Tony Earnshaw [8/17/2003 5:35 PM] :
> Suresh, hserus/outblaze (your domain[s]) [is|are] *still* damned to h*ll
> by many, if not all proxy and relay RBLs. For you, Suresh, and you alone
> I have to SA-whitelist the whole Exim mailing list using a SpamAssassin

hserus.net is my personal domain. It is neither an open relay nor a proxy,
and is colocated on a box frodo.hserus.net with a static IP that isn't
anywhere on the outblaze.com network.

Unfortunately I have a box on a home DSL line with a dynamic IP, that is
in an ISP infested with proxies and relays. Till now I used to relay my
mail using a server on this IP, that then smarthosts through frodo.

Some people - not just you - run spamassassin to check IPs in all headers
in the email (not just the connecting IP) so pick up my home IP - which
as I said is in a proxy infested netblock.

OK - for your sake I decided to ssh tunnel all my mail through frodo so
that you will not have to whitelist me. Check my headers, and pronounce
yourself satisfied with the arrangement :)

However the point remains that this is a feature that can easily be
turned off in spamassassin, without much trouble at all. Checking the
connecting IP, plus all of spamassassin's spamware header body checks
should nail all the spam without scanning all IPs in the Received:
headers against DNSBLs.

If he can use postfix body filtering regexps, he can use them in
spamassassin, which gives him a great deal more flexibility, and more
importantly, allows him to whitelist - which postfix body filters don't
let him do.

> What Chateauneuf is asking, is if Exim is any different in this respect.
> He's probably thinking about Exim ACLs making exceptions before smtp
> data time, in headers for example. This would probably involve using
> multiple ACLs and multiple headers for each message, or doing 'if ...
> then' multiple header comparisons. In as much as I use SA, I have no
> experience of this.

It would mean reinventing the wheel where you have the advantage of
deploying spamassassin - but I do think we can exempt senders / hosts
from the body check ACL altogether, without much trouble.

> I've cut out the CC replies to the Postfix mailing list, as well as to
> Suresh. No-one gains by them.

cc'ing you just to see what happens when my mta connects directly to
yours - will this hit your filters and need whitelisting, or not? :)

srs

ps - As for Outblaze, as I said, though I and my team do run a very
tight ship and enforce a zero tolerance antispam policy, our domains are
among the most heavily forged on the planet (only hotmail / yahoo are
more forged than we are, I think). So, look at my post on HELO
filtering in check_rcpt, a few days ago
(Message-ID: <3F37375B.3020401@???> and subject: [Exim]
HELO filtering with exim (for exim config.samples / Marc Merlin
generalized exim.conf)

Then modify those to

1. Reject all mail with HELO mail.com, email.com, iname.com,
   cheerful.com etc (go to http://www.mail.com and click the "signup"
   button there - you get a list of a whole lot of domains you can signup
   for an account under, grab that list). Our machines will *never* emit
   HELOs of mail.com etc.

2. Reject all mail with HELO outblaze.com unless it comes from an IP
   with outblaze.com reverse DNS. To further help, such HELOs can only
   come from our IP blocks -

   205.158.62.0/24
   202.86.166.0/24
   210.177.227.128/28
   203.86.162.161/28

3. For bonus points, do this for HELO yahoo.com etc.

That should cut down a ton of your inbound spam / virus load.

regards
-srs
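
Rules 1 and 2 from the message above, written out as decision logic. This is an added example, not part of the original post and not Exim configuration. The function names, requiring both the IP-block and the reverse-DNS condition, and applying rule 2 to subdomains of outblaze.com are assumptions.

```python
import ipaddress

# Webmail domains named in the post; the full list is on the mail.com signup page.
NEVER_HELO = {"mail.com", "email.com", "iname.com", "cheerful.com"}

# IP blocks exactly as written in the post. strict=False because
# 203.86.162.161/28 is not on a /28 boundary; it is read as 203.86.162.160/28.
OUTBLAZE_NETS = [
    ipaddress.ip_network(cidr, strict=False)
    for cidr in ("205.158.62.0/24", "202.86.166.0/24",
                 "210.177.227.128/28", "203.86.162.161/28")
]


def normalize(name):
    """Lower-case a DNS name and drop a trailing dot; None becomes ''."""
    return (name or "").strip().lower().rstrip(".")


def under(name, domain):
    """True if name is domain or a subdomain of it (label boundary respected)."""
    return name == domain or name.endswith("." + domain)


def check_helo(helo, client_ip, rdns):
    """Return (accept, reason). rdns is the client's reverse DNS name or None;
    assumption: the caller has already forward-confirmed it."""
    helo, rdns = normalize(helo), normalize(rdns)
    if helo in NEVER_HELO:
        return False, "rule 1: HELO never emitted by the real hosts"
    if under(helo, "outblaze.com"):
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in OUTBLAZE_NETS):
            return False, "rule 2: HELO outblaze.com from outside the listed blocks"
        if not under(rdns, "outblaze.com"):
            return False, "rule 2: HELO outblaze.com without outblaze.com reverse DNS"
    return True, "ok"


if __name__ == "__main__":
    # Constructed connections (HELO, client IP, reverse DNS) for illustration.
    for conn in [("mail.com", "192.0.2.10", None),
                 ("outblaze.com", "192.0.2.10", "mx.outblaze.com"),
                 ("outblaze.com", "205.158.62.7", "host.notoutblaze.com"),
                 ("OUTBLAZE.COM.", "205.158.62.7", "host7.outblaze.com.")]:
        print(conn, "->", check_helo(*conn))
```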