Re: [exim] MessageLabs 554 SMTP synchronisation error

Author: Renaud Allard
Date:  
To: exim-users
CC: Mark
Subject: Re: [exim] MessageLabs 554 SMTP synchronisation error
What I actually do is set a very short timeout of 1 sec:
rfc1413_hosts = *
rfc1413_query_timeout = 1s

It is not too much of a burden to wait as little as 1 sec, and it can help reject some squid/cacheflow-based spam.

My ACL looks like this:

drop
  condition       = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
  message         = Rejected - appears to be an unsecured proxy: $sender_ident


It may not be worth doing considering the small amount of spam I catch this way, but I prefer not having to scan the mail with SpamAssassin when I can afford to detect it earlier. Ident only wastes a network socket for one second, while SpamAssassin wastes much more. And as some of my other antispam techniques rely on delaying mails if they meet some criteria, it's really not much of a burden to have it wait 1 more second.


On Wed, 13 Jul 2005 12:00:01 +0100
exim-users-request@??? wrote:

> From: Mark <hamster@???>
> To: "Alan J. Flavell" <a.flavell@???>
> Cc: Exim users list <exim-users@???>
> Subject: Re: [exim] MessageLabs 554 SMTP synchronisation error
> Date: Wed, 13 Jul 2005 09:15:17 +0100
>
> On Tue, 2005-07-12 at 14:20 +0100, Alan J. Flavell wrote:
> > On Tue, 12 Jul 2005, Ian FREISLICH wrote:
> >
> > > Out of interest what proportion of your logs have useful ident data?
> >
> > Depends what you mean by "useful".
> >
> > I give you these, for example:
> >
> > 2005-07-06 22:51:54 H=(corporation.net) [168.187.205.3] U=CacheFlow Server
> > F=<enquiryghstvi@???> rejected RCPT
> > Rejected - appears to be an unsecured proxy: CacheFlow Server
> >
> > 2005-07-07 18:03:25 H=(mailhub.vianetworks.nl) [194.250.136.80]
> > U=squid F=<jmazlpop@???> rejected RCPT
> > Rejected - appears to be an unsecured proxy: squid
> >
> > There's still (years after this problem was first exposed) a moderate
> > number of such rejections in our log. In due course the IPs in
> > question turn up in blacklists (and indeed both of those IPs are well
> > and truly blacklisted now), and could be rejected on that or on other
> > grounds, but these characteristic idents seem to be a sure-fire
> > rejection, on the assumption that no-one is seriously going to run
> > their MTA with a user name of "squid", let alone "CacheFlow Server".
>
> Under those conditions it would seem to be more sensible to bring the
> ident lookup into an acl (is that possible?) and only test hosts on the
> various dynamic IP lists.
>
> --
> Mark <hamster@???>



--
Nikademus
http://www.octools.com

.O.
..O
OOO

PGP key: http://www.llorien.org/gnupg/key.pub
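
Added example, not part of the original message or of Exim: a small Python script that answers the question quoted above ("what proportion of your logs have useful ident data?") by tallying the `U=` field in Exim log lines and flagging the two proxy idents named in the thread. The sample lines are constructed (documentation IP ranges, example domains) and assume one log entry per line with the `U=` field written as in the quoted entries.

```python
import re
from collections import Counter

# Ident strings the thread treats as an unsecured proxy rather than an MTA.
# Exact match, like the eq{} test in the ACL above.
PROXY_IDENTS = {"CacheFlow Server", "squid"}

IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
# An ident may contain spaces ("CacheFlow Server"), so U= runs up to the
# next " X=" style field, the word "rejected", or end of line.
IDENT_RE = re.compile(r" U=(.+?)(?= [A-Za-z]{1,3}=| rejected |$)")

def parse_line(line):
    """Return (ip, ident); either is None when the field is absent."""
    ip = IP_RE.search(line)
    ident = IDENT_RE.search(line)
    return (ip.group(1) if ip else None,
            ident.group(1) if ident else None)

def summarize(lines):
    """Count lines with a remote IP, those carrying ident data, and proxy hits."""
    total = with_ident = 0
    proxy_hits = Counter()
    for line in lines:
        ip, ident = parse_line(line)
        if ip is None:          # not a line about a remote host
            continue
        total += 1
        if ident is None:       # ident refused, timed out, or not queried
            continue
        with_ident += 1
        if ident in PROXY_IDENTS:
            proxy_hits[(ip, ident)] += 1
    return {"connections": total, "with_ident": with_ident,
            "proxy_hits": proxy_hits}

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "2005-07-06 22:51:54 H=(corporation.example) [192.0.2.3] U=CacheFlow Server "
    "F=<a@example.org> rejected RCPT <b@example.net>: Rejected - appears to be an unsecured proxy: CacheFlow Server",
    "2005-07-07 18:03:25 H=(mailhub.example) [198.51.100.80] U=squid "
    "F=<c@example.org> rejected RCPT <d@example.net>: Rejected - appears to be an unsecured proxy: squid",
    "2005-07-07 18:05:10 H=mx.example.org [203.0.113.9] U=exim "
    "F=<e@example.org> rejected RCPT <f@example.net>: relay not permitted",
    "2005-07-07 18:06:00 H=(dsl.example) [203.0.113.77] "
    "F=<g@example.org> rejected RCPT <h@example.net>: relay not permitted",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```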