From: Jorey Bump (no email)
Date: Tue Nov 07 2006 - 10:17:39 EST
SATOH Kiyoshi wrote:
> Hi.
>
> On Thu, 02 Nov 2006 17:07:55 -0500
> Jorey Bump <> wrote:
> Subject: Re: selective (greylisting|DNSBL|...) (Re: selective greylisting?)
>
>> mouss wrote:
>>> SATOH Kiyoshi wrote:
>>>> /^unknown$/ check_greylist
>>>> /^[^\.]*[0-9][^0-9\.]+[0-9]/ check_greylist
>>>> /^[^\.]*[0-9]{5}/ check_greylist
>>>> /^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/ check_greylist
>>>> /^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ check_greylist
>>>> /^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ check_greylist
>>>> /^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ check_greylist
>>> you can add 'dynamic', 'pool'...
>>> you can also include these when not at start (for instance
>>> /\.dynamic\./), though some care is needed.
>> This is actually a place where the SORBS DUL would come in handy. It
>> casts too wide a net to use as a blacklist, but it does a lot of this
>> kind of categorization already (and more). It would be suitable for
>> flagging hosts to greylist.
>
> The aim of my idea is to check selectively clients which seem to have a
> dynamic IP address by greylisting or DNSBL. Then, hopefully false
> positives will get fewer and resource load will get lower.
>
> Of course SORBS DUL can be used to check out clients which seem to have
> a dynamic IP address. However, pattern matching of client's FQDNs must
> need far less resource load than referring to DNS does. Also resource
> load of DNSBL will get lower.
That may or may not be true. Pattern matching may in fact be far more
resource intensive, as it must be performed on every connection, while a
DNSBL will enjoy the advantage of cached lookups.
The reason I suggest the SORBS DUL is because it seems to already use
such pattern matching and additional techniques that they believe are
strong indicators of dynamic addresses. Note that I don't agree with all
of their methods, especially where it involves marking a host as dynamic
if it doesn't conform to their Internet Draft for Generic DNS Naming
Schemes:
<http://tools.ietf.org/wg/dnsop/draft-msullivan-dnsop-generic-naming-schemes-00.txt>
In the context you've described, however, it would be mostly harmless
and spare you from the chore of maintaining patterns.
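An added worked example, not code from this thread or from Postfix, that runs the pcre rules quoted above against a few constructed client hostnames. Python's re module stands in for Postfix's PCRE here (the quoted patterns are valid in both), first-match and case-insensitive semantics mimic a Postfix pcre table, and the two extra 'dynamic'/'pool' patterns are my own illustration of what mouss suggests, not patterns anyone in the thread posted. The evaluation counter shows the point Jorey raises: a legitimate host that matches nothing still costs every pattern on every connection unless the result is cached.

```python
import re

# The check_client_access pcre rules quoted in the thread, in the original
# order. Postfix pcre tables use the first matching rule and match
# case-insensitively by default, so re.IGNORECASE is used and the list is
# scanned in order. Python's re replaces PCRE; the syntax is identical here.
BASE_RULES = [
    (r"^unknown$", "check_greylist"),
    (r"^[^\.]*[0-9][^0-9\.]+[0-9]", "check_greylist"),
    (r"^[^\.]*[0-9]{5}", "check_greylist"),
    (r"^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]", "check_greylist"),
    (r"^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]", "check_greylist"),
    (r"^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\.", "check_greylist"),
    (r"^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]", "check_greylist"),
]

# Hypothetical additions in the spirit of mouss's suggestion: 'dynamic' and
# 'pool' as a leading label with a digit, and '.dynamic.' / '.pool.' as an
# inner label. These are this example's guesses, not rules from the thread.
EXTRA_RULES = [
    (r"^(dynamic|pool)[^\.]*[0-9]", "check_greylist"),
    (r"\.(dynamic|pool)\.", "check_greylist"),
]


def compile_rules(rules):
    """Compile (pattern, action) pairs once, as the Postfix table would."""
    return [(re.compile(pattern, re.IGNORECASE), action)
            for pattern, action in rules]


def classify(client_name, rules):
    """Return (action, patterns_evaluated) for one client hostname.

    Unanchored patterns are searched anywhere in the name, as in a pcre
    table; None means no rule matched and Postfix would move on to the
    next restriction.
    """
    for tried, (regex, action) in enumerate(rules, 1):
        if regex.search(client_name):
            return action, tried
    return None, len(rules)


class CachedClassifier:
    """Pattern matching with a per-hostname result cache.

    Illustrates the cost argument: without the cache every connection from
    a non-matching host pays for the whole pattern list; with it, repeat
    connections from the same name are a dictionary lookup.
    """

    def __init__(self, rules):
        self.rules = compile_rules(rules)
        self.cache = {}
        self.evaluations = 0  # regex evaluations actually performed

    def lookup(self, client_name):
        if client_name not in self.cache:
            action, tried = classify(client_name, self.rules)
            self.evaluations += tried
            self.cache[client_name] = action
        return self.cache[client_name]


if __name__ == "__main__":
    # Constructed hostnames for demonstration, not real mail servers.
    samples = ["unknown", "dsl-123-45.example.net", "ppp-12.isp.example",
               "mail.example.com", "user.dynamic.example.net"]
    base = compile_rules(BASE_RULES)
    extended = compile_rules(BASE_RULES + EXTRA_RULES)
    for name in samples:
        print(name, classify(name, base), classify(name, extended))
    cc = CachedClassifier(BASE_RULES)
    for _ in range(3):
        cc.lookup("mail.example.com")
    print("evaluations for three connections with cache:", cc.evaluations)
```

Note that "user.dynamic.example.net" passes all seven quoted rules and is only caught by the added inner-label pattern, which is exactly the case where mouss says care is needed: a fixed mail host living under a "dynamic" subdomain would be greylisted too.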