Re: [exim] Excessive amount of SPAM

Author: Walt Reed
Date:  
To: Jess Mooers
CC: exim users
Subject: Re: [exim] Excessive amount of SPAM
On Wed, May 24, 2006 at 06:19:37PM -0500, Jess Mooers said:
> Peter Bowyer <peter@???> wrote on Wednesday, May 24, 2006:
>
> >On 24/05/06, Walt Reed <exim@???> wrote:
> >> On Wed, May 24, 2006 at 03:36:40PM -0500, Jess Mooers said:
> >> > Installed according to these specs
> >> >       http://maxo.captainnet.net/ecm2/index.html
> >> > I have followed the above url instructions with the exception of putting ASSP in front of
> >> > Exim.  I have ASSP trained to detect [SPAM] and prepend the subject as such.
> >> >
> >> > I have the following DNSBLs set up in Exim
> >> >  deny     message        = DNSBL listed at $dnslist_domain\n$dnslist_text
> >> >           dnslists       = sbl-xbl.spamhaus.org : \
> >> >                            relays.ordb.org : \
> >> >                            dnsbl.njabl.org : \
> >> >                            list.dsbl.org : \
> >> >                            bl.spamcop.net : \
> >> >                            dnsbl.ahbl.org : \
> >> >                            cn-kr.blackholes.us : \
> >> >                            dynablock.njabl.org
> >> >
> >> > I am still getting a ton of [SPAM] through. ASSP is detecting most of it as spam, so I
> >> > know that is working. With my old mailserver you could specify server wide spam rules, like
> >> > if the subject contains a certain word, then deny the message. Does anyone know how to do
> >> > this with Exim so that they are not delivered or if it is even possible at all?
> >>
> >> In the exim manual:
> >>
> >> See section 11.9, Expansion variables, and look at $header_
> >> See also section 39.5, the DATA ACL's, and 39.20, "condition".
> >>
> >> Be aware: Once ASSP has accepted the message and forwarded it to exim,
> >> you should NOT NOT NOT bounce the spam as it results in collateral
> >> damage. It is MUCH better to reject the spam outright - this means that
> >> it should be rejected by ASSP.
> >>
> >> Frankly, everything that assp does, exim can do, so it seems silly to
> >> put it out front and then have exim do all the same stuff AGAIN.
> >
> >Assuming I've understood ASSP correctly, the DNSBL tests you've got in
> >Exim are redundant - every connection Exim sees is from the ASSP
> >proxy, so it's too late to do any connection-time blocking in Exim
> >(something Exim is very good at).
>
> So it sounds like you guys are suggesting that I just use Exim without ASSP, but many of these messages are going to get past the dnsbls.
>
> So what do you do with all of those messages? How do you detect what is spam beyond the dnsbl and how do you handle them so that they are not delivered?
>
> Thanks for the help. I do appreciate it. It looks like this is a very active community, which is great.


I would suggest that you set up clamav and spamassassin in Exim itself. Plain
spamassassin by itself (the default configuration) is fairly weak - you
will find that you need to bump up the score values and whatnot. You
will probably get better help on tuning spamassassin on the spamassassin
mailing lists than here.

Some people like to use the DNSBL's in spamassassin and assign a score,
others outright deny.


Here are a few things I put in my rcpt ACL that help (this is not a
complete ACL section - just a few select parts.) I use a few
whitelists on some domains that behave badly. I only deny outright from a few
DNSBL's that have proven to me to be reasonable and reliable. The rest
are scored inside spamassassin.

  # No HELO/EHLO at all (or an empty one) - reject the recipient
  deny condition = ${if or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}{yes}{no}}
       message = RFCs mandate HELO/EHLO before mail can be sent

  # Remote host claims to be this server's own IP address in HELO
  drop message = Forged IP detected in HELO: $sender_helo_name
       log_message = Forged IP detected in HELO: $sender_helo_name
       condition = ${if eq{$sender_helo_name}{64.222.230.220}{yes}{no}}

  # Remote host claims to be this server's own hostname in HELO
  drop message = Forged hostname detected in HELO: $sender_helo_name
       log_message = Forged hostname detected in HELO: $sender_helo_name
       condition = ${if eq{$sender_helo_name}{my.hostname.com}{yes}{no}}

  # Outright rejection on the few DNSBLs I trust; everything else is
  # scored in spamassassin. Whitelisted hosts skip this check.
  drop ! hosts = /etc/exim4/whitelist
       message = Rejected: $sender_host_address listed at $dnslist_domain
       log_message = Message Rejected: $sender_host_address listed at $dnslist_domain.
       dnslists = sbl-xbl.spamhaus.org : dynablock.njabl.org : relays.ordb.org

# If you are using a freemail address, it's got to come from freemail servers.
# $sender_host_name is the reverse-DNS name of the connecting host; the
# condition is true (and the mail is deferred) when it does NOT end in the
# provider's domain. Note that a host with no reverse DNS has an empty
# $sender_host_name and is deferred too. The dots are escaped so they
# match a literal "." rather than any character.

  defer ! hosts = /etc/exim4/whitelist
        message = Forged Yahoo mail.
        log_message = Forged Yahoo mail.
        senders = *@yahoo.com
        condition = ${if match {$sender_host_name}{\Nyahoo\.com$\N}{no}{yes}}

  defer ! hosts = /etc/exim4/whitelist
        message = Forged hotmail.
        log_message = Forged hotmail.
        senders = *@hotmail.com
        condition = ${if match {$sender_host_name}{\Nhotmail\.com$\N}{no}{yes}}

  defer ! hosts = /etc/exim4/whitelist
        message = Forged MSN mail.
        log_message = Forged MSN mail.
        senders = *@msn.com
        condition = ${if match {$sender_host_name}{\N(hotmail|msn)\.com$\N}{no}{yes}}

  defer ! hosts = /etc/exim4/whitelist
        message = Forged AOL mail.
        log_message = Forged AOL mail.
        senders = *@aol.com
        condition = ${if match {$sender_host_name}{\Naol\.com$\N}{no}{yes}}



In my data acl I have:

  # Reject anything clamav flags; defer_ok means a scanner outage does not
  # block mail (the message is accepted unscanned rather than deferred)
  deny message = This message contains a virus ($malware_name)
       malware = */defer_ok

  # Don't spam check authenticated users
  accept authenticated = *

  # Scan with spamassassin (as user "nobody"); ":true" makes the spam
  # condition always succeed so the warn fires and the header is added.
  # Messages over 80k are not scanned at all.
  warn message = X-Spam-Score: $spam_score ($spam_bar)
       condition = ${if <{$message_size}{80k}{1}{0}}
       spam = nobody:true

  # Only attach the full report when the score is at least 1.0
  # ($spam_score_int is the score multiplied by ten)
  warn message = X-Spam-Report: $spam_report
       condition = ${if <{$message_size}{80k}{1}{0}}
       condition = ${if >{$spam_score_int}{10}{1}{0}}
       spam = nobody:true

  # Let whitelisted spam through
  accept hosts = /etc/exim4/whitelist
  accept senders = /etc/exim4/whitelist.senders
  accept sender_domains = /etc/exim4/whitelist.domains

  # Reject at SMTP time (no bounce is generated) when the score is 8.0 or more
  deny message = This message looks like spam - see http://mydomain.com/block/
       log_message = Big spam score $spam_score - $spam_report
       spam = nobody:true
       condition = ${if >{$spam_score_int}{80}{1}{0}}

  accept


Note: There tends to be a lot of controversy in spamblocking. I
actually do a lot more than the above, but some things are probably too
aggressive for a corporate mailserver, and some things I deny are allowed
in the RFC's.

See section 40.2 in the manual for spamassassin and the exim wiki for
more info that others have contributed.
http://www.exim.org/eximwiki/
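The server-wide subject rule Jess asked about (reject any message whose Subject carries the upstream [SPAM] tag), written as a DATA ACL. This is an added example, not code from the original post or from the Exim documentation; the ACL name acl_check_data, the whitelist file paths and the blocked phrase are assumptions. It uses `$h_subject:` (the short form of `$header_subject:` from section 11.9) with the `match` condition, and `add_header` in place of the older `warn message =` form, which requires Exim 4.64 or later. Because a deny in the DATA ACL is an SMTP rejection before the message is accepted, Exim itself never bounces; the thread's caveat still applies, though: if a proxy such as ASSP in front of Exim has already accepted the message, the proxy is what will bounce it, so this only avoids backscatter when Exim is the Internet-facing MTA.

```exim
# --- main configuration section ---
# Name of the ACL run at the end of DATA (name is an assumption)
acl_smtp_data = acl_check_data

begin acl

acl_check_data:

  # Authenticated submissions from our own users are never content-filtered
  accept authenticated = *

  # Whitelists override every check below (paths are assumptions)
  accept hosts = /etc/exim4/whitelist
  accept senders = /etc/exim4/whitelist.senders

  # Reject messages an upstream filter has already tagged in the Subject.
  # \N...\N keeps Exim from expanding the regex; PCRE sees ^\s*\[SPAM\]
  deny message = Message tagged as spam by content filter
       log_message = rejected: Subject tagged [SPAM], sender $sender_address
       condition = ${if match{$h_subject:}{\N^\s*\[SPAM\]\N}}

  # Same mechanism for any phrase to block server-wide (case-insensitive;
  # the phrase itself is a placeholder)
  deny message = Subject matches a blocked phrase
       log_message = rejected: blocked phrase in Subject "$h_subject:"
       condition = ${if match{$h_subject:}{\N(?i)\bBLOCKED PHRASE\b\N}}

  # Reject on virus hit; defer_ok accepts unscanned if clamav is down
  deny message = This message contains a virus ($malware_name)
       malware = */defer_ok

  # Score everything else with spamd (as user "nobody"); messages over
  # 80k are skipped. add_header needs Exim 4.64+.
  warn spam = nobody:true
       condition = ${if <{$message_size}{80k}}
       add_header = X-Spam-Score: $spam_score ($spam_bar)

  # $spam_score_int is the score times ten, so 80 means 8.0.
  # A deny here is a 550 at DATA time, so no bounce is generated by Exim.
  deny message = This message looks like spam (score $spam_score)
       log_message = spam score $spam_score - $spam_report
       spam = nobody:true
       condition = ${if <{$message_size}{80k}}
       condition = ${if >{$spam_score_int}{80}}

  accept
```

Check the regex without sending real mail: `exim -be '${if match{[SPAM] test subject}{\N^\s*\[SPAM\]\N}}'` prints `true`, and `exim -bh 192.0.2.1` runs a simulated SMTP session through the ACLs so you can confirm the deny fires at DATA and not after acceptance.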