Autor: Alan J. Flavell Data: A: Exim users list Assumpte: [Exim] envelope-sender blacklisting - thoughts?
I've been noticing quite a number of cases where we've been offered
mail from dnsrbl-clean IPs, but with envelope-sender domains which, on
investigation, turn out to be professional spammers.
If we take the envelope-sender domain, and look it up in some RHSBLs
(I try rhsbl.ahbl.org and rhsbl.sorbs.net), then quite often they come
up clean. But if I manually look up via MX and/or A records the IP
address of the MTA(s) for the domain, and then look _that_ up in the
IP-based RBLs, then the IP will turn out to be in level-1 Spews and/or
the SBL (spamhaus block list), if not in others too.
After a while, the domains do tend to turn up in rhsbl.ahbl.org, but
it looks as if there are some gangs who create new domain names like
wallpaper, all linked to the same few IP addresses, and the rhsbl
lists can't keep up with them: I didn't see an obvious way to rate
them in exim ACLs via their IP blacklist entries in the way that I
describe manually above. And their content is sufficiently tuned to
get past Spamassassin, too often for my liking.
However, in a discussion with Chris Edwards recently, he came up with
the idea of putting such IP addresses into the ignore_target_hosts
list of the applicable router. Then the envelope-sender address will
appear to fail verification, and the mail will be rejected on those
grounds.
Now, it might be a high-risk strategy to download the entire Spews
level-1 list and put it into our ignore_target_hosts list. But I
wouldn't mind sticking a moderate number of IP address/ranges into the
list under manual control, if there's no better way: but maybe there
is a more subtle approach that I'm missing at the moment? I'm not at
all experienced in the ways of routers - is there some way that one
could run a router as a test, and rate the result without doing an
absolute rejection? Any other approaches which bring an equivalent
result?