Re: [Exim] rbl-check for forwarded spam

Author: Hanasaki JiJi
Date:  
To: List - Exim
Subject: Re: [Exim] rbl-check for forwarded spam
Will spam get through if the spammer starts adding this "custom header"
that indicates it has already been scanned?

James P. Roberts wrote:
>> If you're talking about checking all the headers, you're making a
>> mistake.
>
>> Example:
>>
>> 1. Spammer A dials in and gets 1.2.3.4.dialup.xyz.net.
>> 2. Spammer A sends 100000 spams and gets the address blacklisted.
>> 3. You dial in and get assigned 1.2.3.4.dialup.xyz.net.
>> 4. You send your legitimate email via mail.xyz.net.
>> 5. Legitimate mail bounced because 1.2.3.4.dialup.xyz.net is in the
>> received headers.
>>
>>Good point. If you block from the dial-up user list, you only want to
>>look at the received line of the site that is forwarding the mail to
>>you and not earlier ones which might have been "sanitized" by going
>>through a legitimate mail server. (Although if you're blocking open
>>relays or static addresses, I don't think it's an issue.)
>>
>> Only reasonable check is the host that's sending to YOU.
>>
>>I don't agree. If I don't accept mail from A.B.C.D, and if I have a
>>forwarding account on, say, forevermail.com, then I can't see why I
>>should accept mail that forevermail.com accepted from A.B.C.D. I can
>>distinguish 1.2.3.4.dialup.xyz.net->mail.xyz.net->me (legitimate) from
>>1.2.3.4.dialup.xyz.net->forevermail.com->me (spam) because I have
>>a forwarding entry on forevermail.com and not on mail.xyz.net.
>>
>>Ken
>>
>
>
> Ken, I agree with you. I have the same problem with spam getting through an
> email forwarding service provided by my alma mater. Said service is adamant
> about not filtering against spam, due to fear of false positives. So, it
> would be desirable to apply RBL checks against mail that is forwarded from
> this one known MTA, by checking the "received from" header added by that known
> MTA.
>
> I agree that checking "all the headers" would be a bad idea.
>
> If you come up with a solution, please share.
>
> How about this... When you get email from the "known MTA," pipe it to an
> external program to extract the IP that sent it to that MTA. Test the IP
> against RBL of choice (basically just a DNS call). Add a header to indicate
> it has already been checked, and the result of the check, and re-inject into
> Exim. Exim can then take action based on the presence/content of the added
> header. This is analogous to SA scanning. You don't get the benefit of
> reject at SMTP time, I suppose, but you do block the spam. Perhaps, with the
> exiscan patch, you could do this at SMTP time? I am not an expert here.
>
> This is called a "trial balloon" or "brain-storming" and should not be
> construed as a recommendation.
>
> Jim Roberts
> Punster Productions, Inc.
>
>


--
=================================================================
= Management is doing things right; leadership is doing the     =
=       right things.    - Peter Drucker                        =
=_______________________________________________________________=
=     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
=  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
=================================================================
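The pipe-to-an-external-program idea Jim Roberts floats above, worked through as an added example (not code from the thread or from Exim): it finds the Received line that forevermail.com added, looks up the IP forevermail.com accepted the mail from in a DNSBL, and re-tags the message. The host mx.mine.example, the dnsbl.example zone, the IP addresses and the demo_resolve stand-in for DNS are all constructed placeholders.

```python
import re, socket
from email import message_from_string
KNOWN_MTA = "forevermail.com"  # the one forwarding MTA whose relayed mail we check
DNSBL_ZONE = "dnsbl.example"   # placeholder zone: substitute the RBL of your choice
HEADER = "X-RBL-Checked"
# "from <host> (<name> [<ip>]) by <host>" inside a Received: header, folded or not
RECEIVED_RE = re.compile(r"from\s+\S+\s+\([^)]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")
# Constructed sample: a dial-up host handed the mail to forevermail.com, which
# forwarded it to us; the sender also planted a forged copy of our own header.
SAMPLE = """Received: from forevermail.com (forevermail.com [198.51.100.7])
    by mx.mine.example with esmtp id 1A2B3C
Received: from 1.2.3.4.dialup.xyz.net (1.2.3.4.dialup.xyz.net [192.0.2.4])
    by forevermail.com with smtp id X1Y2
X-RBL-Checked: yes; result=clean

body
"""
def ip_received_by(msg, known_mta):
    """Return the IP the known MTA accepted the mail from, or None if it never relayed it."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if m and m.group(2).lower() == known_mta.lower():
            return m.group(1)
    return None
def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.4 -> 4.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone
def rbl_listed(ip, zone, resolve=socket.gethostbyname):
    """An A record for the query name means listed; NXDOMAIN means not listed."""
    try:
        resolve(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False
def demo_resolve(name):
    """Constructed stand-in for DNS so the example runs offline: lists 192.0.2.4 only."""
    if name == dnsbl_query_name("192.0.2.4", DNSBL_ZONE):
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN")
def check_and_tag(raw, known_mta=KNOWN_MTA, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    msg = message_from_string(raw)
    del msg[HEADER]  # drop every copy that arrived with the mail: only our own lookup counts
    ip = ip_received_by(msg, known_mta)
    if ip is None:
        msg[HEADER] = "no; reason=not-relayed-by-known-mta"
    else:
        msg[HEADER] = "yes; ip=%s; result=%s" % (ip, "listed" if rbl_listed(ip, zone, resolve) else "clean")
    return msg
if __name__ == "__main__":
    print(check_and_tag(SAMPLE, resolve=demo_resolve).as_string())
```

Discarding any X-RBL-Checked header that came in with the mail is what keeps a sender from pre-marking their own message as scanned, which is the concern raised at the top of this post; Exim should then act on the header only for mail that has passed through this filter.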