Re: [exim] Exim4 Spam

Markus Braun wrote:
>
>
>> From: W B Hacker <wbh@???>
>> To: exim-users@???
>> Subject: Re: [exim] Exim4 Spam
>> Date: Sat, 04 Nov 2006 05:55:49 +0800
>>
>> Marc Sherman wrote:
>>> Markus Braun wrote:
>>>>> Your exim logs "rejected RCPT". Why do you think you _get_ so much
>>>>> spam?
>>>> yes exim rejected it, but i want know if i can do anything else against
>>>> spam?
>>> What more do you want to do with it than reject it?
>>>
>>> - Marc
>>>
> okay nothing.
>
*snip*

There IS more you can do - but with CAVEATS:

- IF, log inspection reveals 'concentration' of malicious arrivals from within
identifiable IP blocks, you *may* elect to put some of them into firewall block
rules.

- The 'CAVEATS' are threefold:

First - Exim only needs to run ruleset tests when a connection arrives on one of
its ports, most often port 25.

The firewall, although more efficient and working with far simpler rules, must
check the ruleset 'tree' for *every* new connection, so you do not want to try
to duplicate an RBL list's entire zonefile - or even a small part of it.

Second - Once placed into a firewall ruleset, there is no longer any way for
*Exim* to 'whitelist' an IP, or even log an attempt. It can't see them.

Third - You need to be certain that no member of your user community is likely
to have a correspondent in, or travel/relocate to, the IP or IP block
firewalled. Easy for some, hard for others.

'80/20' rule, or even '90/10' usually applies.

20% or fewer of the chronic offenders will be responsible for 80% or more of all
such malicious arrivals. This will shift over time.

Used with care, prior inspection, and regular review - it can help a great deal.

"..with care.."

HTH,

Bill