Re: [Exim] ACL Spam Rejection Tricks

Author: Alan J. Flavell
Date:  
To: 'Exim Users'
Subject: Re: [Exim] ACL Spam Rejection Tricks
On Sun, 11 Jul 2004, jonathan vanasco wrote:

> I haven't done this yet -- but looking at my logs, if i could
> blacklist an IP for sending to 3+ dead addresses in a row, i'd cut down
> on 98% of my spam
I -have- tried it, and it's a mixed blessing. I was motivated to do
so after a spate of what appeared to be "dictionary scanning" via open
relays/proxies. They would open an SMTP call and grind their way down
typically two or three dozen addresses in alphabetical order, close
the call, and then open another one, typically via a different open
relay, and grind down another two or three dozen addresses.

Funnily enough, this kind of activity seems to have gone out of
fashion, or else they're doing it with sufficient stealth that we're
no longer spotting it (perhaps just trying one address per call).

But I managed to automatically blacklist at least one bona fide
mailing list site which was of significant importance to many of our
users, because it had some obsolete addresses in one of its mailing
lists. Woops.

So take care. Perhaps best to initially try a defer: scan the logs to
see what's getting deferred, and then either blacklist it or whitelist
it accordingly. As you gain experience then you could go over to an
automatic "deny" setting, but to tell the truth, I've actually
disabled that part of our configuration now, because - as I say - the
abuses that it was trying to guard against seemed to have ceased, and
it was a potential pitfall to some bona fide mailing lists - which were
arguably too loosely managed, but still of importance to our users.
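The "try a defer first, then scan the logs" approach described above can be turned into a small review script. The following is an added example, not code from the post or from the Exim project: it reads log lines in the general shape of Exim's "rejected RCPT ... Unrouteable address" and "<=" acceptance entries (the exact layout is an assumption), counts the longest run of consecutive unknown-recipient rejections per peer IP, and lists the peers that reached a threshold unless they are on a hand-kept whitelist. The sample log lines, host names and addresses are constructed for the example; the whitelisted peer models the bona fide list server with stale subscribers that the post warns about.

```python
import re
from collections import defaultdict

# Constructed sample lines, shaped roughly like Exim reject/main log entries
# (assumption: "rejected RCPT <addr>: Unrouteable address" for an unknown local
# part, "<=" for an accepted message). Not real log data.
SAMPLE_LOG = """\
2004-07-11 10:01:02 H=(relay.example.net) [192.0.2.10] F=<x@example.com> rejected RCPT <aaron@example.org>: Unrouteable address
2004-07-11 10:01:03 H=(relay.example.net) [192.0.2.10] F=<x@example.com> rejected RCPT <abbott@example.org>: Unrouteable address
2004-07-11 10:01:04 H=(relay.example.net) [192.0.2.10] F=<x@example.com> rejected RCPT <abel@example.org>: Unrouteable address
2004-07-11 10:01:05 H=(relay.example.net) [192.0.2.10] F=<x@example.com> rejected RCPT <adam@example.org>: Unrouteable address
2004-07-11 10:05:00 H=lists.example.com [198.51.100.5] F=<list-bounces@lists.example.com> rejected RCPT <old-user@example.org>: Unrouteable address
2004-07-11 10:05:01 H=lists.example.com [198.51.100.5] F=<list-bounces@lists.example.com> rejected RCPT <gone@example.org>: Unrouteable address
2004-07-11 10:05:02 H=lists.example.com [198.51.100.5] F=<list-bounces@lists.example.com> rejected RCPT <left@example.org>: Unrouteable address
2004-07-11 10:07:00 H=mx.example.co [203.0.113.7] F=<friend@example.co> rejected RCPT <typo@example.org>: Unrouteable address
2004-07-11 10:07:30 1BjXyz-0001Ab-Cd <= friend@example.co H=mx.example.co [203.0.113.7] P=esmtp S=1234 for bob@example.org
"""

# Peer as Exim writes it: H=name (helo) [ip]; only the IP and the H= text are kept.
HOST_RE = re.compile(r"H=(?P<host>.*?) \[(?P<ip>[0-9A-Fa-f.:]+)\]")
# A recipient refused (or deferred, when the ACL says "defer") as unknown.
REJECT_RE = re.compile(
    r"(?:temporarily )?rejected RCPT <(?P<rcpt>[^>]+)>: "
    r"(?:Unrouteable address|Unknown user)"
)
# A message accepted from that peer: one good recipient breaks the run.
ACCEPT_RE = re.compile(r" <= ")


def longest_runs(lines):
    """Return {ip: (host_text, longest run of consecutive unknown-recipient rejects)}."""
    streak = defaultdict(int)   # current run per peer IP
    longest = {}                # best run seen per peer IP
    for line in lines:
        h = HOST_RE.search(line)
        if not h:
            continue            # not a line that names a peer
        ip, host = h.group("ip"), h.group("host")
        if REJECT_RE.search(line):
            streak[ip] += 1
            best = longest.get(ip, (host, 0))[1]
            longest[ip] = (host, max(best, streak[ip]))
        elif ACCEPT_RE.search(line):
            streak[ip] = 0      # a delivered message resets the run
            longest.setdefault(ip, (host, 0))
    return longest


def candidates(lines, threshold=3, whitelist=frozenset()):
    """Peers whose run reached the threshold and are not on the hand-kept whitelist."""
    return {ip: info for ip, info in longest_runs(lines).items()
            if info[1] >= threshold and ip not in whitelist}


if __name__ == "__main__":
    # Review pass: print what a "deny" rule would have blocked, then decide per peer.
    known_good = {"198.51.100.5"}  # the list server with stale subscribers
    for ip, (host, run) in candidates(SAMPLE_LOG.splitlines(), whitelist=known_good).items():
        print(f"{ip} ({host}): {run} unknown recipients in a row")
```

Running the script on the sample flags only 192.0.2.10 with a run of four, while the list server at 198.51.100.5, which also hit three dead addresses in a row, is skipped because it was whitelisted after review rather than denied automatically.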