Re: [Exim] rbl-check for forwarded spam

Author: Ken Olum
Date:
To: punster
CC: exim-users
Subject: Re: [Exim] rbl-check for forwarded spam
OK. It turns out to be possible to do this check without perl or
external programs. Here's what I'm currently trying.

Caveat emptor: this has not been tested very much at all. And of
course you'll have to customize it for your forwarding site and the
particular format of received headers that it inserts, and which
blacklists you want to use. Doubtless there are more general
techniques.


In the top part of my configuration file I put:
----------------------------------------------------------------------
# This enables the dnsbl system to check the host which sent the
# message to a forwarding account

# Tell whether there is such an IP address to check.
SPAM_FORWARD_CHECK = ${if SPAM_FORWARD_MATCH {yes}{no}}

# Return IP address reversed for dnsbl checking
SPAM_FORWARD_IP_REV = ${if SPAM_FORWARD_MATCH {$4.$3.$2.$1}fail}

# Return the IP address
SPAM_FORWARD_IP = ${if SPAM_FORWARD_MATCH {$1.$2.$3.$4}fail}

# The match expression for finding the IP address.
# It looks for a header beginning with from (i.e., "Received: from...")
# and then an IP address in brackets on the same line, followed by "by"
# and some machine at forevermail. The "by" can be on a new line,
# but if so there must be whitespace at the beginning, so we can't get
# the IP address from one Received header and the "by" from another.
SPAM_FORWARD_MATCH = match{$h_received:}{\N(?im)^from.*\[([012]?\d?\d)\.([012]?\d?\d)\.([012]?\d?\d)\.([012]?\d?\d)\].*(\n\s+)?by \w+\.forevermail\.com\N}

acl_smtp_data = acl_check_data

----------------------------------------------------------------------

and then in the ACL section:

----------------------------------------------------------------------
acl_check_data:

  # The condition is tested first so that dnslists is only expanded (and the
  # DNS lookups only made) when a forwarder IP address was actually found.
  warn  message   = X-blacklisted: $primary_hostname found SPAM_FORWARD_IP at $dnslist_domain
        condition = SPAM_FORWARD_CHECK
        dnslists  = sbl.spamhaus.org/SPAM_FORWARD_IP_REV : \
                    dnsbl.sorbs.net/SPAM_FORWARD_IP_REV : \
                    list.dsbl.org/SPAM_FORWARD_IP_REV


accept
----------------------------------------------------------------------

I'm only putting on warning headers at the moment. It would be
straightforward to change it to reject the message, or to reject it in
a per-user filter later. Rejecting in acl_check_data has the
advantage that someone else has to deal with the bounce message
(probably the forwarding site will just discard it), but the
disadvantage that you have to reject or accept the entire message and
can't do it on a per-user basis. That only matters if multiple users
at your site get their mail from the same forwarder.

                Ken
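The same check reimplemented as an added Python example (not Ken's Exim configuration), to show which Received headers the SPAM_FORWARD_MATCH rule does and does not match and how the reversed address becomes a DNSBL query name. The sample headers are constructed, shaped the way Exim presents `$h_received:` (values only, one per header, folded lines kept), and forevermail.com is the forwarder named in the post:

```python
import re
import socket
from typing import Callable, List, Optional

# Same rule as the SPAM_FORWARD_MATCH macro: a Received value starting with
# "from", a bracketed IPv4 address on that line, then "by <host>.forevermail.com"
# on the same line or on an indented continuation line (never in a later header).
FORWARDER_RE = re.compile(
    r"(?im)^from.*\[([012]?\d?\d)\.([012]?\d?\d)\.([012]?\d?\d)\.([012]?\d?\d)\]"
    r".*(\n\s+)?by \w+\.forevermail\.com"
)
DNSBLS = ["sbl.spamhaus.org", "dnsbl.sorbs.net", "list.dsbl.org"]  # as in the ACL

def forwarder_ip(received_values: str) -> Optional[str]:
    """SPAM_FORWARD_IP: the address the forwarder accepted the message from.
    Input is assumed to be shaped like Exim's $h_received: (see lead-in)."""
    m = FORWARDER_RE.search(received_values)
    return ".".join(m.group(i) for i in range(1, 5)) if m else None

def reversed_ip(ip: str) -> str:
    """SPAM_FORWARD_IP_REV: 192.0.2.10 -> 10.2.0.192 ($4.$3.$2.$1)."""
    return ".".join(reversed(ip.split(".")))

def dns_resolver(name: str) -> bool:
    """Real lookup: a DNSBL lists an address by answering an A query for it."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def dnsbl_hits(ip: str, resolver: Callable[[str], bool] = dns_resolver,
               lists: List[str] = DNSBLS) -> List[str]:
    """Names of the lists that list ip (resolver is injectable for offline use)."""
    rev = reversed_ip(ip)
    return [d for d in lists if resolver(f"{rev}.{d}")]

# Constructed sample headers (not real mail), newest first as Exim keeps them.
FOLDED = ("from mx1.forevermail.com ([198.51.100.7]) by mail.example.org with ESMTP\n"
          "from mail.example.net ([192.0.2.10])\n"
          "\tby mx1.forevermail.com with ESMTP id 1; Mon, 1 Jan 2001 00:00:00 +0000")
# Bracketed IP in one header and the forevermail "by" only in the next: no match,
# so the check is skipped rather than looking up the wrong host.
SPLIT = ("from spammer.example ([203.0.113.5]) by relay.example.org with SMTP\n"
         "from relay.example.org by mx2.forevermail.com with ESMTP")

if __name__ == "__main__":
    ip = forwarder_ip(FOLDED)
    print(ip, reversed_ip(ip), forwarder_ip(SPLIT))
```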