Reverse DNS

Junior Member
Posts: 60
Joined: Wed Sep 19, 2007 3:31 pm

Postby SteveT » Mon Jan 28, 2008 2:00 pm

Alex,
I was going to try your sample Reverse DNS filter:

if tag X-User-Host is blank
then set reply 550 Reverse Address Required
and disconnect and stop all filters

My problem is that I don't have 550 Reverse Address Required in my set Reply options. Can I add this?
--
Regards,
Steve Topilnycky
ArGoStuff | Top Cat Computing

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Mon Jan 28, 2008 3:24 pm

Sure, just type it.

Junior Member
Posts: 60
Joined: Wed Sep 19, 2007 3:31 pm

Postby SteveT » Mon Jan 28, 2008 3:30 pm

That was too darn easy. When I saw the drop-down, I thought it was predefined somewhere. Duh...

Once again you're a life saver, Alex.

Thanks
--
Regards,
Steve Topilnycky
ArGoStuff | Top Cat Computing

Expert
Posts: 265
Joined: Tue May 04, 2004 1:07 pm

Postby dave » Sun Feb 10, 2008 2:55 pm

While I know this is a relatively old topic, I'd like to know, does anyone else here have problems with this filter?

I've found that on some emails, for whatever reason, reverse DNS lookup failed. The first way I found to "fix" it was to add a test for "and SPF not equal to PASS", but it didn't totally help.

I'm finally resigned to putting a warning in the subject line [POSSIBLE SPAM - NO RDNS], so that when my customer calls me, I can explain what it means. However, there doesn't seem to be a distinction in eWall between failed DNS and no reverse DNS (in other words, eWall being unable to connect to the DNS servers and get an appropriate response).

Anyone else have this problem?

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Sun Feb 10, 2008 6:11 pm

It would be great to have a non-working example; then I could see whether this problem is with eWall or with the DNS server.

Expert
Posts: 265
Joined: Tue May 04, 2004 1:07 pm

Postby dave » Mon Feb 11, 2008 12:36 am

Here's an email that failed. A subsequent email passed (not included here):
Return-Path: <JennyLastname@bizchair.com>
Received: from EVS01-NETWORK.bizchair.local (servername [192.168.147.2])
   by mail.iwps.cam with CMailServer 5.4.6 SMTP;
   Tue, 29 Jan 2008 08:34:35 -0500
Received: from EVS01-NETWORK.bizchair.local (192.168.147.2) by mail via JSpamFilter; Tue, 29 Jan 2008 08:34:03 -0500
X-JSpamFilter-Version: 3.8 Enterprise (IWPS.cam) (Score: 0, 16ms)
Subject: POSSIBLE SPAM (NO RDNS) - BizChair.com Order bizchair1-206598
Date: Tue, 29 Jan 2008 08:33:36 -0500
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID: <B0CBB043875E1E40BC80FD4E01A51E4038847B@EVS01-NETWORK.bizchair.local>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: BizChair.com Order bizchair1-206598
Thread-Index: Achie40GN+8/JRnFS9GuS3UJb7MOYA==
From: "Jenny Lastname" <JennyLastname@bizchair.com>
To: "Dave" <MyEmail@Address.com>
X-Antivirus: AVG for E-mail 7.5.516 [269.19.14/1247]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-479F84CA4AFD======="

--=======AVGMAIL-479F84CA4AFD=======
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C8627B.8D08BD1E"

------_=_NextPart_001_01C8627B.8D08BD1E
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

=20

Thank you very much for placing an order with Bizchair.com.  The WL-1156
chair you purchased is composed of special, resilient, molded and
sculptured high density foam that occasionally becomes wrinkled or
indented during transit.  If you open the carton and find indentations
or crinkles of any sort do not worry.  Simply get a blow dryer, turn it
on the high heat setting and blow it on the crinkled area.  The wrinkles
will vanish before your eyes in a matter of a few seconds and the foam
padding will return to its original position. =20

=20

If you have any questions, please call Gary at 1-800-924-2472 extension
8224.

=20

ENJOY YOUR NEW CHAIR AND THANK YOU FOR BUYING FROM BIZCHAIR.COM

=20

=20

=20


------_=_NextPart_001_01C8627B.8D08BD1E
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"City" =
downloadurl=3D"http://www.5iamas-microsoft-com:office:smarttags"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"place" downloadurl=3D"http://www.5iantlavalamp.com/"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
   {font-family:Georgia;
   panose-1:2 4 5 2 5 4 5 2 3 3;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
   {margin:0in;
   margin-bottom:.0001pt;
   font-size:12.0pt;
   font-family:"Times New Roman";}
a:link, span.MsoHyperlink
   {color:blue;
   text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
   {color:purple;
   text-decoration:underline;}
span.EmailStyle17
   {mso-style-type:personal-compose;
   font-family:Arial;
   color:windowtext;}
@page Section1
   {size:8.5in 11.0in;
   margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
   {page:Section1;}
-->
</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Thank you very much for placing an order with
Bizchair.com.  The WL-1156 chair you purchased is composed of =
special, <b><span
style=3D'font-weight:bold'>resilient, molded and sculptured high density =
foam</span></b>
that occasionally becomes wrinkled or indented during transit.  If =
you
open the carton and find indentations or crinkles of any sort do not
worry.  Simply get a blow dryer, turn it on the high heat setting =
and blow
it on the crinkled area.  The wrinkles will vanish before your eyes =
in a
matter of a few seconds and the foam padding will return to its original
position.  <o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><b><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial;font-weight:bold'>If you have any questions, please =
call <st1:place
w:st=3D"on"><st1:City w:st=3D"on">Gary</st1:City></st1:place> at =
1-800-924-2472
extension 8224.<o:p></o:p></span></font></b></p>

<p class=3DMsoNormal><font size=3D2 face=3DGeorgia><span =
style=3D'font-size:10.0pt;
font-family:Georgia'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><b><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial;font-weight:bold'>ENJOY YOUR NEW CHAIR AND THANK YOU =
FOR
BUYING FROM BIZCHAIR.COM<o:p></o:p></span></font></b></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>

</div>

</body>

</html>

------_=_NextPart_001_01C8627B.8D08BD1E--
--=======AVGMAIL-479F84CA4AFD=======
Content-Type: text/plain; x-avg=cert; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.19.14/1247 - Release Date: 1/28/2008 =
10:59 AM

--=======AVGMAIL-479F84CA4AFD=======--


Here is the relevant log snippet for this email:
1/29/2008 8:34:13 AM   6575   1627   Checking condition 'message URI(s) listed in 'black.uribl.com' or 'multi.surbl.org''
1/29/2008 8:34:35 AM   6574   31804   'www.5iamas-microsoft-com' not listed
1/29/2008 8:34:35 AM   6574   31805   -> Processing filter 'Country Warning'
1/29/2008 8:34:35 AM   6574   31805   Checking condition 'sender country is 'Afghanistan' or 'Albania' or 'Algeria' or 'American Samoa' or 'Andorra'...'
1/29/2008 8:34:35 AM   6574   31805   -> Processing filter 'No RDNS'
1/29/2008 8:34:35 AM   6574   31805   Checking condition 'X-User-Host is blank'
1/29/2008 8:34:35 AM   6574   31805   Is blank
1/29/2008 8:34:35 AM   6574   31805   Checking condition 'sender is not authenticated'
1/29/2008 8:34:35 AM   6574   31805   Checking condition 'sender IP not in white list'
1/29/2008 8:34:35 AM   6574   31806   Checking condition 'SPF result is None or Neutral or Fail or Soft Fail or Error (permanent)'
1/29/2008 8:34:35 AM   6574   31806   SPF result: None (Domain BIZCHAIR.COM does not publish SPF record)
1/29/2008 8:34:35 AM   6574   31806   Applying action 'add POSSIBLE SPAM (NO RDNS) -  to the subject'
1/29/2008 8:34:35 AM   6574   31806   -> Processing filter 'Questionable Attachments'
1/29/2008 8:34:35 AM   6574   31806   Checking condition 'message has '*.386' or '*.ADE' or '*.ADP' or '*.APP' or '*.ASP' or '*.BAS' or '*.BAT'... attachment'
1/29/2008 8:34:35 AM   6574   31806   -> Processing filter 'GIF PDF or PNG Attachment'
1/29/2008 8:34:35 AM   6574   31807   Checking condition 'message has '*.GIF' or '*.PNG' attachment'
1/29/2008 8:34:35 AM   6574   31896   < 250 OK
1/29/2008 8:34:35 AM   6574   31990   > QUIT
1/29/2008 8:34:35 AM   6574   32005   < 221 SMTP SERVICE CLOSED
1/29/2008 8:34:35 AM   6574   32074   Disconnect


The filter called "No RDNS" tests for:
a) 'X-User-Host is blank', and
b) 'sender is not authenticated', and
c) 'sender IP not in white list', and
d) 'SPF result is [not pass]', then
e) "Possible spam...to the subject"
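An added example (not eWall's code, and not from anyone in this thread) that models dave's four-condition "No RDNS" filter but keeps an authoritative "no PTR record" answer apart from a lookup that simply failed, which is the distinction dave notes eWall lacks. The resolver is a stub over constructed addresses so it runs offline; the class, function and field names are my own assumptions.

```python
"""Model of the 'No RDNS' filter from the thread, with a failed lookup kept
separate from a missing PTR. Resolver data is constructed (RFC 5737 test
addresses); names are assumptions, not eWall's."""
from dataclasses import dataclass
from enum import Enum


class Rdns(Enum):
    FOUND = "found"   # a PTR record exists for the connecting IP
    NONE = "none"     # authoritative answer: no PTR (NXDOMAIN)
    ERROR = "error"   # timeout / SERVFAIL: we simply do not know


# Constructed stub standing in for a real PTR query.
STUB_PTR = {
    "192.0.2.10": "mail.example.net",  # has reverse DNS
    "192.0.2.20": None,                # authoritative "no PTR"
    # 192.0.2.30 deliberately absent -> simulated resolver failure
}


def reverse_lookup(ip, stub=STUB_PTR):
    """Return (Rdns, hostname). A real resolver would map NXDOMAIN to NONE and
    timeouts or SERVFAIL to ERROR; the stub does that mapping here."""
    if ip not in stub:
        return Rdns.ERROR, ""
    host = stub[ip]
    return (Rdns.FOUND, host) if host else (Rdns.NONE, "")


@dataclass
class Session:
    ip: str
    authenticated: bool   # 'sender is not authenticated' condition
    whitelisted: bool     # 'sender IP not in white list' condition
    spf: str              # eWall's SPF result text, e.g. "Pass", "None"


def no_rdns_filter(s, lookup=reverse_lookup):
    """Apply dave's four conditions and return the action taken."""
    status, _host = lookup(s.ip)
    # Any one of these lets the message through untouched.
    if status == Rdns.FOUND or s.authenticated or s.whitelisted or s.spf == "Pass":
        return "accept"
    if status == Rdns.NONE:
        return "tag: POSSIBLE SPAM (NO RDNS)"
    # Lookup failed: the sender may well have a PTR, so label the message
    # differently (or tempfail with a 4xx) instead of blaming the sender.
    return "tag: POSSIBLE SPAM (RDNS LOOKUP FAILED)"
```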

Junior Member
Posts: 60
Joined: Wed Sep 19, 2007 3:31 pm

Postby SteveT » Mon Feb 11, 2008 1:37 am

Dave,
Side note: How do you implement the URI Scan?
--
Regards,
Steve Topilnycky
ArGoStuff | Top Cat Computing

Expert
Posts: 265
Joined: Tue May 04, 2004 1:07 pm

Postby dave » Mon Feb 11, 2008 1:16 pm

Sorry Steve, I don't understand the question. Could you set "Explanation" mode to "Verbose" and try again? ;)

Junior Member
Posts: 60
Joined: Wed Sep 19, 2007 3:31 pm

Postby SteveT » Mon Feb 11, 2008 1:27 pm

Dave,

In the log you posted, you have a filter that is checking URI's:

Checking condition 'message URI(s) listed in 'black.uribl.com' or 'multi.surbl.org''
1/29/2008 8:34:35 AM 6574 31804 'www.5iamas-microsoft-com' not listed

How do you do this? Do you have an external program that will check URI's?
--
Regards,
Steve Topilnycky
ArGoStuff | Top Cat Computing

Expert
Posts: 265
Joined: Tue May 04, 2004 1:07 pm

Postby dave » Mon Feb 11, 2008 1:31 pm

Sorry again Steve, it appears that if I read the question, it makes a difference. Oops!

Attached is the filter I use. Please rename it to "SURBL.MFR" to import it (for some reason the upload feature here was blocking ".mfr" file extension). Alex? Some points about the filter:

- I exclude AOL, as I can't afford to ban all of AOL just because one spammer abuses an AOL account. Too many customers complain.
- I use two SURBL services...extra cautious I guess.
- I give out obscure error responses (numeric only). I don't want to give spammers a clue as to why they are blocked. I keep a list in my wallet of what each error code means, that way I can assist legitimate users.
- I add them to the eWall blacklist for 2 days, to minimize load on the SURBL servers. Heck, once I've marked them as spam, why waste their resources?

Hope this helps!

Dave

