[Exim] RFC: Fighting Spam due to forgeries of outblaze doma…

Author: Odhiambo G. Washington
Date:  
To: exim-users
Subject: [Exim] RFC: Fighting Spam due to forgeries of outblaze domains
* Suresh Ramasubramanian <linux@???> [20040218 13:02]: wrote:
> <quote who="Odhiambo G. Washington">
> > We receive a lot of spam with forged sender addresses bearing domain
> > names hosted by Outblaze. I have spoken to the man in the driver's
> > seat at hotblaze (Hi Suresh) and he's given me some valuable advice.
>
> They are not just a problem at your end. And god knows, I've posted these
> filters several times in the past.
>
> 1. If you see ".mr.outblaze.com" in any Received: header --> forged spam.
>
> 2. If you see HELO mail.com, HELO email.com etc --> forged spam
I am following through on the above two suggestions and would like to
request comments. I have written the following rule to use in my
RCPT ACL, following Suresh's 1st piece of advice.

deny    message       = OUTBLAZE forgery. Go away! This is not from outblaze address
        !hosts        = 205.158.62.0/24 : 202.86.166.0/24 : 210.177.227.128/28 : 203.86.162.161/28
        condition     = ${if and { \
                         {eq {$sender_helo_name}{outblaze.com}}\
                         {match {$h_Received:}{.*mr.outblaze.com}} \
                         }\
                         {yes}{no}}
        log_message  = OUTBLAZE FORGERY: HELO from $sender_helo_name with ($sender_host_name)
I am mostly worried about the condition, especially the $h_Received part ;)
        cheers
       - wash
+----------------------------------+-----------------------------------------+
Odhiambo Washington                     . WANANCHI ONLINE LTD (Nairobi, KE)  |
<wash at wananchi dot com>              . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223                 . # 10286, 00100 NAIROBI             |
GSM: (+254) 733 744 121                 . (+254) 020 313 985 - 9             |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"
                         --from a /. post
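The test the ACL above is reaching for, as an added example in Python (not code from the original post or from Exim): it gates on the ACL's host list and then applies the two rules from the quoted reply, treating either indicator on its own as a forgery rather than requiring both as the ACL's "and" does. Because Received: lines only exist once the message data has arrived, a check like this belongs at DATA time; the sample messages, the 198.51.100.x addresses and the function names are constructed for the example.

```python
import ipaddress
import re

# Networks the ACL's "!hosts" line accepts as genuine Outblaze relays. The last
# entry has host bits set, so strict=False masks it to 203.86.162.160/28.
OUTBLAZE_NETS = [
    ipaddress.ip_network(n, strict=False)
    for n in ("205.158.62.0/24", "202.86.166.0/24",
              "210.177.227.128/28", "203.86.162.161/28")
]
# HELO names only Outblaze hosts should present (rule 2, plus the ACL's own).
CLAIMED_HELOS = {"outblaze.com", "mail.com", "email.com"}
# Received: line naming an internal ".mr.outblaze.com" relay (rule 1). Dots are
# escaped; the ACL's ".*mr.outblaze.com" would also match "mrXoutblazeYcom".
MR_OUTBLAZE = re.compile(r"\.mr\.outblaze\.com\b", re.IGNORECASE)


def from_outblaze(sender_ip):
    """True if the connecting host is inside one of the listed networks."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in OUTBLAZE_NETS)


def is_outblaze_forgery(sender_ip, helo, received_headers):
    """Return a rejection reason, or None if the message passes.
    A host outside the Outblaze networks that presents an Outblaze HELO or
    carries a Received: line naming an Outblaze relay is claiming an origin
    it cannot have; either indicator alone is enough to reject.
    """
    if from_outblaze(sender_ip):
        return None
    if helo.lower() in CLAIMED_HELOS:
        return "forged HELO %s" % helo
    for hdr in received_headers:
        if MR_OUTBLAZE.search(hdr):
            return "forged Received: line naming mr.outblaze.com"
    return None


# Constructed sample messages (documentation-range addresses, not real mail):
# name -> (sender IP, HELO name, Received: lines).
SAMPLES = {
    "forged_received": ("198.51.100.7", "example.net", ["from ws1.mr.outblaze.com by mx"]),
    "forged_helo": ("198.51.100.8", "mail.com", []),
    "genuine": ("205.158.62.10", "outblaze.com", ["from ws2.mr.outblaze.com by mx"]),
    "unrelated": ("198.51.100.9", "smtp.example.org", []),
}


def check_samples():
    """Run every sample; the value is the rejection reason or None."""
    return {name: is_outblaze_forgery(*msg) for name, msg in SAMPLES.items()}
```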