Anti Spam was Re: [EXIM] Mail bombs

Author: Lee McLoughlin
Date:  
To: John Horne
CC: exim-users
Subject: Anti Spam was Re: [EXIM] Mail bombs
John Horne wrote:
>
> Hello,
>
> We have started to use in earnest the RBL configuration options, and spam
> files from Broomstick Internet Services (http://www.broomstick.com) in order
> to cut down on the chances of spam hitting us. However, does/has anyone taken
> any particular measures to prevent users from being mail-bombed?
>
> Currently we use exim 1.82; 1.891 on a test system.



We are in a slightly odd situation. We have recently separated our
email from another bit of IC. So most people still use our old email
addresses which means mail hops thru another department at IC before
reaching us - and they don't do any anti-spamming.

This means that the RBL stuff doesn't help with most of our email as
most of the mail is being sent to us by the department not by the
originating site.

So we compare the from, sender, reply-to, return-path, to, and cc against
known spam hosts and accounts. However prior to 1.890 it was difficult
to match the "real" part of the address and ignore any full name or
comment bits. Hence my request for a way to grab the local_part and
domain from an email address. In the next release of exim it will be
even easier as ${local_part: and ${domain: will return null on bad
addresses. At the moment bad addresses cause the filter to fail so I
have to try and test the address before calling either local_part or
domain. However making sure an address is syntactically correct is
pretty difficult!

I regularly post to the news and to various mailing lists so I do get a
lot of spam in. I use these as one of the sources of spam addresses. I
then merge this in with the BroomStick lists (mentioned above) and with
information from ftp.cs.huji.ac.il. This gives 1901 bad accounts and
1058 bad hosts (if the entire host is bad then the bad accounts are not
also listed in the bad accounts file).

I think I've passed my list to the BroomStick people in the past. I'm a
little wary about putting my lists on a local FTP archive as I'm worried
about any possible legal implications.


But if anyone wants what I've done I can email it to you. However I
strongly advise not using my .forward rules till the next exim, with the
safer local_part/domain expanders.

--
Lee McLoughlin.                         Phone: +44 171 594 8388
IC-Parc, Imperial College,              Fax:   +44 171 594 8432
South Kensington, London. SW7 2AZ. UK.  Email: lmjm@???


--
*** Exim information can be found at http://www.exim.org/ ***
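
Added example, not part of the original message and not Lee's .forward rules: a Python sketch of the check the message describes, pulling the bare address out of each listed header, returning nothing for a syntactically bad address instead of failing, and comparing the rest against bad-host and bad-account lists. The list contents, the sample message, the function names and the case-insensitive account match are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Headers the message says are compared against the spam lists.
CHECKED_HEADERS = ("from", "sender", "reply-to", "return-path", "to", "cc")
# Constructed sample lists; the real lists are not on the page.
BAD_HOSTS = {"bulk-mailer.example"}
BAD_ACCOUNTS = {"offers@shared-isp.example"}

_LOCAL = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
_DOMAIN = re.compile(r"^(?!-)[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def split_address(addr):
    """Return (local_part, domain), or None for a syntactically bad address."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not _LOCAL.match(local) or not _DOMAIN.match(domain):
        return None
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return None
    return local, domain.lower()

def spam_hits(raw_message):
    """List (header, address, reason) for every address found on a bad list."""
    msg = message_from_string(raw_message)
    hits = []
    for header in CHECKED_HEADERS:
        # getaddresses drops full names and comments, leaving the bare address.
        for _name, addr in getaddresses(msg.get_all(header, [])):
            parts = split_address(addr)
            if parts is None:
                continue  # bad address: skip it rather than abort the check
            local, domain = parts
            if domain in BAD_HOSTS:
                hits.append((header, addr, "bad host"))
            elif f"{local.lower()}@{domain}" in BAD_ACCOUNTS:
                hits.append((header, addr, "bad account"))
    return hits

# Constructed message: a full name, a comment, and one unparseable recipient.
SAMPLE = """\
From: "Great Offers" <promo@bulk-mailer.example>
Reply-To: Offers@Shared-ISP.example (Special Offers)
To: undisclosed recipients
Cc: Someone <someone@dept.example>

body
"""
```

As in the message, an account on a bad host is reported once, under the host, so the account list only needs entries for hosts that are not wholly bad.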