
How to make new FEATURE from my ruleset?


Sciurus

Jul 14, 2009, 7:22:03 AM
I use 3 dnsbl and have a lot of false positives with nets of my
region.
Yes, nets that are listed with CONNECT tag in the access map are
skipped by the dnsbl checks.
I need to skip all regional class C nets. It takes up about 700
records.
Using "CONNECT:domain.ru OK" is impossible due to lack of closed
PTR-A lookup.

I wrote a new ruleset and now it takes up only 28 records. It has worked
well for 3 months. Now 14 blocks with 2 records each are listed in the
access file:
# ufanet: 94.41.0-127
NETCONNECT:94.41 0
PRCONNECT:94.41 128

# BIS(BashInformSvyaz), DSL pool: 94.75.0-63
NETCONNECT:94.75 0
PRCONNECT:94.75 64

# bashnet: 213.189.224-255
NETCONNECT:213.189 224
PRCONNECT:213.189 32

The record with tag NETCONNECT: is the net.
The record with tag PRCONNECT: is the number of hosts of this net.

I didn't know how to make my own m4 file, so I inserted the new ruleset
into proto.m4 directly.
But I would like to do it more correctly, through a new FEATURE.
Where is the creation of features described?
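
As an added illustration (not code from this thread, and not Sciurus's ruleset, which the post does not show), the Python below models the two-record lookup described above and expands the same ranges into the per-/24 CONNECT entries they replace. It assumes the NETCONNECT value is the first third octet and the PRCONNECT value is the number of consecutive /24 nets, as the range comments suggest; the function names are hypothetical.

```python
import ipaddress

# Sample input: the three blocks shown in the post.
ACCESS_SAMPLE = """\
# ufanet: 94.41.0-127
NETCONNECT:94.41 0
PRCONNECT:94.41 128
# BIS(BashInformSvyaz), DSL pool: 94.75.0-63
NETCONNECT:94.75 0
PRCONNECT:94.75 64
# bashnet: 213.189.224-255
NETCONNECT:213.189 224
PRCONNECT:213.189 32
"""

def parse_access(text):
    """Map '94.41' -> (first third octet, number of /24 nets) (assumed meaning)."""
    start, count = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split()
        tag, prefix = key.split(":", 1)
        if tag == "NETCONNECT":
            start[prefix] = int(value)
        elif tag == "PRCONNECT":
            count[prefix] = int(value)
    ranges = {}
    for prefix, first in start.items():
        n = count.get(prefix)
        # A block needs both records and must stay inside its /16.
        if n is None or not (0 <= first <= 255 and 1 <= n <= 256 - first):
            raise ValueError(f"bad or incomplete block for {prefix}")
        ranges[prefix] = (first, n)
    return ranges

def skips_dnsbl(ip, ranges):
    """True if the client address lies in a listed regional range."""
    a, b, c, _ = str(ipaddress.IPv4Address(ip)).split(".")
    first, n = ranges.get(f"{a}.{b}", (0, 0))
    return first <= int(c) < first + n

def expand_to_connect(ranges):
    """The per-/24 CONNECT entries the same ranges would otherwise need."""
    return [f"CONNECT:{p}.{c} OK" for p, (first, n) in sorted(ranges.items())
            for c in range(first, first + n)]
```

For the three blocks shown, the six records expand to 224 per-/24 entries. In this model each /16 prefix carries a single range, since the prefix is the lookup key.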

Andrzej Adam Filip

Jul 14, 2009, 11:31:12 AM
Sciurus <sci...@mail.ru> wrote:

> I use 3 dnsbl and have a lot of false positives with nets of my
> region.
> Yes, nets that are listed with CONNECT tag in the access map are
> skipped by the dnsbl checks.
> I need to skip all regional class C nets. It takes up about 700
> records.
> Using of "CONNECT:domain.ru OK" is impossible due to lack of closed
> PTR-A lookup.

> [...]

Have you considered using a tool to "skip remaining" tests for hosts in
a few nearby/friendly countries based e.g. on zz.countries.nerd.dk?
( zz.countries.nerd.dk : IP to country mapping also available via rsync)

* tests for all hosts
[ basic tests ]
* skip remaining tests for hosts in Russia
* additional tests for hosts outside Russia
* skip remaining tests for hosts outside a few "very bad countries"
* additional tests for hosts in a few "very bad countries"
[ reject on almost any excuse ]


You can use something like FEATURE(`anfi/rsdnsbl') [RS=reputation skip]
available at http://open-sendmail.sourceforge.net/
You may combine it with FEATURE(`anfi/require_rdns') - it allows variable
strength checks of RDNS [ require_rdns provided by sendmail.org does
checks always after all other dnsbl checks ]

P.S.
FEATURE(`anfi/rsdnsbl') and FEATURE(`anfi/require_rdns') require no
patching of sendmail sources. They require adding new files in
cf/feature directory and recompiling sendmail.mc.

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com
Open-Sendmail: http://open-sendmail.sourceforge.net/
The first Rotarian was the first man to call John the Baptist "Jack."
-- H. L. Mencken

Sciurus

Jul 15, 2009, 8:27:11 AM
> Have you considered using a tool to "skip remaining" tests for hosts in
> a few near by/friendly countries based e.g. on zz.countries.nerd.dk?
> ( zz.countries.nerd.dk : IP to country mapping also available via rsync)
Thank you for the interesting info. I didn't know about this resource.
But my task is not to skip checking for all hosts in Russia. I am
speaking only about nets in my region.

> You can use something like FEATURE(`anfi/rsdnsbl') [RS=reputation skip]
> available at  http://open-sendmail.sourceforge.net/
> You may combine it with FEATURE(`anfi/require_rdns) - it allows variable
> strength checks of RDNS [ require_rdns provided by sendmail.org does
> checks always after all other dnsbl checks ]

Yes, I know about this feature.

But my question is the same as before: where is the creation of
features described?
I often write my own rulesets but cannot write them as a FEATURE.

jma...@ttec.com

Jul 15, 2009, 1:51:17 PM

LOCAL_CONFIG

LOCAL_RULESETS

The rest you have to patch proto.m4, which actually works fairly well.

The features usually just turn on some m4 defs.

Otherwise you will be using divert.

Andrzej Adam Filip

Jul 15, 2009, 5:29:03 PM
Sciurus <sci...@mail.ru> wrote:

> I use 3 dnsbl and have a lot of false positives with nets of my
> region.
> Yes, nets that are listed with CONNECT tag in the access map are
> skipped by the dnsbl checks.
> I need to skip all regional class C nets. It takes up about 700
> records.
> Using of "CONNECT:domain.ru OK" is impossible due to lack of closed
> PTR-A lookup.

> [...]

Why can you not use IP address based connect entries?
[ for */24, */16 and */8 nets possibly with cidrexpand preprocessing]

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com

Progress is impossible without change, and those who cannot change their
minds cannot change anything.
-- G. B. Shaw

Andrzej Adam Filip

Jul 15, 2009, 5:33:54 PM
Sciurus <sci...@mail.ru> wrote:

>[...]


> But my question is the same as before: where is feature's creating
> described?

I do not know any such "tutorial".

I think sendmail.org in practice recommends:
Use the force, read/analyze the source.

> I often write my own rulesets but cannot write them as a FEATURE.

Can you "deliver them" *without* patching cf/m4/proto.m4?

I have written a few features/hacks and only one of them
[FEATURE(`mrs')] could not be "delivered" without patching
cf/m4/proto.m4.

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com

Let us endeavor so to live that when we come to die even the undertaker will
be sorry.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"
