> This is great. Tx!
> I've already started to incorporate some of the rules
> provided by Suresh and Mark who wrote on this before, but
> this seems much more comprehensive.

You're welcome. Please post anything you work out, find, or improve.

I borrowed much of this and adapted the rest from those sources and/or ideas from other products.

Tonight I just got the two "warn"s, on Invalid HELO or NO reverse record, into the Greylisting and it started catching right away.

I also added a regex for likely "dynamic addresses" on both $sender_host_name AND $sender_helo_name -- it bothers me to block on these tests, but using them to DRIVE the greylist seems like the best of all choices.

Greylisting is up to 83% "never returns" -- only 17% of the greylisted senders bother to try again and so far I haven't found any evidence of losing anything to the greylist. (I do see SOME good, but low priority mail being delayed, but not much of that since we only send the "smelly" mail through the greylist test.)

Combining the Blacklists to DRIVE the Greylist was already very effective; adding the warns to do that without a "cold block" is helping.

Next project is to see about driving SpamAssassin "high scores" back through the greylist to cover that stuff coming from 1) static looking addresses 2) not in blacklists 3) Valid helo, etc BUT WITH that high SA score.

No test is an "all or nothing" decision -- it takes at least two separate tests for the greylist to cause a block and that second test is only if the sending server doesn't do SMTP retries.

I also started adding some simple "block" if these patterns are seen right into the Exim config (but this will get moved to an include file soon.)

Herb Martin, MCT, MCSD, MCSE, MVP
[EMAIL PROTECTED]
http://LearnQuick.Com
512 388 7339 -or- 1 800 MCSE PRO
Accelerated MCSE in a Week Seminars

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ilan Aisic
> Sent: Thursday, August 04, 2005 2:12 AM
> To: Herb Martin
> Cc: [email protected]
> Subject: Re: [exim] How to Reject Remote Mail Server Imposters (to self)
>
> This is great. Tx!
> I've already started to incorporate some of the rules
> provided by Suresh and Mark who wrote on this before, but
> this seems much more comprehensive.
>
> --ilan
>
> On 8/3/05, Herb Martin <[EMAIL PROTECTED]> wrote:
> > > As we know, spammers often fake their identity and their mail server
> > > /ratware fakes their identity as well.
> > > I've noticed that occasionally I get spam that is supposedly sent
> > > from my own server (tivon1.pointer.co.il) but clearly arrives from
> > > an outside IP address.
> >
> > I filtered these recently and was SHOCKED how much spam was hit by
> > simply blocking on my "own server name" and "my own server address"
> > given the HELO.
> >
> > > I've written a rule in SpamAssassin that rejects this kind of spam but
> > > I think it really should be stopped inside Exim.
> >
> > It should be stopped at the SMTP transaction, before even accepting
> > the email.
> >
> > acl_check_helo:
> >   accept hosts = : +KNOWN_HOSTS
> >
> >   deny message = HELO/EHLO with my ip address. You are not me.
> >        log_message = -- HELO/EHLO my ip
> >        condition = ${if match {$sender_helo_name}{68.178.144.60} {yes}{no}}
> >
> >   deny message = HELO/EHLO with my domain name. You are not LearnQuick.
> >        log_message = -- HELO/EHLO learnquick.com
> >        condition = ${if match {$sender_helo_name}{learnquick.com} {yes}{no}}
> >
> >   deny message = Fine, then the mail I accept is also none
> >        log_message = -- HELO/EHLO none
> >        condition = ${if match {$sender_helo_name}{none} {yes}{no}}
> >
> >   deny message = You're not localhost--your admin misconfigured your email server.
> >        log_message = -- HELO/EHLO localhost
> >        condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}
> >
> >   accept
> >
> > ######################################
> > acl_check_mail:
> >
> >   accept authenticated = *
> >   accept hosts = : +KNOWN_HOSTS
> >
> > .ifdef RBL
> >   accept message = X-whitelisted-at: $dnslist_domain
> >          dnslists = ALL_DNS_WHITELISTS
> > .endif RBL
> >
> >   # Stopping Spam in the ACL <http://vamos-wentworth.org/exim-tricks.html>
> >   deny message = Invalid HELO. Your SMTP server is misconfigured.
> >        condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
> >
> >   ### The following three checks were too aggressive for DENY, so
> >   ### I set to warn, and use them to drive Greylist checks...
> >
> >   warn message = -- not listed as reverse record.
> >        log_message = -- WARN: not listed as reverse record.
> >        !verify = reverse_host_lookup
> >
> >   warn message = -- listed invalid HELO.
> >        log_message = -- WARN: listed invalid HELO.
> >        !verify = helo
> >
> > .ifdef RBL
> >   warn message = X-blacklisted-at: $dnslist_domain
> >        dnslists = ALL_DNS_BLACKLISTS
> > .endif RBL
> >
> >   accept
> >
> > The combination of simple sanity checks, other SMTP checks, and then
> > blacklists to drive greylisting is FAR better than I expected -- and
> > all before we get to SpamAssassin and custom filters....
> >
> > Herb Martin, MCT, MCSD, MCSE, MVP
> > [EMAIL PROTECTED] http://LearnQuick.Com
> > 512 388 7339 -or- 1 800 MCSE PRO
> > Accelerated MCSE in a Week Seminars
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ilan Aisic
> > > Sent: Wednesday, August 03, 2005 9:15 AM
> > > To: [email protected]
> > > Subject: [exim] How to Reject Remote Mail Server Imposters (to self)
> > >
> > > Hi,
> > > As we know, spammers often fake their identity and their mail server
> > > /ratware fakes their identity as well.
> > > I've noticed that occasionally I get spam that is supposedly sent
> > > from my own server (tivon1.pointer.co.il) but clearly arrives from
> > > an outside IP address.
> > > I've written a rule in SpamAssassin that rejects this kind of spam but
> > > I think it really should be stopped inside Exim.
> > > See the short log snippet below where you can see that the mail was
> > > sent from a dynamic comcast.net address but the server had the
> > > audacity in the "helo" command to identify itself as
> > > "tivon1.pointer.co.il".
> > > My Exim is configured to require sender verify but apparently it
> > > does not include "server" verify. Is there a command/parameter
> > > for this?
> > >
> > > ------------- exim log snippet starts ------------
> > > 2005-08-01 00:59:03 1DzLpi-0006TB-7u
> > >     H=c-24-131-41-83.hsd1.ga.comcast.net (tivon1.pointer.co.il)
> > >     [24.131.41.83] F=<[EMAIL PROTECTED]> rejected after DATA:
> > >     - Classified as spam (scored 28.8 points). Congratulations!
> > > Envelope-from: <[EMAIL PROTECTED]>
> > > Envelope-to: <[EMAIL PROTECTED]>
> > > P Received: from c-24-131-41-83.hsd1.ga.comcast.net ([24.131.41.83]
> > >     helo=tivon1.pointer.co.il)
> > >     by tivon1.pointer.co.il with smtp (Exim 4.50)
> > >     id 1DzLpi-0006TB-7u
> > >     for [EMAIL PROTECTED]; Mon, 01 Aug 2005 00:58:58 +0300
> > > F From: [EMAIL PROTECTED]
> > > ------------- exim log snippet ends ------------
> > >
> > > --
> > > Ilan Aisic
> > > Registered Linux User 8124 http://counter.li.org
>
> --
> Ilan Aisic
> Registered Linux User 8124 http://counter.li.org

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
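The HELO sanity checks and greylist-driving signals discussed in this thread, re-implemented as an offline triage script over Exim mainlog lines. This is an added example, not code from the thread or from Exim; it assumes the mainlog "H=<rdns> (<helo>) [<ip>]" field layout, and OWN_IPS plus the sample log lines are constructed placeholders.

```python
# Added example (not code from the thread): re-implements the thread's HELO
# sanity checks as an offline Exim mainlog triage tool. OWN_HOSTNAMES/OWN_IPS
# and SAMPLE_LOG are constructed placeholders.
import re

OWN_HOSTNAMES = {"tivon1.pointer.co.il"}  # hostname from the thread
OWN_IPS = {"192.0.2.10"}                  # constructed placeholder

# Exim mainlog host field: H=<rdns> (<helo>) [<ip>]. rdns and (helo) are optional;
# Exim omits (helo) when it equals the rDNS name.
H_FIELD = re.compile(r"H=(?:(?P<rdns>[^\s(\[]+)\s*)?(?:\((?P<helo>[^)]*)\)\s*)?\[(?P<ip>[^\]]+)\]")
# rDNS names that look like dynamic/consumer pools (the "likely dynamic" regex idea)
DYNAMIC_RDNS = re.compile(r"(?:\d{1,3}[-.]){2,}|\b(?:dyn|dhcp|dsl|cable|pool|ppp)\b", re.I)

def helo_checks(helo, ip, rdns):
    """Return (hard, soft): hard reasons warrant deny, soft ones only drive greylisting."""
    hard, soft = [], []
    h = (helo or "").strip("[]").lower()
    if ip not in OWN_IPS and (h in OWN_HOSTNAMES or h in OWN_IPS):
        hard.append("helo-impersonates-us")     # claims our name/IP from a foreign IP
    if h in ("localhost", "none"):
        hard.append("helo-" + h)
    if "." not in h:                            # the "Invalid HELO" no-dot test
        hard.append("helo-no-dot")
    if rdns is None:
        soft.append("no-reverse-record")
    elif DYNAMIC_RDNS.search(rdns):
        soft.append("dynamic-looking-rdns")
    return hard, soft

def triage(line):
    """Map one mainlog line to (verdict, reasons); verdict is deny/greylist/accept."""
    m = H_FIELD.search(line)
    if not m:
        return None
    rdns, helo, ip = m.group("rdns"), m.group("helo"), m.group("ip")
    if helo is None:
        helo = rdns                              # (helo) printed only when it differs
    hard, soft = helo_checks(helo, ip, rdns)
    return ("deny" if hard else "greylist" if soft else "accept"), hard + soft

SAMPLE_LOG = [  # constructed lines in Exim mainlog format
    "2005-08-01 00:59:03 1DzLpi-0006TB-7u H=c-24-131-41-83.hsd1.ga.comcast.net "
    "(tivon1.pointer.co.il) [24.131.41.83] F=<spammer@example.net> rejected after DATA",
    "2005-08-01 01:02:10 1DzLsk-0006Tz-1a H=(foo) [198.51.100.7] F=<a@example.org>",
    "2005-08-01 01:05:44 1DzLvy-0006U4-Q2 H=mail.example.com [203.0.113.5] F=<b@example.com>",
]
```

Calling triage() on the first sample line yields ("deny", ["helo-impersonates-us", "dynamic-looking-rdns"]): the impostor HELO is a hard reason, while the dynamic-looking rDNS alone would only have routed the sender through the greylist.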
