We're using Exim 1.82 and have written a message filter to intercept spam
messages that RBL doesn't catch. Since we have met with reasonable success
since installing (and refining) the filter -- 566 genuine spam messages
intercepted during a time period where there were 67 RBL rejections -- I
thought that the rest of the list may be interested in reviewing our filter
as a starting point for their own system message filter.
There are a number of caveats, however:
1. The suspected spam is not automatically rejected as RBL hosts are, but
is saved to a folder that should be read/writable by the mail
administrators. The reason for this is that the filter catches also
some legitimate mail and these messages should be bounced to their
originally intended recipient(s) (ala X-Envelope-To:) and the filter
refined and/or the databases (described below) updated.
Alan Thew <Alan.Thew@???> write:
>
> In some cases, the best thing is to just block IP address ranges etc.
> However all attacks seen here so far have blank To: and From: fields.
2. My filter traps blank/non-existent To: lines as well as To: lines
contained in From: lines, but firsts exempts the following categories
from this check: mailing lists, local mail, mail originating in the
country (e.g. in our case *.il) and mail coming from autosupport servers.
Beyond implicit checks, it uses four DBM databases: two that exempt the
message from any spam (beyond RBL) checks (software servers and strange mailing
lists need to be here) -- one based on $sender_address and the other on
$header_to: lines -- and, conversely, two databases for known spammers that
have valid mail headers that aren't caught by implicit checks. All entries
in these databases are lowercase so that we don't need two lines for
'friend@???' and 'Friend@???'.
The sample filter package is at
ftp://ftp.cs.huji.ac.il/pub/exim/spam_filter/
Comments and suggestions are welcome.
N.B. When testing with 'exim -bf' you will get
Filter error: [...] : unknown variable: recipients
every time something is flagged as suspected spam
so one can just ignore the error message.
___________________________________________________________________________
Ephraim Silverberg, CS System Group, Phone number: 972-2-6585521
Hebrew University, Jerusalem, Israel. Fax number: 972-2-6585439
WWW: http://www.cs.huji.ac.il/~ephraim E-mail: ephraim@???
--
*** Exim information can be found at
http://www.exim.org/ ***
