Re: [exim] Excessive amount of SPAM

Author: Marc Sherman
Date:  
To: exim-users
Subject: Re: [exim] Excessive amount of SPAM
Walt Reed wrote:
>   deny condition = ${if or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}{yes}{no}}
>           message = RFCs mandate HELO/EHLO before mail can be sent
How would you ever see this in Exim? Wouldn't exim drop the connection
with a synch error before ever hitting this ACL?

>   drop message = Forged IP detected in HELO: $sender_helo_name
>        log_message = Forged IP detected in HELO: $sender_helo_name
>        condition = ${if eq{$sender_helo_name}{64.222.230.220}{yes}{no}}

>
>   drop message = Forged hostname detected in HELO: $sender_helo_name
>        log_message = Forged hostname detected in HELO: $sender_helo_name
>        condition = ${if eq{$sender_helo_name}{my.hostname.com}{yes}{no}}

>
>   drop    ! hosts = /etc/exim4/whitelist
>           message =  Rejected: $sender_host_address listed at $dnslist_domain
>           log_message =  Message Rejected: $sender_host_address listed at $dnslist_domain.
>           dnslists = sbl-xbl.spamhaus.org : dynablock.njabl.org : relays.orbd.org
Be careful with drops here; in general, you should only drop connections
that you are fairly certain are from broken zombies, not real SMTP
servers. A real SMTP server will just reconnect if it has any more mail
to send you (or any more recipients for the mail you've already
rejected, for that matter), and the drops will end up costing you more
system resources in the long run.

> #If you are using a freemail address, it's got to come from freemail servers
>
>   defer    ! hosts  = /etc/exim4/whitelist
>           message = Forged Yahoo mail.
>           log_message = Forged Yahoo mail.
>           senders = *@yahoo.com
>           condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
Defer seems dangerous for that, to me. It seems to be a test with a high
false-positive rate -- I know a lot of people who use free email
addresses for personal mail, but have MUAs set up to send mail from that
address through their work or ISP SMTP servers. By deferring those
messages, the sender won't find out about the problem for (usually) 5
days, and your server will keep getting hit by retries.

>   deny   message = This message looks like spam - see http://mydomain.com/block/
>        log_message = Big spam score $spam_score - $spam_report
>        spam = nobody:true
>        condition = ${if >{$spam_score_int}{80}{1}{0}}
8.0 is pretty aggressive for blocking, especially if you're using SARE
rules (which I've found tends to inflate scores). I'm denying at 12.0,
and quarantining between 4.0 and 12.0.

- Marc
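The three points the reply makes (deny rather than drop a DNS blocklist hit, tag rather than defer a freemail address that did not arrive via the provider, and keep a quarantine band below the reject threshold) written out as an Exim ACL fragment. This is an added editor's example, not configuration posted by either Walt Reed or Marc Sherman. The whitelist path, the `sbl-xbl.spamhaus.org` list, the `*@yahoo.com` test and the 4.0/12.0 thresholds are taken from the thread; the `X-*` header names, the `acl_check_*` names and the use of `control = freeze` to hold quarantined mail on the queue are assumptions. Check that any DNSBL you copy from an old thread is still operated before putting it in production.

```exim
# Added example: Exim ACLs following the advice in the reply.
# Assumed ACL names; wire them up with
#   acl_smtp_rcpt = acl_check_rcpt
#   acl_smtp_data = acl_check_data
# in the main section. Requires spamd for the "spam" condition.

acl_check_rcpt:

  # Blocklist hit: deny (5xx), not drop. A real MTA that happens to be listed
  # takes the rejection and moves on; a dropped connection makes it reconnect
  # for every remaining recipient, which costs more than the 5xx does.
  deny    ! hosts     = /etc/exim4/whitelist
          message     = Rejected: $sender_host_address listed at $dnslist_domain
          log_message = Rejected: $sender_host_address listed at $dnslist_domain
          dnslists    = sbl-xbl.spamhaus.org

  # Freemail sender not coming from the provider's own hosts: tag and log
  # instead of defer. Deferring stalls legitimate mail sent through a work
  # or ISP relay for the whole retry period; a header (assumed name) lets a
  # later filter weigh it without blocking delivery.
  warn    ! hosts     = /etc/exim4/whitelist
          senders     = *@yahoo.com
          condition   = ${if match {$sender_host_name}{\Nyahoo\.com$\N}{no}{yes}}
          add_header  = X-Freemail-Mismatch: $sender_address via $sender_host_address
          log_message = Freemail sender $sender_address not from provider host

  accept

acl_check_data:

  # Score once per message. $spam_score_int is the score multiplied by 10,
  # so 4.0 is 40 and 12.0 is 120. Header name is an assumption.
  warn    spam        = nobody:true
          add_header  = X-Spam-Score: $spam_score ($spam_bar)

  # Quarantine band, 4.0 <= score < 12.0: flag it and freeze it on the queue
  # for an operator to review and thaw. Nothing is bounced in this band.
  warn    condition   = ${if and{{>={$spam_score_int}{40}}{<{$spam_score_int}{120}}}}
          add_header  = X-Spam-Quarantine: yes
          log_message = Quarantined, spam score $spam_score
          control     = freeze

  # Reject band, score >= 12.0. A cutoff of 8.0 (80) rejects real mail once
  # SARE rules have inflated the scores.
  deny    condition   = ${if >={$spam_score_int}{120}}
          message     = This message looks like spam - see http://mydomain.com/block/
          log_message = Big spam score $spam_score - $spam_report

  accept
```

The rejection threshold is checked after the quarantine `warn`, so a message scoring 12.0 or more is frozen only if you remove the `deny`; in the order shown it is rejected outright at DATA, and only the 4.0 to 12.0 band ends up frozen.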