Closed patrickdk77 closed 7 years ago
Hi, @patrickdk77. Thanks for joining the discussion!
If the list were split into three (conservative, moderate, aggressive), do you feel these two would belong on the moderate or aggressive? My gut says "moderate."
I've created a new branch (develop) and have moved these rules in that branch to a new file called fqrdns-plus.pcre.
I was really hoping someone else could provide more data. My data here is kind of a targeted group (mainly USA gov and DoD contractors). I have another system that is 100x larger, and not targeted at all, which would be a great sample, but I also have no way to know what would be a false positive hit on it at all (other than the normal rbl/helo/from/to checks and making assumptions).
But yes, while I do agree the dynamic ones and generic ones should be on the more aggressive, I think it can be debated whether the static ones should be on the medium level. I know it took me a few attempts to get some ISPs to change, and sometimes they will accidentally reset it back.
That's exactly what I was thinking, too. I've made three files in the "develop" branch: fqrdns, fqrdns-plus, and fqrdns-max.
I moved the iana, the two rules you mentioned initially when opening this issue, and all the static hosts (which could potentially be businesses hosting their own well-configured mail servers) to the fqrdns-plus file.
The fqrdns-max file has new and very general patterns that will block all dynamic hosts.
Hopefully this will allow admins to customize their use of the fqrdns project and decide what's right for them.
I was wondering about two rules that I have false positives on.
```
/^rrcs(-[12]?[0-9]{1,2}){4}\.[a-z]{2,10}\.biz\.rr\.com$/ REJECT Generic - Please relay via ISP (rr.com)
/^wsip(-[12]?[0-9]{1,2}){4}\.([a-z]{2}\.){2}cox\.net$/ REJECT Generic - Please relay via ISP (cox.net)
```
I believe the first one is static, based on the biz, but I am not positive. The second one I know is static, based on the wsip.
I have whitelisted IPs that match both the above rules.
Based on the last year of logs: for the first rule, the user seems to have fixed their issue, or no longer contacts us. 146 attempts matched the above rule; 393 attempts were blocked before matching, due to rbl rules.
For the second rule, we still have clients matching it, and using our specific IP exception. 87 matched the second rule above (cox), of which 47 were false positives. 133 attempts were blocked before matching, due to rbl rules.
I know these are small results, but while people are debating other rules, I thought these could use a tiny discussion, or if the in-addr.arpa rule was put into a more targeted list, these I think should be moved also.
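The thread above turns on two things: which rDNS names the two quoted patterns actually catch, and how a per-IP exception table can override them for the static customers patrickdk77 mentions. The following is an added example by the editor, not code from the fqrdns project or from anyone in this issue. It emulates, in Python's `re` and `ipaddress`, how Postfix walks a `cidr:` exception table followed by a `pcre:` rDNS table (first match wins in each), with the two rules from the issue embedded verbatim and their escaped dots restored. The exception table, the file paths in the docstring, and all client IPs and hostnames are constructed for illustration; the emulation deliberately does not cover negated `!/.../` patterns or `IF`/`ENDIF` blocks that real pcre tables allow.

```python
"""Added example (not part of the fqrdns project or this issue's posts): emulate
Postfix evaluating a cidr: exception table and then a pcre: rDNS table, run over
constructed hostnames that hit the two rules quoted in the issue."""
import ipaddress
import re

# Constructed excerpt in fqrdns-style pcre-table syntax: the two rules from the
# issue with their escaped dots restored. Not the project's full file.
FQRDNS_PLUS = r"""
# rules patrickdk77 asked about
/^rrcs(-[12]?[0-9]{1,2}){4}\.[a-z]{2,10}\.biz\.rr\.com$/ REJECT Generic - Please relay via ISP (rr.com)
/^wsip(-[12]?[0-9]{1,2}){4}\.([a-z]{2}\.){2}cox\.net$/   REJECT Generic - Please relay via ISP (cox.net)
"""

# Constructed per-client exception list in Postfix cidr-table syntax.
# Addresses are RFC 5737 documentation ranges, i.e. hypothetical.
# 198.51.100.7 stands in for a known static Cox customer we accept mail from.
CLIENT_EXCEPTIONS = """
198.51.100.7      OK
203.0.113.0/24    OK
"""

# /pattern/flags  ACTION  optional text. Negated !/.../ patterns and IF/ENDIF
# blocks of real pcre tables are not emulated here.
PCRE_LINE = re.compile(
    r"^/(?P<pat>.+)/(?P<flags>[imsxUX]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$"
)


def parse_pcre_table(text):
    """Return [(compiled_regex, action, text)] in file order.
    Postfix pcre tables match case-insensitively by default, which is the
    right behaviour for DNS names, so every pattern gets re.IGNORECASE."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PCRE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable pcre table line: {line!r}")
        rules.append((re.compile(m["pat"], re.IGNORECASE), m["action"], m["text"] or ""))
    return rules


def parse_cidr_table(text):
    """Return [(ip_network, action)] in file order; a bare address is a /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cidr, action = line.split(None, 1)
        nets.append((ipaddress.ip_network(cidr, strict=False), action.strip()))
    return nets


def lookup_pcre(rules, hostname):
    """First matching rule wins, as in a Postfix pcre table; None if no hit."""
    for regex, action, text in rules:
        if regex.search(hostname):
            return action, text
    return None


def lookup_cidr(nets, client_ip):
    """First containing network wins, as in a Postfix cidr table; None if no hit."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in nets:
        if ip in net:
            return action, f"client {client_ip} listed in exception table"
    return None


def check_client(client_ip, client_rdns, exceptions, rules):
    """Emulates (hypothetical paths):
         smtpd_client_restrictions =
             check_client_access cidr:/etc/postfix/client_exceptions,
             check_client_access pcre:/etc/postfix/fqrdns-plus.pcre
    The exception table runs first, so an OK there short-circuits the rDNS
    rules; that is how a per-IP exception overrides a hit on the rrcs/wsip
    patterns. Returns (action, reason)."""
    hit = lookup_cidr(exceptions, client_ip)
    if hit:
        return hit
    hit = lookup_pcre(rules, client_rdns)
    if hit:
        return hit
    return "DUNNO", "no fqrdns rule matched; later restrictions decide"


RULES = parse_pcre_table(FQRDNS_PLUS)
EXCEPTIONS = parse_cidr_table(CLIENT_EXCEPTIONS)

if __name__ == "__main__":
    samples = [  # constructed (client IP, rDNS name) pairs
        ("192.0.2.10", "rrcs-24-123-45-67.central.biz.rr.com"),
        ("192.0.2.11", "wsip-70-184-12-34.ph.ph.cox.net"),
        ("198.51.100.7", "wsip-70-184-12-34.ph.ph.cox.net"),
        ("192.0.2.12", "mail.example.com"),
    ]
    for ip, host in samples:
        action, reason = check_client(ip, host, EXCEPTIONS, RULES)
        print(f"{ip:14} {host:40} -> {action} ({reason})")
```

Running the block shows the third sample (a Cox `wsip-` host coming from a listed IP) returning `OK` while the same hostname from an unlisted IP is rejected, which is the per-IP exception pattern described in the issue. To try the real tables instead of this emulation, `postmap -q hostname pcre:/path/to/fqrdns-plus.pcre` gives Postfix's own answer for a single name.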