Greylisting alternative based on perl/MySQL
Hello:
I am currently testing a greylisting solution as an alternative to cPanel's, based on Perl and MySQL.
Main features are:
- If the IP is whitelisted by cPanel as a common mail provider: PASSED.
- If the IP belongs to the same C class as another IP in the greylisted-passed database, for the same sender_from and the same receipt_to: PASSED (we are not whitelisting the C class for any email, only for the same sender/recipient, so this can catch mail from legit MTA farms).
- Checking PTR and IP:
  - If the PTR record for the IP does not exist: GREYLISTED.
  - If, forward-resolving the PTR answer for the IP, this IP is not legit or listed: GREYLISTED.
  - If the sender's domain does not have an MX record: GREYLISTED.
  - If the IP of the MX server for this domain (from) is the same as the sending IP: PASSED.
  - If there is no match so far, then:
    - Extract the base domain name from the MX of the domain.
    - Extract the base domain name from the PTR record.
    - If the base domain name from MX == base domain name from PTR: PASSED.
    (I think this is much better than partial PTR matches.)
All code is in Perl, executed from exim.pl (I know how to make cPanel not rewrite my confs without failing). The database is in MySQL.
- Every action appears in exim_mainlog.
- Every 30 minutes, a Perl script removes hosts greylisted without success and adds the current lines to exim_mainlog for analysis.
- When a host passes, exim_mainlog notes which way it did... if it was not whitelisted but greylisted, and finally passes a few minutes later, the delay time is also calculated and added to the log.
Some debug from exim_mainlog:
2015-11-28 04:16:32 H=(sta-nsext.example.com) [80.91.85.150]:49892 I=[x.x.x.x]:25 F= temporarily rejected RCPT : Greylisted Host: '80.91.85.150' From: 'noreply@domain.es' To: 'info@yyyyyyyyyy.es'
2015-11-28 04:18:05 H=mailsrv329.ssomedomain.net [31.24.159.42]:58097 I=[x.x.x.x]:25 F= temporarily rejected RCPT : Greylisted Host: '31.24.159.42' From: 'info@fr.exampletoo.es' To: 'modexpor@yyyyyyyyyy.com'
2015-11-28 04:25:01 Greylisting whitelisted by PTR: 62.97.140.236 MD-NO--33177-911-IT-PR--raul=allsol.es@lists.mdirector.com, to: raul@yyyyyyyyyy.es
2015-11-28 04:28:19 Greylisting passed: from: root@vpsfrom.ovh.net (149.202.49.65), to: ten@yyyyyyyyyy.es (delay -893 seconds)
2015-11-28 04:28:38 Greylisting whitelisted by PTR: 91.121.156.144 nuitsecretes@examplethree.com, to: azul@yyyyyyyyyy.com
2015-11-28 00:00:29 GREYLIST error: from IP 213.229.90.155, from: re@examplefour.com, to: jmlario@yyyyyyyyyy.com
2015-11-28 00:05:16 GREYLIST error: from IP 5.135.62.190, from: bounces@leads-marketing.es, to: administracion@yyyyyyyyyy.com
2015-11-28 00:16:17 GREYLIST error: from IP 12.129.200.219, from: Newsletter@email.domainfive.com, to: jl.lopez@yyyyyyyyyy.com
2015-11-28 00:17:20 GREYLIST error: from IP 198.37.146.178, from: bounces+1186681-ae0a-anita=yyyyyyyyy.com@email.examplesix.com, to: anita@yyyyyyyyyy.com
2015-11-28 00:26:59 GREYLIST error: from IP 213.229.90.155, from: re@otherdomain.com, to: ahg@yyyyyyyyyy.com
2015-11-28 04:35:46 Greylisting whitelisted by PTR: 195.53.82.211 infomail@exampleseven.com, to: info@yyyyyyyyyy.es
As you see, the "GREYLIST error" messages happen when the cron script, every 30 minutes, removes hosts that have been greylisted for 4 hours without a successful return. The log time is set to the first attempt. Also... some debug output from Perl's PTR checks, for some IPs and sender_from values:
PROCESANDO: ip: 104.236.150.101 / email: 4e944361-sio-GxIJprnK3J_5BZBq@mk1.example.com
DOMAIN: mk1.example.com
PTR (104.236.150.101): mta-wk-0.mk1.example.com
PTR LEGIT: 104.236.150.101 is resolved for mta-wk-0.mk1.example.com
MX (mk1.example.com): mta-wk-0.mk1.example.com
MX SENDING: 104.236.150.101 is current MX
---------------------------------------------------------------------------------
El resultado es: whitelist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 104.236.150.125 / email: bd1eedaa-sio-gTtohW83NxmZlQ69@mk2.example.com
DOMAIN: mk2.example.com
PTR (104.236.150.125): mta-wk-0.mk2.example.com
PTR LEGIT: 104.236.150.125 is resolved for mta-wk-0.mk2.example.com
MX (mk2.example.com): mta-wk-3.mk2.example.com
MX NOT SENDING:: 104.236.150.125 is not MX
BASE DOMAIN FOR MX (mta-wk-3.mk2.example.com): example.com
BASE DOMAIN FOR PTR (mta-wk-0.mk2.example.com): example.com
WHITELIST: Dominio base MX es dominio base PTR: coincidencia parcial
---------------------------------------------------------------------------------
El resultado es: whitelist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 104.236.31.3 / email: 6892beb7-sio-cyILGbDda1T2nodO@mk1.domain.com
DOMAIN: mk1.domain.com
PTR (104.236.31.3): mta-wk-3.mk1.domain.com
PTR LEGIT: 104.236.31.3 is resolved for mta-wk-3.mk1.domain.com
MX (mk1.domain.com): mta-wk-2.mk1.domain.com
MX NOT SENDING:: 104.236.31.3 is not MX
BASE DOMAIN FOR MX (mta-wk-2.mk1.domain.com): domain.com
BASE DOMAIN FOR PTR (mta-wk-3.mk1.domain.com): domain.com
WHITELIST: Dominio base MX es dominio base PTR: coincidencia parcial
El resultado es: whitelist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 104.238.190.98 / email: someuser@yahoo.com
DOMAIN: yahoo.com
PTR (104.238.190.98): 104.238.190.98.somedomain.com
GREYLIST: no legit 104.238.190.98 for 104.238.190.98.somedomain.com
---------------------------------------------------------------------------------
El resultado es: greylist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 104.238.228.181 / email: rebotes@examples.co
DOMAIN: examples.co
GREYLIST: PTR does not exist
---------------------------------------------------------------------------------
El resultado es: greylist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 103.230.34.213 / email: newsletter@domain.com
DOMAIN: mail.domain.com
PTR (103.230.34.213): smtp99213.somedomain.com
PTR LEGIT: 103.230.34.213 is resolved for smtp99213.somedomain.com
MX (mail.she-pin.com): postfix.domain.com
MX NOT SENDING:: 103.230.34.213 is not MX
BASE DOMAIN FOR MX (postfix.domain.com): domain.com
BASE DOMAIN FOR PTR (smtp99213.example.com): example.com
GREYLIST: Los dominios base PTR y MX no coinciden
---------------------------------------------------------------------------------
El resultado es: greylist
Sorry... I am Spanish, so some comments are in Spanish (I usually write in both languages)... but I think you will understand. It has been running for hours with complete success... very well tested. Next week I may share the code and how-tos... Any comments or feature ideas are highly appreciated ;) Thanks.
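The decision procedure described in the post, written out as an added example in Python (it is not the poster's Perl/MySQL code, which was not shared). DNS is replaced by an in-memory stub so the example runs offline; every hostname, IP, A/MX record and "greylisted-passed" row below is constructed for the test cases, with names chosen to mirror the cases in the debug output above. The `base_domain` helper uses the naive "last two labels" rule the debug output implies, and notes where that rule breaks.

```python
from typing import Dict, List, Optional, Set, Tuple

Decision = Tuple[str, str]  # ("PASSED" | "GREYLISTED", reason)


class StubDNS:
    """In-memory stand-in for DNS: PTR, A and MX tables (constructed data)."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]],
                 mx: Dict[str, List[str]]) -> None:
        self.ptr, self.a, self.mx = ptr, a, mx

    def ptr_of(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def ips_of(self, host: str) -> List[str]:
        return self.a.get(host.lower(), [])

    def mx_of(self, domain: str) -> List[str]:
        return self.mx.get(domain.lower(), [])


def base_domain(host: str) -> str:
    """Last two labels: mta-wk-3.mk2.example.com -> example.com.
    Caveat: under ccTLD second-level registries (example.co.uk) this returns
    'co.uk', so a public-suffix list is needed before trusting it there."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def same_c_class(ip_a: str, ip_b: str) -> bool:
    """True when two IPv4 addresses share their first three octets (/24)."""
    return ip_a.rsplit(".", 1)[0] == ip_b.rsplit(".", 1)[0]


def decide(ip: str, sender: str, rcpt: str, dns: StubDNS,
           provider_whitelist: Set[str],
           passed_db: Set[Tuple[str, str, str]]) -> Decision:
    """Apply the post's checks in order; the first matching rule decides."""
    if ip in provider_whitelist:                     # 1. known mail provider
        return ("PASSED", "provider whitelist")
    for p_ip, p_from, p_to in passed_db:             # 2. same /24, same pair
        if p_from == sender and p_to == rcpt and same_c_class(p_ip, ip):
            return ("PASSED", f"same C class as passed host {p_ip}")
    ptr = dns.ptr_of(ip)                             # 3. PTR must exist
    if ptr is None:
        return ("GREYLISTED", "PTR does not exist")
    if ip not in dns.ips_of(ptr):                    # 4. forward-confirmed rDNS
        return ("GREYLISTED", f"PTR {ptr} is not legit for {ip}")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    mx_hosts = dns.mx_of(sender_domain)              # 5. sender domain needs MX
    if not mx_hosts:
        return ("GREYLISTED", f"no MX for {sender_domain}")
    for mx in mx_hosts:                              # 6. sending IP is an MX
        if ip in dns.ips_of(mx):
            return ("PASSED", f"{ip} is MX {mx}")
    ptr_base = base_domain(ptr)                      # 7. base domains agree
    for mx in mx_hosts:
        if base_domain(mx) == ptr_base:
            return ("PASSED", f"base domain {ptr_base} matches MX {mx}")
    return ("GREYLISTED", "base domains of PTR and MX differ")


# Constructed records modelled on the cases in the post's debug output.
DNS = StubDNS(
    ptr={"104.236.150.101": "mta-wk-0.mk1.example.com",
         "104.236.150.125": "mta-wk-0.mk2.example.com",
         "104.238.190.98": "104.238.190.98.somedomain.com",
         "103.230.34.213": "smtp99213.somedomain.com",
         "192.0.2.10": "mail.nomx.example"},
    a={"mta-wk-0.mk1.example.com": ["104.236.150.101"],
       "mta-wk-0.mk2.example.com": ["104.236.150.125"],
       "mta-wk-3.mk2.example.com": ["104.236.150.130"],
       "smtp99213.somedomain.com": ["103.230.34.213"],
       "postfix.domain.com": ["198.51.100.7"],
       "mail.nomx.example": ["192.0.2.10"]},
    # 104.238.190.98.somedomain.com has no A record, so its PTR is not legit.
    mx={"mk1.example.com": ["mta-wk-0.mk1.example.com"],
        "mk2.example.com": ["mta-wk-3.mk2.example.com"],
        "domain.com": ["postfix.domain.com"]},
)
# Constructed "greylisted-passed" rows: (ip, sender_from, receipt_to).
PASSED_DB = {("104.238.228.50", "rebotes@examples.co", "info@yyyyyyyyyy.es")}

if __name__ == "__main__":
    for ip, frm, to in [("104.236.150.101", "x@mk1.example.com", "info@yyyyyyyyyy.es"),
                        ("104.236.150.125", "x@mk2.example.com", "info@yyyyyyyyyy.es"),
                        ("104.238.190.98", "someuser@yahoo.com", "info@yyyyyyyyyy.es"),
                        ("104.238.228.181", "rebotes@examples.co", "info@yyyyyyyyyy.es"),
                        ("103.230.34.213", "newsletter@domain.com", "x@yyyyyyyyyy.com")]:
        print(ip, frm, "->", decide(ip, frm, to, DNS, set(), PASSED_DB))
```

The rule order matters: the C-class check (rule 2) runs before the PTR checks, so a host with no PTR still passes when a neighbour in its /24 already passed for the identical sender/recipient pair, which is exactly the "legit MTA farm" case the post is after. The base-domain comparison in rule 7 is only as strong as `base_domain`; on a real deployment replace the two-label rule with a public-suffix lookup before treating it as a whitelist.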
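The post mentions that every action lands in exim_mainlog for analysis. As an added example (not part of the post or its Perl script), here is a small Python summariser that recognises the four line shapes shown above, counts outcomes, collects pass delays, and flags the negative delay that appears in the sample: a pass logged before its recorded first attempt points to a clock or bookkeeping problem in the greylist table rather than a real sender retry. The sample log is constructed from lines in the post's format (addresses redacted as in the post) plus one extra passed line with a positive delay for contrast.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the post's exim_mainlog format.
SAMPLE_LOG = """\
2015-11-28 04:16:32 H=(sta-nsext.example.com) [80.91.85.150]:49892 I=[x.x.x.x]:25 F= temporarily rejected RCPT : Greylisted Host: '80.91.85.150' From: 'noreply@domain.es' To: 'info@yyyyyyyyyy.es'
2015-11-28 04:28:19 Greylisting passed: from: root@vpsfrom.ovh.net (149.202.49.65), to: ten@yyyyyyyyyy.es (delay -893 seconds)
2015-11-28 04:28:38 Greylisting whitelisted by PTR: 91.121.156.144 nuitsecretes@examplethree.com, to: azul@yyyyyyyyyy.com
2015-11-28 00:00:29 GREYLIST error: from IP 213.229.90.155, from: re@examplefour.com, to: jmlario@yyyyyyyyyy.com
2015-11-28 04:40:11 Greylisting passed: from: sender@mk2.example.com (104.236.150.125), to: info@yyyyyyyyyy.es (delay 612 seconds)
"""

# One regex per outcome the post's script writes; named groups pull out the triple.
PATTERNS = {
    "greylisted": re.compile(
        r"Greylisted Host: '(?P<ip>[\d.]+)' From: '(?P<from>[^']+)' To: '(?P<to>[^']+)'"),
    "passed": re.compile(
        r"Greylisting passed: from: (?P<from>\S+) \((?P<ip>[\d.]+)\), to: (?P<to>\S+) "
        r"\(delay (?P<delay>-?\d+) seconds\)"),
    "whitelisted_ptr": re.compile(
        r"Greylisting whitelisted by PTR: (?P<ip>[\d.]+) (?P<from>[^,\s]+), to: (?P<to>\S+)"),
    "expired": re.compile(
        r"GREYLIST error: from IP (?P<ip>[\d.]+), from: (?P<from>[^,\s]+), to: (?P<to>\S+)"),
}


def parse_line(line: str) -> Dict[str, str]:
    """Classify one exim_mainlog line; lines of any other shape become 'other'."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return {"kind": kind, "ts": line[:19], **m.groupdict()}
    return {"kind": "other", "ts": line[:19]}


def summarize(log_text: str) -> Dict[str, object]:
    """Outcome counts, pass delays in seconds, and anomalies to investigate.
    A negative delay means the pass was stamped earlier than the first attempt
    it is supposed to be measured from, so the stored timestamps are suspect."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    counts = Counter(e["kind"] for e in events)
    passed = [e for e in events if e["kind"] == "passed"]
    delays = [int(e["delay"]) for e in passed]
    anomalies: List[str] = [f"{e['ts']} {e['ip']} negative delay {e['delay']}s"
                            for e in passed if int(e["delay"]) < 0]
    return {"counts": dict(counts), "delays": delays, "anomalies": anomalies}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run against a real exim_mainlog the "expired" count is the number of senders that never retried within the 4-hour window, which is the figure to watch when judging whether the greylist is dropping legitimate one-shot senders.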
Do you have a specific question? Please be sure to remove any actual domain names and personal details from your posts.