Re: [exim] Filter by IP by domain ACL/filter assistance

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: W B Hacker
Dátum:  
Címzett: exim users
Tárgy: Re: [exim] Filter by IP by domain ACL/filter assistance
Jeremy Harris wrote:

> Tony Finch wrote:
>
>>I suggested using defer rather than deny because (a) they are spammers and
>>are unlikely to retry,
>
>
> I think (woolly-level feeling from watching mainlog and
> assorted graphs) that this is unfortunately becoming less
> so.
>
> Whether it's because zombies are starting to use system's
> configured smarthosts, or just spamware is being complexified,
> I can't say.
>
> - Jeremy
>


Second that observation - they do retry, for the last 8 months
or so, at least.

OTOH, these tend to come in 'waves' from a pool of dynamic /
allocated portable IP's and have other common defects , so can
be shed by assigning weighted demerit points for each of:

- failure to forward/reverse resolve IP/hostname at CONNECT.
     Demerits added


- forged / mismatched HELO.
     Demerits added


+ found in local whitelist (ex: NetSol idjuts).
     Skipped forward


- found in local black list at HELO.
     Terminated


- found in local blacklist at MAIL FROM.
     Terminated


- fail recipient at RECPT TO.
     Terminated


For surviving traffic, at RECPT TO we copy scores from acl_c(x)
to acl_m(x) variables, then pull corresponding per-user
threshold preferences from the user DB for further tests against:

- general protocol violations.
    above, plus MIME, format, syntax, attachment, RBL or AV hit


These will nail most bad-actors before need to invoke SA.

Then, in pre_data and DATA acl's:

- spam warning / X-header add score level

- spam quarantine / subject mod score level

- spam outright-discard score level

Where:

- the demerit points are weighted as to severity of the offense.

- 'terminated' may be deny/drop/discard, as appropriate

- optionally a variable delay is imposed.


Several things get 'immediately fatal' score-weights:

- HELO'ing as our own box

- forging the dozen or so largest ISP's

- local blacklist entry (IP or REGEX)

- forbidden attachment types

- trusted RBL hits

- ClamAV hits

Some tests have rather low demerits applied, simply because too
many otherwise-legit senders fail these.

As scores are cumulative, users with 'strict' preferences can
still block effectively when there are 'too many small things'
not right.

At near-zero false-positives, these tests consume a very small
fraction of the system resources SA would need if invoked
earlier / more often, and are far more effective.

Bill