Re: [Exim] rbl-check for forwarded spam

Author: James P. Roberts
Date:  
To: Ken Olum
CC: exim-users
Subject: Re: [Exim] rbl-check for forwarded spam
> If you're talking about checking all the headers, you're making a
> mistake.
>    Example:
>
>    1. Spammer A dials in and gets 1.2.3.4.dialup.xyz.net.
>    2. Spammer A sends 100000 spams and gets the address blacklisted.
>    3. You dial in and get assigned 1.2.3.4.dialup.xyz.net.
>    4. You send your legitimate email via mail.xyz.net.
>    5. Legitimate mail bounced because 1.2.3.4.dialup.xyz.net is in the
>    received headers.
>
> Good point. If you block from the dial-up user list, you only want to
> look at the received line of the site that is forwarding the mail to
> you and not earlier ones which might have been "sanitized" by going
> through a legitimate mail server. (Although if you're blocking open
> relays or static addresses, I don't think it's an issue.)
>
>    Only reasonable check is the host that's sending to YOU.
>
> I don't agree. If I don't accept mail from A.B.C.D, and if I have a
> forwarding account on, say, forevermail.com, then I can't see why I
> should accept mail that forevermail.com accepted from A.B.C.D. I can
> distinguish 1.2.3.4.dialup.xyz.net->mail.xyz.net->me (legitimate) from
> 1.2.3.4.dialup.xyz.net->forevermail.com->me (spam) because I have
> a forwarding entry on forevermail.com and not on mail.xyz.net.
>
> Ken
>

Ken, I agree with you. I have the same problem with spam getting through an
email forwarding service provided by my alma mater. Said service is adamant
about not filtering against spam, due to fear of false positives. So, it
would be desirable to apply RBL checks against mail that is forwarded from
this one known MTA, by checking the "received from" header added by that known
MTA.

I agree that checking "all the headers" would be a bad idea.

If you come up with a solution, please share.

How about this... When you get email from the "known MTA," pipe it to an
external program to extract the IP that sent it to that MTA. Test the IP
against RBL of choice (basically just a DNS call). Add a header to indicate
it has already been checked, and the result of the check, and re-inject into
Exim. Exim can then take action based on the presence/content of the added
header. This is analogous to SA scanning. You don't get the benefit of
reject at SMTP time, I suppose, but you do block the spam. Perhaps, with the
exiscan patch, you could do this at SMTP time? I am not an expert here.

This is called a "trial balloon" or "brain-storming" and should not be
construed as a recommendation.

Jim Roberts
Punster Productions, Inc.
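An added sketch of the external program Jim describes above (editor's example, not code from the thread or from Exim): it reads only the Received header that the known forwarding MTA itself added, reverses the octets into a DNSBL query name, and prepends a header for Exim to act on after re-injection. The host names, the dnsbl.example zone, the X-Forwarded-RBL header name and the sample message are all constructed assumptions.

```python
import re
import socket
from email import message_from_string
# Constructed sample: hypothetical forwarder.example.edu accepted the mail from
# 192.0.2.55 and relayed it to our MX (mx.example.net); the last header is forged.
SAMPLE = (
    "Received: from forwarder.example.edu (forwarder.example.edu [198.51.100.7])\n"
    "\tby mx.example.net with esmtp id 1ABC; Mon, 1 Jan 2001 00:00:00 +0000\n"
    "Received: from dialup-host (unknown [192.0.2.55])\n"
    "\tby forwarder.example.edu with smtp id 2DEF; Mon, 1 Jan 2001 00:00:00 +0000\n"
    "Received: from innocent (innocent [10.0.0.3])\n"
    "\tby forwarder.example.edu with smtp id 0000; Sun, 31 Dec 2000 23:59:00 +0000\n"
    "From: someone@example.org\nTo: me@example.net\nSubject: hello\n\nbody\n"
)
KNOWN_MTA = "forwarder.example.edu"   # the forwarder whose Received line we trust
DNSBL_ZONE = "dnsbl.example"          # placeholder zone; substitute the RBL of your choice
# "from <name> (... [a.b.c.d]) by <host>": the bracketed address is the peer the
# receiving MTA actually saw on the connection, so that is the one to check.
RECEIVED_RE = re.compile(r"\bfrom\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([^\s;]+)")

def peer_ip_at_known_mta(raw_message, known_mta=KNOWN_MTA):
    """IP that handed the mail to known_mta, read only from the Received header it
    added.  Headers are prepended, so the first "by known_mta" line from the top is
    the genuine one; deeper (forgeable) copies are never consulted."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))   # unfold continuation lines
        if m and m.group(2).lower() == known_mta.lower():
            return m.group(1)
    return None

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBL lookups reverse the octets: 192.0.2.55 -> 55.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_listed(name):
    """Real lookup: a DNSBL publishes an A record only for listed addresses."""
    try:
        return bool(socket.gethostbyname(name))
    except socket.gaierror:
        return False

def tag_forwarded_mail(raw_message, listed=dns_listed, known_mta=KNOWN_MTA):
    """Prepend an X-Forwarded-RBL header (listed / clean / unknown) for Exim to act
    on after re-injection; returns (tagged_message, verdict)."""
    ip = peer_ip_at_known_mta(raw_message, known_mta)
    if ip is None:
        verdict = "unknown"
    elif listed(dnsbl_query_name(ip)):
        verdict = "listed %s in %s" % (ip, DNSBL_ZONE)
    else:
        verdict = "clean %s" % ip
    return "X-Forwarded-RBL: %s\n%s" % (verdict, raw_message), verdict
```

Because the verdict lives in a header rather than an SMTP-time reject, Exim should only honour X-Forwarded-RBL on mail that actually arrived from the known MTA, otherwise any sender could supply the header themselves.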