
hardwarefreak.com-fqrdns.pcre's People

Contributors: megahall, moisseev, simondeziel, stevejenkins

hardwarefreak.com-fqrdns.pcre's Issues

Drop rule for in-addr.arpa

Can't see a valid reason for this rule to exist:

/.in-addr.arpa$/ REJECT Generic - Please relay via ISP

ISP Static ranges

I was wondering about two rules that I have false positives on.

/^rrcs(-[12]?[0-9]{1,2}){4}.[a-z]{2,10}.biz.rr.com$/ REJECT Generic - Please relay via ISP (rr.com)
/^wsip(-[12]?[0-9]{1,2}){4}.([a-z]{2}.){2}cox.net$/ REJECT Generic - Please relay via ISP (cox.net)

I believe the first one is static, based on the biz, but I am not positive.
The second one I know is static, based on the wsip.

I have whitelisted IPs that match both the above rules.

Based on the last year of logs, for the first rule, the user seems to have fixed their issue, or no longer contacts us.
146 attempts matched the above rule
393 attempts were blocked before matching, due to RBL rules

For the second rule, we still have clients matching it, and using our specific IP exception.
87 matched the second rule above (cox), of them 47 were false positives.
133 attempts were blocked before matching, due to RBL rules.

I know these are small results, but while people are debating other rules, I thought these could use a tiny discussion, or if the in-addr.arpa rule was put into a more targeted list, these I think should be moved also.

Removal of some Greek ISPs

You can remove these entries as these Greek ISPs don't exist any more:

ontelecoms.gr
acn.gr
vivodi.gr

Overhead?

Steve: Thanks for taking on the maintenance of this. Not really an issue per se, just a concern. Hopefully it's an OK place to ask. Those pcre files are pretty lengthy. Is there much overhead in applying them to every message that comes through?

+1 (infinite loop)

Hello,

The following address sent spam today, and it does not occur in the list:
77.47.47.237.dynamic.cablesurf.de

As keeping the list up to date is impossible, I suggest you replace individual entries with a common pattern. For example, the following rules replace about 320 individual entries, they automatically include similar new entries, and help speed up Postfix's filtering:

/dyn(amic|adsl|dsl|ip)?[0-9]?[.-]/ REJECT Dynamic - Please relay via your ISP
/dial(in|up|-up|ip|pool|bs)?[0-9]?[.-]/ REJECT Dynamic - Please relay via your ISP
/dhcp[0-9]?[.-]/ REJECT Dynamic - Please relay via your ISP
/(wireless|wifi|wimax)[.-]/ REJECT Dynamic - Please relay via your ISP

I also suggest removing the "static" addresses: offices get those, and some host their own well-configured e-mail servers.
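
Rules like the four proposed above are unanchored, so before deploying them it is worth replaying them over reverse-DNS names from your own logs to see which accepted senders they would start rejecting. The following is an added example, not code from the post or the project: Python's `re` stands in for PCRE, and the `example.*` hostnames and the accept/reject labels are constructed.

```python
import re

# The four generic rules proposed in the post above, copied verbatim.
PROPOSED = [
    r"dyn(amic|adsl|dsl|ip)?[0-9]?[.-]",
    r"dial(in|up|-up|ip|pool|bs)?[0-9]?[.-]",
    r"dhcp[0-9]?[.-]",
    r"(wireless|wifi|wimax)[.-]",
]
# Postfix pcre tables match case-insensitively by default.
COMPILED = [re.compile(p, re.IGNORECASE) for p in PROPOSED]

# hostname -> True if it is a sender we want to keep accepting.
# The first two names are quoted on this page; the remaining names and
# all labels are constructed for the example.
HOSTS = {
    "77.47.47.237.dynamic.cablesurf.de": False,
    "dd28616.kasserver.com": True,
    "mail.dyn.example.org": True,
    "mx1.wifi-provider.example.net": True,
    "smtp.dhcp.example.edu": False,
    "dynamo.example.com": True,
    "dialog-mail.example.com": True,
}

def first_hit(host):
    """Return (pattern, matched substring) for the first rule that fires, else None."""
    for rx in COMPILED:
        m = rx.search(host)  # unanchored: may match any label of the name
        if m:
            return rx.pattern, m.group(0)
    return None

def audit(hosts):
    """Return (rejected hosts with the rule that fired, wanted senders among them)."""
    rejected = {h: first_hit(h) for h in hosts if first_hit(h)}
    false_positives = sorted(h for h in rejected if hosts[h])
    return rejected, false_positives

if __name__ == "__main__":
    rejected, fps = audit(HOSTS)
    for host, (pattern, text) in rejected.items():
        print(f"{host:36} matched {text!r} via /{pattern}/")
    print("wanted senders that would be rejected:", fps)
```
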

FPs due to dd.*\.kasserver\.com

I have only recently started to use fqrdns.pcre and quickly found some domains/senders causing FPs due to

/^dd[1-9][0-9]{3,5}\.kasserver\.com$/ REJECT Generic - Please relay via ISP (kasserver.com)

In many if not all cases the IP addresses + the FQrDNS names have been stable over the course of several months (I checked my logs since January 2019). The domains with the highest volumes are

seiteanseite.at 85.13.147.26 dd28616.kasserver.com
wohlrab.at 85.13.145.46 dd26118.kasserver.com
mailman.pxldsk.com 85.13.153.66 dd36426.kasserver.com
kindertheater.com 85.13.145.208 dd26926.kasserver.com
drehbuchforum.at 85.13.133.140 dd10926.kasserver.com
fluglaerm.at 85.13.152.9 dd34912.kasserver.com
concordia.at 85.13.130.23 dd3712.kasserver.com

EDIT: Found not just 2 but several more FPs.

>postmap fqrdns.pcre

postmap fqrdns.pcre

postmap: warning: fqrdns.pcre.db: duplicate entry: "if"
postmap: warning: fqrdns.pcre, line 346: expected format: key whitespace value
postmap: warning: fqrdns.pcre, line 347: expected format: key whitespace value
postmap: warning: fqrdns.pcre.db: duplicate entry: "if"
postmap: warning: fqrdns.pcre, line 485: expected format: key whitespace value
postmap: warning: fqrdns.pcre.db: duplicate entry: "if"
postmap: warning: fqrdns.pcre.db: duplicate entry: "/^[12]?[0-9]{1,2}(-[12]?[0-9]{1,2}){3}.3g.claro.net.br$/"
postmap: warning: fqrdns.pcre.db: duplicate entry: "/^[12]?[0-9]{1,2}(-[12]?[0-9]{1,2}){3}.goodline.info$/"
postmap: warning: fqrdns.pcre.db: duplicate entry: "/^broadband(-[12]?[0-9]{1,2}){4}.nationalcablenetworks.ru$/"
postmap: warning: fqrdns.pcre.db: duplicate entry: "/^ppp(-[12]?[0-9]{1,2}){4}.dialup.tiscali.it$/"
postmap: warning: fqrdns.pcre, line 1732: expected format: key whitespace value
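
Running `postmap` without `-q` parses the file as a plain `key whitespace value` map, so `if` lines show up as a repeated key `if` and a bare `endif` as a line without a value; a pcre table is read by Postfix directly and is queried with `postmap -q`. A linter that understands the pcre table syntax separates real problems (repeated rules, unbalanced `if`/`endif`, patterns that do not compile) from that noise. This is an added example, not part of the project: the sample table is constructed, Python's `re` only approximates PCRE, and continuation lines are not handled.

```python
import re

# Constructed sample in pcre_table(5) syntax; not taken from fqrdns.pcre itself.
SAMPLE = r"""# comment
/^ppp(-[12]?[0-9]{1,2}){4}\.dialup\.example\.it$/ REJECT Generic
if /\.example\.net$/
/^dsl-[0-9]+\.example\.net$/ REJECT Generic
endif
/^ppp(-[12]?[0-9]{1,2}){4}\.dialup\.example\.it$/ REJECT Generic
/^host([0-9]+\.example\.org$/ REJECT Generic
endif
"""

# [if] [!]/pattern/flags [action]
RULE = re.compile(r"^(if\s+)?(!?)/(.*?)/([A-Za-z]*)(?:\s+(.*))?$")

def lint(text):
    """Return a list of (line number, problem) for a pcre table given as text."""
    findings, seen, depth = [], {}, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            depth -= 1
            if depth < 0:
                findings.append((no, "endif without if"))
                depth = 0
            continue
        m = RULE.match(line)
        if not m:
            findings.append((no, "not a pcre_table rule"))
            continue
        is_if, neg, pattern, flags, action = m.groups()
        try:
            re.compile(pattern)
        except re.error as exc:
            findings.append((no, f"bad regex: {exc}"))
            continue
        key = (neg, pattern, flags)
        if is_if:
            depth += 1
        elif not action:
            findings.append((no, "rule has no action"))
        elif key in seen:
            findings.append((no, f"duplicate of line {seen[key]}"))
        else:
            seen[key] = no
    if depth:
        findings.append((0, f"{depth} unclosed if"))
    return findings
```
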
