On 29/12/2010 16:54, Jason Bertoch wrote:
>
> I'm starting to see a (new to me) pattern of spam, and only spam, with
> PTR records consisting of a single dot, such as:
>
> Received: from ejru38.pindmosel.info (. [184.154.78.38] (may be forged))

I used to block these and others in postfix:
pcre = pcre:/etc/postfix/maps/pcre
db = cdb:/etc/postfix/maps/cdb

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    ...
    check_helo_access ${pcre}/access_host
    check_reverse_client_hostname_access ${pcre}/access_host

== /etc/postfix/maps/pcre/access_host
/^\.$/ REJECT invalid PTR (single dot)
# hostnames whose last label is a bogus TLD (anchored on the dot before the label)
/\.(arpa|invalid|inv|local|lokaal|private|root|kornet|speedportw700v|firewall|home)$/ REJECT blah blah
...

> It doesn't appear that there is a stock rule yet to identify this
> particular case. RDNS_NONE matches, but I believe a more specific rule
> may be in order, or maybe even something at the MTA level if this
> pattern proves reliable. Has anyone else identified this pattern in
> their mail flow?
>

header PTR_DOT_ONLY X-Spam-Relays-External =~ /^[^\]]+ rdns=\. /i

we can also try catching bogus TLDs: .arpa, kornet, speedportw700v, ...

header PTR_BOGUS_TLD X-Spam-Relays-External =~ /^[^\]]+ rdns=\S+\.(?:arpa|kornet|speedportw700v|invalid) /i
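The two checks from this thread (the Postfix reverse-hostname map and the two SpamAssassin header rules), reimplemented in Python as an added example that is not part of the original post. The Python regexes mirror the Perl/PCRE patterns above; the X-Spam-Relays-External layout ("[ ip=... rdns=... helo=... by=... ] [ ... ]", most recent relay first) is assumed from SpamAssassin's documented format, and the sample header values, hostnames and addresses are constructed for the test. The last sample shows why the `^[^\]]+` prefix matters: it confines the match to the last-hop external relay, so a single-dot PTR further back in the chain does not fire the rule.

```python
import re
from typing import List, Optional

# Reverse-hostname checks with the same intent as the Postfix pcre access map
# in the post (Python regex syntax here, not Postfix map syntax).
SINGLE_DOT_PTR = re.compile(r"^\.$")
BOGUS_TLD_PTR = re.compile(
    r"\.(arpa|invalid|inv|local|lokaal|private|root|kornet|speedportw700v|firewall|home)$",
    re.IGNORECASE,
)

# SpamAssassin-style header rules. "^[^\]]+ rdns=" cannot cross the first "]",
# so only the first (last-hop external) relay is inspected.
PTR_DOT_ONLY = re.compile(r"^[^\]]+ rdns=\. ", re.IGNORECASE)
PTR_BOGUS_TLD = re.compile(
    r"^[^\]]+ rdns=\S+\.(?:arpa|kornet|speedportw700v|invalid) ", re.IGNORECASE
)


def check_reverse_hostname(rdns: str) -> Optional[str]:
    """Return the reject reason for a reverse hostname, or None if it passes."""
    if SINGLE_DOT_PTR.match(rdns):
        return "invalid PTR (single dot)"
    if BOGUS_TLD_PTR.search(rdns):
        return "bogus TLD in PTR"
    return None


def sa_rules_hit(relays_external: str) -> List[str]:
    """Names of the header rules that fire on one X-Spam-Relays-External value."""
    hits = []
    if PTR_DOT_ONLY.search(relays_external):
        hits.append("PTR_DOT_ONLY")
    if PTR_BOGUS_TLD.search(relays_external):
        hits.append("PTR_BOGUS_TLD")
    return hits


# Constructed sample header values (documentation IPs, made-up hostnames).
SAMPLES = {
    "dot": (
        "[ ip=192.0.2.10 rdns=. helo=ejru38.example.invalid by=mx.example.org "
        "ident= envfrom= intl=0 id=ABC auth= msa=0 ]"
    ),
    "arpa": (
        "[ ip=192.0.2.11 rdns=host.in-addr.arpa helo=host by=mx.example.org "
        "ident= envfrom= intl=0 id=ABD auth= msa=0 ]"
    ),
    "clean": (
        "[ ip=192.0.2.12 rdns=mail.example.net helo=mail.example.net by=mx.example.org "
        "ident= envfrom= intl=0 id=ABE auth= msa=0 ]"
    ),
    # Single-dot PTR on the second hop only: the rules look at the first relay.
    "second_hop_dot": (
        "[ ip=192.0.2.13 rdns=mail.example.net helo=mail.example.net by=mx.example.org "
        "ident= envfrom= intl=0 id=ABF auth= msa=0 ] "
        "[ ip=192.0.2.14 rdns=. helo=x by=mail.example.net "
        "ident= envfrom= intl=0 id=ABG auth= msa=0 ]"
    ),
}

if __name__ == "__main__":
    for name in (".", "host.in-addr.arpa", "mail.example.net"):
        print(f"{name!r:24} -> {check_reverse_hostname(name)}")
    for label, value in SAMPLES.items():
        print(f"{label:16} -> {sa_rules_hit(value)}")
```

Running the module prints the reject reason (or None) for each hostname and the rule names that fire for each sample; only the "dot" and "arpa" samples hit, and "second_hop_dot" stays clean because the match is anchored on the first relay block.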