Re: [Exim] Inspecting headers in DATA ACL

Author: Greg Ward
Date:  
To: exim-users
Subject: Re: [Exim] Inspecting headers in DATA ACL
On 04 April 2002, I said:
> I couldn't get a regex-based rejection working last night, but I was
> tired and cranky. I'll give it another shot now, and whine to the list
> again if I still can't make it work.


Success! Naturally, when I built up the condition I was trying to get
working last night from little bits and pieces, it worked fine. And in
the end, it was byte-for-byte identical to the condition that didn't
work last night... and it works perfectly now. Whatever.

Anyways, here's my collection of anti-spam ACLs for Exim 4. First,
the ACL run after RCPT TO:

check_recipient:
  deny    senders = /etc/exim/spammers
          message = message from known spammer rejected
  # Only spammers use 8-bit envelope senders, and it violates
  # RFC 2821 to boot.
  deny    senders = \N^[^@]*[\x80-\xFF][^@]*\@.*\N
          message = 8-bit characters not allowed in envelope sender\n\
                    (see RFC 2821, section 4.1.2)
  require verify = sender
  deny    message = unknown address
          hosts = !127.0.0.1
         !verify = recipient
  accept  domains = +local_domains
  accept  hosts = +relay_hosts
  deny    message = relay not permitted


The second "deny" is the interesting one here -- if someone supplies a
sender address with 8-bit chars, they are booted out without having to
read the message body. This doesn't catch much, but I have seen spam
with 8-bit junk in the envelope sender, so it can't hurt. Note that my
regex is probably more complex than it needs to be -- I went to the
trouble to look for 8-bit junk in the local part only, which is probably
overkill.

Now the really fun stuff, the ACL run after DATA:

check_message:
  require message = invalid address in message header
          verify = header_syntax
  # Again, only spammers put 8-bit junk in "Subject" and "From".
  # This should keep the Asian spammers out, at least until
  # they figure out about RFC 2047 (sigh).
  deny    condition = ${if match {$h_subject:}{\N[\x80-\xFF]{3,}\N} {yes}{no}}
          message = 8-bit characters not allowed in subject\n\
                    (see RFC 2822, sections 3.6.5, 2.2.1)
  deny    condition = ${if match {$h_from:}   {\N[\x80-\xFF]{3,}\N} {yes}{no}}
          message = 8-bit characters not allowed in header addresses\n\
                    (see RFC 2822, sections 3.4, 3.2.4, 3.2.5)
  accept


Note that I do permit isolated 8-bit characters in headers, mostly
because all the Asian spam I see has big blocks of 8-bit junk. I
suppose this is more evidence of cultural bias on anti-spam measures --
if a European sends me mail with the occasional unquoted 8-bit
character, it's still against RFC 2822, but I accept it anyways. So sue
me.

Hope this is useful to someone --

        Greg
--
Greg Ward - software developer                gward@???
MEMS Exchange                            http://www.mems-exchange.org
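
The following is an added example, not part of the original post and not Exim code: a Python model of the three patterns above, run against constructed inputs to show what each rule rejects and what it lets through, including how the same accented text fares as Latin-1 versus UTF-8 bytes. It assumes the patterns are applied to the raw bytes of the envelope sender and header values; the function names and sample values are hypothetical.

```python
import base64
import re

# Byte-level equivalents of the three patterns in the ACLs quoted above.
ENVELOPE_8BIT = re.compile(rb"^[^@]*[\x80-\xFF][^@]*@.*")
HEADER_8BIT_RUN = re.compile(rb"[\x80-\xFF]{3,}")


def check_recipient(sender: bytes) -> str:
    """Model of the 8-bit envelope-sender deny in check_recipient."""
    return "deny" if ENVELOPE_8BIT.search(sender) else "pass"


def check_message(subject: bytes, from_: bytes) -> str:
    """Model of the two deny conditions in check_message."""
    if HEADER_8BIT_RUN.search(subject):
        return "deny subject"
    if HEADER_8BIT_RUN.search(from_):
        return "deny from"
    return "accept"


# Constructed sample inputs, not taken from real mail.
RAW_BLOCK = b"\xb1\xa4\xb0\xed \xc1\xa4\xba\xb8"  # unencoded 8-bit block
ENCODED = b"=?EUC-KR?B?" + base64.b64encode(RAW_BLOCK) + b"?="  # RFC 2047 form
ACCENTS = "Pi\u00e8ce cr\u00e9\u00e9e"  # two adjacent accented letters
FROM = b"sender@example.com"


def run_samples() -> dict:
    """Return the verdict for each constructed case."""
    return {
        "sender ascii": check_recipient(b"bob@example.com"),
        "sender 8-bit local part": check_recipient(b"b\xf3b@example.com"),
        "sender 8-bit domain only": check_recipient(b"bob@ex\xe4mple.com"),
        "subject raw 8-bit block": check_message(RAW_BLOCK, FROM),
        "subject RFC 2047 encoded": check_message(ENCODED, FROM),
        "subject accents, Latin-1": check_message(ACCENTS.encode("latin-1"), FROM),
        "subject accents, UTF-8": check_message(ACCENTS.encode("utf-8"), FROM),
        "from raw 8-bit name": check_message(b"Hello", b"\xc0\xcc\xb8\xa7 <x@example.com>"),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28} {verdict}")
```

The Latin-1 and UTF-8 rows differ because two adjacent accented letters are two bytes in Latin-1 but four in UTF-8, which crosses the three-byte threshold.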