[Exim] forwarded spam again

Author: Ken Olum
Date:  
To: exim-users
Subject: [Exim] forwarded spam again
The existence of the acl_ variables (new in 4.12 or so) makes it
possible to simplify the code that checks for forwarded spam that I
sent out a while back. Try this if you're interested:

In the first section of your configuration file define:

----------------------------------------------------------------------
# Hosts to be checked for forwarding spam to us
SPAM_FORWARD_HOSTS = \w+\.forevermail\.com|alum[\w-]*\.mit\.edu
----------------------------------------------------------------------

Note that you have to figure out the actual names of the machines used
by your forwarding server, which might not be what you use as your
e-mail address. For example, I have my mail forwarded through
alum.mit.edu, but the actual machine is alum-2.mit.edu.

Also define a DATA acl, if you haven't already:
----------------------------------------------------------------------
acl_smtp_data = acl_check_data
----------------------------------------------------------------------

Then in your ACL section, define the acl:

----------------------------------------------------------------------
acl_check_data:

# This condition accepts the message without further processing if it is
# addressed to Postmaster. I think the only value it can have is to allow
# someone to report that the following code is broken. Messages should not
# normally be forwarded to Postmaster from other sites.

accept condition = ${if match{$recipients}{\N(?i)\bpostmaster@\N}{yes}{no}}


# Extract from the received header the IP address of the machine which sent
# the message to a forwarding service which then sent it to us.
# The address reversed goes in $acl_m0

# The header should begin with "from" (i.e., "Received: from...")
# and then one of the forwarding hosts. Then we skip lines beginning with
# whitespace to get to the next Received: header. That should have an
# IP address in brackets on the same line, followed by "by"
# and then the same forwarding machine. The "by" can be on a new line,
# but if so there must be whitespace at the beginning, so we can't get
# the IP address from one Received header and the "by" from another.

# For testing, remove ^. Then forwarding host doesn't need to be
# directly before us.

warn set acl_m0 = ${if match{$h_received:}{\N(?i)^from.*(SPAM_FORWARD_HOSTS).*\n(\s.*\n)*from.*\[([012]?\d?\d)\.([012]?\d?\d)\.([012]?\d?\d)\.([012]?\d?\d)\].*(\n\s+)?by \1\N}{$6.$5.$4.$3}}

# List of senders to accept even if they are blacklisted
accept senders = /etc/mail/accept-senders

# Reject message if found on blacklist
# ${if...} code unreverses IP address for reporting.

deny  message = Looks like spam: ${if match{$acl_m0}{\N(.+)\.(.+)\.(.+)\.(.+)\N}{$4.$3.$2.$1}} is blacklisted by $dnslist_domain.  Complaints to postmaster@$primary_hostname.
      condition = ${if def:acl_m0 {yes}{no}}
      dnslists = sbl.spamhaus.org/$acl_m0 : \
                 dnsbl.sorbs.net/$acl_m0 : \
                 list.dsbl.org/$acl_m0
# Or whatever lists you decide to use.


# If you want to warn instead, use
# warn message = X-Spam: $primary_hostname found ${if match{$acl_m0}{\N(.+)\.(.+)\.(.+)\.(.+)\N}{$4.$3.$2.$1}} on a blacklist at $dnslist_domain.

accept
----------------------------------------------------------------------
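The Received-header extraction in the ACL above is easy to get wrong, so here is the same regex re-expressed in Python as an added example (not code from the post) that can be exercised offline: it shows the "by" on the same line and on a continuation line both matching, and the IP-in-one-header / "by"-in-another case correctly not matching. SPAM_FORWARD_HOSTS is the value from the post; the sample header text and host names are constructed.

```python
import re

# SPAM_FORWARD_HOSTS exactly as defined in the post.
SPAM_FORWARD_HOSTS = r"\w+\.forevermail\.com|alum[\w-]*\.mit\.edu"
OCTET = r"([012]?\d?\d)"

# Same pattern as the "warn set acl_m0" line: group 1 is the forwarding host,
# groups 3-6 are the octets of the host that handed the message to it.  The
# leading ^ means the forwarding host must be the one that delivered to us.
RECEIVED_RE = re.compile(
    r"(?i)^from.*(" + SPAM_FORWARD_HOSTS + r").*\n(\s.*\n)*"
    r"from.*\[" + r"\.".join([OCTET] * 4) + r"\].*(\n\s+)?by \1"
)

def reversed_origin_ip(received_headers):
    """What acl_m0 gets: the origin IP with octets reversed ($6.$5.$4.$3)."""
    m = RECEIVED_RE.match(received_headers)
    if not m:
        return None          # acl_m0 stays unset, so the deny never fires
    return ".".join(m.group(i) for i in (6, 5, 4, 3))

def unreverse(rev_ip):
    """The ${if match{$acl_m0}...{$4.$3.$2.$1}} step in the deny message."""
    return ".".join(reversed(rev_ip.split(".")))

def dnsbl_queries(rev_ip, zones=("sbl.spamhaus.org", "dnsbl.sorbs.net")):
    """Names the dnslists condition would look up for this reversed IP."""
    return [f"{rev_ip}.{zone}" for zone in zones]

# Constructed $h_received: values (documentation IPs); each header ends in \n.
# "by <forwarder>" on the same line as the bracketed IP: matches.
BY_SAME_LINE = (
    "from alum-2.mit.edu ([192.0.2.10]) by mail.example.org with esmtp\n"
    "\tfor <user@example.org>; Mon, 5 May 2003 10:00:00 -0400\n"
    "from mail.example.net ([203.0.113.45]) by alum-2.mit.edu (8.12.9)\n"
    "\tfor <user@alum.mit.edu>; Mon, 5 May 2003 09:59:00 -0400\n"
)
# "by" wrapped onto a whitespace-led continuation line: still matches.
BY_NEXT_LINE = BY_SAME_LINE.replace(") by alum-2", ")\n\tby alum-2")
# IP in one Received: header, "by <forwarder>" in a later one: must not match.
SPLIT_HEADERS = (
    "from alum-2.mit.edu ([192.0.2.10]) by mail.example.org with esmtp\n"
    "from relay.example.net ([203.0.113.45]) by other.example.net\n"
    "from mail.example.net ([198.51.100.7]) by alum-2.mit.edu (8.12.9)\n"
)

if __name__ == "__main__":
    for name, hdrs in [("same line", BY_SAME_LINE), ("next line", BY_NEXT_LINE),
                       ("split headers", SPLIT_HEADERS)]:
        print(name, "->", reversed_origin_ip(hdrs))
```

Removing the leading ^ from RECEIVED_RE reproduces the author's "for testing" variant, where the forwarding host no longer has to be the host directly before you.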

Enjoy,

                Ken