Re: [Exim] Header Data

Author: Scott Nolde
Date:
To: Dave C.
CC: Joseph Kezar, exim-users
Subject: Re: [Exim] Header Data
smacked into the keyboard previously by exim-users-admin@???:

>Date: Sun, 6 Jan 2002 01:36:41 -0500 (EST)
>From: Dave C. <djc@???>
>To: Joseph Kezar <jkezar@???>
>Cc: exim-users@???
>Subject: Re: [Exim] Header Data
>
>
>Blocking spam by sender address is of little value, because usually,
>they make up a new, random sender address, in a new, random forged
>domain every time they send a new spam. So usually, you'll not often see
>the same address twice anyway.
>
>
>On Thu, 3 Jan 2002, Joseph Kezar wrote:
>
>> I'll tell you what I did now.
>> Let me know if this is the correct way of finding the envelope-sender.:
>> cat /var/log/exim_mainlog | grep 16M8YJ-0006ut-00(messageid from a SPAM
>> email)
>> proves:
>> 2002-01-03 09:09:05 16M8YJ-0006ut-00 <= opt-in@???
>> H=(mx2.state.vt.us) [170.222.64.130] P=esmtp S=6091
>> id=20020103135240.24285.qmail@???
>>
>> I am strongly guessing 'opt-in@???' is the
>> envelope-sender.
>> And this is the sender that needs to be added to my /usr/exim/rejectlist
>> Am I correct?
>>
>> Joseph Kezar wrote:
>> >
>> > I now know that it doesn't block on the From: header field but on the
>> > "envelope sender".
>> > I have spam coming in with these headers, how do I determine the
>> > "envelope sender" and how can I stop this message from getting into my
>> > email server
>> > ________________________________________________________________________
>> > Return-path: <32-1785-475039@???>
>> > Envelope-to: message filter
>> > Delivery-date: Thu, 03 Jan 2002 08:49:07 -0500
>> > Received: from [159.105.23.130] (helo=mx1.state.vt.us) by
>> > mail1.doc.state.vt.us with esmtp (Exim 3.33 #13) id 16M8F1-0006KY-00 for
>> > linm@???; Thu, 03 Jan 2002 08:49:07 -0500
>> > Received: from transport5e.azoogle.com ([66.197.140.44]) by
>> > mx1.state.vt.us (Post.Office MTA v3.5.4 release 224 ID# 0-0U10L2S100V35)
>> > with SMTP id us for <linm@???>; Thu, 3 Jan 2002 08:49:29
>> > -0500
>> > Received: from azoogle by transport5e.azoogle.com with local (Azoogle
>> > 2.1) id 32-1785-475039 for linm@???; Thu, 03 Jan 2002
>> > 08:49:25 -0500
>> > Content-Type: text/plain; charset="us-ascii"
>> > Content-Disposition: inline
>> > Content-Transfer-Encoding: 7bit
>> > MIME-Version: 1.0
>> > From: "WIN $1000cash/prizes" <fsnews@???>
>> > To: linm@???
>> > Date: Thu, 03 Jan 2002 08:49:25 -0500
>> > Subject: Get $20 in FREE-Gifts! It's still CHRISTMAS -
>> > Message-ID: <32-1785-475039@???>
>> > X-Info: please report abuse of this service to abuse@???
>> > Content-Length: 1291
>> > X-Envelope-To: linm@???
>> > _______________________________________________________________________
>> >
>> > Matthew Byng-Maddick wrote:
>> > >
>> > > On Thu, Jan 03, 2002 at 08:35:40AM -0500, Joseph Kezar wrote:
>> > > > My question, does this reject clause block the From:,Return-path: or
>> > > > the Reply-To:
>> > >
>> > > My question, did you read the archives?
>> > >
>> > > > I am going through emails that I want to add to my reject list and I am
>> > > > taking out the From: header and adding that info to my reject file.
>> > > > It seems some are sneaking in still. Is it because it doesn't reject on
>> > > > the From: header?
>> > >
>> > > A quick search later, and I find the thread:
>> > > http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20011217/033300.html
>> > >
>> > > Which may be instructive. Note the date, it wasn't very long ago.
>> > >
>> > > MBM
>> > >
>> > > --
>> > > Matthew Byng-Maddick         <mbm@???>           http://colondot.net/
>> > --
>> > Joseph Kezar
>> Joseph Kezar


Well, I found a nice tidbit of information from the O'Reilly book: If you
have a list of common spammer domains in /etc/exim/spammers then adding:
sender_reject_recipients = @@lsearch;/etc/exim/spammers

to your exim configuration file will block those domains from dumping
their spam in your mail system. I retrieved a list of spammer domains
from http://www.rhyolite.com/anti-spam/freemail-adb and with a little awk
I got my list of domains from that url.

I also have in my system filter a search based on words in the
subject header. If the search matches then the message is put into
catchall which then I can delete or move the emails to their proper lists.
This was done by:

# System filter fragment: lower-case the Subject: header and test it against
# an alternation of spam words; a hit is saved to a catch-all file instead of
# being delivered. (Word list is one long line: a regex cannot be wrapped.)
if ${lc:$h_subject:} matches ".spam|loan|profit|ejaculation|free shipping|snoring|funds|iso-2022-jp|koi8-[ur]|invest(ment)?|spy/security|great offer|incredible|teens|xxx|sex(y)?|refinancing|pill|mortgage|credit|rates|big5|big-5|shocking|wholesale|prescription|consolidate|penis|cock|adv:|pharmacy|make \\$|debt|guaranteed|paycheck."
then save /path/to/file
endif

The search is rather crude, but effective.

Scott Nolde
GPG Key 0xD869AB48
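As an added illustration (not code from anyone in this thread), the following Python reads the envelope sender from the two places the thread points at, the Exim mainlog "<=" arrival line and the Return-path: header, and then applies the domain check that sender_reject_recipients with a domain list performs. The log lines, addresses, IPs and header text are constructed placeholders.

```python
import re

# Constructed sample lines in the Exim 3 mainlog arrival ("<=") format.
# Addresses, domains and IPs are placeholders, not values from the thread.
SAMPLE_LOG = """\
2002-01-03 09:09:05 16M8YJ-0006ut-00 <= opt-in@spammer.example H=(mx2.relay.example) [192.0.2.10] P=esmtp S=6091 id=20020103135240.24285.qmail@spammer.example
2002-01-03 09:10:11 16M8ZK-0006vv-00 <= alice@partner.example H=mail.partner.example [192.0.2.20] P=esmtp S=2048 id=abc@partner.example
2002-01-03 09:11:20 16M8ZL-0006vw-00 <= <> H=(bounce.example) [192.0.2.30] P=esmtp S=512
2002-01-03 09:12:30 16M8ZM-0006vx-00 => alice@local.example R=localuser T=local_delivery
"""

# "<=" marks arrival; the token right after it is the envelope sender,
# the same value Exim later writes into the Return-path: header.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+)"
    r"(?:.*? \[(?P<ip>[^\]]+)\])?"
)

def sender_domain(sender):
    """Domain part of an envelope sender, '' for the null sender <>."""
    if sender == "<>" or "@" not in sender:
        return ""
    return sender.rsplit("@", 1)[1].lower()

def parse_arrivals(log_text):
    """One record per arrival line; delivery ("=>") lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        records.append({"id": m.group("id"), "sender": m.group("sender"),
                        "domain": sender_domain(m.group("sender")),
                        "ip": m.group("ip") or ""})
    return records

def flag_by_domain(records, spammer_domains):
    """Message ids whose envelope-sender domain is on the block list,
    i.e. what a domain-based sender reject would have refused at SMTP time."""
    blocked = {d.lower() for d in spammer_domains}
    return [r["id"] for r in records if r["domain"] in blocked]

def return_path(raw_headers):
    """Envelope sender as recorded in the Return-path: header, or None.
    Note that From: is a separate, freely forgeable header."""
    m = re.search(r"^Return-path:\s*<([^>]*)>", raw_headers, re.M | re.I)
    return m.group(1) if m else None

if __name__ == "__main__":
    recs = parse_arrivals(SAMPLE_LOG)
    print(flag_by_domain(recs, {"spammer.example"}))  # ['16M8YJ-0006ut-00']
```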