Re: [Exim] Automatic adding to blacklist if spamtrap adress …

Author: Mark M
Date:  
To: Kevin Reed
CC: exim-users
Subject: Re: [Exim] Automatic adding to blacklist if spamtrap adress is used.
Kevin Reed wrote:
> I think you are going to find that this is not going to work like you
> think. With the large number of viruses being sent around nowadays,
> bouncing all over the place with forged legit email addresses in them, you
> are invariably going to have stuff sent to that box that didn't come from
> the other victim.
>
> Many of these same forged legit email addresses appear to be being picked
> up by spam engines which send spam in much the same way that the viruses
> do.
>
> You would have to verify the sender is actually who is on the From line
> before making such a block, and that can only really be done at SMTP time.
>
> You would be better off using some of the more aggressive checks at SMTP
> time to prevent the spam in the first place.

Hi Kevin!

I couldn't agree more with ya! And I understand I have been greedy
with my information...

My first lines of defense are: virus scanning and spamassassin at SMTP
DATA time, sender verification, and DNS blacklist checks (spamcop, spamhaus,
etc.) at SMTP RCPT time.

They all deny addresses when they are bad, and also do Teergrube for
two days. (Hey I can afford it! Once I had some spammer on the hook
for 18 hours!)

But even though all these defenses have been put up, some spam still
gets through.

That's why I want the spamtrap thing, as an addendum to my other
spam deterrents. But what you said makes perfect sense. Is there a way
then to block the actual sending IP address?

Thanks again,
Mark

p.s.
For all to view and for your reading pleasure, my config:
***ACL RCPT***
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_rcpt:
  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept hosts = :

  # Deny if the local part contains @ or % or / or | or !. These are rarely
  # found in genuine local parts, but are often tried by people looking to
  # circumvent relaying restrictions.
  #
  # Also deny if the local part starts with a dot. Empty components aren't
  # strictly legal in RFC 2822, but Exim allows them because this is common.
  # However, actually starting with a dot may cause trouble if the local part
  # is used as a file name (e.g. for a mailing list).
  #
  deny local_parts = ^.*[@%!/|] : ^\\.

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  #
  accept local_parts = postmaster:abuse
         domains = +local_domains

  # Deny (and, if TEERGRUBE is defined, stall) hosts listed in DNS blacklists.
  # Long values are continued with a trailing backslash; Exim strips the
  # leading white space of the continuation line.
  deny message = $sender_host_address is listed at $dnslist_domain \
                 ($dnslist_value: $dnslist_text)
       log_message = $sender_host_address is listed at $dnslist_domain \
                     ($dnslist_value: $dnslist_text)
       dnslists = relays.ordb.org:sbl.spamhaus.org:bl.spamcop.net
.ifdef TEERGRUBE
       delay = TEERGRUBE
       log_message = Teergrubing $sender_host_address because it is listed \
                     at $dnslist_domain ($dnslist_value: $dnslist_text)
.endif

  # Deny unless the sender address can be verified.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable the following line.
  deny !acl = acl_whitelist_local_deny
       !dnslists = dsn.rfc-ignorant.org/$sender_address_domain
       !verify = sender
       message = Sending address does not exist.
       log_message = Cannot verify sender from $sender_host_address

  # Warn if the sender host does not have valid reverse DNS.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable the following lines.
  warn message = X-Broken-Reverse-DNS: no host name found for IP \
                 address $sender_host_address
       !verify = reverse_host_lookup

  # deny bad senders (envelope sender)
  # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  # should have their access denied to the local host. Incoming messages
  # with one of these senders are rejected at RCPT time.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny message = sender envelope address $sender_address is locally \
                 blacklisted here. If you think this is wrong, get in touch \
                 with postmaster. Until then happy teergrubbing
       !acl = acl_whitelist_local_deny
       senders = ${if exists{CONFDIR/local_sender_blacklist}\
                            {CONFDIR/local_sender_blacklist}\
                            {}}
       log_message = Denied access to locally blacklisted sender \
                     ($sender_host_address)
#.ifdef TEERGRUBE
#      delay = TEERGRUBE
#      log_message = Teergrubing Blacklisted sender
#.endif

  # deny bad sites (IP address)
  # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  # and networks (CIDR notation) that should have their access denied to
  # the local host. Messages coming in from a listed host will have all
  # RCPT statements rejected.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny message = sender IP address $sender_host_address is locally \
                 blacklisted here. If you think this is wrong, get in touch \
                 with postmaster. Until then happy teergrubbing
       !acl = acl_whitelist_local_deny
       hosts = ${if exists{CONFDIR/local_host_blacklist}\
                          {CONFDIR/local_host_blacklist}\
                          {}}
       log_message = Locally denied access to blacklisted host \
                     ($sender_host_address)
#.ifdef TEERGRUBE
#      delay = TEERGRUBE
#      log_message = Teergrubing blacklisted host.
#.endif

#############################################################################
# There are no checks on DNS "black" lists because the domains that contain
# these lists are changing all the time. You can find examples of
# how to use dnslists in /usr/share/doc/exim4-config/examples/acl
#############################################################################

  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).
  #
  accept domains = +local_domains
         endpass
         message = unknown user
         verify = recipient/callout

  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.
  #
  accept domains = +relay_to_domains
         endpass
         message = unrouteable address
         verify = recipient/callout

  # If control reaches this point, the domain is neither in +local_domains
  # nor in +relay_to_domains.

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. Recipient verification is omitted here, because in many
  # cases the clients are dumb MUAs that don't cope well with SMTP error
  # responses. If you are actually relaying out from MTAs, you should probably
  # add recipient verification here.
  #
  accept hosts = +relay_from_hosts

  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted.
  #
  accept authenticated = *

  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.
  #
  deny message = relay not permitted


***ACL DATA***
# 40_exim4-config_check_data

acl_check_data:
  # Deny unless the address list headers are syntactically correct.
  #
  # This is disabled by default because it might reject legitimate mail.
  # If you want your system to insist on syntactically valid address
  # headers, you might want to enable the following lines.
  # deny message = Message headers fail syntax check
  #      !acl = acl_whitelist_local_deny
  #      !verify = header_syntax

  # require that there is a verifiable sender address in at least
  # one of the "Sender:", "Reply-To:", or "From:" header lines.
  deny message = No verifiable sender address in message headers
       !acl = acl_whitelist_local_deny
       !verify = header_sender
.ifdef TEERGRUBE
       delay = TEERGRUBE
.endif

  # enforce a message-size limit (MESSAGE_SIZE_LIMIT is a macro)
  deny message = Message size $message_size is larger than limit of MESSAGE_SIZE_LIMIT
       condition = ${if >{$message_size}{MESSAGE_SIZE_LIMIT}{yes}{no}}

  # reject messages whose MIME structure exiscan cannot decode cleanly
  deny message = Found MIME error ($demime_reason).
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # reject attachments with blacklisted file extensions
  deny message = Contains $found_extension file (blacklisted). You \
                 should never send these kinds of files.
       demime = com:vbs:ba[st]:pif:scr:ad[ep]:chm:cmd:cpl:hlp:hta:in[fs]:isp:lnk:reg:url:vbe

  deny message = Another $found_extension file. These types of windows \
                 files often contain viruses. (Blacklisted).
       demime = exe:doc:xls:xlt:dot

  # reject anything the virus scanner (exiscan) flags
  deny message = Message contains malware or a virus ($malware_name). \
                 You should buy (and use) a virus scanner.
       log_message = $sender_host_address tried sending $malware_name
       demime = *
       malware = *

  # accept otherwise
  accept


And I'm using exiscan for virus scanning at SMTP DATA time, and
SA-exim for spamassassin.



--
MICROSOFT: Most Intelligent Customers Realize Our Software is Only for
Fools and Teenagers.
spamtrap@???: arnold@??? zebra@???
Sparse binary polynomial matching with a Bayesian Chain Rule evaluator
Yeah.. U-huh.
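As an added example (not part of this thread, and not Exim's own code), the script below does the IP-keyed version of what Mark asks about: it reads Exim-style "rejected RCPT" log lines for a spamtrap address, counts hits per connecting IP while ignoring the forgeable envelope sender, skips trusted forwarding networks, and emits lines for CONFDIR/local_host_blacklist. The log lines, the trap address, the whitelisted network and the hit threshold are all constructed or assumed values.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of Exim's reject log (not real data).
SAMPLE_LOG = """\
2004-02-10 09:12:01 H=mx.example.org [192.0.2.10] F=<zebra@example.com> rejected RCPT <spamtrap@example.com>: spamtrap hit
2004-02-10 09:12:07 H=(winbox) [198.51.100.7] F=<arnold@example.com> rejected RCPT <spamtrap@example.com>: spamtrap hit
2004-02-10 09:13:40 H=(winbox) [198.51.100.7] F=<bob@example.net> rejected RCPT <spamtrap@example.com>: spamtrap hit
2004-02-10 09:14:02 H=(winbox) [198.51.100.7] F=<> rejected RCPT <spamtrap@example.com>: spamtrap hit
2004-02-10 09:15:11 H=relay.example.net [203.0.113.5] F=<alice@example.org> rejected RCPT <spamtrap@example.com>: spamtrap hit
2004-02-10 09:16:00 H=(other) [198.51.100.9] F=<x@example.com> rejected RCPT <real@example.com>: unknown user
"""

# Networks that legitimately forward mail to us (e.g. a secondary MX); hypothetical value.
WHITELIST = [ip_network("203.0.113.0/24")]

# Connecting IP, envelope sender and recipient of a "rejected RCPT" log entry.
LINE_RE = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>"
)

def spamtrap_hits(log_text, trap_addresses):
    """Count rejected RCPTs to spamtrap addresses, keyed by connecting IP.
    The envelope sender (F=<...>) is ignored on purpose: it is routinely
    forged, which is why blacklisting by sender address misfires."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("rcpt").lower() in trap_addresses:
            hits[m.group("ip")] += 1
    return hits

def blacklist_candidates(hits, threshold=2, whitelist=WHITELIST):
    """IPs with at least `threshold` hits outside whitelisted networks.
    A single hit may be a legitimate host forwarding a bounce or autoreply."""
    return [ip for ip, n in sorted(hits.items())
            if n >= threshold
            and not any(ip_address(ip) in net for net in whitelist)]

def render_host_blacklist(ips):
    """Contents for CONFDIR/local_host_blacklist: one host per line."""
    return "".join(f"{ip}\n" for ip in ips)

if __name__ == "__main__":
    hits = spamtrap_hits(SAMPLE_LOG, {"spamtrap@example.com"})
    print(render_host_blacklist(blacklist_candidates(hits)), end="")
```

Exim re-reads the file named in the `hosts =` condition on each lookup, so appending the output to local_host_blacklist takes effect without a restart; review the list periodically, since dial-up and NAT addresses change hands.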