Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Steve (steeeeeveeegmx.net)
Date: Sat Mar 13 2010 - 16:47:05 CST
-------- Original-Nachricht --------
> Datum: Sat, 13 Mar 2010 15:33:00 -0500 (EST)
> Von: Wietse Venema <wietseporcupine.org>
> An: Postfix users <postfix-userspostfix.org>
> Betreff: Re: Feature request: configurable dnsbl scores in postscreen
> Stefan Foerster:
> > Now, "feature request" is actually not the right word - it's more an
> > idea, and probably somebody just needs to tell me it's a bad one.
> > With the postscreen_dnsbl_sites setting, each site administrator can
> > configure a list of DNS blacklists that new SMTP connections will be
> > checked against (excluding whitelisted hosts). The actual lookups are
> > done by dnsblog(8), and the result ist logged by postscreen(8) similar
> > to this:
> > postfix/postscreen: DNSBL rank 3 for 188.8.131.52
> > Would it be a good idea to extend the existing funcionality in a way
> > that allows the postmaster to add a "score" for each blacklist and
> > have postscreen(8) drop the connection only if a certain minimum score
> > is reached (and it is configured to drop connections not passing the
> > DNSBL test, of course)? Something like:
> > postscreen_dnsbl_sites = bl-a.example.com:2
> > bl-b.example.com:1
> > bl-c.example.com:2
> > postscreen_dnsbl_score_threshold = 3
> > (it's probably better to use a hash: or other indexed table to
> > configure those scores)
> > This is similar to what some policy server, e.g. policyd-weight, do -
> > with the added benefit that a connection would never reach a real
> > smtpd(8) if the score is exceeded.
> > Does that sound like a somewhat reasonable idea, or more like b/s?
> I think that a design (the stage before code is written) should
> consider how scoring would play with the other tests that postscreen
> implements, and how it would play with things that I intend to add
> such as light-weight greylisting.
> We can model postscreen-like programs in several ways. In all cases
> the program subjects each SMTP client to a number of tests (permanent
> white/blacklist, RBL lookup, pregreet, greylist, other).
> 1) Drop the client as soon as any test fails.
> 2) Drop the client as soon as the combined score exceeds some
> badness threshold.
> 3) Some other approach that may be harder to understand.
> Does it make sense to score RBL results together with PREGREET?
> What kinds of tests would be suitable for scoring together, and
> would these make sense in a postscreen-like program? By design
> postscreen is not a proxy, so it does not participate in mail
> delivering SMTP sessions.
I would say that having the possibility to score would be beneficial. On top of the scoring I would like to see some kind of grouping. So let's say you have:
group 1: dnsbl
group 2: rhsbl
group 3: ip checks
group 4: etc...
It would be great if I could say that (as an example):
- Combined scoring above X -> disconnect client
- Score inside group 1 >= Y -> disconnect client
- Score inside group 2 >= Z -> stop processing and let the client pass
A scenario for group 2 could be where you add a bunch DNSWL checks and if the result is above a certain threshold then don't do the other checks. Just allow the connecting client to pass.
Another thing beside scoring I see is counting. Let's say someone is using DNSBL and has set the combined maximum score to 100. Let's say the person is using zen.spamhaus.org and bl.spamcop.org and a bunch of other DNSBL. Now let's say a hit on zen gets 50 scores. A hit on SpamCop gets 25 scores. And the others get each 5.
Lets say that the connecting IP is in Zen and in SpamCop and in 3 other DNSBL. So the total score would be 90 (50 + 25 + 5 + 5 + 5). If you would add the possibility to count the hits then one could say that getting 100 score is resulting in disconnecting the client OR having 4 (just an example) or more hits is as well resulting in disconnecting the client.
So one has the possibility to add scoring and counting. Two factors that can result in disconnecting the client.
And while I am at it: Add the possibility to have a negative score. So one could combine DNSBL and DNSWL in one group (if you add group support) and have a positive score for hits on DNSBL while having negative scores on hits against DNSWL or have for example a negative score in case the connecting IP is NOT found in a particular DNSBL.
GMX DSL: Internet, Telefon und Entertainment für nur 19,99 EUR/mtl.!