[exim] IPs which spam for many, many, domains

Author: Alan J. Flavell
Date:
To: Exim users list
Subject: [exim] IPs which spam for many, many, domains

We have quite a number of mechanisms for resisting spam: this note is
only about one of them, and in fact one which we don't use a lot,
although when it's needed, it seems to be rather effective. It's this:


There are certain IPs which are registered via MX records for
hundreds, or thousands, of domains under the control of a spammer.
Some of these indeed seem to be operated by spammers who create new
domains on a production-line basis.

We couldn't keep up with blacklisting the domain names; but one way
that kept them out was to treat their IP address(es) in the same way as
bogons are treated, i.e. like the ignore_spammers entry in this router:


lookuphost:
  driver = dnslookup
  qualify_single = false
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8 : CONFIG_DIR/bogon-bn-agg.txt \
                         : CONFIG_DIR/ignore_spammers
  transport = remote_smtp



This not only prevents incoming mail from being accepted from them
(because "verify sender" is caused to fail as a consequence) - it also
causes any attempt by our users to communicate with these domains to
be treated as bogons and failed.


But that's a bit crude - it means that any attempt to communicate will
fall through that router, and be handled by the unknown_domain router,
which produces the report:


    I could not deliver your mail to $local_part@$domain because
    I can't find any way to route email to "$domain". Sorry! 



- regardless of whether that's really a bogon (in which case the
report is fair enough), or it has been listed by us as an inveterate
spammer under the arrangements noted above (in which case the message
is quite misleading).


So I'm looking for some way to disambiguate these reports. If we
stay with the same mechanism, I suppose we can insert an extra router
before the unknown_domains, which is only activated for IP entries in
the ignore_spammers list, and produces a more-appropriate error
report.
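
One way to build that extra router, as an added example that is not from the original post: it sits between lookuphost and unknown_domain, resolves the domain's MX hosts with a dnsdb lookup, and fails the address with a specific message when one of their addresses is in the ignore_spammers file. It assumes the file holds one IP address or CIDR range per line (readable by both the host list and an iplsearch lookup) and uses the mxh dnsdb type and the forany condition of Exim 4.

```exim
# Added example router (not from the original post). Place it after
# lookuphost and before unknown_domain, so it only sees domains that
# lookuphost already declined because all of their hosts were ignored.
spammer_domain:
  driver = redirect
  domains = ! +local_domains
  # Assumption: CONFIG_DIR/ignore_spammers holds one IP address or CIDR
  # range per line, so the same file serves ignore_target_hosts and
  # the net-iplsearch lookup below.
  # Outer loop: every MX host of $domain (mxh = MX names, no priority).
  # Inner loop: every A record of that host, checked against the list.
  condition = ${if forany{${lookup dnsdb{>: mxh=$domain}}}\
                {forany{${lookup dnsdb{>: a=$item}}}\
                  {match_ip{$item}{net-iplsearch;CONFIG_DIR/ignore_spammers}}}}
  # When the condition is true the address fails with a specific bounce
  # text (this also fails sender verification for incoming mail from
  # those domains); otherwise the router declines and unknown_domain
  # reports as before.
  allow_fail
  data = :fail: Mail for "$domain" is refused: its mail hosts are on our list of persistent spam sources
```

Domains that have no MX record, where lookuphost falls back to the A record of the domain itself, are not covered by this condition; the inner loop would need to run over a=$domain as well.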

But maybe someone has a better approach than this to dealing with the
original problem, namely the conveyor belt of thousands of spamming
domains which all resolve to IP address(es) which are under control of
the spammer...?

thanks