Re: [Exim] Nice way to cut down on spam.

Author: Eric Bullen
Date:  
To: juha
CC: Phil.Pennock, exim-users
Subject: Re: [Exim] Nice way to cut down on spam.
> On Mon, 13 Aug 2001, Eric Bullen wrote:
>
>> This is hardly anything to get confused about. I appreciate the
>> concern though- with a 99.5% hitrate, I'll take my chances (which is
>> hardly one). Wait- it's down to 99% since Juha replied to me, and that
>> bounced.
>
> Risking another mail bounce here, but... the reality of spam is that
> next to none comes directly from .cn, .kr or .jp. In the vast majority
> of cases it's US spammers relaying via Asian servers.

Very likely and unfortunate, but nevertheless, it's still spam. :-/

> If you are the only user on your system, or the other users are in
> total agreement with you, refusing mail from various IP blocks is fine.
> However, it's a very blunt weapon, as you've noticed, because the NIC
> information doesn't always tell you exactly where a certain IP range
> has been allocated. You are guaranteed to block mail that you want to receive.

It's a personal e-mail server for a small group of people that I know very
well, so I would *never* do this for a corporation (except to add a header
to the message, or for scoring, etc.). That is something that I did not
divulge- thankfully, I can block with extreme prejudice in this case.

> Unfortunately, I can't think of a good alternative, short of monitoring
> mail logs and keeping a manual blacklist.

I agree. Another thing that I noticed is that the ip-block list I keep has a
*huge* number of lookup problems, such as an IP that doesn't have a name (which
is of course valid, but makes it hard to filter), and a HELO argument that
doesn't even come close to mapping back to the actual IP (which is also
valid). Yes, there are many other servers outside of that region that are
also guilty of this, but it seems to be much less.

I could use strict HELO checking, but from what I've seen, exim ends the
connection, and does not allow for the addition of a header like
"X-Failed-Helo: <helo arg>". Forgive me if I am wrong here, I haven't looked
too closely at this one...

> Hey... that would be a nice feature for Exim... a simple way to create
> and maintain a file or database of blocked senders. I don't mean
> keeping the addresses in exim.conf -- wouldn't it be good to have an
> "exim_blocked" file (e.g) for lookups, without exim.conf ju-ju?

I am a little ignorant in this dept, but this approach has more holes than a
sieve- no fault of the postmaster, but does one use the Reply-To, Sender:,
From:, or the Return-Path: field (when you know they are forged or
non-compliant)? Also, most spammers forge the domain, and of course the user
which is almost always random characters (and thus never used again). I
went down this path by having procmail do an auto-bounce on known spam
emails, and they almost never worked. I was using formail with the "-r
-xTo:" argument, and it failed all the time.

Spammers are starting to catch on that the way to do it is to put the
*valid* email address in the message body, which pretty much ties both hands
behind our backs...

-E
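As an added example (not from this thread, its authors, or Exim's own documentation), here is how the two things wished for above, a separate lookup file of blocked networks and tagging a failed HELO with a header instead of dropping the connection, look in Exim 4 ACL syntax, which postdates the Exim 3 setups discussed in 2001. The file path, the header name and the sample network entry are assumptions.

```conf
# Added example in Exim 4 ACL syntax; not the configuration of anyone on this
# list. The file path and header name below are assumptions.

# Named host list read from a file: one item per line, e.g. a CIDR block such
# as 10.0.0.0/8 (constructed sample). The file is maintained from the mail
# logs, as the thread describes, without touching the main configuration.
hostlist blocked_hosts = /etc/exim/blocked_hosts

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Personal server for a few known users: reject the listed networks
  # outright, with a reply that says why.
  deny  hosts   = +blocked_hosts
        message = Mail from your network is not accepted here

  # Shared system: do not drop the connection on a HELO that fails
  # verification; record it in a header so a per-user filter or a
  # scoring tool can decide. (To merely tag the block list as well,
  # use "warn hosts = +blocked_hosts" with an add_header instead of deny.)
  warn  !verify    = helo
        add_header = X-Failed-Helo: $sender_helo_name from $sender_host_address

  accept
```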