Re: [exim] Malware bounce filtering

Author: Bill Hacker
Date:  
To: exim-users
Subject: Re: [exim] Malware bounce filtering
Marc Sherman wrote:

> Dave Lugo wrote:
>
>>BATV would be my preferred solution. I've seen at least one
>>example for exim mentioned in this list's archives. It's not
>>perfect, but it pretty much kills bogus bounces.
>
>
> The OP already rejected a signature-based solution, because he doesn't
> control all valid originators of mail claiming to come from his domain.
> This is a Hard Problem, I think.
>
> - Marc
>
>
>


Needn't be so. Sometimes we forget the value of BFBI.

Modern servers have pretty broad shoulders.

Why not simply 'accept' them as early and as rapidly as possible,

- then divert them directly to sequestered storage, skipping any test
but the minimum needed to ID them.

In 'batch mode', unrelated to Exim, run a grep'ish filter to see if any
are worth looking at.

Reviewed or not, save them all for, say, one week.
One might need to peruse them in response to a customer complaint.
Then logrotate them to /dev/null.

BFBI method of accepting fast, handling later may take fewer machine
resources, tie up a connection for less time, than more complex
incoming tests. Storage is cheap, and eminently reusable. Nothing
important breaks if you don't look at them for several weeks.

Or ever.

Bill Hacker
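
The batch step described in the message above, sketched as an added example (not code from the original post or from Exim). It assumes one sequestered bounce per file in a spool directory, and that "worth looking at" means the bounce quotes a Message-ID minted by your own host; the host name `mail.example.org` and the sample messages are constructed.

```shell
#!/bin/sh
# Batch triage of sequestered bounces, run from cron, independent of the MTA.
# Assumptions (not from the post): one message per file under a spool
# directory, and "worth looking at" means the bounce quotes a Message-ID
# minted by our own host (hypothetical name mail.example.org).

# List bounces whose quoted original carries a Message-ID from host $2.
triage_bounces() {
    # Escape dots so the host name is matched literally in the regex.
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    find "$1" -type f -exec \
        grep -liE "^[[:space:]>]*Message-ID:.*@${host_re}>" {} + | sort
}

# Delete sequestered bounces older than $2 days (the post suggests a week).
purge_old() {
    find "$1" -type f -mtime +"$2" -exec rm -f {} +
}

# Constructed sample spool: one genuine bounce, one forged, one stale.
make_sample_spool() {
    spool=$(mktemp -d) || return 1
    cat > "$spool/genuine" <<'EOF'
From: MAILER-DAEMON@remote.example.net
Subject: Undelivered Mail Returned to Sender

--- original message headers ---
Message-ID: <20240101.1234@mail.example.org>
From: alice@example.org
EOF
    cat > "$spool/forged" <<'EOF'
From: MAILER-DAEMON@remote.example.net
Subject: Virus found in message you sent

--- original message headers ---
Message-ID: <abc123@dsl-host.example.com>
From: alice@example.org
EOF
    cp "$spool/forged" "$spool/stale"
    touch -t 200001010000 "$spool/stale"   # force an old mtime
    printf '%s\n' "$spool"
}

spool=$(make_sample_spool)
purge_old "$spool" 7
triage_bounces "$spool" mail.example.org
rm -rf "$spool"
```

The Message-ID test only sorts the pile for review; a forger who has seen one of your real Message-IDs can copy the host part, so flagged files are candidates, not verified bounces.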