On 07/03/2011 11:47, Stan Hoeppner wrote:
> mouss put forth on 3/6/2011 7:03 PM:
>
>> /^.*foo/
>> means "it starts with something followed by foo". and this is the same
>> thing as "it contains foo", which is represented by
>> /foo/
>
> I was taught to always start my expressions with "/^" and end them with
> "$/". Why did Steven teach me to do this if it's not necessary? Steven
> being the author of the Enemies List: http://enemieslist.com/ which
> contains over 65,000 regexes matching FQrDNS patterns.
>
>> well, you know I know these:) we all got spam from these...
>
> As with most/all dynamic ranges.
>
>> 1) first use IP ranges.
>> 2) then domains (hash/cdb)
>> for example:
>> .alshamil.net.ae REJECT blah blah
>> because there is no point to try to match something like
>> auh-b113917.alshamil.net.ae
>>
>> 3) then use regular expressions, but only when IPs and domains aren't
>> the way to go.
>
> Well, you know I know these mouss. :)

yes, but we're talking on a public list, so it's good to say "it all".
coz' all this stuff is archived and used in ways we can't imagine.

> Have you ever been locked in a
> certain train of thought and simply forgot to consider something
> related, later putting hand to forehead and saying "Duh!". My mindset
> was focused on showing how a single PCRE can block the same number of
> hosts as using IP addresses in a CIDR or hash table. I just didn't
> consider the domain blocking aspect of hash tables at the time. That's
> the "Duh!". I've been blocking domains with my hash table for something
> like 6 years now... I think some folks call this a "brain fart". ;)
>
>> no. IPs and domains are different things.
>>
>> cidr is about IPs. hash/cdb/pcre is about names. these are different
>> things and you know that. use each as appropriate.
>
> Of course. But IPs are valid in a hash table. You can even list them
> by the equivalent of a /24, /16, and /8 if you like, simply by omitting
> the last 1, 2, or 3 octets of the dotted quad. Just as I "brain farted"
> WRT using domains in a hash table, it appears you have done the same WRT
> using IP addresses in a hash table. :)
>

not really. I never put IPs in hash tables. more precisely, I never mix
domains and IPs. be it just for the fact that postfix first looks up
domains/hostnames before looking up IPs, which is the opposite of what I
want.

the /24, /16, /8 in postfix is a "sendmail compat" thing. something I
don't need.

> I agree it makes more sense to block domains with hash/cdb and IPs with
> CIDR. I've been doing exactly that for 5 of the 6 years I've been
> running Postfix. The first year (maybe less) I blocked IPs with a hash
> table, until I joined this list and learned about CIDR tables. I'm
> guessing most other new Postfix OPs go through the same
> progression--most "beginners docs" returned via Google teach the hash
> table and nothing else.
>
>> if the ISP makes it too much, then you should reduce it:
>> .embarqhsd.net REJECT blah blah
>
> Yeah, but then you end up potentially blocking large numbers of ham
> servers in SOHO land, in this case "*.sta.embarqhsd.net". Even in 2011
> there are still hundreds of thousands or more SOHO MTAs on static IP
> aDSL and cable circuits with generic rDNS. I should know as I'm one of
> them. (Please let's not allow this to turn into yet another flame war
> WRT generic rDNS, real OPs rent a VPS/colo, yada yada--I'm not directing
> this at you mouss but to those predisposed to flog this dead, stripped
> to the bone, horse carcass).

believe it or not, I have nothing against "dynamic" IPs. my approach is
as follows:
- whitelisted IPs get whitelisted. this includes "public" whitelists and
  local whitelists
- I do not include an expression for "generic rdns" until I get spam
- after N spam, I add an expression. well, I do check if it's ok to add a
  blocking rule
- I do not care if it's "static", ".sta" or whatever.

as I said above, it's not about dynamic, it's about accountability. if I
get spam from joe.example, I know I can complain to
(abuse|postmaster)@joe.example. if I get junk from
1.2.3.4.largeisp.example, I know I have no right to complain, because I'm
not part of the "money circuit".

>>>> a "better" example would be
>>>> /(\W\d+){4}\..*\.embarqhsd\.net$/ REJECT ...
>>>
>>> "Better" in what way?
>>
>> in the sense that this can't be represented using hash or the like.
>
> Ok. So you're not showing this PCRE above because it better matches the
> target rDNS string, or that the engine executes it faster or something,
> etc. You're simply saying don't use a PCRE for something you can match
> using a simpler table, such as hash/cdb. Correct?
>

yep. but that said, if you don't have performance problems, using a single
map is probably better than splitting it into a pcre and a hash/cdb map.
so what I said doesn't apply to _you_. it was about the example (showing a
better example).
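Added illustration of the lookups the thread argues about (this is editor-supplied example code, not code from the thread, from mouss, from Stan or from Postfix itself). It emulates three map types over constructed client records: a hash-style map whose keys are tried hostname first, then parent domains as ".parent", then the IP and its shortened octet prefixes (the name-before-IP order mouss objects to when domains and IPs share one map), a cidr map for IP ranges, and a pcre map holding the thread's embarqhsd expression. The overall order follows mouss's list (IP ranges, domains, regexes). The lookup order is modeled on the documented behaviour of check_client_access with hash maps and is a simplification; the map entries, host names, addresses and the `same_matches` helper are assumptions made for the example.

```python
"""Emulation of Postfix-style client access lookups (added example; not
Postfix code).  Map contents and client records are constructed."""
import ipaddress
import re

# Constructed hash/cdb-style map.  ".domain" entries match any subdomain.
# The IP prefix entry is here only to show what happens when a hash map
# mixes names and addresses: name keys are consulted before IP keys.
HASH_MAP = {
    ".alshamil.net.ae": "REJECT generic rDNS, no accountable contact",
    ".trusted.example": "OK",
    "203.0.113": "REJECT 203.0.113.0/24 as a hash prefix",
}

# Constructed cidr map: IP ranges belong here, not in the hash map.
CIDR_MAP = [
    (ipaddress.ip_network("198.51.100.0/24"), "REJECT 198.51.100.0/24"),
]

# The pcre from the thread: four "<non-word><digits>" groups, a dot, then
# anything, then .embarqhsd.net at the end.  Python's re handles this
# pattern the same way PCRE does.
PCRE_MAP = [
    (re.compile(r"(\W\d+){4}\..*\.embarqhsd\.net$"), "REJECT generic rDNS"),
]


def hash_lookup_keys(hostname, ip):
    """Keys in the order a hash map is consulted for a client: full
    hostname, each parent domain written as ".parent", then the IP,
    then the IP with 1, 2 and 3 trailing octets stripped (the
    "sendmail compat" /24, /16, /8 lookups)."""
    keys = []
    if hostname:
        keys.append(hostname)
        labels = hostname.split(".")
        keys.extend("." + ".".join(labels[i:]) for i in range(1, len(labels)))
    octets = ip.split(".")
    keys.append(ip)
    keys.extend(".".join(octets[:n]) for n in (3, 2, 1))
    return keys


def check_hash(hostname, ip):
    """First hash-map hit as (key, action), or None."""
    for key in hash_lookup_keys(hostname, ip):
        if key in HASH_MAP:
            return key, HASH_MAP[key]
    return None


def check_cidr(ip):
    """First cidr-map hit as (network, action), or None."""
    addr = ipaddress.ip_address(ip)
    for net, action in CIDR_MAP:
        if addr in net:
            return str(net), action
    return None


def check_pcre(hostname):
    """First pcre-map hit as (pattern, action), or None."""
    for rx, action in PCRE_MAP:
        if rx.search(hostname):
            return rx.pattern, action
    return None


def check_client_access(hostname, ip):
    """Consult the maps in mouss's order: IP ranges, then domains, then
    regexes.  Returns (map, key, action) for the first hit, otherwise
    ("none", None, "DUNNO")."""
    for name, result in (("cidr", check_cidr(ip)),
                         ("hash", check_hash(hostname, ip)),
                         ("pcre", check_pcre(hostname))):
        if result:
            return (name,) + result
    return ("none", None, "DUNNO")


def same_matches(pattern_a, pattern_b, samples):
    """True when two unanchored patterns accept exactly the same samples,
    e.g. /^.*foo/ versus /foo/ from the start of the thread."""
    ra, rb = re.compile(pattern_a), re.compile(pattern_b)
    return all(bool(ra.search(s)) == bool(rb.search(s)) for s in samples)


if __name__ == "__main__":
    # Constructed clients: (hostname, ip)
    for host, ip in [("auh-b113917.alshamil.net.ae", "192.0.2.10"),
                     ("h-68-164-142-157.sta.embarqhsd.net", "192.0.2.11"),
                     ("mail.embarqhsd.net", "192.0.2.12"),
                     ("smtp.example.test", "198.51.100.7"),
                     ("mx.trusted.example", "203.0.113.5")]:
        print(host, ip, "->", check_client_access(host, ip))
    print(same_matches(r"^.*foo", r"foo", ["foo.example", "barfoo", "bar"]))
```

The last client record is the case mouss describes: its address sits under the "203.0.113" REJECT prefix, but because ".trusted.example" is a name key it is consulted first and wins. Keeping addresses in the cidr map (checked before the hash map here) avoids that ordering surprise. The "mail.embarqhsd.net" record shows why the regex is narrower than a ".embarqhsd.net" hash entry: a non-generic host under that domain is not matched.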