I've touched on this in earlier discussions. There's a class of
spammer who creates thousands, or tens of thousands, of domain names,
it seems on a conveyor-belt basis, all of which look up to IP
addresses which are registered to the spammer and already blacklisted,
for example at Spews or SBL. However, the RHSBL registers simply
cannot keep up with their conveyor belt of new domains, so the chance
of recognising these domains by looking in an RHSBL is rather small.
Let's leave aside for the moment the policy question of whether it
would be wise to reject on the basis of a Spews or SBL listing (as it
happens, we create local blacklists, using Spews and SBL for guidance,
rather than for outright rejection). What I'd like to discuss here is
how to actually implement such a block in exim4.
What we've done so far (and I think I've mentioned this in earlier
discussions) is to add our local IP-based blacklist (ignore_spammers)
to the "bogons" list that is consulted like so:
lookuphost:
  driver = dnslookup
  qualify_single = false
  domains = ! +local_domains
  # hosts matching any of these lists are discarded; if nothing is
  # left, the router declines
  ignore_target_hosts = 127.0.0.0/8 : CONFIG_DIR/bogon-bn-agg.txt \
                        : CONFIG_DIR/ignore_spammers
  transport = remote_smtp
If this router declines, we fall into a driver=redirect router which,
for non-local hosts, reports that we could find no way to route to
that domain.
The effect of this is that when we do verify=sender (no callout
needed), these spammer domains will fail sender verification.
Unfortunately, we can't then tell the difference between domains that
are unreachable on the basis of the bogons list itself, and those that
we're "pretending" are unreachable because their MX resolves to a
spammer IP. They all get logged and reported as unreachable domains.
Which confuses us, on occasion; and even more so it confuses the
victims of a false positive hit.
I'm no great wiz when it comes to routers. Does this look to be an
appropriate technique (it seems otherwise to do what we were aiming[1]
to do) and if so, can the recipe be improved so that it reports the
difference between bogons and spammers, at least in its own log,
preferably also in the report to the caller?
thanks
[1] Including preventing us from sending mail to such addresses ;-)
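One way to get the distinction the post asks for, added here as an editor's example rather than the poster's own configuration: keep the lookuphost router as it is, and put a second dnslookup router behind it that ignores only the bogon list. That second router is reached only when lookuphost has already declined, so if it finds a usable host, the host can only have come from ignore_spammers. Marking it verify_only keeps it out of real deliveries (so mail to those domains still cannot be sent), and fail_verify turns its acceptance into a verification failure whose message carries the router's name, which is what separates the two cases in the log. The example assumes the same macros and lists as the post (CONFIG_DIR, bogon-bn-agg.txt, ignore_spammers, +local_domains) and a remote_smtp transport; the router and ACL names, the :fail: text and the ACL wording are the editor's.

```exim
# Added example, not the poster's configuration. Exim tries routers top
# to bottom, so the order of these three matters.

# 1. Normal outbound routing. Hosts on the bogon list OR the local
#    spammer list are discarded; a domain whose hosts are all on either
#    list is left with no usable host, and the router declines.
lookuphost:
  driver = dnslookup
  qualify_single = false
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8 : CONFIG_DIR/bogon-bn-agg.txt \
                        : CONFIG_DIR/ignore_spammers
  transport = remote_smtp

# 2. Same lookup, discarding only bogons. Reached only after router 1
#    declined, so any host it finds must be on ignore_spammers.
#    verify_only: never used for a real delivery (no transport needed).
#    fail_verify: accepting the address during verification makes the
#    verification fail, with a message that names this router.
spammer_hosts:
  driver = dnslookup
  qualify_single = false
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8 : CONFIG_DIR/bogon-bn-agg.txt
  verify_only
  fail_verify = true

# 3. Whatever is still unrouted had no host at all, or only bogon hosts:
#    the catch-all redirect router the post already describes. Spammer
#    domains also land here on real delivery attempts, because router 2
#    is skipped outside verification.
no_route:
  driver = redirect
  domains = ! +local_domains
  allow_fail
  data = :fail: no route to $domain (no usable MX or A record)

# In the MAIL (or RCPT) ACL, surface the router's message so the log and
# the response to the sending host show which case was hit.
acl_check_mail:
  deny    ! verify = sender
          log_message = sender verify failed: $acl_verify_message
          message = Sender verification failed: $acl_verify_message
  accept
```

Check the behaviour before relying on it: "exim -bvs user@spammer.example" should report the failure from the spammer_hosts router, while an address whose hosts are only on the bogon list should fall through to the no_route message, and "exim -d+route -bvs ..." shows which router made the decision. The exact wording that fail_verify produces is Exim's, not something set in this configuration, so confirm it on the running version before teaching anyone to grep for it.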