Greylisting alternative based on perl/MySQL

feanorknd

Member
Sep 28, 2005
Hello:

I am currently testing a greylisting solution, an alternative to cPanel's, based on Perl and MySQL.

Main features are:
  • If the IP is whitelisted by cPanel as being from a common mail provider: PASSED.
  • If the IP belongs to the same class C as another IP in the greylisted-passed database, for the same sender_from and the same receipt_to: PASSED (we are not whitelisting the class C for any email, only for the same sender/recipient, so this can catch mail from legit MTA farms).
  • Checking PTR and IP:
    • if the PTR record for the IP does not exist: GREYLISTED.
    • if, resolving the PTR answer forward, this IP is not legit or listed: GREYLISTED.
    • if the from domain does not have an MX record: GREYLISTED.
    • if the IP of the MX server for this domain (from) is the same as the sending one: PASSED.
    • if there is no match previously, then:
      • extract the base domain name from the MX of the domain.
      • extract the base domain name from the PTR record.
      • if base domain name from MX == base domain name from PTR: PASSED.
(I think this is much better than partial PTR matches.)


All the code is in Perl, executed from exim.pl (I know how to make cPanel not rewrite my confs without failing). The database is in MySQL.

  • Every action appears in exim_mainlog.
  • Every 30 minutes, a Perl script removes hosts greylisted without success and adds the corresponding lines to exim_mainlog for analysis.
  • When a host passes, exim_mainlog notes which way it did... if it was not whitelisted but greylisted, and finally passes a few minutes later, the delay time is also calculated and added to the log.

Some debug output from exim_mainlog:

Code:
2015-11-28 04:16:32 H=(sta-nsext.example.com) [80.91.85.150]:49892 I=[x.x.x.x]:25 F=<[email protected]> temporarily rejected RCPT <[email protected]>: Greylisted Host: '80.91.85.150' From: '[email protected]' To: '[email protected]'
2015-11-28 04:18:05 H=mailsrv329.ssomedomain.net [31.24.159.42]:58097 I=[x.x.x.x]:25 F=<[email protected]> temporarily rejected RCPT <[email protected]>: Greylisted Host: '31.24.159.42' From: '[email protected]' To: '[email protected]'
2015-11-28 04:25:01 Greylisting whitelisted by PTR: 62.97.140.236 [email protected], to: [email protected]
2015-11-28 04:28:19 Greylisting passed: from: [email protected] (149.202.49.65), to: [email protected] (delay -893 seconds)
2015-11-28 04:28:38 Greylisting whitelisted by PTR: 91.121.156.144 [email protected], to: [email protected]
2015-11-28 00:00:29 GREYLIST error: from IP 213.229.90.155, from: [email protected], to: [email protected]
2015-11-28 00:05:16 GREYLIST error: from IP 5.135.62.190, from: [email protected], to: [email protected]
2015-11-28 00:16:17 GREYLIST error: from IP 12.129.200.219, from: [email protected], to: [email protected]
2015-11-28 00:17:20 GREYLIST error: from IP 198.37.146.178, from: [email protected], to: [email protected]
2015-11-28 00:26:59 GREYLIST error: from IP 213.229.90.155, from: [email protected], to: [email protected]
2015-11-28 04:35:46 Greylisting whitelisted by PTR: 195.53.82.211 [email protected], to: [email protected]

As you can see, "GREYLIST error" messages appear when the cron script, every 30 minutes, removes hosts that were greylisted for 4 hours without a successful return. The log time is set to the first attempt.

Also... some debug output from Perl's PTR checks, for some IPs and sender_from:

Code:
PROCESANDO: ip: 104.236.150.101 / email: [email protected]
DOMAIN: mk1.example.com
PTR (104.236.150.101): mta-wk-0.mk1.example.com
PTR LEGIT: 104.236.150.101 is resolved for mta-wk-0.mk1.example.com
MX (mk1.example.com): mta-wk-0.mk1.example.com
MX SENDING: 104.236.150.101 is current MX
---------------------------------------------------------------------------------
El resultado es: whitelist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 104.236.150.125 / email: [email protected]
DOMAIN: mk2.example.com
PTR (104.236.150.125): mta-wk-0.mk2.example.com
PTR LEGIT: 104.236.150.125 is resolved for mta-wk-0.mk2.example.com
MX (mk2.example.com): mta-wk-3.mk2.example.com
MX NOT SENDING:: 104.236.150.125 is not MX
BASE DOMAIN FOR MX (mta-wk-3.mk2.example.com): example.com
BASE DOMAIN FOR PTR (mta-wk-0.mk2.example.com): example.com
WHITELIST: Dominio base MX es dominio base PTR: coincidencia parcial
---------------------------------------------------------------------------------
El resultado es: whitelist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 104.236.31.3 / email: [email protected]
DOMAIN: mk1.domain.com
PTR (104.236.31.3): mta-wk-3.mk1.domain.com
PTR LEGIT: 104.236.31.3 is resolved for mta-wk-3.mk1.domain.com
MX (mk1.domain.com): mta-wk-2.mk1.domain.com
MX NOT SENDING:: 104.236.31.3 is not MX
BASE DOMAIN FOR MX (mta-wk-2.mk1.domain.com): domain.com
BASE DOMAIN FOR PTR (mta-wk-3.mk1.domain.com): domain.com
WHITELIST: Dominio base MX es dominio base PTR: coincidencia parcial
El resultado es: whitelist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 104.238.190.98 / email: [email protected]
DOMAIN: yahoo.com
PTR (104.238.190.98): 104.238.190.98.somedomain.com
GREYLIST: no legit 104.238.190.98 for 104.238.190.98.somedomain.com
---------------------------------------------------------------------------------
El resultado es: greylist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 104.238.228.181 / email: [email protected]
DOMAIN: examples.co
GREYLIST: PTR does not exist
---------------------------------------------------------------------------------
El resultado es: greylist
_________________________________________________________________________________
---------------------------------------------------------------------------------
PROCESANDO: ip: 103.230.34.213 / email: [email protected]
DOMAIN: mail.domain.com
PTR (103.230.34.213): smtp99213.somedomain.com
PTR LEGIT: 103.230.34.213 is resolved for smtp99213.somedomain.com
MX (mail.she-pin.com): postfix.domain.com
MX NOT SENDING:: 103.230.34.213 is not MX
BASE DOMAIN FOR MX (postfix.domain.com): domain.com
BASE DOMAIN FOR PTR (smtp99213.example.com): example.com
GREYLIST: Los dominios base PTR y MX no coinciden
---------------------------------------------------------------------------------
El resultado es: greylist

Sorry... I am Spanish, so some comments are in Spanish (I usually write in both languages)... but I think you can understand.

It has been running for hours with complete success... very well tested.

Next week I may share the code and how-tos...

Some comments or feature ideas are highly appreciated ;)

Thanks.
 
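The PTR/MX decision chain described in the post, written out as an added Python example (not the poster's Perl, which was not shared). The DNS answers are a constructed in-memory table standing in for a resolver so it runs offline, the cPanel whitelist and class-C database checks that precede it are left out, and `base_domain` uses the last-two-labels rule visible in the debug output:

```python
# Added example, not the poster's code: the PTR/MX checks as a pure function over
# an injected DNS table. A real deployment would query DNS (e.g. with dnspython).

# Constructed DNS answers (hypothetical), modelled on the post's debug output.
DNS = {
    "ptr": {
        "104.236.150.101": "mta-wk-0.mk1.example.com",
        "104.236.150.125": "mta-wk-0.mk2.example.com",
        "104.238.190.98": "104.238.190.98.somedomain.com",  # name has no A record
        "103.230.34.213": "smtp99213.somedomain.com",
    },
    "a": {
        "mta-wk-0.mk1.example.com": ["104.236.150.101"],
        "mta-wk-0.mk2.example.com": ["104.236.150.125"],
        "mta-wk-3.mk2.example.com": ["104.236.150.130"],
        "postfix.domain.com": ["198.51.100.7"],
        "smtp99213.somedomain.com": ["103.230.34.213"],
    },
    "mx": {
        "mk1.example.com": ["mta-wk-0.mk1.example.com"],
        "mk2.example.com": ["mta-wk-3.mk2.example.com"],
        "mail.domain.com": ["postfix.domain.com"],
    },
}

def base_domain(name):
    """Last two labels, as in the post's debug lines (mta-wk-3.mk2.example.com -> example.com).
    Assumption: no public-suffix handling, so example.co.uk would collapse to co.uk."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def greylist_decision(ip, sender, dns=DNS):
    """Return (verdict, reason) following the post's PTR/MX checks in order."""
    domain = sender.rsplit("@", 1)[-1].lower()
    ptr = dns["ptr"].get(ip)
    if not ptr:
        return "greylist", "PTR does not exist"
    # Forward-confirmed rDNS: the PTR name must resolve back to the connecting IP.
    if ip not in dns["a"].get(ptr, []):
        return "greylist", f"{ptr} does not resolve back to {ip}"
    mxs = dns["mx"].get(domain, [])
    if not mxs:
        return "greylist", f"no MX record for {domain}"
    # Sending IP is itself one of the sender domain's MX hosts.
    if any(ip in dns["a"].get(mx, []) for mx in mxs):
        return "whitelist", f"{ip} is an MX of {domain}"
    # Fallback: MX and PTR names share a base domain (the post's "coincidencia parcial").
    if any(base_domain(mx) == base_domain(ptr) for mx in mxs):
        return "whitelist", "base domain of MX equals base domain of PTR"
    return "greylist", "base domains of PTR and MX do not match"
```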