Re: [Exim] Basic teergrubing with Exim 4.11 (Version 2)

Pàgina inicial
Delete this message
Reply to this message
Autor: Giuliano Gavazzi
Data:  
A: Kevin P. Fleming, Exim users list
Assumpte: Re: [Exim] Basic teergrubing with Exim 4.11 (Version 2)
At 21:04 -0700 2002/12/12, Kevin P. Fleming wrote:
>
>
>acl_check_data:
>   deny    log_message       = Teergrube: Hotmail forgery
>           message           = X-Forgery: NOT HOTMAIL SERVER
>           sender_domains    = hotmail.com
>           condition         = ${if def:header_X-Originating-IP: {0}{1}}
>           delay             = 30s
>   deny    log_message       = Teergrube: AOL forgery
>           message           = X-Forgery: NOT AOL ADDRESS
>      senders           = \N^\d.*@aol\.com$\N
>           delay             = 30s
>   deny    log_message       = Teergrube: AOL forgery
>           message           = X-Forgery: NOT AOL MAILER
>           sender_domains    = aol.com
>      condition         = ${if match {${lc:$h_X-Mailer:}} {(a(?:ol|tlas))}
>{0}{1}}
>           delay             = 30s
>   deny    log_message       = Teergrube: AOL forgery
>           message           = X-Forgery: NOT AOL SERVER
>           sender_domains    = aol.com
>      condition         = ${if match {${lc:$h_Received:}} {by.*aol\.com}
>{0}{1}}
>           delay             = 30s
>   deny    log_message       = Teergrube: Yahoo forgery
>           message           = X-Forgery: NOT YAHOO SERVER
>           sender_domains    = yahoo.com
>      condition         = ${if match {$h_Received:}
>{(yahoo.com.via.(?:HTTP|NNFMP))} {0}{1}}
>           delay             = 30s

>
>Delays for the infamous Hotmail/AOL/Yahoo forgers...


I still think that this is definitely the wrong way of checking for
hotmail/yahoo/aol, still it seems very popular.
In terms of false positives, one should be free to set the envelope
sender to whatever is acceptable, and if roaming, that can be a
hotmail address for instance.
In terms of missed positives, a spammer can easily forge the headers
checked by this rules.
In my opinion a rcpt acl that does a sanity check on the helo/sender
ip/sender reverse lookup, and perhaps sender address domain MX in
case the others fail, is much more accurate. It might require a lot
of DNS lookups, but these generate less traffic than initially
accepting all the message data.
I might add these delays to my rcpt acl though...

Giuliano
--
H U M P H
    || |||
  software


Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/