RE: [Exim] ACL to block specific Hello & IP

Author: Scott Truman
Date:
To: Jim Pazarena
CC: exim-users
Subject: RE: [Exim] ACL to block specific Hello & IP
-----Original Message-----
>I see H= in my logs with MY domain name in them.
>The [ ip ] is NOT mine, and these are almost always SPAMMERS.
>
>Could someone suggest an ACL which
>rejects a connection which offers MY domain name in the H= but which
>also does NOT have my IP number?
>
>I would like a caseless partial search for "qcislands" in the H= , and
>for a partial IP match.
>
>any help would be appreciated.
>
>Jim


I use the following ACL care of some-helpful-guy-from-this-list-whose-name-eludes-me :)

# put this at the beginning of your conf
REJECTHELO=/etc/exim/acls/heloreject

# in the rcpt ACL
# Deny rcpts if the HELO given is one in our REJECTHELO file
deny condition = ${lookup {$sender_helo_name}nwildlsearch{REJECTHELO}{yes}{no}}
     hosts     = ! +relay_from_hosts
     message   = Blacklisted Host

and in /etc/exim/acls/heloreject I have lines such as:

mydomain.com
myhost.mydomain.com
200.0.0.1        #my public ip
somestupidhelo
*.cable.mindspring.com
^dialup-
^dial-
^\d+-\d+-\d+


etc... feel free to make use of wildcards and regexes (precede them with ^)

If you run a script such as the following against your main.log file, you'll see that there are many other stoopid HELOs that you can blacklist by. (You may have to replace "Unknown user" with "unrouteable address" or whatever you have in your config)

    grep -i ": Unknown user" /var/log/exim/main.log |
    sed 's/^.*H=(//;s/).*$//' |
    awk '{ if ($0 in cnt) cnt[$0]++
         else cnt[$0] = 1
       }
       END {
         for (hn in cnt) printf "%7d %s\n", cnt[hn], hn
       }' |
    sort -rn


A very 'cheap' and effective method for cutting down on spam before accepting the entire message, especially if a mail server is behind some port-forwarded firewall with unhelpful translation (i.e. mail appears to come from your firewall's IP).

Cheers
Scott
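An added example, not from the original post or from Exim: before deploying a heloreject file, dry-run it against main.log to see which sessions the ACL above would have denied and which are exempt because they come from our own hosts. It mimics nwildlsearch key matching (literal, leading `*` wildcard, `^` regex, all caseless) and uses a constructed heloreject file, a hypothetical relay_from_hosts list and a constructed log excerpt.

```python
import re
import ipaddress

# Constructed heloreject file in the shape of the one above (values are examples).
HELOREJECT = r"""mydomain.com
200.0.0.1        #my public ip
*.cable.mindspring.com
^\d+-\d+-\d+
"""
# Hypothetical relay_from_hosts: our own hosts, which the ACL exempts.
RELAY_FROM_HOSTS = [ipaddress.ip_network("200.0.0.1/32"),
                    ipaddress.ip_network("192.168.0.0/24")]

def parse_patterns(text):
    # nwildlsearch keys: ^ starts a regex, leading * is a wildcard, else literal; caseless
    pats = []
    for line in text.splitlines():
        key = line.split("#", 1)[0].strip()   # drop trailing comment text
        if key.startswith("^"):
            pats.append(re.compile(key, re.IGNORECASE))
        elif key.startswith("*"):
            pats.append(re.compile(".*" + re.escape(key[1:]) + r"\Z", re.IGNORECASE))
        elif key:
            pats.append(re.compile(re.escape(key) + r"\Z", re.IGNORECASE))
    return pats

def would_deny(helo, ip, patterns, relay_nets=RELAY_FROM_HOSTS):
    # The ACL above only fires for peers outside relay_from_hosts.
    if any(ipaddress.ip_address(ip) in net for net in relay_nets):
        return False
    return any(p.match(helo) for p in patterns)

# Simplified Exim log forms: H=hostname (helo) [ip], H=(helo) [ip], H=hostname [ip]
LOG_RE = re.compile(r"H=(?:(?P<host>[^\s(\[]+)\s+)?(?:\((?P<helo>[^)]*)\)\s+)?\[(?P<ip>[^\]]+)\]")

def audit(log_text, patterns):
    out = []   # (helo, ip, denied) for each log line that carries an H= field
    for m in (LOG_RE.search(l) for l in log_text.splitlines()):
        if m:
            helo = m.group("helo") or m.group("host")
            out.append((helo, m.group("ip"), would_deny(helo, m.group("ip"), patterns)))
    return out

# Constructed main.log excerpt (not real traffic).
SAMPLE_LOG = """\
2004-03-01 10:00:01 H=(MyDomain.com) [203.0.113.5] rejected RCPT <bob@mydomain.com>: Unknown user
2004-03-01 10:00:02 H=(mydomain.com) [192.168.0.10] rejected RCPT <nobody@mydomain.com>: Unknown user
2004-03-01 10:00:03 H=c-1-2-3.cable.mindspring.com (foo.cable.mindspring.com) [198.51.100.7] rejected RCPT <bob@mydomain.com>: Unknown user
2004-03-01 10:00:04 H=(1-2-3-4) [198.51.100.9] rejected RCPT <bob@mydomain.com>: Unknown user
2004-03-01 10:00:05 H=(200.0.0.1) [198.51.100.12] rejected RCPT <bob@mydomain.com>: Unknown user
2004-03-01 10:00:06 H=mail.example.org [198.51.100.10] rejected RCPT <gone@mydomain.com>: Unknown user
2004-03-01 10:00:07 H=(cable.mindspring.com) [198.51.100.11] rejected RCPT <bob@mydomain.com>: Unknown user
"""
```

Note that `*.cable.mindspring.com` does not match a bare `cable.mindspring.com` HELO, and a listed HELO from an address inside relay_from_hosts is still accepted, so check both before trusting the list.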