You asked for suggestions for Exim 4 hope this makes the list
Proposed - EXSB (Exim Spam Blocker)
As we are all aware of spam is a big problem. Blocking an IP just because we
once got spam on it is not valid; it could have come from a dialup account
where legitimate users also use the IP. Dialup IPs and ip that are no longer
used to send spam should not be permanently blocked. RBLs can do this to a
degree, but blocking with a local list is faster than using an RBL. Besides
it puts you in control.
The use of check sums in spam mail can be easily defeated but if they want
a call or a visit to their domain that the phone number or domain name in
the URL must remain consistent. Extracting this information from spam email
is one way to identify spam that should work (unless they quit trying to
sell things in spam there has to be some way to contact the seller.)
What is needed is a way to block ip addresses and then to later clear them
depending on:
1- If an open relay gets closed
2- How many bounces the blocked ip produced
3- If it had been cleared earlier.
It is also important to be able to retrieve a copy of the spam for
non-believers (a web page form interface would be best). Even better would
be a way to automatically update a bind RBL zone file which is quite
possible with Bind 8 and 9.
Generating a blocked IP list
To make a workable system, we should be able to forward a spam message to a
special address i.e. spam@???. Instead of delivering the
message, Exim would pull out the IP from the header (it would have to look
one line down to match the receiving MTA incase the message was relayed) and
then stuff the message into a database indexed by IP called spam_messages.
There would be a total of 7 databases (really could be less but 7 makes it
easer to explain.)
Database Fields
spam_messages ip message
blocked_ips ip date_blocked relay
date_clear_skipped
rejected_ips ip date_first_blocked
times_rejected
cleard_ips ip times_cleared
never_block_ips ip
always_ block_ips ip
spam_id ip phone_number url
Also a couple of settings:
rejects_allowed_number
clearing_interval
eat_bounces
After getting the spams IP, Exim would next run an open relay test on the
IP. If the IP is proves to be an open relay Exim would send a message (and
could send them a copy of the spam) to postmaster at IPs MX and also the
email address in the DNS SOA record informing them that they have an open
relay. Exim should eat bounces to these messages if eat_bounces is true.
Next, Exim would store the ip in the blocked_ips database along with the
date_blocked, and set the relay field. (Exim could also put IPs from RBLs in
this database.)
As the reject log is produced Exim would also generate a database called
rejected_ips with field names ip, date_first_blocked and times_ rejected.
Exim would then extract phone numbers and urls of domains listed in the body
of the message and put them in the spam_id database. Incoming messages that
match this data would get copies forwarded to the postmaster who could then
forward the mail to. spam@???
<
mailto:spam@your.exim.server.com> to add the IP to the list. (a human
review would be necessary because some spam might contain legitimate phone
numbers and domain names.)
Clearing IP numbers from the Blocked IP list
After the clearing_interval (multiplied by the number of times_cleared) Exim
would do one of the following:
On non-relayers , Exim would see if the IP has less times_rejected recorded
in rejected_ips than the rejects_allowed_number . If true, Exim would move
the ip from blocked_ips to cleared_ips and set a times_cleared field to a
number that is incremented each time the IP has been cleared. If it isnt
cleared the field date_clear_skipped is set to the current date as a
starting point for the next clearing interval and times_rejected is set back
to zero.
On open-relays after the clearing_interval, Exim would again run an open
relay test. If the open relay test showed the relay had been closed the IP
would be cleared as above. If the relay test could not get a response, it
would be treated as like a non-relayer.
If spam is again received from an IP in the cleard_ips database, it gets put
back into blocked_ips. If an ip is due to be cleared and it is in the
cleard_ips the clearing_interval would be multiplied by times_cleared in
deciding when to clear the IP. Thus each time you set an IP number to be
blocked it stays around longer.
To allow overriding of this automatic system there would be two other
databases that list IP addresses one would be never_block_ips and always_
block_ips.
Updating a RBL Zone File
DDNS Dynamic DNS is intended to update zone records automatically for DHCP
clients. The same mechanism could be used to update a RBL. The standards
are in RFC2136 and RFC 2137.
Effects of IPv6
One worry is that when (should I add a if?) IPv6 comes on line that
spammers will be given large blocks of IPs. I think that instead of making
IP filtering obsolete it will make it necessary to easily gather IPs and
share them with other via RBLs.
