Re: [Exim] SPAM problems : reject by X-Mailer?

Author: Bradford Carpenter
Date:  
To: exim-users
Subject: Re: [Exim] SPAM problems : reject by X-Mailer?
On 2004-01-12 03:09:30 -0800 Rory Campbell-Lange
<rory@???> wrote:

> I am using exim4 and exiscan.
>
> I have seen a large increase in emails with subjects like "annoy idea
> handsome" and bodies such as "peace euphorbia lillian scout b centerline
> cleat scapular citron pacify centigrade icicle eh imperate cupid
> fireplace gentlemen cocaine". Presumably the sender is trying to
> generate a response?
>
> Many of these spam senders have the following X-Mailer listed:
>     X-Mailer: mPOP Web-Mail 2.19
>
> Is this possible to generate an SMTP-time rejection of a message based
> on its X-Mailer? Is this sensible?



I've been getting many of these messages recently as well. Hadn't
noticed the X-Mailer.

These mails have a few other distinctive features as well. One is the
structure of the subject line:

Subject: Re: QCQCWLZ, the procurator began
Subject: Re: RPJBIMP, i don't even
Subject: Re: IFOYTBHE, throwing a wave
Subject: Re: NMRFNK, dressinggown a completely
Subject: Re: WXMQDEQ, of haze before
Subject: Re: UTSPZNR, asphalt path under

or occasionally

Subject: Re: %RND_UC_CHAR[2-8], then the slain

You could add a condition like

condition = ${if or{ \
             {match{$header_subject:}{\N(?s)[Rr][Ee]\:\s*([A-Z]{2,8})\,(\s+[a-z]+){3}\N}} \
             {match{$header_subject:}{\N^(?s).*\%RND_UC_CHAR\N}} \
            } {yes} {no}}


to your deny block in addition to your X-Mailer check to increase
confidence that you're actually rejecting spam. Or add something
similar to SpamAssassin if you're going that route.

Also these multipart mails contain a plain text part that contains
only a list of random words. Haven't come up with a reasonable test
for this yet, but Tom Kistner, the author of exiscan, is apparently
working on an acl_smtp_mime addition that will make this easier.

Best Regards,
Brad
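
An added example, not part of the original post: a Python harness that runs the two subject patterns from the condition above, combined with the X-Mailer value quoted in the thread, over constructed header blocks. It shows which of the quoted subjects the patterns catch, one they miss, and a legitimate-looking subject that the subject test alone would hit. The names `subject_hit`, `verdict` and `SAMPLES`, and the "FYI" and "ExampleMail" values, are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Subject patterns copied from the Exim condition in the post. Python's re
# requires global flags at the start, so (?s) is moved ahead of ^ in the second.
SUBJECT_PATTERNS = [
    re.compile(r"(?s)[Rr][Ee]\:\s*([A-Z]{2,8})\,(\s+[a-z]+){3}"),
    re.compile(r"(?s)^.*\%RND_UC_CHAR"),
]
SPAM_MAILER = "mPOP Web-Mail 2.19"  # X-Mailer value quoted in the thread


def subject_hit(subject):
    """True if either subject pattern from the post matches."""
    return any(p.search(subject) for p in SUBJECT_PATTERNS)


def verdict(raw_headers):
    """Return 'deny' only when both the X-Mailer and the subject test fire."""
    # policy=default unfolds headers that were wrapped across lines.
    msg = message_from_string(raw_headers, policy=default)
    mailer_hit = str(msg.get("X-Mailer", "")).strip() == SPAM_MAILER
    sub_hit = subject_hit(str(msg.get("Subject", "")))
    return "deny" if mailer_hit and sub_hit else "accept"


# Constructed header blocks: the subjects marked "spam" come from the post,
# everything else (the FYI subject, ExampleMail) is made up for this example.
SAMPLES = {
    "spam, folded subject":
        f"X-Mailer: {SPAM_MAILER}\nSubject: Re: NMRFNK,\n dressinggown a completely\n\n",
    "spam, unexpanded template":
        f"X-Mailer: {SPAM_MAILER}\nSubject: Re: %RND_UC_CHAR[2-8], then the slain\n\n",
    # The apostrophe in "don't" breaks the (\s+[a-z]+){3} run: a miss.
    "spam, apostrophe":
        f"X-Mailer: {SPAM_MAILER}\nSubject: Re: RPJBIMP, i don't even\n\n",
    # The subject test alone fires here; the X-Mailer check keeps it accepted.
    "ham, similar subject":
        "X-Mailer: ExampleMail 1.0\nSubject: Re: FYI, see the attached\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:28} -> {verdict(raw)}")
```
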