[exim] Matching $sender_host_address to MX for $sender_addre…

Author: B. Johannessen
Date:  
To: exim-users
Subject: [exim] Matching $sender_host_address to MX for $sender_address_domain
I've come to the conclusion that identifying likely sources of spam is
not hard. What's hard is identifying legitimate traffic from likely
spam-sources. Based on this conclusion I've started working on tests to
help identify such traffic.

Two of the tests I'd like to try are:

1) Is the sending host an MX for the sender address domain?

2) Is the sending host in the same /24 as an MX for the sender address
domain?

To test this with Exim I've come up with the following two constructs:

1) ${if match_ip{$sender_host_address}{${lookup dnsdb{>: a=${lookup
dnsdb{>: mxh=$sender_address_domain}}}}}}

2) ${if match_ip{$sender_host_address}{${sg{${lookup dnsdb{>: a=${lookup
dnsdb{>: mxh=$sender_address_domain}}}}}{(([0-9]+\.)\{3\})[0-9]+}{\$\{1\}0/24}}}}

I find the above tests (particularly the second one) rather complex, so
I'd like to pose the following two questions to the list:

- Will the above two tests work as intended?

- Is there a less complex way to perform the tests?

I also welcome opinions on the usefulness of these tests, and to keep
such discussions relevant let me say a few words on how (and why)
they're intended to be used:

I find that a regex matching so-called generic rDNS is a very good
indication of a likely spam-source. The same goes for missing rDNS and
listings in "dial-up list"-type DNS blacklists. Unfortunately it has
become quite common for people to run mail servers (especially Exchange)
on standard ADSL/cable links with a fixed IP[1]. Such IPs frequently
trigger one or more of the generic-rdns/no-rdns/dul tests.

My plan is to use the sending-host/mx checks only when I get a match on
one of the generic-rdns/no-rdns/dul tests. The simplified logic would be:

(- When all other indicators are neutral; and)
- When the sending host tests positive for generic-rdns/no-rdns/dul
    - Unless sending host is MX for senders domain; or
    - Unless sending host is in the same /24 as an MX for senders domain
        - Reject


This is as I said a simplification. The real system scores each
test and rejects when the score is above the address owner's selected
threshold. This is also the reason I want the two tests. The idea is
that the first test gives a larger negative score than the second.


    Bob


[1] This is true in Norway at least, I don't know about the rest of the
world.
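The following is an added example, not part of the post above and not Exim code: it implements the same two tests (sending host is an MX for the sender domain; sending host is in the same /24 as such an MX) and the scoring idea in plain Python. DNS is replaced by a constructed in-memory fixture (FAKE_MX, FAKE_ADDR, using documentation addresses) so it runs offline; a real deployment would query DNS instead. It goes slightly beyond the Exim constructs in two ways: when a domain has no MX records it falls back to the domain's own address, as SMTP delivery does (RFC 5321 implicit MX), and it treats IPv6 separately, since a /24 is only meaningful for IPv4 and a colon-separated IPv6 address does not survive a colon-separated list. The score values in mx_score are arbitrary placeholders. One caveat a practitioner should keep in mind: the DNS for the sender's claimed domain is under the control of whoever owns that domain, so a spammer using his own domain can trivially point its MX at his sending host; the test only says something about hosts sending for domains they do not control.

```python
import ipaddress

# Constructed DNS fixture (not real data): MX host names per domain and
# A/AAAA records per host name. Replace with real lookups in practice.
FAKE_MX = {
    "example.net": ["mail1.example.net", "mail2.example.net"],
    "nomx.example": [],  # no MX records: implicit MX is the domain itself
}
FAKE_ADDR = {
    "mail1.example.net": ["192.0.2.10"],
    "mail2.example.net": ["198.51.100.20", "2001:db8::20"],
    "nomx.example": ["203.0.113.5"],
}


def mx_hosts(domain):
    """MX host names for a domain. With no MX records, fall back to the
    domain name itself (the RFC 5321 implicit MX), as delivery would."""
    hosts = FAKE_MX.get(domain, [])
    return hosts if hosts else [domain]


def mx_addresses(domain):
    """All addresses (v4 and v6) of all MX hosts for the sender domain."""
    addrs = []
    for host in mx_hosts(domain):
        for a in FAKE_ADDR.get(host, []):
            addrs.append(ipaddress.ip_address(a))
    return addrs


def is_mx_for_domain(sender_ip, domain):
    """Test 1: the sending host is itself an MX for the sender domain."""
    ip = ipaddress.ip_address(sender_ip)
    return ip in mx_addresses(domain)


def shares_mx_network(sender_ip, domain, v4_prefix=24, v6_prefix=64):
    """Test 2: the sending host sits in the same network as an MX.
    /24 applies to IPv4 only; for IPv6 a /64 is used (an assumption),
    and the two address families are never compared with each other."""
    ip = ipaddress.ip_address(sender_ip)
    for mx in mx_addresses(domain):
        if mx.version != ip.version:
            continue
        prefix = v4_prefix if mx.version == 4 else v6_prefix
        # strict=False lets us build the network from a host address
        net = ipaddress.ip_network(f"{mx}/{prefix}", strict=False)
        if ip in net:
            return True
    return False


def mx_score(sender_ip, domain, exact=-30, same_net=-10):
    """Negative score contribution: an exact MX match outweighs a
    same-network match. The values are placeholders, not the post's."""
    if is_mx_for_domain(sender_ip, domain):
        return exact
    if shares_mx_network(sender_ip, domain):
        return same_net
    return 0


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.net"),
                    ("192.0.2.11", "example.net"),
                    ("2001:db8::99", "example.net"),
                    ("203.0.113.5", "nomx.example"),
                    ("10.0.0.1", "example.net")]:
        print(ip, dom, is_mx_for_domain(ip, dom),
              shares_mx_network(ip, dom), mx_score(ip, dom))
```

The scores would be combined with the generic-rdns/no-rdns/dul results as the post describes; only the sign and relative size of the two MX contributions matter here, the actual numbers are the operator's choice.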