Re: [exim] How to Reject Remote Mail Server Imposters (to se…

Author: Ilan Aisic
Date:  
To: Herb Martin
CC: exim-users
Subject: Re: [exim] How to Reject Remote Mail Server Imposters (to self)
This is great. Tx!
I've already started to incorporate some of the rules provided by
Suresh and Mark who wrote on this before, but this seems much more
comprehensive.

--ilan

On 8/3/05, Herb Martin <HerbM@???> wrote:
> > As we know, spammers often fake their identity and their mail
> > server/ratware fakes their identity as well.
> > I've noticed that occasionally I get spam that is supposedly
> > sent from my own server (tivon1.pointer.co.il) but clearly
> > arrives from an outside IP address.
>
> I filtered these recently and was SHOCKED how much spam was
> hit by simply blocking on my "own server name" and "my
> own server address" given the HELO.
>
> > I've written a rule in SpamAssassin that rejects this kind of
> > spam but I think it really should be stopped inside Exim.
>
> It should be stopped at the SMTP transaction, before even
> accepting the email.
>
> acl_check_helo:
> accept hosts = : +KNOWN_HOSTS
>
> deny    message = HELO/EHLO with my ip address60. You are not me.
>     log_message = -- HELO/EHLO my ip
>       condition = ${if match {$sender_helo_name}{68.178.144.60} {yes}{no}}
>
> deny    message = HELO/EHLO with my domain name. You are not LearnQuick.
>     log_message = -- HELO/EHLO learnquick.com
>       condition = ${if match {$sender_helo_name}{learnquick.com} {yes}{no}}
>
> deny    message = Fine, then the mail I accept is also none
>     log_message = -- HELO/EHLO none
>       condition = ${if match {$sender_helo_name}{none} {yes}{no}}
>
> deny    message = You're not localhost--your admin misconfigured your email server.
>     log_message = -- HELO/EHLO localhost
>       condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}
>
> accept
> ######################################
> acl_check_mail:
>
> accept authenticated = *
> accept hosts = : +KNOWN_HOSTS
>
> .ifdef RBL
> accept  message = X-whitelisted-at: $dnslist_domain
>              dnslists = ALL_DNS_WHITELISTS
> .endif  RBL
>
> #Stopping Spam in the ACL <http://vamos-wentworth.org/exim-tricks.html>
> deny    message = Invalid HELO. Your SMTP server is misconfigured.
>       condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
>
> ### The following three checks were too aggressive for DENY, so
> ### I set to warn, and use them to drive Greylist checks...
>
> warn    message = -- not listed as reverse record.
>           log_message = -- WARN: not listed as reverse record.
>         !verify = reverse_host_lookup
>
> warn    message = -- listed invalid HELO.
>           log_message = -- WARN: listed invalid HELO.
>         !verify = helo
>
> .ifdef RBL
> warn    message = X-blacklisted-at: $dnslist_domain
>        dnslists = ALL_DNS_BLACKLISTS
> .endif RBL
> accept
>
> The combinations of simple sanity checks, other SMTP checks,
> and then blacklists to drive greylisting is FAR better than
> I expected -- and all before we get to SpamAssassin and custom
> filters....
>
> Herb Martin, MCT, MCSD, MCSE, MVP
> HerbM@??? http://LearnQuick.Com
> 512 388 7339 -or- 1 800 MCSE PRO
> Accelerated MCSE in a Week Seminars
>
> > -----Original Message-----
> > From: exim-users-bounces@???
> > [mailto:exim-users-bounces@exim.org] On Behalf Of Ilan Aisic
> > Sent: Wednesday, August 03, 2005 9:15 AM
> > To: exim-users@???
> > Subject: [exim] How to Reject Remote Mail Server Imposters (to self)
> >
> > Hi,
> > As we know, spammers often fake their identity and their mail
> > server/ratware fakes their identity as well.
> > I've noticed that occasionally I get spam that is supposedly
> > sent from my own server (tivon1.pointer.co.il) but clearly
> > arrives from an outside IP address.
> > I've written a rule in SpamAssassin that rejects this kind of
> > spam but I think it really should be stopped inside Exim.
> > See the short log snippet below where you can see that the
> > mail was sent from a dynamic comcast.net address but the
> > server had the audacity in the "helo" command to identify
> > itself as "tivon1.pointer.co.il".
> > My Exim is configured to require sender verify but apparently
> > it does not include "server" verify. Is there a
> > command/parameter for this?
> >
> > -------------  exim log snippet starts ------------
> > 2005-08-01 00:59:03 1DzLpi-0006TB-7u
> > H=c-24-131-41-83.hsd1.ga.comcast.net (tivon1.pointer.co.il)
> > [24.131.41.83] F=<atqnscjukax@???> rejected after DATA:
> > - Classified as spam (scored 28.8 points). Congratulations!
> > Envelope-from: <atqnscjukax@???>
> > Envelope-to: <alex@???>
> > P Received: from c-24-131-41-83.hsd1.ga.comcast.net ([24.131.41.83]
> > helo=tivon1.pointer.co.il)
> >       by tivon1.pointer.co.il with smtp (Exim 4.50)
> >       id 1DzLpi-0006TB-7u
> >       for alex@???; Mon, 01 Aug 2005 00:58:58 +0300
> > F From: atqnscjukax@???
> > ------------- exim log snippet ends ------------
> >
> > --
> > Ilan Aisic
> > Registered Linux User 8124 http://counter.li.org
> >
> > --
> > ## List details at http://www.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
> >
--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org
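The HELO sanity checks in the quoted ACL (our own IP, our own name, the literal words "none" and "localhost", a name with no dot) can also be run after the fact over the Exim main log to measure how much traffic they would have caught before switching them from warn to deny. The script below is an added example, not Herb's ACL, Exim code or anything from the thread: it applies those checks in Python and scans `H=rdns (helo) [ip]` fields from log lines. `OUR_HOSTNAMES`, `OUR_DOMAINS`, `OUR_ADDRESSES`, `OUR_NETWORKS` and all sample log lines except the first (which is taken from the original post, with its elided addresses left as `???`) are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed identity of "our" server. Only tivon1.pointer.co.il comes from the
# thread; the addresses are RFC 5737 documentation ranges chosen for the example.
OUR_HOSTNAMES = {"tivon1.pointer.co.il"}
OUR_DOMAINS = {"pointer.co.il"}
OUR_ADDRESSES = {"192.0.2.25"}
OUR_NETWORKS = [ip_network("192.0.2.0/24")]  # clients here may legitimately use our names

# Exim's H= field: "H=rdns (helo) [ip]", "H=rdns [ip]" when HELO equals the
# reverse name, or "H=(helo) [ip]" when the client has no reverse DNS.
H_FIELD = re.compile(
    r"H=(?:(?P<rdns>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)


def check_helo(helo, client_ip):
    """Return the reasons this HELO would be rejected (empty list means it passes)."""
    reasons = []
    name = helo.strip().lower()
    # An address literal such as [203.0.113.9] is compared without its brackets.
    bare = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    client = ip_address(client_ip)
    client_is_ours = any(client in net for net in OUR_NETWORKS)

    if bare in OUR_ADDRESSES and not client_is_ours:
        reasons.append("HELO is our IP address from a foreign client")
    claims_our_name = bare in OUR_HOSTNAMES or any(
        bare == d or bare.endswith("." + d) for d in OUR_DOMAINS
    )
    if claims_our_name and not client_is_ours:
        reasons.append("HELO is our host/domain name from a foreign client")
    if bare in ("none", "localhost"):
        reasons.append("HELO is '%s'" % bare)
    try:
        ip_address(bare)
        is_literal = True
    except ValueError:
        is_literal = False
    if not is_literal and "." not in bare:
        reasons.append("HELO has no dot (not a FQDN)")
    return reasons


def parse_connection(line):
    """Extract (rdns, helo, ip) from an Exim main-log line, or None without an H= field."""
    m = H_FIELD.search(line)
    if not m:
        return None
    # When Exim omits the parenthesised HELO, it was identical to the reverse name.
    helo = m.group("helo") if m.group("helo") is not None else m.group("rdns")
    return m.group("rdns"), helo, m.group("ip")


def scan_log(lines):
    """Return [(ip, helo, reasons)] for every line whose HELO fails a check."""
    hits = []
    for line in lines:
        parsed = parse_connection(line)
        if parsed is None:
            continue
        _rdns, helo, ip = parsed
        reasons = check_helo(helo, ip)
        if reasons:
            hits.append((ip, helo, reasons))
    return hits


SAMPLE_LOG = [
    # From the original post: a Comcast dynamic address claiming to be our own host.
    "2005-08-01 00:59:03 1DzLpi-0006TB-7u H=c-24-131-41-83.hsd1.ga.comcast.net "
    "(tivon1.pointer.co.il) [24.131.41.83] F=<atqnscjukax@???> rejected after DATA",
    # Constructed: no reverse DNS, HELO localhost.
    "2005-08-01 01:02:10 H=(localhost) [203.0.113.9] F=<x@example.org> rejected RCPT",
    # Constructed: legitimate peer whose HELO equals its reverse name.
    "2005-08-01 01:05:44 1DzLqX-0006Tc-Aa <= a@example.net H=mail.example.net "
    "[198.51.100.7] P=esmtp S=1234",
    # Constructed: one of our own hosts using our domain name, which is allowed.
    "2005-08-01 01:07:01 1DzLr1-0006Th-Bb <= me@pointer.co.il H=(tivon2.pointer.co.il) "
    "[192.0.2.40] P=esmtp S=999",
]

if __name__ == "__main__":
    for ip, helo, reasons in scan_log(SAMPLE_LOG):
        print("%-16s helo=%-24s %s" % (ip, helo, "; ".join(reasons)))
```

Run against a real main log (`scan_log(open("/var/log/exim4/mainlog"))`), the hit list shows which of the checks fire on which clients, which is the evidence to decide, as Herb did, which checks are safe as `deny` and which belong in a `warn` feeding greylisting.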