Walt Reed wrote:
> On Wed, May 24, 2006 at 06:19:37PM -0500, Jess Mooers said:
>
>
> deny condition = ${if or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}{yes}{no}}
> message = RFCs mandate HELO/EHLO before mail can be sent
>
I've tried the above myself and it just had too many FP and I had to
take it out. Amazing how many big companies have no helo or message ID.
> drop message = Forged IP detected in HELO: $sender_helo_name
> log_message = Forged IP detected in HELO: $sender_helo_name
> condition = ${if eq{$sender_helo_name}{64.222.230.220}{yes}{no}}
>
> drop message = Forged hostname detected in HELO: $sender_helo_name
> log_message = Forged hostname detected in HELO: $sender_helo_name
> condition = ${if eq{$sender_helo_name}{my.hostname.com}{yes}{no}}
>
> drop ! hosts = /etc/exim4/whitelist
> message = Rejected: $sender_host_address listed at $dnslist_domain
> log_message = Message Rejected: $sender_host_address listed at $dnslist_domain.
> dnslists = sbl-xbl.spamhaus.org : dynablock.njabl.org : relays.orbd.org
>
> #If you are using a freemail address, it's got to come from freemail servers
>
> defer ! hosts = /etc/exim4/whitelist
> message = Forged Yahoo mail.
> log_message = Forged Yahoo mail.
> senders = *@yahoo.com
> condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
>
> defer ! hosts = /etc/exim4/whitelist
> message = Forged hotmail.
> log_message = Forged hotmail.
> senders = *@hotmail.com
> condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
>
> defer ! hosts = /etc/exim4/whitelist
> message = Forged MSN mail.
> log_message = Forged MSN mail.
> senders = *@msn.com
> condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
>
> defer ! hosts = /etc/exim4/whitelist
> message = Forged AOL mail.
> log_message = Forged AOL mail.
> senders = *@aol.com
> condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}
>
These last 4 look interesting. I might have to try that.
>
> In my data acl I have:
>
> deny message = This message contains a virus ($malware_name)
> malware = */defer_ok
>
> # Don't spam check authenticated users
> accept authenticated = *
>
> warn message = X-Spam-Score: $spam_score ($spam_bar)
> condition = ${if <{$message_size}{80k}{1}{0}}
> spam = nobody:true
> warn message = X-Spam-Report: $spam_report
> condition = ${if <{$message_size}{80k}{1}{0}}
> condition = ${if >{$spam_score_int}{10}{1}{0}}
> spam = nobody:true
>
> # Let whitelisted spam through
> accept hosts = /etc/exim4/whitelist
> accept senders = /etc/exim4/whitelist.senders
> accept sender_domains = /etc/exim4/whitelist.domains
>
> deny message = This message looks like spam - see http://mydomain.com/block/
> log_message = Big spam score $spam_score - $spam_report
> spam = nobody:true
> condition = ${if >{$spam_score_int}{80}{1}{0}}
>
> accept
>
>
> Note: There tends to be a lot of controversy in spamblocking. I
> actually do a lot more than the above, but some things are probably too
> aggressive for a corporate mailserver, and some things I deny are allowed
> in the RFCs.
>
> See section 40.2 in the manual for spamassassin and the exim wiki for
> more info that others have contributed.
> http://www.exim.org/eximwiki/
>
>
We should all do more to get various spam blocking tricks in the wiki. I
think I'm going to go to the wiki and add a lot more of my tricks. If we
can classify them in an orderly way and have comments as to how
safe/unsafe they are, that would be great.
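To make the quoted ACL logic easy to reason about without an Exim install, here is an added example (not code from either poster) that re-implements the HELO-forgery checks and the "freemail must come from freemail servers" defer rules in plain Python and runs them over constructed SMTP session records. The local address 192.0.2.10, the hostname mx.example.net, the whitelist entry 198.51.100.7 and all sample sending hosts are made-up assumptions standing in for the 64.222.230.220 / my.hostname.com / /etc/exim4/whitelist values in the post. One deliberate difference from the quoted regexes such as `\Nyahoo.com$\N`: the dot there is unescaped and the start of the match is unanchored, so a reverse-DNS name like `notyahoo.com` would pass; the check below anchors on a literal dotted suffix, which is what the rule is aiming for.

```python
"""Added example: the HELO and freemail-origin ACL rules from the quoted
Exim configuration, expressed as ordered Python checks over constructed
session data. Not the posters' code; all host values are placeholders."""
import re
from dataclasses import dataclass

# Assumed local identity (stands in for 64.222.230.220 / my.hostname.com).
OUR_IP = "192.0.2.10"
OUR_HOSTNAME = "mx.example.net"

# Freemail sender domains and the reverse-DNS suffixes their outbound hosts
# are expected to carry, mirroring the four "defer" rules in the post.
FREEMAIL_ORIGINS = {
    "yahoo.com": ("yahoo.com",),
    "hotmail.com": ("hotmail.com",),
    "msn.com": ("hotmail.com", "msn.com"),
    "aol.com": ("aol.com",),
}

# Constructed stand-in for /etc/exim4/whitelist (hosts exempt from the defers).
WHITELIST_HOSTS = frozenset({"198.51.100.7"})


@dataclass
class Session:
    host_address: str  # $sender_host_address
    host_name: str     # $sender_host_name (reverse DNS; "" when none)
    helo_name: str     # $sender_helo_name ("" when no HELO/EHLO was sent)
    sender: str        # envelope sender (MAIL FROM)


def host_under(host_name: str, suffix: str) -> bool:
    """True when host_name equals suffix or is a subdomain of it.

    Equivalent to the regex (^|\\.)suffix$ with the dot escaped, i.e. the
    anchored form of the post's \\Nyahoo.com$\\N pattern."""
    pattern = r"(?:^|\.)" + re.escape(suffix) + r"$"
    return re.search(pattern, host_name.lower()) is not None


def sender_domain(address: str) -> str:
    """Domain part of an envelope sender, lower-cased; "" for a null sender."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def rcpt_acl(s: Session) -> str:
    """Evaluate the quoted rules in order and return the first verdict.

    Verdicts are "deny: ...", "drop: ...", "defer: ..." or "accept",
    matching the ACL verbs and messages in the post."""
    # deny condition = ${if or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}...}
    if s.helo_name == "":
        return "deny: RFCs mandate HELO/EHLO before mail can be sent"
    # drop ... condition = ${if eq{$sender_helo_name}{<our IP>}...}
    if s.helo_name == OUR_IP:
        return f"drop: Forged IP detected in HELO: {s.helo_name}"
    # drop ... condition = ${if eq{$sender_helo_name}{<our hostname>}...}
    # The post uses a case-sensitive eq; hostnames are case-insensitive, so
    # the comparison is folded here.
    if s.helo_name.lower() == OUR_HOSTNAME:
        return f"drop: Forged hostname detected in HELO: {s.helo_name}"
    # defer ! hosts = /etc/exim4/whitelist ; senders = *@<freemail>
    # condition = ${if match{$sender_host_name}{<suffix regex>}{no}{yes}}
    if s.host_address not in WHITELIST_HOSTS:
        domain = sender_domain(s.sender)
        suffixes = FREEMAIL_ORIGINS.get(domain)
        if suffixes and not any(host_under(s.host_name, sfx) for sfx in suffixes):
            return f"defer: Forged {domain} mail."
    return "accept"


def run_samples() -> list:
    """Run the rules over constructed sessions and return the verdicts."""
    samples = [
        Session("203.0.113.5", "", "", "a@example.org"),
        Session("203.0.113.5", "", "192.0.2.10", "a@example.org"),
        Session("203.0.113.5", "", "MX.EXAMPLE.NET", "a@example.org"),
        Session("203.0.113.5", "n1.bullet.mail.yahoo.com", "n1.bullet.mail.yahoo.com", "u@yahoo.com"),
        Session("203.0.113.6", "dsl-1-2-3-4.example.org", "friend", "u@yahoo.com"),
        Session("203.0.113.7", "notyahoo.com", "notyahoo.com", "u@yahoo.com"),
        Session("203.0.113.8", "bay0-omc1.hotmail.com", "bay0-omc1.hotmail.com", "u@msn.com"),
        Session("198.51.100.7", "", "relay", "u@aol.com"),
    ]
    return [rcpt_acl(s) for s in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The whitelisted 198.51.100.7 session shows why the `! hosts = /etc/exim4/whitelist` guard matters: a trusted relay with no reverse DNS would otherwise be deferred for every freemail sender it forwards, which is the kind of false positive the reply above mentions for the bare HELO rule.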