[Exim] I knew there was something ... spam

Author: Tony Earnshaw
Date:  
To: Exim Users
Subject: [Exim] I knew there was something ... spam
--
O.k.

Exim 4.01: God bless you Philip, WHAT an improvement. "Improvement on
excellence? Is that possible?"

I get a lot of spam via the Netfilter (Linux kernel firewall and NAT)
mail group. No moderator, all the spam comes from Korea. As soon as
anyone mentions spam, everybody else tells him/her to shut up and
concentrate on what's technical in the mailing list. Not that that's
worth much, there aren't many people in the group who've heard of RTFM
("plz help me").

So I got Exim's acl_smtp_rcpt = acl_check_rcpt to work, with an
unmodified Sendmail spam database from Vortex.com (around 9,000 domain
and IP host addresses) and the Exim ACL lookup spam filter. The Vortex
spam database is updated daily.

Can't be bothered with the DUL or mail-abuse databases any more.

I never want mail from Korea anyway, so I did 'whois -h whois.apnic.net'
on all the first "Received: from"s and built up a second database. Cut
out about 1/2 of the available Korean IP blocks, but what the heck. As I
said ...

Cost me a tear or two (and much RTFMing and searching in the Exim mail
group missives), but it works. But only if all those people send me spam
directly. Not if the Netfilter people send me spam as the first
"Received: from" in the envelope body, though.

So now I need help in building rules for searching envelope bodies
(acl_smtp_data = check_message) for strings.

Example:

----------------------

Return-path: <netfilter-admin@???>
Envelope-to: tonni@???
Delivery-date: Sun, 17 Mar 2002 08:30:25 +0100
Received: from punt-15.mail.nl.demon.net ([194.159.73.24]) by
billy.demon.nl with smtp (Exim 4.01) id 16mV7Y-0001UI-00 for
tonni@???; Sun, 17 Mar 2002 08:30:25 +0100
Received: from punt-14.mail.nl.demon.net by mailstore for
tonni@??? id 1016335120:14:29994:0; Sun, 17 Mar 2002 03:18:40
GMT
Received: from samba.sourceforge.net ([198.186.203.85]) by
punt-12.mail.nl.demon.net id aa1200071; 17 Mar 2002 3:18 GMT
Received: from va.samba.org (localhost [127.0.0.1]) by lists.samba.org
(Postfix) with ESMTP id 811E74190; Sat, 16 Mar 2002 19:14:20 -0800 (PST)
Delivered-To: netfilter@???
Received: from localhost (unknown [211.190.93.196]) by lists.samba.org
(Postfix) with SMTP id D4A614111 for <netfilter@???>; Sat,
16 Mar 2002 19:13:06 -0800 (PST)

----------------------------

"211.190.93.196" is what I want to filter on.

Anybody any ideas?

Best,

Tonni

--

Tony Earnshaw

e-mail:        tonni@???
www:        http://www.billy.demon.nl


Telephone:   (+31) (0)172 530428
Mobile:        (+31) (0)6 51153356


GPG/PGP Fingerprint: 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
--
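An added example, not part of the original post and not Exim configuration: a Python sketch of the check the question asks for, walking the Received: chain and matching each relay IP against a CIDR blocklist. The function names, the BLOCKLIST entry and the TRUSTED relay suffixes are assumptions made for illustration; the sample headers are rebuilt from the message above with the "for" clauses dropped.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the post.
SAMPLE = """\
Received: from punt-15.mail.nl.demon.net ([194.159.73.24]) by
 billy.demon.nl with smtp (Exim 4.01) id 16mV7Y-0001UI-00; Sun, 17 Mar 2002 08:30:25 +0100
Received: from punt-14.mail.nl.demon.net by mailstore id 1016335120:14:29994:0;
 Sun, 17 Mar 2002 03:18:40 GMT
Received: from samba.sourceforge.net ([198.186.203.85]) by
 punt-12.mail.nl.demon.net id aa1200071; 17 Mar 2002 3:18 GMT
Received: from va.samba.org (localhost [127.0.0.1]) by lists.samba.org
 (Postfix) with ESMTP id 811E74190; Sat, 16 Mar 2002 19:14:20 -0800 (PST)
Received: from localhost (unknown [211.190.93.196]) by lists.samba.org
 (Postfix) with SMTP id D4A614111; Sat, 16 Mar 2002 19:13:06 -0800 (PST)
Subject: constructed test message

body
"""

BLOCKLIST = ["211.190.93.0/24"]                      # constructed blocklist entry
TRUSTED = (".demon.nl", ".demon.net", ".samba.org")  # assumption: relays we believe

# Peer IP in square brackets, then the host that wrote the header ("by ...").
RECEIVED_RE = re.compile(r"from\s+.*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>[\w.-]+)")


def relay_hops(raw):
    """Yield (peer_ip, recording_host) for each Received header, newest first."""
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # no bracketed peer address recorded (e.g. internal mailstore hop)
        try:
            yield ipaddress.ip_address(m["ip"]), m["by"].lower()
        except ValueError:
            continue  # bracketed text was not an IP address


def first_blocked_hop(raw, blocklist=BLOCKLIST, trusted=TRUSTED):
    """Return the first blocklisted relay IP recorded by a trusted host, else None."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    for ip, by in relay_hops(raw):
        if not by.endswith(tuple(trusted)):
            break  # written by a host we do not trust: it and everything below may be forged
        if ip.is_loopback or ip.is_private:
            continue  # local re-injection inside the list server
        if any(ip in net for net in nets):
            return str(ip)
    return None
```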