Association
Description

This module tries to find associations between the sender IP and the sender domain. To do so, it retrieves the PTR record for the sender IP and compares it to the A, MX and CNAME (resolved to A) records of the sender domain. If any association is found, the sender might be allowed. This does not imply the mail is not SPAM. However, in the opposite case, where no association can be found, it is more likely that the mail is SPAM (e.g. someone sending a googlemail.com mail from a Chinese IP).
The module can be fine-tuned. There are three association types which can be identified:
- direct
  The sender domain A or MX record is the sender IP (common for small mail servers or HTTP servers which are also mail servers).
  E.g.: Sender = smallcompany.tld, which has an A record pointing to the IP 123.123.123.123, where the web server runs. A mail server runs on the same machine, so the IP addresses match directly (in this case, with the A record of the domain).
- domain
  The sender domain and the PTR record of the sender IP share the same top level.
  E.g.: The sender domain is googlemail.com and the sender IP PTR is mx-22.googlemail.com.
- subnet
  The sender IP and the IP of the sender domain are in the same subnet. By default, only subnets up to /24 will be scored positive. The "closer" the subnet (e.g. a /31 subnet is closer than a /26 subnet), the higher the positive rating.
  E.g.: The sender has the IP 123.123.123.25 and the sender domain's MX points to 123.123.123.201, so both are in a /24 subnet.
You can consider this effort as a "lightweight SPF without SPF".
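The three association types as an added sketch in Python (not the module's own code), using the default weights from the Configuration section. DNS results are passed in as already-resolved lists; the function names, the "first match wins" order and the PTR suffix rule are assumptions made for illustration.

```python
import ipaddress

# Defaults from the Configuration section of this page.
WEIGHTS = {
    "direct": 20,
    "domain": 15,
    "range": {31: 20, 30: 20, 29: 10, 28: 10, 27: 10, 26: 5, 25: 5, 24: 5},
    "no_hit": -20,
}

def common_prefix_len(ip_a, ip_b):
    """Number of leading bits two IPv4 addresses share (32 = identical)."""
    a = int(ipaddress.IPv4Address(ip_a))
    b = int(ipaddress.IPv4Address(ip_b))
    return 32 - (a ^ b).bit_length()

def associate(sender_ip, ptr_names, sender_domain, domain_ips, weights=WEIGHTS):
    """Return (association_type, score).

    ptr_names:  PTR names of sender_ip (already resolved)
    domain_ips: A / MX / CNAME targets of sender_domain, resolved to IPs
    Assumption: first match wins, checked in order direct, domain, subnet.
    """
    # direct: an address of the sender domain is the sender IP itself
    if any(common_prefix_len(sender_ip, ip) == 32 for ip in domain_ips):
        return "direct", weights["direct"]
    # domain: PTR name is the sender domain or a host below it (assumed rule).
    # PTR names come from the reverse zone of the sending IP, so they are
    # only as trustworthy as that zone.
    dom = sender_domain.lower().rstrip(".")
    for ptr in ptr_names:
        name = ptr.lower().rstrip(".")
        if name == dom or name.endswith("." + dom):
            return "domain", weights["domain"]
    # subnet: score the closest shared subnet that has a configured weight
    best = max((common_prefix_len(sender_ip, ip) for ip in domain_ips), default=0)
    if best in weights["range"]:
        return "subnet", weights["range"][best]
    return "none", weights["no_hit"]

if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the text above.
    print(associate("123.123.123.123", [], "smallcompany.tld", ["123.123.123.123"]))
    print(associate("198.51.100.7", ["mx-22.googlemail.com"], "googlemail.com", ["203.0.113.9"]))
    print(associate("123.123.123.25", ["host.example.net"], "example.org", ["123.123.123.201"]))
```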
Critics
This approach works to identify / associate mail servers run by companies or small hosters, because they either run their website on the same host (IP) as the mail server or have only small subnets. Very large shared hosters, which have a very distributed environment, lots of IP ranges and no association whatsoever between the actual sender domain and the mail server IP, will probably not be identified and therefore score negative, even if the association exists (but is not visible).
Configuration
weight_direct_hit
Default: 20
Allowed Values: integer score
Score for a direct hit (see above).
weight_domain_hit
Default: 15
Allowed Values: integer score
Score for a top level hit (see above).
weight_range_hit
Default: { 31:20, 30:20, 29:10, 28:10, 27:10, 26:5, 25:5, 24:5 }
Allowed Values: HashRef of integer
Scores for a sender domain that is associated with the client address via an IP subnet (see above).
weight_no_hit
Default: -20
Allowed Values: integer score
If no association could be found, this weight will be applied.
respect_spf_pass
Default: 1
Allowed Values: Bool
Whether any positive SPF result will stop any association tests.
Example
---
disable: 0
timeout: 15
weight_direct_hit: 20
weight_domain_hit: 15
weight_range_hit:
    31: 20
    30: 20
    29: 10
    28: 10
    27: 10
    26: 5
    25: 5
    24: 5
weight_no_hit: -20
respect_spf_pass: 1
Performance
The performance depends strongly on the speed of your local DNS, the complexity of the sender's network structure and the level of subnets you are willing to allow. Positive scoring for weight_direct_hit and weight_domain_hit is reasonably fast. However, if you receive lots of SPAM from non-existent domains for which the resolution always takes tens of seconds, the performance will be poor.