Re: [exim] Am I an open relay or aren't I?

Author: Marc Perkel
Date:  
To: Daniel
CC: exim-users
Subject: Re: [exim] Am I an open relay or aren't I?


Daniel wrote:
> I have two mail servers. The primary is here in our office, the
> secondary in our NOC just in case our primary pipe goes down. The
> thing is, even if the primary is up and working, the secondary server
> gets an awful lot of mail -- nearly all of it spam as best I can tell.
> Most of it, if it's to an existing user, is accepted because we don't
> have any anti-spam stuff installed yet, but it's the following log
> entries that have me concerned.
>
> Below you'll find what appears to be an attempt by someone in Russia
> pretending to be from someone else in Russia sending stuff to users
> that don't exist in our system. The secondary server appears to be
> bouncing these mails back to the fake sender -- obviously something
> Bad, but I'm not sure how to stop it as it all looks legit.
> Suggestions?


You need spam filtering on the backup server as well. There are a number
of tricks you can do to reduce spam on the backups. A lot of spammers go
for the highest MX first because the backup servers often don't have
spam filtering.

I have 3 layers of MX records. My highest one always returns DEFER just
to keep me from having to process the spam. That in itself will cut your
spam quite a bit. Also use the various block lists like spamhaus.

Anyhow - one of my tricks. Create a third MX that is higher than the
other two. Then add this ACL

defer   log_message = Spammer Connected to FAKE highest MX record
        condition   = ${if match{$interface_address}{69.50.231.7}{true}{false}}

then add this:

# --- Look up in a few choice primary blacklists. Must be after authenticated tests.

drop    message  = REJECTED - ${sender_host_address} is blacklisted at \
                   $dnslist_domain ($dnslist_value); See ${dnslist_text}
        dnslists = sbl-xbl.spamhaus.org/<;$sender_host_address;$sender_address_domain
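To show where the two fragments above belong in a working configuration, here is an added example of a complete ACL layout; it is not Marc's own config. It assumes the decoy highest-priority MX is bound to the placeholder address 192.0.2.10 (substitute your own), uses an `eq` string comparison rather than the regex `match` for the interface check, and names the ACLs `acl_check_connect` and `acl_check_rcpt`, which are the assumed names wired up in the main section.

```exim
# Added illustration, not from the original post. Placeholder address and ACL
# names are assumptions; adapt them to your own setup.

# Main section: bind the ACLs to the connect and RCPT stages.
acl_smtp_connect = acl_check_connect
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  # Any client that connects to the decoy MX address gets a 4xx temporary
  # failure at connect time. A real MTA simply retries a lower-numbered
  # (real) MX; spam aimed straight at the highest MX never reaches RCPT.
  defer   log_message = Spammer connected to FAKE highest MX record
          condition   = ${if eq{$interface_address}{192.0.2.10}{yes}{no}}

  accept

acl_check_rcpt:
  # Local (non-SMTP) input and authenticated clients are exempt from the
  # blacklist lookup, which is why the DNSBL rule must come after these.
  accept  hosts = :
  accept  authenticated = *

  # Reject and close the connection when the connecting host or the sender
  # domain is listed. "message" is the SMTP reply the client sees;
  # $dnslist_domain, $dnslist_value and $dnslist_text describe the hit.
  drop    message  = REJECTED - $sender_host_address is blacklisted at \
                     $dnslist_domain ($dnslist_value); See $dnslist_text
          dnslists = sbl-xbl.spamhaus.org/<;$sender_host_address;$sender_address_domain

  accept
```

The ordering matters: the connect-stage defer runs before any recipient is known, so the decoy MX never queues or bounces anything, and the DNSBL drop sits behind the local and authenticated accepts so your own users are never blocked by a listed home IP.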