RE: [Exim] IS it possible? An idea may be

Author: David Markham
Date:  
To: 'Suresh Ramasubramanian', 'Dave C.'
CC: 'Exim User \(E-mail\)'
Subject: RE: [Exim] IS it possible? An idea may be
Ok, I wasn't going to get into what I implement at the moment, but it seems
that there's some interest.

I am not pretending to be proficient in exim as I don't have too much time
to play around, but when I do get some time I like to improve things.

We get spam a lot. Full stop. Offering a free ISP, people just dial up and then
can send email through our outbound servers, as they have a dial-up IP
address contained in host_accept_relay.

Some spammers do dictionary spamming at the same domain. Some mix domains.
The harder ones seem to send to a few recipients at a time and change the
from addresses, making it hard to spot in the queue. Now normally I would do
a sender_verify to make sure they are in a list of domains we are the ISP for,
but the company wants users to be able to use their own domains so they can
have their from addresses as joeblogs@???

We have monitoring for when the queue builds to past a certain number, then
we react.
I have a blocked senders file which I add bad people to, in the form of
domain localpart
and if it's not a domain I host, such as sexkittens.com, then I block the whole
domain with sexkittens.com *

I also have a system_filter in place, and when I look at an actual mail and
it is "buy this new thing from our wicked website" I add it with

if $message_body matches "buy this......"
then
seen finish
endif

Also I have something which monitors the queue, and if there are more than 70
mails from the same email address then I automatically remove them.

The problem is most of this is very reactive and does not detect a new
spammer without intervention.

For the clever ones, who seem to use the same message with different from
addresses so as not to show up as obviously in the queue, I have done a very
crude script which searches through all messages in the queue, greps for what
I say, e.g. "buy this new...", and invokes exim -Mrm <msg id>, but again I have
to find an offending message and then do this.

My original question was what config, if possible, could I use to prevent
people sending to more than 20 localparts@??? to protect against
one aspect of the spam.

Hope I haven't bored people, and if there are any suggestions on making this
easier please let me know. It's an uphill struggle.
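The queue check described above (more than N queued mails from the same sender), as an added example that is not part of the original post: a POSIX shell function that parses the output of `exim -bp` and lists the message IDs of any envelope sender over a threshold. The queue listing is constructed sample data and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original post): find envelope senders with more
# than N messages in the Exim queue, from the output of `exim -bp`, and print
# the sender, its count and its message IDs so an operator can review them
# (exim -Mvh / exim -Mvb) before freezing (exim -Mf) or removing (exim -Mrm).

# Constructed sample of `exim -bp` output: header line = age size msgid <sender>,
# followed by indented recipient lines and a blank line per message.
SAMPLE_QUEUE='25m  1.3K 1FgQrD-0001vu-0w <bulk@example.net>
          alice@example.com

22m  1.3K 1FgQrE-0001vw-3x <bulk@example.net>
          bob@example.com

20m  1.3K 1FgQrF-0001vy-5z <bulk@example.net>
          carol@example.com

 3m  2.0K 1FgQrG-0001w0-7a <legit@example.org>
          dave@example.com
'

# senders_over THRESHOLD: read a queue listing on stdin and print one line
# "sender count msgid..." for every sender with more than THRESHOLD messages.
senders_over() {
    awk -v limit="$1" '
        # Only message header lines have a 4th field in angle brackets;
        # recipient lines (indented, 1-2 fields) and blank lines are skipped.
        NF >= 4 && $4 ~ /^<[^>]*>$/ {
            sender = substr($4, 2, length($4) - 2)
            if (sender == "") next      # bounce messages have an empty sender
            count[sender]++
            ids[sender] = ids[sender] " " $3
        }
        END {
            for (s in count)
                if (count[s] > limit) print s, count[s] ids[s]
        }'
}

# Stand-alone run against the sample, mirroring the "more than 70" rule
# from the post with a low threshold so the sample trips it.
printf '%s' "$SAMPLE_QUEUE" | senders_over 2
```

Against a live queue, pipe `exim -bp` into the function instead of the sample; review the listed IDs before acting on them, since a legitimate mailing or a misconfigured customer can also exceed the threshold.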
-----Original Message-----
From: exim-users-admin@??? [mailto:exim-users-admin@exim.org] On
Behalf Of Suresh Ramasubramanian
Sent: 09 August 2002 04:05
To: Dave C.
Cc: David Markham; 'Exim User (E-mail)'
Subject: Re: [Exim] IS it possible? An idea may be


djc@??? (Dave C.) [Friday, August 09, 2002 10:35 AM]:

> I hope you aren't providing SMTP relay service with that freemail
> account. And spammers don't actually send using any webmail service -
> too slow. They only use them as drop boxes.


That *used* to be the case. My job was far easier. Spammers seem to have
discovered LWP scripts and how to daisy-chain these through multiple open
proxies. These scripts

* Sign up for dozens of webmail accounts (often with randomized usernames
and passwords, taken from /usr/dict/words or whatever)

* Automate logging into our service and posting through these webmail
accounts.

We have to heavily rate limit our webmail service, and install some fairly
fascist inbound and outbound mail controls (any accounts hitting that rate
limit are automatically frozen).

    -srs



--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at http://www.exim.org/ ##