Mercurial > dnsbl
view ChangeLog @ 280:2b77295fb9a7 stable-6-0-37
add limits on unique ip addresses per hour per authenticated user
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Thu, 19 Dec 2013 09:47:00 -0800 |
parents | 3d894d09c198 |
children | e276180647ab |

6.37 2013-12-17
    Add unique ip connection limits per authenticated id or email address.

6.36 2013-09-09
    Code cleanup, increase minimum hostname length for uribl checking.

6.35 2013-09-09
    Use mozilla prefix list for tld checking.
    Enable surbl/uribl/dbl rhs lists.

6.34 2013-05-22
    Add require_rdns checking.

6.33 2012-07-21
    Fix unauthenticated rate limit bug for empty mail from.
    Move unauthenticated rate limit checks after spam filtering.

6.32 2012-07-21
    Allow rate limiting for unauthenticated connections by mail from address or domain.

6.31 2012-07-01
    Fix uribl lookups on client dns name, need to strip the ip address in brackets.

6.30 2012-04-09
    Allow dnswl_list and dnsbl_list to be empty, to override lists specified in the ancestor contexts.
    Add daily recipient limits as a multiple of the hourly limits.

6.29 2012-04-08
    Add dnswl support.

6.28 2011-09-30
    Add prvs decoding to envelope addresses.

6.27 2011-08-15
    const correctness fixes from new gcc

6.26 2010-11-19
    64 bit fixes for libresolv.a

6.25 2009-09-29
    Add surbl checks on the smtp helo value, client reverse dns name, and mail from domain name.

6.24 2009-06-09
    Add SRS decoding to envelope addresses.

6.23 2009-05-25
    Add whitelisting by regex expression filtering.
    Add queueid to whitelist extension log message.

6.22 2009-05-08
    Prevent auto whitelisting due to outgoing multipart/report delivery notifications.
    Fix memory leak in suppressed auto whitelisting.

6.21 2009-01-03
    Fixes to compile on old systems without memrchr or string::clear().
    Fix bug in spamassassin interface trying to clear a string with string::empty().

6.20 2008-12-27
    Never whitelist self addressed mail. Spammers are once again sending mail from A to A trying to get around filters.
    Changes for Fedora 10 and const correctness.

6.19 2008-06-10
    Fixes to compile on Fedora 9 and for const correctness.

6.18 2008-03-22
    Extend auto-whitelisting when receiving mail even if the auto whitelist is specified in a parent context.
    Fixes for Solaris from sm-archive.

6.17 2008-03-04
    Verify from/to pairs even if they might be explicitly whitelisted.
    Document DCC greylisting and bulk detection usage.
    Fix DCC bulk thresholds of many.
    Update spec file for fedora packaging.

6.16 2008-02-02
    Switch to Mercurial source control.

6.15 2007-12-07
    Fix null pointer dereference if macro _ not passed to this milter. Default sendmail config passes that in the connect call.

6.14 2007-11-11
    Delay auto whitelisting until we see the headers, to prevent auto whitelisting due to bulk out of office reply bots.

6.13 2007-11-10
    HELO command is optional, and if missing caused a null pointer dereference.
    Use smfi_progress in libmilter if it is available.

6.12 2007-10-13
    SMTP rejections take precedence over greylisting.

6.11 2007-10-07
    Add DCC filtering via dccifd.
    Drop to 60 seconds the time we will keep idle smtp verify sockets around. This needs to be about half the value of confTO_COMMAND configured on the verify targets.
    Fix potential race condition or buffer overflow caused by static buffer referenced by multiple threads.

6.10 2007-09-23
    Don't whitelist addresses with embedded blanks, or the empty path.
    Allow manual removal of auto whitelist entries.

6.09 2007-09-06
    Fix memory leak in auto-whitelisting code.
    Update auto-whitelist timestamps when receiving mail from auto-whitelisted senders.

6.08 2007-08-30
    Don't do generic reverse dns filtering on authenticated connections.

6.07 2007-08-30
    Add generic reverse dns filtering with regular expression.
    Fix pre/post scripts in the rpm spec file.

6.06 2007-08-27
    Fix bug that effectively disabled spamassassin filtering.
    Improve spamassassin filtering documentation.
    Generate warning if the config file specifies spam assassin filtering, but spamc is not found by autoconf.

6.05 2007-08-26
    Fix uninitialized variable in my spamassassin code.

6.04 2007-08-26
    Add spamassassin integration via spamc, code from spamass-milter.

6.03 2007-07-14
    Don't add auto whitelist entries for our own domains.

6.02 2007-07-10
    Allow manual updates to the auto whitelisting files, mainly for scp or rsync synchronization between primary and backup mx systems.

6.01 2007-07-07
    GPL3.
    Block mail to recipients that cannot reply.
    Start auto whitelisting.

5.30 2007-06-09
    Selinux fix - redirect stdout for useradd to make selinux happy.

5.29 2007-03-27
    Limit dns resolver to two retries five seconds apart.

5.28 2007-02-19
    Change the conflict resolution algorithm to "second one wins" if we have two contexts that both define env_to user@.
    Update ICANN tld list.

5.27 2007-01-30
    Allow 'inherit' as an env_from target.
    Documentation cleanup from G.W. Haywood.

5.26 2006-12-04
    Fix bug in content filtering introduced in 5.23 that prevented seeing any host names in the body.

5.25 2006-10-15
    DNSBL lists are inherited, so dump the effective list with the -c switch.

5.24 2006-10-15
    Allow child and parent context to specify the same fully qualified env_to address.
    Only dump the rate limit for the default context with -c switch.

5.23 2006-10-10
    Require two periods in ip addresses.

5.22 2006-09-27
    Change syntax for default rate limit.
    Improve hourly reset of limits.
    Warning for rate limits in non default contexts to allow nesting of client configurations.

5.21 2006-09-26
    Add SMTP AUTH recipient rate limits, to help throttle infected client machines and accounts with weak cracked passwords.

5.20 2006-08-02
    Fully qualify all dns lookups.
    Fix my_read() bug.
    Try to convert names that might be ip addresses via inet_aton before doing dns lookups.

5.19 2006-08-01
    Bug fix - add trailing dot to uribl dns lookups to make them fully qualified.
    Check host names with only two components, since spammers are now using bare http://domain.tld references.
    Spec file now creates an rpm that properly creates the dnsbl user.

5.18 2006-04-27
    Bug fix - newer sendmail versions don't guarantee envelope addresses enclosed in <> wrapper.
    Document backscatter prevention configuration for systems that are used to mainly spam filter and then forward mail to the internal server.
    Never ask uribl blacklists about rfc1918 address space.

5.17 2006-03-25
    Never ask dns blacklists about rfc1918 address space.

5.16 2006-03-16
    Bug fix - the smtp error message for uribl filtering needs to reference the host name, not the ip address.

5.15 2006-03-15
    Bug fix - we failed to properly set the return code to indicate the reason when rejecting mail for content filtering.

5.14 2006-03-13
    Fix a typo in the default config file and documentation for using multi.surbl.org

5.13 2006-03-12
    patch from Jeff Evans <jeffe@tricab.com>
    add SURBL/URIBL lookups, remove trailing dots from hostnames, allow ip address literals as hostnames.
    add configuration for surbl/uribl list and reject message

5.12 2006-01-08
    Use larger resolver buffer to accommodate spammers with many name servers. A current example is life-all.com which needs to retry in tcp mode to fetch the 1444 byte response.
    'make chkconfig' now creates the dnsbl user if it does not exist.

5.11 2005-12-20
    switch to autoconf/automake/docbook

5.10 2005-10-16
    Fix a compile error on Fedora Core 3. Discovered by Nigel Horne <njh@bandsman.co.uk>

5.9 2005-09-26
    Fix a bug with empty return paths passed to the verification code. That resulted in 'MAIL FROM:<<>>' being sent to the verification mail server.

5.8 2005-09-25
    Allow empty env_to at global context level to remove restrictions on env_to values in child contexts.

5.7 2005-09-23
    Failed to return a value from parse_verify() which caused failures to load the configuration.

5.6 2005-09-22
    Tokenizer errors now go thru the syslog code, so they are visible when generated during config file reloads during normal operation.

5.5 2005-09-21
    Cleanup debug logging.
    Verify from/to pairs now remembers the last from value sent to the remote server to prevent unnecessary rset commands.

5.4 2005-09-18
    Add verify statement to specify the smtp host to be used to verify envelope from / recipient pairs.
    Authenticated clients are now exempt from all white/black listing in addition to the dnsbl lookups.
    dcc_to should not look at substitute mail_host. That is only used by dcc_from.

5.3 2005-08-07
    Properly quit if the config file has syntax errors on startup.
    Send mail to root if the config file needs to be reloaded since it was modified, but contains syntax errors. In this case, we continue to use the old configuration.

5.2 2005-08-02
    Patch from Stephen Johnson <stephen.johnson@arkansas.gov> fixing the lack of a default return value in CONTEXT::acceptable_content().

5.1 2005-07-20
    Add multiple syslog debug levels.
    Detect and silently remove duplicate DNSBL definitions. That allows us to accept mail to recipients in multiple domains that use the same blacklist and yet only check that blacklist once. This may happen when your config file directly includes as child contexts the config files used on your clients' mail servers.

5.0 2005-07-16
    Major changes to the syntax of the config file.
    Content filtering is no longer a global mail server setting.

4.6 2005-04-02
    Fix enum compilation error on Fedora Core 3. Discovered by Nigel Horne <njh@bandsman.co.uk>
    Remove bad html tag command from the default conf file. Spammers seem to have abandoned this.
    Add toolbar.msn.click-url.com in hosts-ignore.conf. These are all commented, but you might want to uncomment them.

4.5 2005-01-22
    Add uuencode decoding for old style attachments.

4.4 2005-01-18
    Bug fix in forked process termination that left zombies.

4.3 2005-01-16
    Only keep 20% of the resolver sockets in the ready pool.

4.2 2005-01-08
    Use the separate resolver processes even if we don't have the resolver interfaces and need gethostbyname.

4.1 2005-01-06
    Use a local unix domain socket for the resolver process communication, rather than a tcp/ip socket.

4.0 2005-01-03
    Initialize the thread mutex objects early, before they are needed by possible calls to my_syslog.
    Fork off a separate resolver listener process, so we can do multiple dns operations in parallel. For each simultaneous inbound email, we have a separate sendmail process, a milter thread, and a dns resolver process.

3.7 2004-10-28
    Added an 'ignore' command to the conf file, used to ignore some hosts that might end up on the SBL and otherwise trip the content scanning filter. In particular, many recent Microsoft Word documents contain the string www.5iantlavalamp.com which is associated with their smart tags stuff. That is currently hosted at 216.168.224.70, which is shared with a site that ended up on the SBL.

3.6 2004-09-08
    Contributions from Dan Harkless <software@harkless.org>
    Better documentation for disabling the content filtering.
    Don't bother looking at the body text if we are not doing content filtering.

3.5 2004-07-17
    Extend the error message for content filtering when the NS record points to an ip address on the SBL. Include the original host name that referenced that NS name.

3.4 2004-07-15
    Tokens with two consecutive periods cannot be ip addresses or host names.
    Updated dnsbl.spec file for building rpms from John Gunkel.

3.3 2004-07-09
    Drop root privileges properly, including the group id.

3.2 2004-07-09
    Contributions from John Gunkel <jgunkel@palliser.ca>:
    Add .spec file for building rpms, contributed by John Gunkel
    Changes to file layout to conform to RedHat/LSB standards.
    Add some html (actually xml) tags used by Apple mac print subsystem that were tripping the html tag detector.
    Help with changes required to allow dnsbl to drop root privileges.
    Move the socket to /var/run/dnsbl/dnsbl.sock
    Change parser to handle &#xnnn; obfuscated urls with characters specified in hex.
    Make bad_html tags more sensitive to binary tags, to reduce false positives in .zip or .tar.gz file attachments.
    Add sendmail queueid to the dnsbl syslog messages.
    Fix one place where host names were not forced to lower case. Discovered by Nigel Horne <njh@bandsman.co.uk>
    Remove duplicate dns queries within the same smtp transaction from the body content filtering. This helps if the mail server does not have a nearby caching dns server.
    Add host_soft_limit config keyword. Use only one of host_limit or host_soft_limit, since the last one wins. The host_limit is a hard upper limit on the number of host names in a message. The host_soft_limit allows unlimited host names, but only checks a random sample of them against the dnsbl.
    The main thread has dropped root privileges, but other threads are still running as root. This needs to be fixed.