> -----Original Message-----
> From: Odhiambo Washington [mailto:wash@wananchi.com]
> * Scott Truman <Scott@???> [20040406 13:35]: wrote:
> > -----Original Message-----
> > >I see H= in my logs with MY domain name in them.
> > >The [ ip ] is NOT mine, and these are almost always SPAMMERS.
> > >
> > >Could someone suggest an ACL which
> > >rejects a connection which offers MY domain name in the H=
> but which
> > >also does NOT have my IP number?
> > >
> > >I would like a caseless partial search for "qcislands" in
> the H= , and
> > >for a partial IP match.
> > >
> > >any help would be appreciated.
> > >
> > >Jim
> >
> > I use the following ACL care of
> some-helpful-guy-from-this-list-whose-name-alludes-me :)
> >
> > #put this at the beginning of your conf'
> > REJECTHELO=/etc/exim/acls/heloreject
> >
> > #in rcpt ACL
> > # Deny rcpts if the HELO given is one in our REJECTHELO file
> > deny condition = ${lookup
> {$sender_helo_name}nwildlsearch{REJECTHELO}{yes}{no}}
> > hosts = ! +relay_from_hosts
> > message = Blacklisted Host
> >
> > and in /etc/exim/acls/heloreject I have lines such as:
> >
> > mydomain.com
> > myhost.mydomain.com
> > 200.0.0.1 #my public ip
> > somestupidhelo
> > *.cable.mindspring.com
> > ^dialup-
> > ^dial-
> > ^\d+-\d+-\d+
> >
> > etc...feel free to make use of wildcards and regex's
> (precede them with ^)
>
>
> Hi scott,
>
> That was quite splendid. I've decided to use that in conjunction with
> other options that I have.
> I'd like to seek your recommendation on how to use the following:
> http://users.aber.ac.uk/auj/spam/dialupnets.txt as read with
> http://users.aber.ac.uk/auj/spam/
> I believe that would also cut spam by a good percentage.
>
That's a handy list. You could include that entire list in your heloreject file if you wish, with slight modification.
i.e [0-9-]+.wan.networktel.net from the list would need the preceding '^' and the 'dots' would need to preceded with a '\' giving us:
^[0-9-]+\.wan\.networktel\.net
Remember though that we are only working with HELOs, not proper FQDN's and they may/will not necessarily follow the source IP...but it is a start. Also, if your list gets too long, you may wish to convert it to db so that it is parsed faster.
The best way, I have found, is to parse your log files through a script such as that supplied below, so you can see the most common HELO's used...I'd be suprised if you don't find that your public IP is not the most common! I have this before my RBL checking and it is currently stopping four times the number of spam/dictionary attack rcpts, than my RBL blocking...all good.
>
> > If you run a script such as the following against your
> main.log file,
> > you'll see that there are many other stoopid HELOs that you can
> > blacklist by. (You may have to replace "Unknown user" with
> > "unrouteable address" or whatever you have in your config)
> >
> > grep -i ": Unknown user" /var/log/exim/main.log |
> > sed 's/^.*H=(//;s/).*$//' |
> > awk '{ if ($0 in cnt) cnt[$0]++
> > else cnt[$0] = 1
> > }
> > END {
> > for (hn in cnt) printf "%7d %s\n", cnt[hn], hn
> > }' |
> > sort -rn
> >
> > A very 'cheap' and effective method for cutting down on spam before
> > accepting the entire message, especially if a mail server is behind
> > some port forwarded firewall with unhelpful translation (i.e mail
> > appears to come from your firewall's IP).
>
> That command snippet, does it have something missing, especially just
> before the "else"??
>
I just copied and pasted this from the script I use; are you getting an error?
>
> Thanks in advance.
>
>
> -Wash
Cheers
Scott
