[Exim] Spam mail bomb - advice and tricks

Author: Paul
Date:  
To: exim-users
Subject: [Exim] Spam mail bomb - advice and tricks
Hi all,

We recently had a large flood of email bomb our server and it all appears to
be big spam floods from random sources.
The majority of it that I can see anyway seems to be faking its source as
our server's IP address, see below:

2004-08-18 14:24:48 1BxI0B-000748-00 <= JUBCBEXT@???
H=(our.ip.address.here) [random.spammer.IP.here] P=smtp S=1668
id=bonyalqj@???

It looks like they fake the HELO as our own IP address and do a big bunch of
RCPT to's for lots of our users.
Can we block this type of email on a global scale in our exim configuration?
Is this something considered safe and a good approach?
I can't see our server legitimately emailing itself and using its own IP as
the HELO and not as the source IP in the email.
In the above cases the HELO or H= IP is always our IP and the source is
their random IP.

It just leaves us dead in the water as our server happily accepts a couple of
hundred RCPT to's a second to our local users from bad spammers.

Any comments/ideas/tricks would be great.

Thanks
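
Added example, not part of the original post: a log check for the pattern described above, where the HELO shown in `H=(...)` is the server's own address but the connecting IP in `[...]` is someone else's. The addresses in `OUR_IDENTITIES`, the function names and the sample log lines are constructed assumptions; the sample lines are shown unwrapped, one per message.

```python
import re
from collections import Counter

# Assumption: the server's own IP and host name (documentation addresses here).
OUR_IDENTITIES = {"192.0.2.10", "mail.example.org"}

# Host part of an Exim arrival ("<=") line, in its three logged shapes:
#   H=(helo) [ip]    H=hostname (helo) [ip]    H=hostname [ip]
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r".*?\bH=(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)

def forged_self_helo(lines, ours=OUR_IDENTITIES):
    """Return (message id, source IP, HELO) for arrivals whose HELO claims
    to be this server while the connection came from a foreign address."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery lines, rejections, etc.
        # When no separate (helo) is logged, the HELO equalled the host name.
        # An IP-literal HELO is logged as ([a.b.c.d]); strip the brackets.
        helo = (m["helo"] or m["host"] or "").strip("[]").lower()
        if helo in ours and m["ip"] not in ours:
            hits.append((m["id"], m["ip"], helo))
    return hits

def hits_by_source(hits):
    """Count flagged messages per connecting IP to show who is flooding."""
    return Counter(ip for _id, ip, _helo in hits)

# Constructed sample log lines (not taken from the post).
SAMPLE_LOG = """\
2004-08-18 14:24:48 1AAAAA-000001-00 <= s1@example.net H=(192.0.2.10) [203.0.113.5] P=smtp S=1668 id=a@example.net
2004-08-18 14:24:49 1AAAAA-000002-00 <= s2@example.net H=([192.0.2.10]) [203.0.113.5] P=smtp S=1702
2004-08-18 14:24:50 1AAAAA-000003-00 <= user@example.com H=mx.example.com [198.51.100.7] P=esmtp S=2048
2004-08-18 14:24:51 1AAAAA-000004-00 <= local@example.org H=(mail.example.org) [192.0.2.10] P=smtp S=900
2004-08-18 14:24:52 1AAAAA-000004-00 => bob <bob@example.org> R=localuser T=local_delivery
""".splitlines()

if __name__ == "__main__":
    found = forged_self_helo(SAMPLE_LOG)
    for msg_id, ip, helo in found:
        print(f"{msg_id}: HELO {helo} from {ip}")
    print(hits_by_source(found).most_common())
```
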