Re: [Exim] Using ACL to block spaam... possible?

Hi Lukas, on Sat, 22 Mar 2003 16:11:12 CET you wrote:

> I am experiencing the plague of spam.

No, you are helping to cause it. Let's hope you don't manage to succeed in
doing what you want, which is to configure Exim so that it's an open relay
but doesn't necessarily appear as such in some tests.

> I know that the answer is "Use SMTP AUTH!" but let's suppose that for
> some reasons I cannot use it.

I have yet to see a claim that "I can't use SMTP AUTH" to be true. As
such, I think you will find little inclination amongst this list to
entertain the idea that you can't use it. If you feel you really are an
exception, please explain the extraordinary circumstances that make you
different to every other person with an open relay who claims not to be
able to use SMTP AUTH, and who are without fail proved wrong.

> Lets' suppose I want my Exim to be a relay server only for my client
> everywhere they are with their (dial up) computer.

Fair enough, so how are you going to tell than a relay attempt is from
your client and not from a spammer?

<snip stupid idea>
> (where passwd is a MySQL database table containing users' data and id is
> the name of the field containing the user's email address)

Ah yes, the old favourite for people whinging that they are not really an
open relay when they are: let's check the address they're sending from.

This is not the way to control relaying. Use SMTP AUTH, trusted IPs or
even invent your own (sane) authentication scheme if you want, but
whatever you do, don't base relaying decisions on envelope senders. What's
to stop a spammer sending e-mails with an envelope sender of <your user>?

> My question is: is there a way to tell Exim to make a difference between
> a remote server trying to deliver a message to my server and a directly
> connected client trying to use my server as an open relay?

I really don't mean to sound nasty, and if you read the archives of this
list, you will find that there are many people (including myself) more
than happy to help. However, you are not going to get much sympathy when
you ask completely meaningless questions like this, and demonstrate that
you:

a) don't even understand fundamental concepts, without which understanding
we can't even begin to discuss this at any intelligent level

b) clearly know FULL WELL what the correct thing to do here is (SMTP AUTH,
or similar), but are arrogant enough to insist that you're somehow
special and different to all the other people in the same circumstance
who have been told that checking envelope senders isn't the way to do
things, and insist that you have to do it your own stupid way instead.


Tim