Author: Bill Hacker
Date:
To: exim-users
Subject: Re: [exim] Malware bounce filtering
Marc Sherman wrote:
> Dave Lugo wrote:
>
>>BATV would be my preferred solution. I've seen at least one
>>example for exim mentioned in this list's archives. It's not
>>perfect, but it pretty much kills bogus bounces.
>
>
> The OP already rejected a signature-based solution, because he doesn't
> control all valid originators of mail claiming to come from his domain.
> This is a Hard Problem, I think.
>
> - Marc
>
>
>
Needn't be so. Sometimes we forget the value of BFBI.
Modern servers have pretty broad shoulders.
Why not simply 'accept' them as early and as rapidly as possible,
then divert them directly to sequestered storage, skipping any test
but the minimum needed to ID them?
In 'batch mode', unrelated to Exim, run a grep'ish filter to see if any
are worth looking at.
Reviewed or not, save them all for, say, one week.
One might need to peruse them in response to a customer complaint.
Then logrotate them to /dev/null.
The BFBI method of accepting fast and handling later may take fewer machine
resources, and tie up a connection for less time, than more complex
incoming tests. Storage is cheap, and eminently reusable. Nothing
important breaks if you don't look at them for several weeks.
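
One way to run the batch side of the approach described above, as an added example that is not part of the original post. It assumes the diverted bounces are stored one message per file in a single directory; the function names, directory layout and sample messages are constructed for illustration.

```shell
#!/bin/sh
# Batch handling of a sequestered bounce store, run from cron, outside Exim.
# Assumption (not from the post): one message per file under the store dir.

# "grep'ish filter": list messages matching an extended regex,
# case-insensitively. $1 = store directory, $2 = ERE of interest.
triage_bounces() {
    find "$1" -type f -exec grep -l -i -E -e "$2" {} + || true
}

# Customer complaint lookup: list messages that mention an address.
# -F treats the address as a literal string, so dots are not wildcards.
find_for_address() {
    find "$1" -type f -exec grep -l -i -F -e "$2" {} + || true
}

# Retention: delete everything older than $2 days, reviewed or not.
# Prints the number of messages removed.
purge_old() {
    find "$1" -type f -mtime +"$2" -print -exec rm -f {} + | wc -l | tr -d ' '
}

# Constructed sample store: two bounces, the second with an old mtime.
make_sample_store() {
    d=$(mktemp -d)
    printf 'From: MAILER-DAEMON@mx.example.net\nSubject: Virus found in your mail\n\nTo: alice@example.com\n' > "$d/msg1"
    printf 'From: MAILER-DAEMON@mx.example.org\nSubject: Delivery failed\n\nFinal-Recipient: rfc822; bob@example.com\n' > "$d/msg2"
    touch -t 200001010000 "$d/msg2"
    printf '%s\n' "$d"
}

# Typical cron usage (paths are placeholders):
#   triage_bounces /path/to/store 'virus|malware|infected' > review.list
#   purge_old /path/to/store 7
```
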