Re: [exim] Excessive amount of SPAM

Author: Marc Perkel
Date:  
CC: exim users
Subject: Re: [exim] Excessive amount of SPAM


Walt Reed wrote:
> On Wed, May 24, 2006 at 06:19:37PM -0500, Jess Mooers said:
>
>
>   deny condition = ${if or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}{yes}{no}}
>           message = RFCs mandate HELO/EHLO before mail can be sent
>

I've tried the above myself and it just had too many FPs and I had to
take it out. Amazing how many big companies have no HELO or message ID.
>   drop message = Forged IP detected in HELO: $sender_helo_name
>        log_message = Forged IP detected in HELO: $sender_helo_name
>        condition = ${if eq{$sender_helo_name}{64.222.230.220}{yes}{no}}
>
>   drop message = Forged hostname detected in HELO: $sender_helo_name
>        log_message = Forged hostname detected in HELO: $sender_helo_name
>        condition = ${if eq{$sender_helo_name}{my.hostname.com}{yes}{no}}
>
>   drop    ! hosts = /etc/exim4/whitelist
>           message =  Rejected: $sender_host_address listed at $dnslist_domain
>           log_message =  Message Rejected: $sender_host_address listed at $dnslist_domain.
>           dnslists = sbl-xbl.spamhaus.org : dynablock.njabl.org : relays.orbd.org
>
> #If you are using a freemail address, it's got to come from freemail servers
>
>   defer    ! hosts  = /etc/exim4/whitelist
>           message = Forged Yahoo mail.
>           log_message = Forged Yahoo mail.
>           senders = *@yahoo.com
>           condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
>
>   defer    ! hosts  = /etc/exim4/whitelist
>           message = Forged hotmail.
>           log_message = Forged hotmail.
>           senders = *@hotmail.com
>           condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
>
>   defer    ! hosts  = /etc/exim4/whitelist
>           message = Forged MSN mail.
>           log_message = Forged MSN mail.
>           senders = *@msn.com
>           condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
>
>   defer    ! hosts  = /etc/exim4/whitelist
>           message = Forged AOL mail.
>           log_message = Forged AOL mail.
>           senders = *@aol.com
>           condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}
>

These last 4 look interesting. I might have to try that.

>
> In my data acl I have:
>
>   deny message = This message contains a virus ($malware_name)
>      malware = */defer_ok
>
> # Don't spam check authenticated users
> accept authenticated = *
>
>   warn message = X-Spam-Score: $spam_score ($spam_bar)
>      condition = ${if <{$message_size}{80k}{1}{0}}
>      spam = nobody:true
>   warn message = X-Spam-Report: $spam_report
>      condition = ${if <{$message_size}{80k}{1}{0}}
>      condition = ${if >{$spam_score_int}{10}{1}{0}}
>      spam = nobody:true
>
> # Let whitelisted spam through
> accept hosts = /etc/exim4/whitelist
> accept senders = /etc/exim4/whitelist.senders
> accept sender_domains = /etc/exim4/whitelist.domains
>
>   deny   message = This message looks like spam - see http://mydomain.com/block/
>        log_message = Big spam score $spam_score - $spam_report
>        spam = nobody:true
>        condition = ${if >{$spam_score_int}{80}{1}{0}}
>
> accept
>
>
> Note: There tends to be a lot of controversy in spamblocking. I
> actually do a lot more than the above, but some things are probably too
> aggressive for a corporate mailserver, and some things I deny are allowed
> in the RFCs.
>
> See section 40.2 in the manual for spamassassin and the exim wiki for
> more info that others have contributed.
> http://www.exim.org/eximwiki/
>
>


We should all do more to get various spam blocking tricks in the wiki. I
think I'm going to go to the wiki and add a lot more of my tricks. If we
can classify them in an orderly way and have comments as to how
safe/unsafe they are that would be great.
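As an added example that is not part of this thread, the four freemail "defer" rules quoted above reduce to one check; the Python below (with constructed sample hosts, not real log data) implements it with a suffix-aware domain comparison and shows why the quoted unanchored pattern such as `yahoo.com$` lets a host like `notyahoo.com` through.

```python
import re

# Freemail sender domains and the reverse-DNS host suffixes the quoted ACL
# accepts for them (msn.com mail may arrive from hotmail or msn hosts).
FREEMAIL_RULES = {
    "yahoo.com": ("yahoo.com",),
    "hotmail.com": ("hotmail.com",),
    "msn.com": ("hotmail.com", "msn.com"),
    "aol.com": ("aol.com",),
}


def host_in_domain(host_name, domain):
    """True if host_name is domain itself or a subdomain of it.

    Case-insensitive and boundary-aware: 'notyahoo.com' is NOT inside
    'yahoo.com', and an empty name (no reverse DNS) never matches.
    """
    h = host_name.lower().rstrip(".")
    return bool(h) and (h == domain or h.endswith("." + domain))


def quoted_pattern_passes(host_name, domain):
    """Re-create the quoted Exim check ${if match {host}{domain$}}.

    The dot is unescaped and there is no left boundary, so this is only
    a loose suffix search; it is here to contrast with host_in_domain().
    """
    return re.search(domain + "$", host_name) is not None


def freemail_verdict(sender, sender_host_name, whitelisted=False):
    """Return 'defer' when a freemail sender arrives from a host outside
    the provider's network, else 'pass' (the rule does not fire).

    Mirrors the quoted rules: '! hosts = whitelist' skips the check,
    'senders = *@domain' selects the rule, and the host-name condition
    decides. Hosts with no reverse DNS are treated as forged, as in the
    ACL, so host_lookup must be enabled for this to be usable.
    """
    if whitelisted:
        return "pass"
    domain = sender.rpartition("@")[2].lower()
    allowed = FREEMAIL_RULES.get(domain)
    if allowed is None:
        return "pass"  # not a freemail domain this check covers
    if any(host_in_domain(sender_host_name, d) for d in allowed):
        return "pass"
    return "defer"
```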