Re: [GB] [exim] Spam Block Idea Implementation.

Página Inicial
Delete this message
Reply to this message
Autor: Mar Matthias Darin
Data:  
Para: exim-users
Assunto: Re: [GB] [exim] Spam Block Idea Implementation.
Hello,

I had the same issue. Below is what I did. Works like a charm.

begin acl

acl_check_rcpt:
 deny    local_parts   = ^.*[@%!/|] : ^\\.
         message       = Unknown user 


 accept  local_parts   = postmaster
         domains       = +local_domains 


 accept  local_parts   = abuse
         domains       = +local_domains 


 warn    condition     = ${lookup 
{${lc:$sender_helo_name}}lsearch{/usr/exim/MyIP}{yes}{no}}
         condition     = ${lookup 
{${lc:$sender_host_address}}lsearch{/usr/exim/MyIP}{no}{yes}}
         message       = X-Helo: Forgery - Helo Name |$sender_host_address| 
|$sender_helo_name| |$sender_ident| 


 warn    condition     = ${lookup 
{${lc:$sender_address_domain}}lsearch{/usr/exim/MyIP}{yes}{no}}
         condition     = ${lookup 
{${lc:$sender_host_address}}lsearch{/usr/exim/MyIP}{no}{yes}}
         message       = X-Helo: Forgery - Domain Address 
|$sender_host_address| |$sender_helo_name| |$sender_ident| 


 warn    condition     = ${if eq 
{${lc:$sender_helo_name}}{${lc:$domain}}{no}{yes}}
         message       = X-Sender-Domain-Verify: Failed 


 warn    condition     = ${if eq 
{${lc:$sender_helo_name}}{${lc:$sender_address_domain}}{no}{yes}}
         message       = X-Sender-Domain-Verify: Failed 


 warn    condition     = ${if match 
{${lc:$sender_ident}}{\Nsquid|cacheflow\N}{yes}{no}}
         message       = X-OpenRelay: $sender_ident 


 warn    !verify       = sender/callout
         message       = X-Sender-Verify: Failed 


 warn    !verify       = reverse_host_lookup
         message       = X-Reverse-DNS: Failed 


 warn    message       = X-MXRate: Recomendation: $dnslist_text
         dnslists      = pub.mxrate.net 


 warn    message       = X-OpenRelayDB: Listed in 
$dnslist_domain/$dnslist_text
         dnslists      = relays.ordb.org/reject 


 warn    message       = X-BlackList: Listed in 
$dnslist_domain/$dnslist_text
         dnslists      = opm.blitzed.org: cbl.abuseat.org: list.dsbl.org: 
multihop.dsbl.org: sbl-xbl.spamhaus.org: virbl.dnsbl.bit.nl: 
bulk.rhs.mailpolice.com: porn.rhs.mailpolice.com: block.rhs.mailpolice.com: 
dynamic.rhs.mailpolice.com: dsn.rfc-ignorant.org: 
postmaster.rfc-ignorant.org: abuse.rfc-ignorant.org: 
bogusmx.rfc-ignorant.org: bl.spamcop.net: dnsbl.njabl.org: dnsbl.sorbs.net: 
multi.surbl.org: multi.uribl.com: combined-hib.dnsiplists.completewhois.com 


 accept  domains       = +relay_to_domains
         recipients    = * 


 accept  hosts         = +relay_from_hosts
         endpass
 deny    message       = Unknown user 


 deny    message       = Unknown user 



and as the LAST router (oblivion is my spamtrap user account):

spamtrap:
driver = redirect
caseful_local_part = TRUE
headers_add ="X-Status: Unknown user, possible dictionary attack"
file = /home/oblivion/.forward
user = oblivion
no_verify
no_expn
check_ancestor
allow_filter
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply


Thats it... no additional transports. Its simple and effective. I use the
additional headers for filtering.

Hope that helps.



Sherwood Botsford writes:

> As you may remember in the last episode, I was looking for a way to
> create a spamtrap by salting false addresses for web harvesters,
> then rejecting out of hand any message that contained the false recipient.
>
> This is what I did:
>
> In acl_check_rcpt: (acl_smtp_rcpt)
>
>  accept domains = +local_domains
>           recipients = /opt/exim/spamtrap
>           set acl_m0 = "SpamTrap" 

>
> ... rest of content
>
> in acl_check_content: (acl_smtp_data)
> acl_check_content:
>
>   deny message = "Addressed to non-existent recipient"
>        condition = ${if  match \
>                         {$acl_m0} \
>                         {"SpamTrap"} \
>                         {1}{0}} 

>
> ... rest of content.
>
>
> This works.
>
> However I would like to do something less severe than denying it.
> Say, perhaps save a copy of it to a file, so that I can check through it and see if it
> is doing what I think it is.
>
> I haven't been able to configure a router to deal with a message. Routers, by their nature
> seem to deal with addresses.
>
> So, for example, this router does not do what I want:
> spamtrap_router:
>    driver = accept
>    domains = +local_domains
>    condition = { match {$acl_m0}{"SpamTrap"}}
>    transport = spamtrap_transport