Re: [Exim] new spam & virus squasher

Author: Kevin Reed
Date:  
To: exim-users
Subject: Re: [Exim] new spam & virus squasher
Genie said:
> I am a long time lurker here and used some existing work to write a new
> ACL filter that helps to minimize spam and viruses actually getting
> through HELO stage. ...
> Credits should go to all kind folks contributing to this list
> Using HELO recipes summarized here
> http://exim.got-there.com/forums/viewtopic.php?t=346


[snip]

> - Is it too aggressive to expect all hosts to have RDNS in production?
> I know there are mail servers who do not have it, but more and more
> providers are now rejecting mail if RDNS is not present.


With my own server and that of smaller companies... we would deny any host
that didn't have valid rDNS. This actually reduced a large amount of spam
with what was no noticeable collateral damage except for a few that we
whitelisted.

However, recently I took that type of setting and tried it with a very
large company and found that I was whitelisting medium- to small-sized
businesses at a rate of about 10 or so a day.

After only three days, I had more than 40 sites whitelisted and it didn't
look like it was going to end anytime soon. Many of them were vendors of
some very common household-name products that had the most unbelievably
screwed-up DNS and mail setups you can imagine...

Not letting their mail reach us because of that one rule was potentially
going to cost a lot in missed shipments, credits for products not
received, etc... I.e., not worth it.

We dropped the requirement of having any rDNS as it was simply not worth
the headache of having my boss ask why so many of our vendors and clients
had trouble getting mail in... and changed it to a header that we could
then score with SA.

We still use a HELO check similar to the one you cited above, because the vast
number of spammers that use those few common domain names get caught, and
those domain names do provide rDNS for their hosts. Occasionally, I add
a new one for a domain that really doesn't exist but seems to be used by a
lot of fake sites.

But I think you will quickly see the holy war that is about to follow:
many simply can't afford to block on that, and many would argue that
attempting to do so is also a problem with following the RFC, which on one hand
says that a HELO should be an FQDN, but on the other hand says it is not right to
block based upon that.

> We have a few domains that get spammed at a rate of 100,000 messages per
> day. Many messages originate from forged IP-address HELO or forged
> domain HELO hosts, but the hosts vary too much to write a hard-coded
> list, so this or a similar filter seems to be the answer.


I think that if you use other methods along with the basic structure you
will have a better chance at slowing this down.

At the larger company we are blocking well over 80% of the mail presented,
and while we still accept a number of spam messages, which are marked by SA
and passed to our users, we have very little collateral damage, evidenced
by the lack of calls from my boss asking why so-and-so is being blocked.

I think you have to rely on a number of methods rather than one silver
bullet that doesn't exist.

If you are a fairly large-sized site, which you sound like you are, I think
you will be causing a lot of work for yourself if you try this type of
setup the way you are planning on doing it.

However, sometimes you've got to try it to see for yourself... Maybe it will
work for you in your environment.

--
Kevin W. Reed - TNET Services, Inc.
Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums
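
For readers who want the two approaches side by side, here is an added Exim ACL fragment. It is not code from either post, nor from the forum page linked above; it is an illustration written for this page. It shows the hard rDNS rejection the reply describes (left commented out), the header-marking alternative the reply moved to, and HELO checks of the kind discussed. It assumes Exim 4.5x or later (for the add_header modifier), the +local_domains, +relay_to_domains and +relay_from_hosts lists from the stock default configuration, and two hypothetical files, /etc/exim/whitelist_hosts and /etc/exim/bad_helo_domains, whose names and contents are assumptions made here.

```exim
# Added example: Exim ACL fragment illustrating the choices discussed in
# the thread. Not taken from either post or from the linked forum page.
# Assumes Exim 4.5x or later (add_header), the +local_domains,
# +relay_to_domains and +relay_from_hosts lists from the default
# configuration, and two hypothetical files named here:
#   /etc/exim/whitelist_hosts    one IP address or network per line
#   /etc/exim/bad_helo_domains   one domain per line

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Local (non-TCP) submissions skip everything below.
  accept  hosts         = :

  # Variant 1 (what worked at the small sites): refuse anything without
  # reverse DNS, exempting hand-whitelisted hosts. Left commented out;
  # at the large site this needed new whitelist entries daily.
  # deny    message       = Rejected: $sender_host_address has no reverse DNS
  #         !hosts        = net-lsearch;/etc/exim/whitelist_hosts
  #         !verify       = reverse_host_lookup

  # Variant 2 (what the reply moved to): mark the message and log it,
  # leaving the scoring to SpamAssassin downstream. Nothing is rejected.
  warn    !verify       = reverse_host_lookup
          add_header    = X-No-RDNS: $sender_host_address has no reverse DNS
          logwrite      = no rDNS for $sender_host_address (HELO $sender_helo_name)

  # HELO checks kept in place. A remote host greeting us with one of our
  # own domains is forging; our own machines are exempted through
  # +relay_from_hosts so a misconfigured internal box is not locked out.
  deny    message       = HELO/EHLO $sender_helo_name is one of our own domains
          !hosts        = +relay_from_hosts
          condition     = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}

  # A bare IP address as the HELO name (the RFC syntax requires brackets
  # for an address literal) is another common forgery pattern.
  deny    message       = HELO/EHLO $sender_helo_name is a bare IP address
          !hosts        = +relay_from_hosts
          condition     = ${if isip{$sender_helo_name}{yes}{no}}

  # Hand-maintained list of non-existent domains that keep appearing in
  # HELO, added one at a time as the reply describes.
  deny    message       = HELO/EHLO $sender_helo_name is a known fake name
          condition     = ${if match_domain{$sender_helo_name}{lsearch;/etc/exim/bad_helo_domains}{yes}{no}}

  # Standard recipient and relay handling follows, unchanged from the
  # default configuration.
  accept  domains       = +local_domains
          endpass
          verify        = recipient

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient

  accept  hosts         = +relay_from_hosts

  deny    message       = relay not permitted
```

The warn verb only marks the message; on the SpamAssassin side a header rule of the form `header LOCAL_NO_RDNS exists:X-No-RDNS` together with a `score LOCAL_NO_RDNS` line turns that mark into points, so a missing PTR record costs the sender a score contribution rather than a rejection, which is the trade-off the reply describes. The rejections sit in the RCPT ACL rather than the HELO ACL so the remote side gets a 5xx for the recipient and the log line carries both the HELO name and the IP, which is what you need when deciding whether a blocked vendor belongs in the whitelist file.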