SPAM[check_dynamic_reverse_dns]

[jovic]

Hello,
why is the following record blocked as dynamic reverse dns?

85.13.135.175:dd14134.kasserver.com (helo=<dd14134.kasserver.com>)?
Thanks in advance.

[magicspam]

That hostname pattern has been blocked as dynamic reverse DNS because a great deal of spam has been seen coming from hostnames with that pattern in the past.

Ideally, mail servers should all reserve to the domain of the party responsible for the mail server, rather than their service provider (e.g: mail.example.com rather than customer123.subnet45.isp.com or vm123.hostingcompany.com).

[jovic]

I had to turn of the dynamic_reverse_dns filter because of many complaints from our clients. A big german web hoster (all-inkl.com) uses the reverse dns naming pattern ddxxxxx.kasserver.com, which matches the mentioned filter criteria.

The result is, that a lot of spam passes MagicSpam. Is there a way to define an exemption based on a regex, because whitelisting all IP addresses, that match the reverse dns pattern is quite painful, since there are dozens of them in our log files...?

Thanks in advance,

[magicspam]

You should be able to add an exemption for the domain in question (I'm assuming the email addresses are @kasserver.com). You should be able to exempt the pattern *@kasserver.com to allow those email addresses to bypass the spam checks.

[jovic]

You should be able to add an exemption for the domain in question (I'm assuming the email addresses are @kasserver.com). You should be able to exempt the pattern *@kasserver.com to allow those email addresses to bypass the spam checks.

Unfortunately not, the hosting provider is using the naming scheme ddxxxxx.kasserver.com for their hosting, where xxxxx seems to be the customer ID. The from line is using the customer's domain. In the meantime I have found the approproate entry in the
dyna.regexes file:

# Generic Host Name
# Example: (dd11506.kasserver.com) Supplied by: Michael
^dd[0-9]+\.kasserver\.com$

I would like to send you an excerpt of the log file via private message. What is your email address? There you can see - and confirmed by our customers by complaint, that the majority of filtered entries are either false positives or would have been filtered by other rules (empty from line).

I know that it is not best practice for using such a naming scheme as rDNS, but the rDNS matches the helo line and the hosting provider is responsible for the mail servers, so postmaster@kasserver.com or abuse@kasserver.com would be the correct recipients for complaints. And the addresses are no DUN IP's.

Is there a way for me to exclude the aforementioned regex on our server? Beacuse disabling the whole rule (check_dynamic_reverse_dns) is not an option.

Thanks in advance,

[magicspam]

If the log sample is short, you can post it here. As all posts are moderated, we can examine it and remove the logs from your post before it is approved and visible on the site (if you want us to remove the information).

Unfortunately, there is no way to disable a single regex. There are a few approaches you can use to resolve this situation:

1) Whitelist each IP from kasserver.com that you need to be able to receive from. This may, unfortunately, result in spam being allowed to pass through if it originates from one of those servers.
2) Whitelist *@domain.com for each domain that sends from those kasserver IPs. Again, this may allow spam to pass through.
3) Add an entry in /etc/hosts for the kasserver IPs to "trick" your server into thinking they have a proper reverse DNS entry. For example:
1.2.3.4 mail.kasserver.com

Using approach 3 may be the easiest, particularly because you can script it if you have a range of IPs (just append to the file). You may want to avoid using the same hostname for all of the IPs, however, as it may result in issues with outbound traffic being routed to the wrong servers.

[jovic]

Here is the log file...

MODERATOR EDIT: Removed log entries for user's privacy.

[magicspam]

Assuming you can determine the CIDR notation for the IPs that kasserver uses, you can add it to your trusted networks by going into your Plesk control panel and going to System > Mail Server Settings > White List. There may or may not be an existing entry for "127.0.0.0 / 8".

If you add their IPs to the trusted networks, you will see that the "mua" portion of your logs changes from "mua=0" to "mua=1". That indicates that either the connection is coming from a trusted network, or the sender is authenticating with your server.

[jovic]

Thanks for your suggestions. But it seems, that the kasserver.de-entry is not the only questionable record in your dyna.regexes. Today I've found, that another big German hosting provider - Strato - is in that list too:

# DUL Network, Rate Limiter Detected
# Example: (cg-p07-fb.rzone.de) Supplied by: Michael
^[a-z]{2}-p[0-9]{2}-[a-z]{2}\.rzone\.de$

Strato uses the following server as MTAs and all of them are blocked by that regex:

#strato rechenzentrum ag
81.169.146.144 #mi-ob.rzone.de
81.169.146.145 #mi-ob.rzone.de
81.169.146.146 #mi-ob.rzone.de
81.169.146.147 #mi-ob.rzone.de
81.169.146.148 #mi-ob.rzone.de
81.169.146.149 #mi-ob.rzone.de
81.169.146.160 #mo-p00-ob.rzone.de
81.169.146.161 #mo-p00-ob.rzone.de
81.169.146.188 #mo-p07-ob.rzone.de
81.169.146.189 #mo-p07-ob.rzone.de
81.169.146.190 #mo-p07-ob.rzone.de

How were the regexes submitted and how do you confirm their correctness? Wouldn't it be a better soultion to provide a more conservative list along with magicspam, without the user contributed records?

I could whitelist these IP addresses, but I lost confidence in this list, as this record is obviously wrong and has nothing to do with a DUN. So I will keep the [check_dynamic_reverse_dns] turned off - what leaves magicspam less useful by far.

[jovic]

Hi,
I checked your last suggestion: If I would add the kasserver.com IP addresses into the mail server's white list, I would allow relaying for that network, which is defenitely not an option!