For each check_ns or each check_mx, the value is not cached?

For each check_ns or each check_mx, the value is not cached?

Justin Piszcz
I have multiple check_ns and check_mx for different rule sets but it also
looks like it tries to look up the NS or MX per each rule set.

It appears I should try and combine all my files into one and use a single
check, or is there another way to do it so this does not occur?

May  6 07:16:04 l1 postfix/smtpd[8626]: connect from unknown[122.162.120.129]
May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found

Example:
             check_client_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
             check_helo_mx_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
             check_helo_ns_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
             check_sender_mx_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
             check_sender_ns_access cidr:/etc/postfix/sbl_drop_peer_list.cidr

Thanks,

Justin.

Re: For each check_ns or each check_mx, the value is not cached?

Justin Piszcz


On Tue, 6 May 2008, Justin Piszcz wrote:

> I have multiple check_ns and check_mx for different rule sets but it also
> looks like it tries to lookup the NS or MX per each rule set.
>
> It appears I should try and combine all my files into one and use a single
> check, or is there another way to do it so this does not occur?
>
> May  6 07:16:04 l1 postfix/smtpd[8626]: connect from unknown[122.162.120.129]
> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host
> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host
> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host
> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host
> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host
> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host
> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
>
> Example:
>            check_client_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>            check_helo_mx_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>            check_helo_ns_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>            check_sender_mx_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>            check_sender_ns_access cidr:/etc/postfix/sbl_drop_peer_list.cidr
>
> Thanks,
>
> Justin.
>

The other checks/different rules I was mentioning:

             check_client_access cidr:/etc/postfix/spam_check_mxaccess.cidr,
             check_client_access pcre:/etc/postfix/spam_check_clients.pcre,
             check_helo_access pcre:/etc/postfix/spam_check_helos.pcre,
             check_helo_mx_access cidr:/etc/postfix/spam_check_mxaccess.cidr,
             check_sender_access pcre:/etc/postfix/spam_check_senders.pcre,
             check_sender_mx_access cidr:/etc/postfix/spam_check_mxaccess.cidr,
             warn_if_reject check_helo_ns_access cidr:/etc/postfix/spam_check_mxaccess.cidr,
             warn_if_reject check_sender_ns_access cidr:/etc/postfix/spam_check_mxaccess.cidr


Re: For each check_ns or each check_mx, the value is not cached?

mouss-2
Justin Piszcz wrote:

>
>
> On Tue, 6 May 2008, Justin Piszcz wrote:
>
>> I have multiple check_ns and check_mx for different rule sets but it
>> also looks like it tries to lookup the NS or MX per each rule set.
>>
>> It appears I should try and combine all my files into one and use a
>> single check, or is there another way to do it so this does not occur?
>>
>> May  6 07:16:04 l1 postfix/smtpd[8626]: connect from
>> unknown[122.162.120.129]
>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS
>> host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host
>> not found
>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX
>> host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host
>> not found
>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX
>> host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host
>> not found
>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS
>> host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host
>> not found
>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX
>> host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host
>> not found
>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS
>> host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host
>> not found
>>
>> Example:
>>            check_client_access
>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>            check_helo_mx_access
>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>            check_helo_ns_access
>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>            check_sender_mx_access
>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>            check_sender_ns_access
>> cidr:/etc/postfix/sbl_drop_peer_list.cidr

what are
    check_helo_mx_access
    check_helo_ns_access
    check_sender_ns_access
?

I don't see what you're trying to achieve anyway.

>>
>> Thanks,
>>
>> Justin.
>>
>
> The other checks/different rules I was mentioning:
>
>           check_client_access cidr:/etc/postfix/spam_check_mxaccess.cidr,
>             check_client_access
> pcre:/etc/postfix/spam_check_clients.pcre,
>             check_helo_access pcre:/etc/postfix/spam_check_helos.pcre,
>             check_helo_mx_access
> cidr:/etc/postfix/spam_check_mxaccess.cidr,
>             check_sender_access
> pcre:/etc/postfix/spam_check_senders.pcre,
>             check_sender_mx_access
> cidr:/etc/postfix/spam_check_mxaccess.cidr,
>             warn_if_reject check_helo_ns_access
> cidr:/etc/postfix/spam_check_mxaccess.cidr,
>             warn_if_reject check_sender_ns_access
> cidr:/etc/postfix/spam_check_mxaccess.cidr
>


Re: For each check_ns or each check_mx, the value is not cached?

Justin Piszcz


On Tue, 6 May 2008, mouss wrote:

> Justin Piszcz wrote:
>>
>>
>> On Tue, 6 May 2008, Justin Piszcz wrote:
>>
>>> I have multiple check_ns and check_mx for different rule sets but it also
>>> looks like it tries to lookup the NS or MX per each rule set.
>>>
>>> It appears I should try and combine all my files into one and use a single
>>> check, or is there another way to do it so this does not occur?
>>>
>>> May  6 07:16:04 l1 postfix/smtpd[8626]: connect from
>>> unknown[122.162.120.129]
>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host
>>> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host
>>> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host
>>> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host
>>> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up MX host
>>> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up NS host
>>> for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in: Host not found
>>>
>>> Example:
>>>            check_client_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>>            check_helo_mx_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>>            check_helo_ns_access cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>>            check_sender_mx_access
>>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>>            check_sender_ns_access
>>> cidr:/etc/postfix/sbl_drop_peer_list.cidr
>
> what are
>   check_helo_mx_access
>   check_helo_ns_access
>   check_sender_ns_access
> ?
>
> I don't see what you're trying to achieve anyway.
>

For some reason, one of the domains I help manage has been targeted by
spammers that are listed in the sbl_drop list.  So, I use every method
available that associates itself with those IP addresses in any way to block
and reject the e-mail that comes from them.

Justin.


Re: For each check_ns or each check_mx, the value is not cached?

mouss-2
Justin Piszcz wrote:

>
>
> On Tue, 6 May 2008, mouss wrote:
>
>> Justin Piszcz wrote:
>>>
>>>
>>> On Tue, 6 May 2008, Justin Piszcz wrote:
>>>
>>>> I have multiple check_ns and check_mx for different rule sets but
>>>> it also looks like it tries to lookup the NS or MX per each rule set.
>>>>
>>>> It appears I should try and combine all my files into one and use a
>>>> single check, or is there another way to do it so this does not occur?
>>>>
>>>> May  6 07:16:04 l1 postfix/smtpd[8626]: connect from
>>>> unknown[122.162.120.129]
>>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up
>>>> NS host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in:
>>>> Host not found
>>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up
>>>> MX host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in:
>>>> Host not found
>>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up
>>>> MX host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in:
>>>> Host not found
>>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up
>>>> NS host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in:
>>>> Host not found
>>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up
>>>> MX host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in:
>>>> Host not found
>>>> May  6 07:16:05 l1 postfix/smtpd[8626]: warning: Unable to look up
>>>> NS host for ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in:
>>>> Host not found
>>>>
>>>> Example:
>>>>            check_client_access
>>>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>>>            check_helo_mx_access
>>>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>>>            check_helo_ns_access
>>>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>>>            check_sender_mx_access
>>>> cidr:/etc/postfix/sbl_drop_peer_list.cidr,
>>>>            check_sender_ns_access
>>>> cidr:/etc/postfix/sbl_drop_peer_list.cidr
>>
>> what are
>>   check_helo_mx_access
>>   check_helo_ns_access
>>   check_sender_ns_access
>> ?
>>
>> I don't see what you're trying to achieve anyway.
>>
>
> For some reason, one of the domains I help manage has been targeted by
> spammers that are listed in the sbl_drop list.  So, I use every method
> available that associates itself with those IP addresses in any way to
> block and reject the e-mail that comes from them.

The SBL DROP list is for your firewall. It's not for helo, NS or MX.

If you know of domains that set their NS or MX to a client in the DROP
list, please share it so that the domains are blocklisted.

If you get too much spam "for your taste", show logs or headers and we
will suggest how to better block it. There are various checks that you
can use, but as usual, there is a tradeoff (when you increase your spam
hit rate, you also increase "some measure" of false positives).

Here,
- reject_non_fqdn_helo_hostname rejects between 15% and 40% of spam (in
terms of transactions, not in terms of clients).
- "literal IP helo" rejects between 13% and 42% (again, in terms of
transactions).

These checks may however be too aggressive for your site.
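
An added example, not part of the thread and not Postfix code: a small Python script that counts the "Unable to look up NS/MX host" warnings per smtpd session, to measure how often the same name fails within one session when several check_*_mx_access and check_*_ns_access restrictions are listed. The sample log is constructed from the excerpt in the first post plus one invented session, and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first session is the excerpt from the first post
# (wrapped lines joined); the second session is invented for contrast.
HOST = "ABTS-NCR-Dynamic-129.120.162.122.airtelbroadband.in"
P = "May  6 07:16:05 l1 postfix/smtpd[8626]: "
SAMPLE_LOG = "\n".join(
    ["May  6 07:16:04 l1 postfix/smtpd[8626]: connect from unknown[122.162.120.129]"]
    + [f"{P}warning: Unable to look up {t} host for {HOST}: Host not found"
       for t in ("NS", "MX", "MX", "NS", "MX", "NS")]
    + ["May  6 07:20:11 l1 postfix/smtpd[8626]: connect from unknown[192.0.2.10]",
       "May  6 07:20:12 l1 postfix/smtpd[8626]: warning: Unable to look up MX host"
       " for mail.example.invalid: Host not found"]
)

CONNECT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: connect from ")
WARN_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: Unable to look up "
    r"(?P<rtype>NS|MX) host for (?P<name>\S+): "
)

def count_failed_lookups(log_text):
    """Count failed NS/MX lookups per (pid, session number, type, name).

    An smtpd process serves many clients in turn, so each "connect from"
    line starts a new session number for that pid.
    """
    session = defaultdict(int)
    counts = Counter()
    for line in log_text.splitlines():
        c = CONNECT_RE.search(line)
        if c:
            session[c.group(1)] += 1
            continue
        w = WARN_RE.search(line)
        if w:
            pid = w["pid"]
            counts[(pid, session[pid], w["rtype"], w["name"].lower())] += 1
    return counts

def repeated_lookups(log_text, threshold=2):
    """Lookups that failed at least `threshold` times within one session."""
    return {k: n for k, n in count_failed_lookups(log_text).items() if n >= threshold}

if __name__ == "__main__":
    for (pid, sess, rtype, name), n in sorted(repeated_lookups(SAMPLE_LOG).items()):
        print(f"smtpd[{pid}] session {sess}: {rtype} {name} failed {n}x")
```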