SQLGrey and only 3 octets in src

Report bugs and workarounds
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

SQLGrey and only 3 octets in src

Post by stusmith »

I've noticed some strange behavior with sqlgrey. I see a number of 'waiting' addresses in the greylist with only 3 octets in the ip address of the src.


I've verified this by connecting to mysql as root (this will find them all):

#mysql sqlgrey -u root -p

mysql> select * from connect where src like '%.%.%' and src not like '%.%.%.%';

A more specific check to drill down:

mysql> select * from connect where sender_domain = 'digitalrealty.com';
+-------------+-------------------+-----------+--------------------------------+---------------------+
| sender_name | sender_domain     | src       | rcpt                           | first_seen          |
+-------------+-------------------+-----------+--------------------------------+---------------------+
| xxxxxxx     | digitalrealty.com | 104.47.32 | xxxxxxxxxxxxxx@xxxxxxxxxxxxxxx | 2017-03-07 19:40:55 |
| xxxxxxx     | digitalrealty.com | 104.47.32 | xxxxxxxxxxx@xxxxxxxxxxxxxxx    | 2017-03-07 19:40:55 |
+-------------+-------------------+-----------+--------------------------------+---------------------+

Next I felt I should search the maillog to make sure that this was legitimate and not a mailer error...

sudo zgrep -i 'digitalrealty.com' /var/log/maillog-*.gz | grep '104.47.32'

I did find the matches, and I expect that I'm confused, as sqlgrey shows a:

/var/log/maillog-20170224.gz:Feb 23 17:38:22 foster-spam sqlgrey: grey: throttling: 104.47.32(104.47.32.121), etc...etc...

There is a corresponding NEW: in there, I just didn't paste it in. I suppose it's an assumption on my part that IPs would be whitelisted individually as opposed to per subnet?

A quick reverse lookup shows:

dig -x 104.47.32.107

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -x 104.47.32.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 302
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;107.32.47.104.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
107.32.47.104.in-addr.arpa. 3600 IN     PTR     mail-sn1nam01on0107.outbound.protection.outlook.com.

So I'm guessing that the way to resolve this is to add *.outbound.protection.outlook.com to the /etc/sqlgrey/clients_fqdn_whitelist.local file as per the thread dealing with SQLGrey and Office 365: viewtopic.php?f=13&t=1733&p=6727&hilit=sqlgrey

/etc/sqlgrey/clients_fqdn_whitelist.local

*.messagelabs.com
messagelabs.com

*.mxlogic.com
mxlogic.com

*.outbound.protection.outlook.com
outbound.protection.outlook.com

Is anyone aware of any other services that should be explicitly bypassed for greylisting?
Attachment: sqlgrey-waiting.png (SQL Grey Waiting List)
Ramas
Posts: 9
Joined: 25 Apr 2016 20:16

Re: SQLGrey and only 3 octets in src

Post by Ramas »

Hi,
look at the /etc/sqlgrey/sqlgrey.conf option "greymethod".
Read the text above the option line.

It seems that your setting is "smart" now; use "greymethod = full" if you wish to greylist by full IP address.

Ramas
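As an added example (not code from either poster or from the SQLGrey project), the script below ties the two posts together: it parses sqlgrey "grey:" log lines of the form quoted in the first post, shows that a 3-octet key beside a full address is the per-class-C keying Ramas attributes to a "smart" greymethod (a key equal to the full address is what "greymethod = full" produces), and checks a PTR name against the clients_fqdn_whitelist.local entries listed above. The sample log lines are constructed; the "grey: new:" line shape, the sender/recipient tail, and the whitelist matching rules (bare entry matches exactly, "*.suffix" matches anything below suffix) are assumptions, not facts from the thread.

```python
"""Added example: summarise sqlgrey greylist keys from log lines and test PTR names
against a clients_fqdn_whitelist-style list. Not part of the thread or of SQLGrey."""
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the
# "grey: throttling: 104.47.32(104.47.32.121)" line quoted in the thread.
# The "grey: new:" shape and the "sender -> rcpt" tail are assumptions.
SAMPLE_LOG = """\
Feb 23 17:38:01 foster-spam sqlgrey: grey: new: 104.47.32(104.47.32.107), a@example.test -> u@example.test
Feb 23 17:38:22 foster-spam sqlgrey: grey: throttling: 104.47.32(104.47.32.121), a@example.test -> u@example.test
Feb 23 17:40:05 foster-spam sqlgrey: grey: throttling: 104.47.32(104.47.32.107), a@example.test -> u@example.test
Feb 23 17:41:10 foster-spam sqlgrey: grey: new: 198.51.100.7(198.51.100.7), b@example.test -> u@example.test
Feb 23 17:42:00 foster-spam sqlgrey: grey: throttling: 198.51.100.7(198.51.100.7), b@example.test -> u@example.test
Feb 23 17:43:00 foster-spam postfix/smtpd[123]: connect from unknown[203.0.113.9]
"""

# Greylist key (what lands in connect.src) followed by the full client IP in parentheses.
GREY_RE = re.compile(
    r"sqlgrey: grey: (?P<event>new|throttling): (?P<key>[0-9.]+)\((?P<ip>[0-9.]+)\)"
)

# Whitelist entries as posted in the thread (clients_fqdn_whitelist.local).
WHITELIST = [
    "*.messagelabs.com", "messagelabs.com",
    "*.mxlogic.com", "mxlogic.com",
    "*.outbound.protection.outlook.com", "outbound.protection.outlook.com",
]


def parse_grey_line(line):
    """Return (event, key, ip) for a sqlgrey 'grey:' line, or None for anything else."""
    m = GREY_RE.search(line)
    if not m:
        return None
    return m.group("event"), m.group("key"), m.group("ip")


def key_kind(key, ip):
    """Classify how sqlgrey keyed the client: 'full' (key is the whole address),
    'classc' (key is the first three octets, the 'smart' behaviour), or 'other'."""
    if key == ip:
        return "full"
    if key == ".".join(ip.split(".")[:3]):
        return "classc"
    return "other"


def summarize_greylist(log_text):
    """Group 'grey:' lines by key: keying kind, distinct client IPs, per-event counts.
    A 'classc' key with several IPs is exactly the pattern the thread describes:
    one outbound cluster is throttled as a whole rather than per address."""
    summary = defaultdict(lambda: {"kind": None, "ips": set(), "new": 0, "throttling": 0})
    for line in log_text.splitlines():
        parsed = parse_grey_line(line)
        if parsed is None:
            continue  # not a sqlgrey greylisting event
        event, key, ip = parsed
        entry = summary[key]
        entry["kind"] = key_kind(key, ip)
        entry["ips"].add(ip)
        entry[event] += 1
    return dict(summary)


def fqdn_whitelisted(name, patterns=WHITELIST):
    """Match a PTR name against whitelist entries. Assumed semantics: a bare entry
    matches exactly, '*.suffix' matches any name strictly below suffix. Confirm the
    exact rules against the SQLGrey documentation for your version."""
    name = name.rstrip(".").lower()
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if name.endswith(pat[1:]) and name != pat[2:]:
                return True
        elif name == pat:
            return True
    return False


if __name__ == "__main__":
    for key, entry in sorted(summarize_greylist(SAMPLE_LOG).items()):
        print(f"{key:<14} {entry['kind']:<7} ips={sorted(entry['ips'])} "
              f"new={entry['new']} throttling={entry['throttling']}")
    ptr = "mail-sn1nam01on0107.outbound.protection.outlook.com."
    print(ptr, "whitelisted:", fqdn_whitelisted(ptr))
```

Running it against your real maillog (feed the zgrep output into summarize_greylist) gives a quick view of which keys are class-C and how many distinct addresses hide behind each, which is the same question the SQL query on the connect table answers from the database side.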