Jeremy Harris wrote:

> Tony Finch wrote:
> 
>>I suggested using defer rather than deny because (a) they are spammers and
>>are unlikely to retry,
> 
> 
> I think (woolly-level feeling from watching mainlog and
> assorted graphs) that this is unfortunately becoming less
> so.
> 
> Whether it's because zombies are starting to use system's
> configured smarthosts, or just spamware is being complexified,
> I can't say.
> 
> - Jeremy
> 

Second that observation - they do retry, for the last 8 months 
or so, at least.

OTOH, these tend to come in 'waves' from a pool of dynamic / 
allocated portable IPs and have other common defects, so can 
be shed by assigning weighted demerit points for each of:

- failure to forward/reverse resolve IP/hostname at CONNECT.
     Demerits added

- forged / mismatched HELO.
     Demerits added

+ found in local whitelist (ex: NetSol idjuts).
     Skipped forward

- found in local black list at HELO.
     Terminated

- found in local blacklist at MAIL FROM.
     Terminated

- fail recipient at RCPT TO.
     Terminated

For surviving traffic, at RCPT TO we copy scores from acl_c(x) 
to acl_m(x) variables, then pull corresponding per-user 
threshold preferences from the user DB for further tests against:

- general protocol violations.
    above, plus MIME, format, syntax, attachment, RBL or AV hit

These will nail most bad-actors before there is any need to invoke SA.

Then, in pre_data and DATA ACLs:

- spam warning / X-header add score level

- spam quarantine / subject mod score level

- spam outright-discard score level

Where:

- the demerit points are weighted as to severity of the offense.

- 'terminated' may be deny/drop/discard, as appropriate

- optionally a variable delay is imposed.


Several things get 'immediately fatal' score-weights:

- HELO'ing as our own box

- forging the dozen or so largest ISPs

- local blacklist entry (IP or REGEX)

- forbidden attachment types

- trusted RBL hits

- ClamAV hits

Some tests have rather low demerits applied, simply because too 
many otherwise-legit senders fail these.

As scores are cumulative, users with 'strict' preferences can 
still block effectively when there are 'too many small things' 
not right.

At near-zero false-positives, these tests consume a very small 
fraction of the system resources SA would need if invoked 
earlier / more often, and are far more effective.

Bill
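The scheme Bill describes above, written out as an Exim ACL fragment. This is an added illustration, not Bill's configuration or anything from the Exim project: the demerit weights, the thresholds, the hostlist `helo_whitelist`, the file paths `/etc/exim/helo_blacklist` and `/etc/exim/user_thresholds` (one line per local part, `alice: 4 8 12` = warn / quarantine / discard levels), and the RBL zone name are all assumptions chosen to show the shape of the mechanism. It uses the numbered `acl_c0`/`acl_m0` variables the post refers to, so the connection-wide score survives across messages while the per-message copy carries the recipient's thresholds.

```exim
# --- main section (assumed settings) ---
acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo
acl_smtp_rcpt    = acl_check_rcpt
acl_smtp_data    = acl_check_data
hostlist helo_whitelist = 192.0.2.0/24        # placeholder network
# av_scanner = clamd:/var/run/clamav/clamd.ctl # needed for the malware test

begin acl

acl_check_connect:
  # Every connection starts with a zero demerit score.
  warn  set acl_c0 = 0

  # No forward/reverse DNS match: a small penalty, not fatal, because
  # plenty of otherwise-legit senders fail this one.
  warn  !verify = reverse_host_lookup
        set acl_c0 = ${eval:$acl_c0+2}
        log_message = DNS fwd/rev mismatch, score now $acl_c0

  accept

acl_check_helo:
  # Immediately fatal: the peer HELOs as our own box.
  drop  condition = ${if eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}}
        message   = HELO forged as local host

  # Local whitelist: skip the remaining HELO tests.
  accept hosts = +helo_whitelist

  # Local blacklist at HELO: terminated.
  deny  condition = ${lookup{${lc:$sender_helo_name}}lsearch{/etc/exim/helo_blacklist}{yes}{no}}
        message   = HELO name blacklisted

  # HELO does not match the reverse-DNS name (or there is none): demerits.
  warn  condition = ${if !eq{${lc:$sender_helo_name}}{${lc:$sender_host_name}}}
        set acl_c0 = ${eval:$acl_c0+3}

  accept

acl_check_rcpt:
  # Unknown recipient: terminated.
  deny  !verify = recipient
        message = unknown user

  # Trusted RBL hit is fatal (zone name is a placeholder).
  deny  dnslists = rbl.example.invalid
        message  = listed in $dnslist_domain

  # Copy the connection score to a per-message variable and pull this
  # recipient's warn / quarantine / discard thresholds (defaults 5/10/15).
  warn  set acl_m0 = $acl_c0
        set acl_m1 = ${lookup{$local_part}lsearch{/etc/exim/user_thresholds}{${extract{1}{ }{$value}}}{5}}
        set acl_m2 = ${lookup{$local_part}lsearch{/etc/exim/user_thresholds}{${extract{2}{ }{$value}}}{10}}
        set acl_m3 = ${lookup{$local_part}lsearch{/etc/exim/user_thresholds}{${extract{3}{ }{$value}}}{15}}

  # Strict users are already past their discard level: no need for SA.
  deny  condition = ${if >={$acl_m0}{$acl_m3}}
        message   = too many protocol defects

  # Optional variable delay, one second per demerit point.
  warn  condition = ${if >{$acl_m0}{0}}
        delay = ${acl_m0}s

  accept

acl_check_data:
  # ClamAV hit is fatal (requires content scanning and av_scanner above).
  deny  malware = *
        message = virus detected: $malware_name

  # Cumulative score decides: outright discard, tag for quarantine
  # (a router or transport acts on the header), or just a warning header.
  discard condition = ${if >={$acl_m0}{$acl_m3}}

  warn  condition  = ${if >={$acl_m0}{$acl_m2}}
        add_header = X-Quarantine: yes

  warn  condition  = ${if >={$acl_m0}{$acl_m1}}
        add_header = X-Demerits: $acl_m0 (warn at $acl_m1)

  accept
```

Note that `acl_m0`..`acl_m3` hold whatever the last RCPT TO set them to, so with several recipients of differing strictness the DATA-stage decision follows the last one; a per-recipient policy needs the scores carried into routing instead.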

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/