[Exim] .forward files and spam leaks

Top Pagina
Delete this message
Reply to this message
Auteur: Alan J. Flavell
Datum:  
Aan: Exim users list
Nieuwe Onderwerpen: [Exim] Re: .forward files and spam leaks
Onderwerp: [Exim] .forward files and spam leaks
As I've noted in a recent posting on a somewhat related topic: quite
a few of our users need to maintain an account elsewhere, from which
they set a .forward file to their local email address here.

Some of the measures taken locally to keep spam out (spam-rating of
body content, headers, envelope-sender address) are equally effective
on such mail as on mail that's directly offered to us: but one key
item for spam control is the address of the MTA from which the mail is
offered - and by the time that forwarded mail is offered to us, that
address is deeply nested in "Received" headers.

So, if the remote site is forwarding mail with relatively weak control
of spam, we get complaints from our users that too much spam is
leaking in. Now sure: the proper place to cure that is at the remote
site, but those sites are not under our direct control, so I decided
to try out some kind of local damage-limitation measure, for those
remote sites which are of importance to our users (you'll excuse me
for not naming names...).

So I've lashed-up the following kind of recipe in our DATA ACL, and
after a couple of days running it does seem to be quite effective. The
idea is to recognise the specific pattern of the "Received" header
with which the remote MTA reports its receipt of mail from "outside"
(shown as "mailin.remote.example" here), picking out the IP octets of
the MTA from which it accepted the mail, and then using those to set a
$acl_m* variable (back-to-front for DNSrbl lookup).

So we're trying to recognise a header like:

Received: from cpe-68-116-192-33.ma.charter.com
    (cpe-68-116-192-33.ma.charter.com [68.116.192.33])
        by mailin.remote.example (8.12.1-xxxx/8.12.1) with SMTP id
    [...]


(I'm anonymising the following recipe "on the fly" - I hope I don't
introduce any syntax errors. You'll get the general idea, anyhow)

  warn hosts = mailout.remote.example
       message = X-PH-FW: leaky forwarder, $dnslist_domain=$dnslist_value
       set acl_m4 = ${if match {$h_received:}\
                    {\N\[(\d+)\.(\d+)\.(\d+)\.(\d+)\]\)\s+by \
                    mailin\.remote\.example\N}\
                    {$4.$3.$2.$1}fail}
       dnslists = dnsbl.sorbs.net/$acl_m4


And then we rate the extra header in the spamassassin recipe.

I've shown just the one DNSrbl in the example, but one can of course
use several.

As you see, this relies on matching the specific pattern of "Received"
header that's seen when the remote site accepts mail from an "outside"
source: so it needs to be tuned for each such site.

At the moment, my actual recipe has two forwarding sites hard-coded
which are of particular importance to users.

I suppose if we needed to deal with an increasing number of sites,
then we could set up a data base relating each forwarding site to a
suitable regex for picking the right "Received:" header. Then we'd do
a lookup in the "hosts =" clause, and plug the resulting regex into
the subsequent match. I haven't been quite that adventurous in an ACL
before, but I think it would be do-able.

Hope this is of use to someone else.