On 13.02.2016 at 16:46, Alex wrote:
DNS is very effective to block at the MTA level. I set up my own private RBL on the DNS servers my SA boxes point to. Dump your IPs into an rbldnsd-formatted zone file and set up your private RBL zone (it doesn't have to be a real zone on the Internet) to forward to rbldnsd. Rbldnsd will detect changes to its zone files and reload them automatically to keep current.

Do you have some kind of whitelist that includes gmail, yahoo, etc.? I'm not looking to compete with spamhaus, just complement it, but rejecting outright at the SMTP level for IPs reaching my honeypots could be dangerous if not checked.
Something PTR-based like below is a good start. A snippet of our honeypot daemon, written in PHP, is at the bottom, and yes, you can write a proper network service in PHP listening not only on port 25.
_________________________________

/** chroot to runtime directory and change basedir for later operations */
if(chroot(__DIR__))
{
    $chroot_basedir = '/honeypot-chroot';
}
else
{
    $chroot_basedir = __DIR__;
}

/**
 * drop privileges to 'nobody'
 * ($nobody_user / $nobody_group hold the uid/gid resolved earlier in the
 * daemon, $port is the listening port; both are set outside this snippet)
 */
if(!posix_initgroups('nobody', $nobody_group) || !posix_setgid($nobody_group) || !posix_setuid($nobody_user))
{
    error_log('ERROR: Drop privileges failed (' . $port . ')');
    exit('ERROR: Drop privileges failed (' . $port . ')' . "\n");
}

_________________________________

/**
 * Exempt large providers and obvious mail servers from automatic
 * blacklisting; the decision is based on the reverse DNS (PTR)
 *
 * Returns 'true' if the IP is to be ignored,
 * so the honeypot only stores the spam samples
 *
 * @param string $ptr
 * @return boolean
 * @access public
 */
function ignore_blacklist_ptr($ptr)
{
    /** special handling: anything that calls itself a mail server */
    if(strpos($ptr, 'smtp') !== false || strpos($ptr, 'mail') !== false || strpos($ptr, 'mxout') !== false)
    {
        return true;
    }

    /** PTR suffixes to ignore */
    $ignored = array(
        '.ac.at', '.apple.com', '.ebay.com', '.eyepin.com',
        '.facebook.com', '.gmx.at', '.gmx.com', '.gmx.de',
        '.gmx.net', '.google.com', '.gv.at', '.itronic.at',
        '.kundenserver.de', '.microsoft.com', '.mx.aol.com', '.observer.at',
        '.office-vienna.at', '.orf.at', '.outlook.com', '.paylife.at',
        '.paypal.com', '.phx3.secureserver.net', '.pinterest.com', '.skype.com',
        '.smtp-out.amazonses.com', '.thelounge.net', '.twitter.com', '.web.de',
        '.wetransfer.com', '.xing.com', '.yahoo.co.jp', '.yahoo.com',
        'taro.utanet.at', 'tatiana.utanet.at',
    );

    /** iterate and test each entry against the end of the PTR (anchored suffix match) */
    foreach($ignored as $test)
    {
        if(strpos($ptr, $test) !== false)
        {
            $xtest = substr($ptr, strlen($ptr) - strlen($test));
            if($xtest == $test)
            {
                return true;
            }
        }
    }

    /** not listed: return 'false' */
    return false;
}
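The same idea as the PHP function above, as an added example that is not part of the original post or daemon: an anchored PTR-suffix whitelist, but only honoured when the PTR is forward-confirmed (the name resolves back to the connecting IP), and the surviving hits written out as an rbldnsd ip4set dataset. The bare 'smtp'/'mail' substring rule from the post is dropped, since any sender who controls its own rDNS can satisfy it. The suffix list is a subset of the post's, the hits and the forward-DNS table are constructed samples, and the ip4set layout (a ':A-value:TXT' default line followed by one IP per line) is my assumption.

```python
import ipaddress
import socket

# Provider suffixes exempted from listing (a subset of the post's list, as a sample).
IGNORED_SUFFIXES = ('.google.com', '.yahoo.com', '.outlook.com', '.gmx.net')

# Constructed forward-DNS table standing in for real A lookups, so this runs offline.
FAKE_A_RECORDS = {
    'mail-ab12.google.com': ['192.0.2.10'],
}

def a_records(name, table=FAKE_A_RECORDS):
    """A records for name: from the constructed table, or the real resolver when table is None."""
    if table is not None:
        return table.get(name, [])
    return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})

def ptr_whitelisted(ptr):
    """Anchored suffix match on the PTR name (trailing dot and case ignored)."""
    ptr = ptr.rstrip('.').lower()
    return any(ptr.endswith(s) for s in IGNORED_SUFFIXES)

def forward_confirmed(ip, ptr, table=FAKE_A_RECORDS):
    """FCrDNS: the PTR name must resolve back to the connecting IP, otherwise the PTR is untrusted."""
    try:
        return ip in a_records(ptr, table)
    except OSError:
        return False

def classify(ip, ptr, table=FAKE_A_RECORDS):
    """'ignore' only for a whitelisted *and* forward-confirmed PTR; everything else gets listed."""
    if ptr and ptr_whitelisted(ptr) and forward_confirmed(ip, ptr, table):
        return 'ignore'
    return 'list'

def rbldnsd_ip4set(hits, table=FAKE_A_RECORDS, text='Hit private honeypot'):
    """Build an rbldnsd ip4set dataset (assumed format: ':A-value:TXT' default line, then one IP per line)."""
    listed = {ip for ip, ptr in hits if classify(ip, ptr, table) == 'list'}
    body = [':127.0.0.2:' + text]
    body += sorted(listed, key=ipaddress.IPv4Address)
    return '\n'.join(body) + '\n'

# Constructed honeypot hits: (connecting IP, its PTR or None).
SAMPLE_HITS = [
    ('192.0.2.10', 'mail-ab12.google.com'),   # genuine: PTR resolves back -> ignored
    ('192.0.2.20', 'mail-ab12.google.com'),   # forged PTR: no forward match -> listed
    ('192.0.2.30', 'smtp.example.net'),       # 'smtp' in the name is not enough -> listed
    ('192.0.2.40', None),                     # no rDNS at all -> listed
]

if __name__ == '__main__':
    print(rbldnsd_ip4set(SAMPLE_HITS), end='')
```

Pass `table=None` to query the real resolver; rbldnsd picks up the rewritten file on its own, as Alex describes.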