
hardwarefreak.com-fqrdns.pcre's Introduction

Postfix PCRE Bot Spam Killer

(no longer available at www.hardwarefreak.com/fqrdns.pcre)

v2015-11-18

The original fqrdns.pcre file was created and maintained by Stan Hoeppner.

If you have suggested modifications to this file, please create a new issue or a pull request here on GitHub so I can consider the proposed changes after others have had a chance to comment. You can use the History function here on GitHub to see the most recent changes.

There are now three separate PCRE files in the fqrdns.pcre project. They are:

  • fqrdns.pcre - the primary list of bot spam killer rules. The goal of this list is to have virtually zero chance of false positives.

  • fqrdns-plus.pcre - slightly more restrictive rules that have been moved from the original fqrdns.pcre file due to a slightly increased risk of false positives. Overall, however, this file still has a low chance of false positives. This file should be used in addition to the original fqrdns.pcre file.

  • fqrdns-max.pcre - new rules that were never part of the original fqrdns.pcre file and which use more general patterns to take a more aggressive approach to blocking bot spam, catching the maximum number of dynamic hosts and/or misconfigured senders. These patterns help enforce a stricter and more "forensically sound" route of static addresses from sender to recipient, but with an increased risk of blocking potentially legitimate mail from misconfigured senders. This file should be used in addition to the original fqrdns.pcre file and the fqrdns-plus.pcre file.

Mail admins should deploy the primary fqrdns.pcre first, then add the fqrdns-plus.pcre and fqrdns-max.pcre files to their setup as desired. The three separate files work together to create a tiered approach to progressively blocking spam and misconfigured mailers.

The following paragraphs were included in Stan's original README:

*The following set of regular expressions attempt to stop bot spam connections by matching the FQrDNS name of the sending IP against known consumerish rDNS patterns or other rDNS patterns likely to be sources of bot spam and not legit email. This methodology is not without error, but time has proven it to be very accurate. If it blocks a sender you know to be legit and from whom you need to receive mail I recommend whitelisting that source instead of removing an expression below as a means to solve the problem. The expressions are POSIX regular expressions and can be used with either the PCRE or REGEXP table type. The PCRE engine is typically faster.

This file is provided AS IS with no WARRANTY. It is free software, without attribute or copyright, and without license. As such, you are completely free to use it and modify it as you see fit, for your purposes, with absolutely no strings attached.*

Usage

Save any of the .pcre files included in this project in /etc/postfix/.

Add them to the smtpd_client_restrictions section of main.cf. When using multiple files from this project, it is recommended to include them in your main.cf file in order of most aggressive to least aggressive:

smtpd_client_restrictions =
    ...
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-max.pcre
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-plus.pcre
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
    ...

If using Postfix 2.5 or earlier (check_reverse_client_hostname_access was introduced in Postfix 2.6), use check_client_access instead. Note the difference: check_reverse_client_hostname_access matches the unverified reverse (PTR) name of the client IP, whereas check_client_access matches the verified client hostname, which Postfix replaces with "unknown" when the reverse name does not resolve back to the connecting IP, so a client with a bogus PTR record is not matched by these patterns under check_client_access.

smtpd_client_restrictions =
    ...
    check_client_access pcre:/etc/postfix/fqrdns-max.pcre
    check_client_access pcre:/etc/postfix/fqrdns-plus.pcre
    check_client_access pcre:/etc/postfix/fqrdns.pcre
    ...

If you use the "everything under smtpd_recipient_restrictions" approach in your main.cf, add fqrdns.pcre toward the very top of your restrictions list, with your IP whitelist first. Restrictions are evaluated in order and the first one that returns a result wins, so a whitelist placed after the pcre check can never rescue a sender that the patterns reject. For example:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_client_access hash:/etc/postfix/whitelist
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
    ...
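The two evaluation rules that matter when deploying these tables are "first matching pattern in the pcre file wins" and "first restriction in the list that returns a result wins". The following Python script is an added example for this README, not code from the fqrdns.pcre project or from Postfix; it parses the subset of pcre_table(5) syntax these lists use (`/pattern/flags action`, `if /pattern/` ... `endif`, comments) and walks a restriction list the way Postfix does, so you can check offline whether a given IP plus reverse name would be whitelisted, rejected, or passed through (DUNNO) before touching main.cf. The sample table is constructed from rules quoted on this page (the kasserver.com rule, the in-addr.arpa rule and the generic dyn rule proposed in the "+1 (infinite loop)" issue) plus an invented `example-isp.test` if/endif block; the whitelist, mynetworks (modelled as exact IPs rather than CIDR blocks) and the hash-table lookup order are simplifications and assumptions of this example. On a real system use `postmap -q 'dd28616.kasserver.com' pcre:/etc/postfix/fqrdns.pcre` for the authoritative answer.

```python
"""Offline evaluator for a Postfix pcre: access table and a restriction list.

Added example for this README; not code from the fqrdns.pcre project. Handles
the pcre_table(5) subset these lists use: '/pattern/flags action',
'if /pattern/' ... 'endif', '#' comments and blank lines. Postfix matches
case-insensitively by default; the 'i' flag toggles that and 'x' enables
extended syntax. Other flags are ignored here (assumption).
"""
import re
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r'^(if\s+)?(!?)/(.*?)/([A-Za-z]*)(?:\s+(.*))?$')


class Rule:
    def __init__(self, kind: str, regex=None, negate=False, action=None):
        self.kind, self.regex, self.negate, self.action = kind, regex, negate, action


def _flags(spec: str) -> int:
    flags = re.IGNORECASE                 # Postfix default: case-insensitive
    for ch in spec:
        if ch == 'i':
            flags ^= re.IGNORECASE        # 'i' toggles the default off
        elif ch == 'x':
            flags |= re.VERBOSE
    return flags


def parse_pcre_table(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == 'endif':
            rules.append(Rule('endif'))
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected /pattern/flags action')
        is_if, neg, pattern, flags, action = m.groups()
        if not is_if and not action:
            raise ValueError(f'line {lineno}: rule without action')
        rules.append(Rule('if' if is_if else 'rule',
                          re.compile(pattern, _flags(flags)), neg == '!', action))
    return rules


def lookup(rules: List[Rule], key: str) -> Optional[str]:
    """Action of the first matching rule, or None (Postfix treats that as DUNNO)."""
    skipping = 0                          # nesting depth inside a failed 'if'
    for r in rules:
        if r.kind == 'endif':
            skipping = max(0, skipping - 1)
            continue
        if skipping:
            skipping += r.kind == 'if'    # nested 'if' inside a skipped block
            continue
        hit = bool(r.regex.search(key)) != r.negate
        if r.kind == 'if':
            skipping = 0 if hit else 1
        elif hit:
            return r.action
    return None


def hash_lookup(table: Dict[str, str], ip: str, host: str) -> Optional[str]:
    """Approximation of check_client_access on a hash: table: the hostname and its
    parent domains, then the IPv4 address and its shorter octet prefixes."""
    labels, octets = host.split('.'), ip.split('.')
    keys = ['.'.join(labels[i:]) for i in range(len(labels))]
    keys += ['.'.join(octets[:i]) for i in range(len(octets), 0, -1)]
    return next((table[k] for k in keys if k in table), None)


def evaluate(restrictions, ip: str, reverse_name: str) -> Tuple[Optional[str], str]:
    """Walk the restriction list in order; the first result wins."""
    for name, arg in restrictions:
        if name == 'permit_mynetworks':
            result = 'OK' if ip in arg else None       # assumption: exact IPs
        elif name == 'check_client_access':
            result = hash_lookup(arg, ip, reverse_name)
        elif name == 'check_reverse_client_hostname_access':
            result = lookup(arg, reverse_name)         # unverified PTR name
        else:
            raise ValueError(f'unsupported restriction {name}')
        if result:
            return name, result
    return None, 'DUNNO'


# Constructed sample table: two rules quoted on this page, the generic rule
# proposed in the '+1 (infinite loop)' issue, and an invented if/endif block.
TABLE = parse_pcre_table(r"""
/^dd[1-9][0-9]{3,5}\.kasserver\.com$/ REJECT Generic - Please relay via ISP (kasserver.com)
/\.in-addr\.arpa$/ REJECT Generic - Please relay via ISP
/dyn(amic|adsl|dsl|ip)?[0-9]?[.-]/ REJECT Dynamic - Please relay via your ISP
if /\.example-isp\.test$/
/^(ppp|cpe)-/ REJECT Dynamic - Please relay via your ISP (example-isp.test)
endif
""")

# Constructed restriction list in the recommended order: whitelist before pcre.
RESTRICTIONS = [
    ('permit_mynetworks', {'127.0.0.1'}),
    ('check_client_access', {'85.13.147.26': 'OK'}),    # hash:/etc/postfix/whitelist
    ('check_reverse_client_hostname_access', TABLE),   # pcre:/etc/postfix/fqrdns.pcre
]

if __name__ == '__main__':
    for ip, name in [('85.13.147.26', 'dd28616.kasserver.com'),
                     ('85.13.145.46', 'dd26118.kasserver.com'),
                     ('192.0.2.10', '77.47.47.237.dynamic.cablesurf.de')]:
        print(ip, name, '->', evaluate(RESTRICTIONS, ip, name))
```

Reversing the order of the last two restrictions makes the whitelisted 85.13.147.26 rejected, which is the whole reason the README puts the whitelist first. Running `postmap fqrdns.pcre` without the `pcre:` prefix is a different mistake: postmap then builds a hash table and complains about `if`, `endif` and the slash-delimited keys, while Postfix reads pcre tables directly and needs no .db file at all.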

Additional Patterns

If you would like to propose a pattern which isn't currently covered, please create a new issue or pull request here on GitHub so it can be considered for inclusion in the appropriate list.

Downloading Updates

The file doesn't change very often so a wget every few weeks is usually sufficient. Each file change is normally one or more new expressions or minor fixes.

hardwarefreak.com-fqrdns.pcre's People

Contributors

megahall, moisseev, simondeziel, stevejenkins


hardwarefreak.com-fqrdns.pcre's Issues

FPs due to dd.*\.kasserver\.com

I have only recently started to use fqrdns.pcre and quickly found some domains/senders causing FPs due to

/^dd[1-9][0-9]{3,5}\.kasserver\.com$/ REJECT Generic - Please relay via ISP (kasserver.com)

In many if not all cases the IP addresses + the FQrDNS names have been stable over the course of several months (I checked my logs since January 2019). The domains with the highest volumes are

seiteanseite.at 85.13.147.26 dd28616.kasserver.com
wohlrab.at 85.13.145.46 dd26118.kasserver.com
mailman.pxldsk.com 85.13.153.66 dd36426.kasserver.com
kindertheater.com 85.13.145.208 dd26926.kasserver.com
drehbuchforum.at 85.13.133.140 dd10926.kasserver.com
fluglaerm.at 85.13.152.9 dd34912.kasserver.com
concordia.at 85.13.130.23 dd3712.kasserver.com

EDIT: Found not just 2 but several more FPs.

Removal of some greek ISP

You can remove these entries as these greek ISPs don't exist any more:

ontelecoms.gr
acn.gr
vivodi.gr

Overhead?

Steve: Thanks for taking on the maintenance of this. Not really an issue per se, Just a concern. Hopefully it's an OK place to ask. Those pcre files are pretty lengthy. Is there much overhead in applying them to every message that comes through?

Drop rule for in-addr.arpa

Can't see a valid reason for this rule to exist:

/.in-addr.arpa$/ REJECT Generic - Please relay via ISP

>postmap fqrdns.pcre

postmap fqrdns.pcre

postmap: warning: fqrdns.pcre.db: duplicate entry: "if"
postmap: warning: fqrdns.pcre, line 346: expected format: key whitespace value
postmap: warning: fqrdns.pcre, line 347: expected format: key whitespace value
postmap: warning: fqrdns.pcre.db: duplicate entry: "if"
postmap: warning: fqrdns.pcre, line 485: expected format: key whitespace value
postmap: warning: fqrdns.pcre.db: duplicate entry: "if"
postmap: warning: fqrdns.pcre.db: duplicate entry: "/^[12]?[0-9]{1,2}(-[12]?[0-9]{1,2}){3}.3g.claro.net.br$/"
postmap: warning: fqrdns.pcre.db: duplicate entry: "/^[12]?[0-9]{1,2}(-[12]?[0-9]{1,2}){3}.goodline.info$/"
postmap: warning: fqrdns.pcre.db: duplicate entry: "/^broadband(-[12]?[0-9]{1,2}){4}.nationalcablenetworks.ru$/"
postmap: warning: fqrdns.pcre.db: duplicate entry: "/^ppp(-[12]?[0-9]{1,2}){4}.dialup.tiscali.it$/"
postmap: warning: fqrdns.pcre, line 1732: expected format: key whitespace value

+1 (infinite loop)

Hello,

The following address sent spam today, and it does not occur in the list:
77.47.47.237.dynamic.cablesurf.de

As keeping the list up to date is impossible, I suggest you replace individual entries with a common pattern. For example, the following rules replace about 320 individual entries, they automatically include similar new entries, and help speed up postfix's filtering:

/dyn(amic|adsl|dsl|ip)?[0-9]?[.-]/ REJECT Dynamic - Please relay via your ISP
/dial(in|up|-up|ip|pool|bs)?[0-9]?[.-]/ REJECT Dynamic - Please relay via your ISP
/dhcp[0-9]?[.-]/ REJECT Dynamic - Please relay via your ISP
/(wireless|wifi|wimax)[.-]/ REJECT Dynamic - Please relay via your ISP

I also suggest removing the "static" addresses: offices get those, and some host their own well-configured e-mail servers.

ISP Static ranges

I was wondering about two rules that I have false positives on.

/^rrcs(-[12]?[0-9]{1,2}){4}.[a-z]{2,10}.biz.rr.com$/ REJECT Generic - Please relay via ISP (rr.com)
/^wsip(-[12]?[0-9]{1,2}){4}.([a-z]{2}.){2}cox.net$/ REJECT Generic - Please relay via ISP (cox.net)

I believe the first one is static, based on the biz, but I am not positive.
The second one I know is static, based on the wsip.

I have whitelisted ip's that match both the above rules.

Based on the last year of logs, for the first rule, the user seems to have fixed their issue, or no longer contacts us.
146 attempts matched the above rule
393 attempts were blocked before matching, due to rbl rules

For the second rule, we still have clients matching it, and using our specific ip exception.
87 matched the second rule above (cox), of them 47 were false positives.
133 attempts were blocked before matching, due to rbl rules.

I know these are small results, but while people are debating other rules, I thought these could use a tiny discussion, or if the in-addr.arpa rule was put into a more targeted list, these I think should be moved also.
