Ruth Ivimey-Cook wrote:
> Folks,
>
> I found the discussion on spam filtering interesting. One thing I'm wondering
> about doing is to permanently deny connections from hosts that fail various
> tests - e.g. hosts that send me my own IP on HELO, or that don't have rDNS.
>
> I can see that including an IP in a condition of the connect acl would work. In
> fact I already have this in my setup, although the list I use here is a hand
> maintained one for irritating hosts, rather than spam per-se:
>
> acl_check_connect:
> deny message = mail not permitted from your IP: $address
> hosts = lsearch;/etc/exim/blacklist_host
>
> I'm wondering if there is a way to automatically add items to, and perhaps even
> expire older items from, the list that is searched on connect. This suggests
> some kind of mysql lookup rather than the cdb or lsearch approach. Mostly it
> would involve adding/expiring as a result of some other acl failure, I think.
>
> Has anyone done this and if so is there any experience or code you can share?
>
> Thanks
>
> Ruth
>
>
>
Yes to both methods, code snippets (watch out for MUA line-wrapping):
SQL:
set acl_c19 = ${lookup pgsql{INSERT into brownlist (pg_when, pg_why, \
pg_ip, pg_host, pg_where) VALUES \
('$tod_log','MBL','$sender_host_address','$sender_host_name','$dnslist_domain')}}
# where $tod_log can be some other format of timestamp, and/or you can let the
# DB do a timestamp. $dnslist_domain can be soemthing other as well.
.csv file (pulled into a spreadsheet):
logwrite = :panic:,NVR,$sender_host_address,$tod_epoch,$sender_host_name
## where the data is .csv formatted and written to /var/log/exim/paniclog
## 'NVR' is No Valid Recipient from an acl with !verify = recipient
Both methods, incidentally can then be used immediately as well, but a different
format is better for the paniclog if you are going to do that.
For merely 'irritating' hosts, a brownlist entry delays each phase of their
conection to just short of RFC defaults. Many give up and wander off in the
first 30 seconds or just over.
For more serious offenders, a regexp list holds partial strings that are checked
against by hostname, HELO, From: header, and envelope-from.
lsearch and wildlsearchused for that, not 'hosts' which likes to use DNS
callouts/cache. No point in callouts when you already know the offender has no
records.
Likewise IP-block lists, these searched with iplsearch, as some may contain /24's
'Proper' HELO by IP (brackets) is acceptable, but not by 'raw' IP. Arrivals
that HELO as our own box are dropped without further ado.
Action on rDNS fail, dynamic-IP, HELO mismatch, etc. is held-off until
acl_smtp_rcpt where we pull per-recipient prefs. 'sales', 'info', marketing' and
such normally allow lots of bad news, accounting, executive suite, engineering
staff are ordinarily far less forgiving.
HTH,
Bill
