Re: [Exim] Rejecting spam based on a weighted sum of RBL hit…

Author: Giuliano Gavazzi
Date:  
To: Łukasz Grochal, exim-users
Subject: Re: [Exim] Rejecting spam based on a weighted sum of RBL hits.
At 12:19 am +0200 2004/06/05, Łukasz Grochal wrote:
>The method mentioned in subject has recently been proposed in a
>Polish anti-spam usenet group as an alternative to just rejecting spam
>if sender's IP is listed in some RBL. As it can be easily implemented
>in Exim, I'm attaching a proof of concept implementation (based on
>RBLs and their weights used by SpamAssassin). Hope someone will find
>this useful. And I hope I haven't just reinvented the wheel ;>


Well, you have... many of us are already using ACL variables to build a score from many criteria, including RBLs. In my setup not even failed sender callouts alone can reject (except for those local users with a low score threshold)!

A few observations on your "wheel":

>acl_smtp_mail = check_mail
>acl_smtp_rcpt = check_recipient
>
>[...]
>
>check_mail:
>         # RCVD_IN_BL_SPAMCOP_NET
>         warn    dnslists        = bl.spamcop.net
>                 set             acl_m0 = ${eval:$acl_m0+15}


These checks should all be done at the RCPT phase. In a normal setup (that is, without fake-secondary traps) we observe a ratio (unknown recipient)/(spam to known recipient) of around 3; with your method you would waste all those RBL lookups on messages that are going to be rejected anyway. In the presence of a fake-secondary trap I noticed this ratio drop to 1, but you would still waste 50% of the RBL DNS lookups.

>         # RCVD_IN_BSP_OTHER
>         warn    dnslists        = sa-other.bondedsender.org
>                 set             acl_m0 = ${eval:$acl_m0-1}


I did not know of these bondedsender.org "positive" RBLs. I do not think, though, that they are of any use in a MAIL/RCPT-only check; their contribution to the score serves to counteract content-based filtering, and I doubt I want them to counteract RBL-based scoring (and it is unlikely they will even do so!).

>[...]
>check_recipient:
>[...]
>
>         accept  local_parts     = postmaster
>                 domains         = +local_domains

>
>         deny    message         = Sender's IP listed in too many RBLs.
>                 condition       = ${if >{$acl_m0}{70}{yes}{no}}


Also, you should build the response out of $dnslist_domain and $dnslist_text and store it in a variable, so that at rejection (if any) you can give a detailed (multiline) reason. I use an expression like:

                 set acl_m2 = $acl_m2 YOUR SERVER ADDRESS $sender_host_address IS BLACKLISTED AT $dnslist_domain\n$dnslist_text\n


Giuliano
--
H U M P H
    || |||
  software


Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
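The two points made in the reply above, moving the weighted DNSBL lookups to the RCPT ACL so that unknown recipients are refused before any lookup is spent, and collecting $dnslist_domain / $dnslist_text into an ACL variable so the eventual 5xx carries a multi-line reason, combined into one Exim 4 ACL. This is an added example, not the configuration posted in the thread nor Giuliano's own setup. The spamcop weight (15) and the threshold (70) are taken from the quoted proof of concept; the second list name and its weight, the sentinel variable acl_m1 and the sub-ACL name rbl_score are assumptions made for the example.

```exim
# Added example: weighted DNSBL scoring at RCPT time (not from the thread).
# Weights and the list zen.spamhaus.org are illustrative assumptions.
domainlist local_domains   = @
hostlist   relay_from_hosts = 127.0.0.1

acl_smtp_rcpt = check_recipient

begin acl

# Sub-ACL (assumed name): accumulate the score in acl_m0 and the
# human-readable evidence in acl_m2.  A "set" that follows a dnslists
# condition only runs when the lookup hits, so $dnslist_domain and
# $dnslist_text are valid where they are used.  acl_m variables start
# empty for every message, so acl_m0 is set to 0 first to keep ${eval}
# happy; acl_m2 needs no reset.
rbl_score:
  warn    set acl_m0 = 0

  warn    dnslists = bl.spamcop.net
          set acl_m0 = ${eval:$acl_m0+15}
          set acl_m2 = $acl_m2$sender_host_address is listed at $dnslist_domain\n$dnslist_text\n

  warn    dnslists = zen.spamhaus.org
          set acl_m0 = ${eval:$acl_m0+60}
          set acl_m2 = $acl_m2$sender_host_address is listed at $dnslist_domain\n$dnslist_text\n

  # "Positive" list from the quoted config: lowers the score slightly.
  warn    dnslists = sa-other.bondedsender.org
          set acl_m0 = ${eval:$acl_m0-1}

  accept

check_recipient:
  # Local (non-TCP) submissions, relay hosts and authenticated clients
  # never pay for a DNSBL lookup.
  accept  hosts = :
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  accept  local_parts = postmaster
          domains = +local_domains

  require message = relay not permitted
          domains = +local_domains

  # Cheap rejection first: an unknown recipient is refused before any
  # DNSBL query is spent on the message.
  require verify = recipient

  # Score once per message, not once per RCPT: acl_m1 (assumed sentinel)
  # is empty at the first RCPT and is reset with the other acl_m
  # variables when the next message starts.
  warn    condition = ${if eq{$acl_m1}{}{yes}{no}}
          acl = rbl_score
          set acl_m1 = scored

  # The newlines in acl_m2 turn this into a multi-line 5xx response.
  deny    message = Sender's IP listed in too many RBLs:\n$acl_m2
          condition = ${if >{$acl_m0}{70}{yes}{no}}

  accept
```

A fake SMTP session started with `exim -bh <client address>` walks through this ACL for a given host address and prints the full multi-line rejection, which is the quickest way to check both the ordering (a RCPT to an unknown user should be refused without any DNSBL query appearing in the debug output) and the text that acl_m2 accumulates.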