Sherwood Botsford wrote:
> In light of the system filter, I would like to do lookups. E.g.
>
> # Exim Filter
>
> if foranyaddress $recipients (${lookup{$thisaddress}lsearch{/opt/exim/spamtrap}{yes}{no}} is yes)
> then
> save /var/mail/spamtrap
> endif
>
> ... where /opt/exim/spamtrap is a set of false addresses inserted into our webpage.
>
>
> Or would this be better done in an ACL?

IMNSHO, it would be better done with a reject at RCPT time and a 'warn'
or 'logwrite'.
Bounce/Error message not recommended.
Lower overhead, negligible storage needed.
A periodic grep of the ~/exim/rejectlog against a file of your chosen
'false addresses' would then harvest the 'alleged' mx and IP from whence
the offenders [pretend to be | are] arriving.

    grep -f <flat file of offender addresses> /var/log/exim/rejectlog

Or *all* offenders:

    grep 'rejected RCPT' /var/log/exim/rejectlog

Sample of an actual log entry (two line breaks inserted manually):
=========================
2005-11-02 05:22:58 H=(cm4123.red.mundo-r.com) [213.60.4.123]
F=<convolutelymancatnip@???>
rejected RCPT <keilholz@???>
==========================
Traffic for the non-existent addressee above arrived from nine
different apparent origins over a 3-day period.
Probably some donkey-orifice's pet Win-zombie farm, as no such address
has ever existed, fake or otherwise.
Bounces are not a good idea - they just trigger a flood of collateral spam.
YMMV.
Bill Hacker
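
The periodic rejectlog harvest described in the reply above, as an added example that is not part of the original message: it tallies rejected RCPT hits on trap addresses per connecting IP, taking the IP from the standalone bracketed field rather than from the sender-chosen HELO. The function name, file names and sample lines are constructed for illustration, and each log entry is assumed to be on one line as Exim writes it.

```shell
#!/bin/sh
# trap_sources TRAPFILE REJECTLOG  (hypothetical helper, not an Exim tool)
# Prints "hits ip host recipient" for each rejected RCPT whose recipient is
# listed in TRAPFILE, busiest source first.
trap_sources() {
    awk '
        # First file: trap addresses, one per line (lsearch keys; an optional
        # ":" and data after the key are ignored, as are comments and blanks).
        FILENAME == ARGV[1] {
            if ($0 ~ /^[ \t]*#/ || NF == 0) next
            key = $1; sub(/:.*$/, "", key)
            traps[tolower(key)] = 1
            next
        }
        # Second file: the reject log.
        / rejected RCPT </ {
            rcpt = $0
            sub(/^.* rejected RCPT </, "", rcpt); sub(/>.*$/, "", rcpt)
            rcpt = tolower(rcpt)
            if (!(rcpt in traps)) next
            ip = "-"; host = "-"
            # The connecting IP is a field of its own, "[addr]". A HELO given
            # as an address literal is logged inside H=(...) and is skipped,
            # as is a "[pid]" field (no "." or ":" in it).
            for (i = 1; i <= NF && ip == "-"; i++) {
                if ($i ~ /^H=/) host = substr($i, 3)
                if ($i ~ /^\[[0-9A-Fa-f]*[.:][0-9A-Fa-f.:]*\]/) {
                    ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
                }
            }
            hits[ip " " host " " rcpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" "$2" | sort -rn
}

# Constructed sample data (documentation addresses, not real log entries).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# planted on the web page' 'bait1@example.org' \
    'Bait2@example.org: added 2005-10' > "$demo_dir/spamtrap"
cat > "$demo_dir/rejectlog" <<'EOF'
2005-11-02 05:22:58 H=(host-a.example.net) [192.0.2.10] F=<x@example.com> rejected RCPT <bait1@example.org>
2005-11-02 05:23:40 H=(host-a.example.net) [192.0.2.10] F=<y@example.com> rejected RCPT <bait1@example.org>
2005-11-02 06:01:12 H=([203.0.113.99]) [198.51.100.7] F=<z@example.com> rejected RCPT <BAIT2@example.org>
2005-11-02 06:05:00 H=(host-c.example.net) [203.0.113.5] F=<q@example.com> rejected RCPT <typo@example.org>
EOF
trap_sources "$demo_dir/spamtrap" "$demo_dir/rejectlog"
```

The host column is whatever the client claimed in HELO, so only the IP column is usable for blocking or reporting.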