google netblocks records etc - SpamAssassin

This is a discussion on google netblocks records etc - SpamAssassin ; ...

+ Reply to Thread
Page 1 of 2 1 2 LastLast
Results 1 to 20 of 21

Thread: google netblocks records etc

  1. Re: google netblocks records etc


  2. Re: google netblocks records etc


  3. Re: google netblocks records etc


  4. Re: google netblocks records etc


  5. google netblocks records etc

    Since they seem to have zillions of outbound mx machines

    I did this in response to some email latency issues.

    dig google.com txt

    google.com. 31 IN TXT "v=spf1
    include:_netblocks.google.com ~all"

    then i

    dig _netblocks.google.com txt

    _netblocks.google.com. 47 IN TXT "v=spf1 ip4:216.239.32.0/19
    ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18
    ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20
    ip4:207.126.144.0/20 ?all"

    Are most of you whitelisting these blocks ?

    has anyone noticed if these are pretty static or do these TXT records change
    frequently or otherwise?

    - rh


  6. Re: google netblocks records etc



    Robert - elists wrote:
    > Since they seem to have zillions of outbound mx machines
    >
    > I did this in response to some email latency issues.
    >
    > dig google.com txt
    >
    > google.com. 31 IN TXT "v=spf1
    > include:_netblocks.google.com ~all"
    >
    > then i
    >
    > dig _netblocks.google.com txt
    >
    > _netblocks.google.com. 47 IN TXT "v=spf1 ip4:216.239.32.0/19
    > ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18
    > ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20
    > ip4:207.126.144.0/20 ?all"
    >
    > Are most of you whitelisting these blocks ?
    >
    > has anyone noticed if these are pretty static or do these TXT records change
    > frequently or otherwise?
    >
    > - rh
    >
    >


    What I do is what I call "yellow listing" which means don't blacklist or
    whitelist. Google is a mixed source of spam and nonspam and the IP
    address caries no information as to the spam status.

    So what I do is I check the FCrDNS of the host that connect to my server
    and if it ends in google.com then it's yellow.


  7. RE: google netblocks records etc

    Ok

    Yellow then.

    What I am talking about is not greylisting google based upon those addresses
    and sending right to SA for scoring

    - rh


  8. Re: google netblocks records etc


    On Mon, June 2, 2008 21:20, Robert - elists wrote:

    > Are most of you whitelisting these blocks ?


    no whitelist here


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  9. Message-ID:Reply-To:References:MIME-Version:Content-Type:In-Reply-To; b=Dyzorek4znHmH3ZiJf0pt8eUAcg+HgUVve/QKVykH0u0/5x7jVIdqR775mh3UxuCDEza37RPtkzWuI5NsDp54vdgB+xDBr8 SOiKj4EgGmDXs6T6TmDVPG0DPaEuo/gGoUOp2pUNRk2rkENckX0fkJTfwaf/QXJSjwi69dXmmNGY=

    On Mon, Jun 02, 2008 at 01:23:33PM -0700, Robert - elists wrote:
    > Ok
    >
    > Yellow then.
    >
    > What I am talking about is not greylisting google based upon those addresses
    > and sending right to SA for scoring


    Why would you care about the IP addresses? Just whitelist by *.google.com.

    You shouldn't even greylist anything with *smtp* in the hostname:

    http://hege.li/howto/spam/etc/postfi...st_client.pcre


  10. Re: google netblocks records etc


    On Tue, June 3, 2008 08:32, Henrik K wrote:

    >> What I am talking about is not greylisting google based upon those addresses
    >> and sending right to SA for scoring


    try spf, and skip greylist based on pass, well still not good since spammers
    can olso use spf, but still alot better then below here

    > Why would you care about the IP addresses? Just whitelist by *.google.com.


    super let me change my reverse dns :-)

    > You shouldn't even greylist anything with *smtp* in the hostname:


    super one more time let me include smtp in my reverse

    > http://hege.li/howto/spam/etc/postfi...st_client.pcre


    crap :-)


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  11. Message-ID:Reply-To:References:MIME-Version:Content-Type:In-Reply-To; b=BWvoS4nU5Xspcjes27h5zkbwUJu0ARa58+6TD9bLp3qrHxa7 IO8DYVLCoAwXct+OuWY0LLlYqCuTfaK3jNKTkl8mds/GbHBMD2JxK+LorWnuEsfge22Nir8tBKGuaM6u874jjhQY7XmJJ c2BGVHhoVt1f6jVkWmtyjXhY8zp5po=

    On Tue, Jun 03, 2008 at 11:56:41AM +0200, Benny Pedersen wrote:
    >
    > On Tue, June 3, 2008 08:32, Henrik K wrote:
    >
    > >> What I am talking about is not greylisting google based upon those addresses
    > >> and sending right to SA for scoring

    >
    > try spf, and skip greylist based on pass, well still not good since spammers
    > can olso use spf, but still alot better then below here
    >
    > > Why would you care about the IP addresses? Just whitelist by *.google.com.

    >
    > super let me change my reverse dns :-)


    Dear Benny, I can't forgive your cluelessness, even if you are a dane.

    Do you have access to google's DNS?

    http://en.wikipedia.org/wiki/Forward...ed_reverse_DNS


  12. Re: google netblocks records etc


    On Tue, June 3, 2008 12:34, Henrik K wrote:

    > Do you have access to google's DNS?


    only use it from spf

    > http://en.wikipedia.org/wiki/Forward...ed_reverse_DNS


    i know this fact, but OP question only based on reverse :/


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  13. Re: google netblocks records etc


    On Tue, June 3, 2008 12:38, mouss wrote:

    > I think he meant whitelisting when the rDNS is verified (FcrDNS) by a
    > "double lookup". That's what a postfix check_client_access will do.


    whitelist_dnsname in policyd does it, i will test if postfix does the same,
    thanks for pointing it out :-)


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  14. Message-ID:Reply-To:References:MIME-Version:Content-Type:In-Reply-To; b=Y804NwFTaKmYnD5hEJFfzhx+LvFU/IfzeXlKsi8PI900x8073WokKDg0ZVpsmfEu85xXP6tnYuxem9O ZTTfyWFJQTs61porALEvJoTkq1BKhQCWAE2tqXUPLBFNJkwnJi QBda0jQmtet1xWFASbmYW/VI3nkuPo0LcQIpZrrRzw=

    On Tue, Jun 03, 2008 at 02:02:29PM +0200, Benny Pedersen wrote:
    >
    > > http://en.wikipedia.org/wiki/Forward...ed_reverse_DNS

    >
    > i know this fact, but OP question only based on reverse :/


    One should always assume "reverse" means _confirmed_ reverse. I don't know
    why anyone would assume otherwise by default. Especially if we are
    talking about serious software like postfix etc.


  15. Re: google netblocks records etc

    On Tue, 3 Jun 2008 at 15:42 +0300, hege@hege.li confabulated:

    > On Tue, Jun 03, 2008 at 02:02:29PM +0200, Benny Pedersen wrote:
    >>
    >>> http://en.wikipedia.org/wiki/Forward...ed_reverse_DNS

    >>
    >> i know this fact, but OP question only based on reverse :/

    >
    > One should always assume "reverse" means _confirmed_ reverse. I don't know
    > why anyone would assume otherwise by default. Especially if we are
    > talking about serious software like postfix etc.


    In Postfix:

    reject_unknown_reverse_client_hostname
    Reject the request when the client IP address has no address->name
    mapping.

    reject_unknown_client_hostname
    Reject the request when 1) the client IP address->name mapping fails,
    2) the name->address mapping fails, or 3) the name->address mapping
    does not match the client IP address.

    reject_unknown_client_hostname would be what you are calling confirmed
    reverse. If I were to use that, support would start getting phone calls
    and customers would start getting upset.


  16. Message-ID:Reply-To:References:MIME-Version:Content-Type:In-Reply-To; b=pqP1cqDo9c+ybBJK3VH7VXmBeBVp/KatJPNwpxCS5DJug2nisgweSYpJC4ACE2y/YSPtAUybDJgSFuUjwI96gPB2SegJf+JtG2d+SXnKeZq1wHdBLb yaaFu4r5J8MuFyIV1mVByIXwpNDMJS7A8jjfh1O7BgbWhMXeWG FF5cJ/k=

    On Tue, Jun 03, 2008 at 01:08:07PM +0000, D Hill wrote:
    > On Tue, 3 Jun 2008 at 15:42 +0300, hege@hege.li confabulated:
    >
    >> On Tue, Jun 03, 2008 at 02:02:29PM +0200, Benny Pedersen wrote:
    >>>
    >>>> http://en.wikipedia.org/wiki/Forward...ed_reverse_DNS
    >>>
    >>> i know this fact, but OP question only based on reverse :/

    >>
    >> One should always assume "reverse" means _confirmed_ reverse. I don't know
    >> why anyone would assume otherwise by default. Especially if we are
    >> talking about serious software like postfix etc.

    >
    > In Postfix:
    >
    > reject_unknown_reverse_client_hostname
    > Reject the request when the client IP address has no address->name
    > mapping.
    >
    > reject_unknown_client_hostname
    > Reject the request when 1) the client IP address->name mapping fails,
    > 2) the name->address mapping fails, or 3) the name->address mapping
    > does not match the client IP address.
    >
    > reject_unknown_client_hostname would be what you are calling confirmed
    > reverse. If I were to use that, support would start getting phone calls
    > and customers would start getting upset.


    You are talking about rejecting clients with bad DNS. Not only it's
    guaranteed to reject legimate mail in both cases, but it's not even in scope
    of this thread. We are talking about identifying mail coming from google.


  17. Re: google netblocks records etc

    On Tue, 3 Jun 2008 at 16:15 +0300, hege@hege.li confabulated:

    > On Tue, Jun 03, 2008 at 01:08:07PM +0000, D Hill wrote:
    >> On Tue, 3 Jun 2008 at 15:42 +0300, hege@hege.li confabulated:
    >>
    >>> On Tue, Jun 03, 2008 at 02:02:29PM +0200, Benny Pedersen wrote:
    >>>>
    >>>>> http://en.wikipedia.org/wiki/Forward...ed_reverse_DNS
    >>>>
    >>>> i know this fact, but OP question only based on reverse :/
    >>>
    >>> One should always assume "reverse" means _confirmed_ reverse. I don't know
    >>> why anyone would assume otherwise by default. Especially if we are
    >>> talking about serious software like postfix etc.

    >>
    >> In Postfix:
    >>
    >> reject_unknown_reverse_client_hostname
    >> Reject the request when the client IP address has no address->name
    >> mapping.
    >>
    >> reject_unknown_client_hostname
    >> Reject the request when 1) the client IP address->name mapping fails,
    >> 2) the name->address mapping fails, or 3) the name->address mapping
    >> does not match the client IP address.
    >>
    >> reject_unknown_client_hostname would be what you are calling confirmed
    >> reverse. If I were to use that, support would start getting phone calls
    >> and customers would start getting upset.

    >
    > You are talking about rejecting clients with bad DNS. Not only it's
    > guaranteed to reject legimate mail in both cases, but it's not even in scope
    > of this thread. We are talking about identifying mail coming from google.


    Sorry. Response retracted.


  18. Re: google netblocks records etc

    On Tue, 3 Jun 2008 at 15:30 +0200, mouss@netoyen.net confabulated:

    > D Hill wrote:
    >> [snip]
    >> In Postfix:
    >>
    >> reject_unknown_reverse_client_hostname
    >> Reject the request when the client IP address has no address->name
    >> mapping.
    >>
    >> reject_unknown_client_hostname
    >> Reject the request when 1) the client IP address->name mapping fails,
    >> 2) the name->address mapping fails, or 3) the name->address mapping
    >> does not match the client IP address.
    >>
    >> reject_unknown_client_hostname would be what you are calling confirmed
    >> reverse. If I were to use that, support would start getting phone calls and
    >> customers would start getting upset.

    >
    > He is about check_client_access.
    >
    > recent postfix also have check_reverse_client_hostname_access which acts on
    > PTR (unconfirmed rDNS), but is intended for blocking, not whitelisting.


    Yes. Don't know where my head was...


  19. Re: google netblocks records etc



    Robert - elists escreveu:
    > Since they seem to have zillions of outbound mx machines
    >
    > Are most of you whitelisting these blocks ?
    >
    > has anyone noticed if these are pretty static or do these TXT records change
    > frequently or otherwise?
    >


    the only whitelist i apply to gmail is whitelist their servers from
    greylist measures. All hosts which match:

    '__-out-____.google.com'

    wont be greylisted. No more whitelists and no more privileges than
    that. If the message cames in, it will be SPAM/virus scanned just like
    all the others.




    --


    Atenciosamente / Sincerily,
    Leonardo Rodrigues
    Solutti Tecnologia
    http://www.solutti.com.br

    Minha armadilha de SPAM, NÃO mandem email
    gertrudes@solutti.com.br
    My SPAMTRAP, do not email it


  20. Re: google netblocks records etc



    Benny Pedersen escreveu:
    > whitelist_dnsname in policyd does it, i will test if postfix does the same,
    > thanks for pointing it out :-)
    >
    >


    policyd does whitelist_dnsname based on reverse passed by postfix.
    policyd itself does NOT reverse lookups.

    The good is that postfix only passes reverses do policy servers,
    including policyd, if the reverse is OK in forward and reverse
    configurations. if the ip->name is OK, but name->ip is not OK, than
    policy server will receive 'unknown' as reverse name, even if the
    ip->name do have some reverse.

    that way, whitelist_dnsname feature from policyd can be used with no
    more worries, because it will only match those 100% Ok reverse names.

    --


    Atenciosamente / Sincerily,
    Leonardo Rodrigues
    Solutti Tecnologia
    http://www.solutti.com.br

    Minha armadilha de SPAM, NÃO mandem email
    gertrudes@solutti.com.br
    My SPAMTRAP, do not email it


+ Reply to Thread
Page 1 of 2 1 2 LastLast