>
This is bad. Use REJECT instead of DISCARD.

Be warned that some legitimate sites use a "generic rDNS". Whether you
should "punish" them or not is a site policy question. Also, there are
too many forms of generic rDNS, and it is hard to come up with a short,
safe list of patterns. There are multiple approaches here:

[per domain pattern]
add patterns as you see them. In your example, you would add
     /^host-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.kalisz\.mm\.pl$/
In addition, if you know that kalisz.mm.pl is only used for
"residential" hosts, you can put it in a hash map.

The problem with this approach is the maintenance cost (now, such a list
would be helpful to share).

[general unsafe pattern]
Instead of trying to find precise forms, use a few general forms that may
catch non-generic rDNS, but here, do not reject mail. Instead, run
strict checks (ones that are unsafe for general mail, such as
reject_unknown_hostname or moderately safe DNSBLs...) and/or greylist
(but zombies may retry). Alternatively, you can tempfail and check your
logs to build a whitelist and a blocklist, but this requires maintenance.

One pattern that will catch a lot of generic rDNS clients is:
    /[^a-z]{5}/ dynlike
but again, this will also catch non-generic rDNS hosts.

But before all this, consider using zen.spamhaus.org (it includes
pbl.spamhaus.org).

> For the moment, I check the regexp against helo name but it's insufficient.
>