Re: [Exim] Local users spam filtering

Author: Odhiambo G. Washington
To: Exim-Users (E-mail)
CC: R.J.Mckeating
Subject: Re: [Exim] Local users spam filtering
--
* Ron McKeating <R.J.Mckeating@???> [20031218 13:59]: wrote:
> Hi all, hope you are all getting ready for a nice festive season.


Hi Ron,


> Just thinking, today we upgraded all our servers to exim 4.3 and
> spamassassin 2.61. We still get some of our local users email caught in
> our spamtrap because they use OE with html and do silly things like odd
> fonts etc.
>
> I was thinking of either not spam filtering email from our own ip range,
> or adding a spamassassin rule to give a big neg score for email from our
> own ip range. Is anybody doing similar and if so how are you doing it?


Can your "ip range" be simplified to mean just a single domain name, or do
you also have virtual domains? If the former, then you can simply
whitelist the domain name in local.cf

whitelist_from    our.domain.name


Alternatively, you can start your DATA ACL with

accept hosts = +relay_from_hosts

I hope that should solve your problem if you are using SA via Exiscan.


> I don't want to add neg scores for our own domain in the from as a lot
> of spam seems to forge our domain in the from line.


Did you say forged? How do they (spammers) send that mail to your
server? They say HELO with what name? Your domain name?

There are some rules that were posted to this list that you can use.
Take care of line wraps:



# Check and see if some one is trying to impersonate my server/hosts
# check and see if the HELO is a match on my domain
# would catch wananchi.com, somehost.wananchi.com, etc
# or if the HELO is my address

deny message = No you are not ME or OURS (HELO was $sender_helo_name)
     hosts   = !+relay_from_hosts
     log_message = Forged hostname detected in HELO: $sender_helo_name
     condition   = ${if or {\
                {eq{$sender_helo_name}{$interface_address}}\
                {match{${lc:$sender_helo_name}}{${lc:$qualify_domain}}}}\
                {yes}{no}}


# Now check the reverse-DNS hostname of the connecting host.
# First check and see if the HOSTNAME is my IP address
# But skip if the hostname is blank (no reverse DNS)

deny  message  = No you are not ME or OURS (HOSTNAME was $sender_host_name)
      hosts    = !+relay_from_hosts
      log_message = Forged IP detected in hostname: $sender_host_name
      condition   = ${if and {\
                    {!eq{$sender_host_name}{}}\
                    {eq{$sender_host_name}{$interface_address}}}\
                    {yes}{no}}


# Next check and see if the HOSTNAME is a match on my domain
# But skip if the hostname is blank

deny  message = No you are not ME or OURS (HOSTNAME was $sender_host_name)
      hosts   = !+relay_from_hosts
      log_message = Forged hostname detected in hostname: $sender_host_name
      condition   = ${if and {\
                {!eq{$sender_host_name}{}}\
                {match{${lc:$sender_host_name}}{${lc:$qualify_domain}}}}\
                {yes}{no}}



Again, come to think of it: if there is only one server that is mandated
to send out mail for your domain, I think it's possible to deny any
other server that tries to impersonate your domain:


deny   !hosts   = 127.0.0.1 : @[]
       senders  = lsearch;/etc/exim/our_users
       message  = Forged sender address. Invalid use of sender address.


where /etc/exim/our_users is a list of user@your_domain.name, which can
be generated periodically depending on how often you add mail users to
your system. My thinking here is that wash@??? _should_not_
be sending mail to wash@???. Why would I? ;)
If that is gonna be a possibility, then perhaps you need to add the
+relay_from_hosts to that list.


I think it should be possible to conjure some method to use the passwd
lookup here, but I'll leave that to some expert ;)



        cheers
       - wash
+----------------------------------+-----------------------------------------+
Odhiambo Washington                     . WANANCHI ONLINE LTD (Nairobi, KE)  |
<wash at wananchi dot com>              . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223                 . # 10286, 00100 NAIROBI             |
GSM: (+254) 733 744 121                 . (+254) 020 313 985 - 9             |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"
                         --from a /. post
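Pulling the pieces of this reply together, here is an added example of how they might sit in one Exim 4 configuration with the exiscan-acl patch. It is not code from the original post or from the Exim project: the domainlist and hostlist contents, the ACL names, the spamd user "nobody", the 8.0 rejection score and the header name are all assumptions to adjust, and the HELO rule's domain match is tightened with Exim's rxquote operator and anchors so that $qualify_domain only matches itself or one of its subdomains. The forged-sender rule also admits +relay_from_hosts, which the post suggests as a possibility, so that internal user-to-user mail is not rejected.

```exim
# Added example, not from the original post.  Exim 4 with the exiscan-acl
# patch; the list contents and the threshold below are placeholders.

domainlist local_domains   = @ : wananchi.com
hostlist  relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Our own addresses may only be used by our own hosts.  Unlike the rule in
  # the post, +relay_from_hosts is included so user-to-user mail from inside
  # still works.  /etc/exim/our_users holds one user@domain per line.
  deny  !hosts   = 127.0.0.1 : @[] : +relay_from_hosts
        senders  = lsearch;/etc/exim/our_users
        message  = Forged sender address. Invalid use of sender address.

  # Alternative that needs no generated file: accept the local part only if
  # the system password database knows it (Exim's query-style "passwd"
  # lookup, which calls getpwnam()).
  #deny  !hosts     = 127.0.0.1 : @[] : +relay_from_hosts
  #      senders    = *@$qualify_domain
  #      condition  = ${lookup passwd{$sender_address_local_part}{yes}{no}}
  #      message    = Forged sender address. Invalid use of sender address.

  # HELO check from the post, with the domain anchored and regex-quoted so the
  # unescaped "." in $qualify_domain cannot match "wananchiXcom", and a
  # trailing "$" stops "wananchi.com.example.net" from matching as well.
  deny  hosts       = !+relay_from_hosts
        message     = No you are not ME or OURS (HELO was $sender_helo_name)
        log_message = Forged hostname detected in HELO: $sender_helo_name
        condition   = ${if or {\
                        {eq{$sender_helo_name}{$interface_address}}\
                        {match{${lc:$sender_helo_name}}\
                              {\N(^|\.)\N${rxquote:${lc:$qualify_domain}}\N$\N}}\
                      }{yes}{no}}

  # The usual relay control; a bare "accept" here would make an open relay.
  accept hosts   = +relay_from_hosts
  accept domains = +local_domains
  deny   message = relay not permitted

acl_check_data:
  # Skip SpamAssassin for mail submitted by our own hosts.  This must come
  # before the first "spam =" condition, which is what starts the scan.
  accept hosts = +relay_from_hosts

  # exiscan: scan as user "nobody"; $spam_score_int is the score times ten,
  # so 80 means 8.0.  The result is cached, so the second "spam =" below
  # does not rescan the message.
  deny   spam        = nobody
         condition   = ${if >{$spam_score_int}{80}{yes}{no}}
         message     = Rejected as spam (score $spam_score)
         log_message = spam rejected: score $spam_score $spam_bar

  # Tag the rest.  exiscan-era Exim adds a header via "message" in a warn
  # statement; Exim 4.51 and later use "add_header" for this instead.
  warn   spam        = nobody
         message     = X-Spam-Score: $spam_score ($spam_bar)

  accept
```

The ACLs can be walked without sending real mail with `exim -bh <ip-address>`, which runs a fake SMTP session from that address and prints which statement fired, and a single condition string can be checked with `exim -be` before it goes into the ACL.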