[Exim] forwarded spam again

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Ken Olum
Date:  
À: exim-users
Sujet: [Exim] forwarded spam again
The existence of the acl_ variables (new in 4.12 or so) makes it
possible to simplify the code that checks for forwarded spam that I
sent out a while back. Try this if you're interested:

In the first section of your configuration file define:

----------------------------------------------------------------------
# Hosts to be checked for forwarding spam to us
SPAM_FORWARD_HOSTS = \w+\.forevermail\.com|alum[\w-]*\.mit\.edu
----------------------------------------------------------------------

Note that you have to figure out the actual names of the machines used
by your forwarding server, which might not be what you use as your
e-mail address. For example, I have my mail forwarded through
alum.mit.edu, but the actual machine is alum-2.mit.edu.

Also define a DATA acl, if you haven't already:
----------------------------------------------------------------------
acl_smtp_data = acl_check_data
----------------------------------------------------------------------

Then in your ACL section, define the acl:

----------------------------------------------------------------------
acl_check_data:

# This condition accepts the message without further processing if it is
# addressed to Postmaster. I think the only value it can have is to allow
# someone to report that the following code is broken. Messages should not
# normally be forwarded to Postmaster from other sites.

accept condition = ${if match{$recipients}{\N(?i)\bpostmaster@\N}{yes}{no}}


# Extract from the received header the IP address of the machine which sent
# the message to a forwarding service which then sent it to us.
# The address reversed goes in $acl_m0

# The header should begin with "from" (i.e., "Received: from...")
# and then one of the forwarding hosts. Then we skip lines beginning with
# whitespace to get to the next Received: header. That should have an
# IP address in brackets on the same line, followed by "by"
# and then the same forwarding machine. The "by" can be on a new line,
# but if so there must be whitespace at the beginning, so we can't get
# the IP address from one Received header and the "by" from another.

# For testing, remove ^. Then forwarding host doesn't need to be
# directly before us.

warn set acl_m0 = ${if match{$h_received:}{\N(?i)^from.*(SPAM_FORWARD_HOSTS).*\n(\s.*\n)*from.*\[([012]?\d?\d)\.([012]?\d?\d)\.([012]?\d?\d)\.([012]?\d?\d)\].*(\n\s+)?by \1\N}{$6.$5.$4.$3}}

# List of senders to accept even if they are blacklisted
accept senders = /etc/mail/accept-senders

# Reject message if found on blacklist
# ${if...} code unreverses IP address for reporting.

  deny  message = Looks like spam: ${if match{$acl_m0}{\N(.+)\.(.+)\.(.+)\.(.+)\N}{$4.$3.$2.$1}} is blacklisted by $dnslist_domain.  Complaints to postmaster@$primary_hostname.
    condition = ${if def:acl_m0 {yes}{no}}
    dnslists = sbl.spamhaus.org/$acl_m0 : \
               dnsbl.sorbs.net/$acl_m0 : \
           list.dsbl.org/$acl_m0
# Or whatever lists you decide to use.


# If you want to warn instead, use
# warn message = X-Spam: $primary_hostname found ${if match{$acl_m0}{\N(.+)\.(.+)\.(.+)\.(.+)\N}{$4.$3.$2.$1}} on a blacklist at $dnslist_domain.

accept
----------------------------------------------------------------------

Enjoy,

                Ken