Graham,
On Fri, 25 Jun 2004, Graham Dodd wrote:
> Hello exim-users,
>
> my mail server is being flooded by a SPAM (if you're in Germany then you have
> probably seen this already)
You don't have to be in Germany :-(
> which doesn't get caught by SA.
You can make SpamAssassin catch it trivially. This was discussed on the
SA-users mailing list (sorry, can't find a reference right now). Various
rule sets were produced to trap the content. But the winner IMHO was this
simple one

  header GERMANSPAM Message-ID =~ /^<.*[a-z].*\.qmail\@.*>/
  describe GERMANSPAM Contains German Spam
  score GERMANSPAM 100

because qmail message IDs apparently only contain numerics, e.g.

  20040518105817.14644.qmail@???

- contrast with your example below

  e91b8c76638793.bece3.qmail@???

I haven't seen a false positive yet :-)
(I'm inferring from what you say that your SA would reject at SMTP time,
which is a Good Thing)
> At the end
> all this mail gets rejected and sent back to the "non-existent" sender.
Hmmm ... that implies that you are not using verify=recipient anywhere? If
you were, you could reject it (for invalid recipients) before it even gets
as far as SA.
HTH,
Richard
> All I want to do right now is drop the mail. I'm working my way through
> the book to see if I can solve this, but if anyone has been there and
> done it I would appreciate some help
>
> I've included some log info and my transport.
>
> 2004-06-25 08:13:15 1Bdjxa-00050Y-Ib <= roswitha.reischl@??? H=mail.solution-service.de (hermes.k-town.de) [81.200.96.2]:3174 I=[10.7.18.1]:25 P=esmtp S=1677 id=e91b8c76638793.bece3.qmail@??? T="So sieht die Wahrheit aus! <Key:1400>" from <roswitha.reischl@???> for www-data@??? infolex@falk-ross.de austria@??? mssupport@??? mts@??? mspss@???
> 2004-06-25 08:13:15 SMTP connection from mail.solution-service.de (hermes.k-town.de) [81.200.96.2]:3174 closed by QUIT
> 2004-06-25 08:13:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Bdjxa-00050Y-Ib
> 2004-06-25 08:13:16 1Bdjxa-00050Y-Ib <www-data@???>: transport_cyrus_local transport output: www-data: Mailbox does not exist
> 2004-06-25 08:13:16 1Bdjxa-00050Y-Ib ** www-data@??? F=<roswitha.reischl@???> R=router_cyrus_local T=transport_cyrus_local: Child process of transport_cyrus_local transport returned 65 (could mean error in input data) from command: /usr/libexec/cyrus/deliver
> 2004-06-25 08:13:16 1Bdjxa-00050Y-Ib <mspss@???>: transport_cyrus_local transport output: mspss: Mailbox does not exist
> 2004-06-25 08:13:16 1Bdjxa-00050Y-Ib ** mspss@??? F=<roswitha.reischl@???> R=router_cyrus_local T=transport_cyrus_local: Child process of transport_cyrus_local transport returned 65 (could mean error in input data) from command: /usr/libexec/cyrus/deliver
> 2004-06-25 08:13:16 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1Bdjxa-00050Y-Ib
> 2004-06-25 08:13:17 1Bdjxc-00050v-Sy <= <> R=1Bdjxa-00050Y-Ib U=exim P=local S=2963 T="Mail delivery failed: returning message to sender" from <> for roswitha.reischl@???
>
[...snipped...]
> thanks,
>
> Graham
>
> --
> Graham K. Dodd
> Director of Operations
> Falk & Ross GmbH
> Tel: 06301 717 0
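
Added example (not part of the original message or of SpamAssassin/Exim): a Python check that applies the GERMANSPAM Message-ID pattern from the reply above to the id= field of Exim main-log arrival lines, to see which queued messages the rule would have hit. The sample log lines, the example.invalid domains, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re

# Same pattern as the GERMANSPAM rule: a lowercase letter somewhere before
# ".qmail@" in the Message-ID. Like the rule, it is case-sensitive.
FORGED_QMAIL = re.compile(r"^<.*[a-z].*\.qmail@.*>")

# Exim main-log arrival line: "<date> <time> <exim-id> <= <sender> ... id=<message-id>"
ARRIVAL = re.compile(r"^\S+ \S+ (?P<exim_id>\S+) <= .*?\bid=(?P<msgid>\S+)")


def is_forged_qmail_id(message_id):
    """True if the Message-ID claims qmail but has letters before '.qmail@'."""
    value = message_id.strip()
    # Exim logs id= without the angle brackets the header carries; restore them.
    if not value.startswith("<"):
        value = "<" + value + ">"
    return FORGED_QMAIL.match(value) is not None


def flag_arrivals(log_lines):
    """Return (exim_id, message_id) for each arrival whose Message-ID matches."""
    hits = []
    for line in log_lines:
        m = ARRIVAL.match(line)
        if m and is_forged_qmail_id(m.group("msgid")):
            hits.append((m.group("exim_id"), m.group("msgid")))
    return hits


# Constructed sample log; the two qmail-style ids are the ones quoted in the thread,
# with the archive's "???" replaced by a placeholder domain.
SAMPLE_LOG = [
    "2004-06-25 08:13:15 1Bdjxa-00050Y-Ib <= sender@example.invalid "
    "H=relay.example.invalid [192.0.2.10] P=esmtp S=1677 "
    "id=e91b8c76638793.bece3.qmail@example.invalid",
    "2004-06-25 08:13:15 SMTP connection from relay.example.invalid closed by QUIT",
    "2004-06-25 08:14:02 1Bdjyb-00051A-Qx <= list@example.invalid "
    "H=mx.example.invalid [192.0.2.20] P=esmtp S=2210 "
    "id=20040518105817.14644.qmail@example.invalid",
    "2004-06-25 08:14:30 1Bdjyz-00051C-Ab <= user@example.invalid "
    "H=mx.example.invalid [192.0.2.30] P=esmtp S=900 id=abc123@example.invalid",
]

if __name__ == "__main__":
    for exim_id, msgid in flag_arrivals(SAMPLE_LOG):
        print(exim_id, msgid)
```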