Re: [exim] fascistic RCPT TO validation

Author: Stanislaw Halik
Date:
To: exim-users
Subject: Re: [exim] fascistic RCPT TO validation
You guys, you guys. You ain't gonna believe this!

An extremely high percentage of spambots send "MAIL FROM: <>" instead
of "MAIL FROM:<>". This appears to be a great way to distinguish between
real MTAs and sloppy imitations. To reduce false positives to a
negligible level, one can enable this check only for non-authenticated clients.

On my system, it looks like this:

acl_check_mail:

  # Unauthenticated clients must send the strict RFC 5321 form
  # "MAIL FROM:<...>" with no space between the colon and "<".
  drop    !condition    = ISAUTH
          !condition    = ${if match{$smtp_command}{\N^(?i)mail from:<[^ >]*>($| )\N}}
          message       = Syntax error.\nAllowed syntax: MAIL FROM:<reverse-path> [SP <mail-parameters> ] <CRLF>
          log_message   = Tried syntactically erroneous "$smtp_command"


acl_check_rcpt:

  # Same idea for RCPT TO, but only for recipients in our own domains;
  # authenticated clients have already been accepted earlier in this ACL.
  drop    domains       = +local_domains
          !condition    = ${if match{$smtp_command}{\N^(?i)rcpt to:<[^ >]+>$\N}}
          message       = I can break rules, too. Goodbye.
          log_message   = Tried syntactically erroneous "$smtp_command"


For the RCPT ACL case, it's positioned after accepting authenticated
clients.

The ISAUTH macro is declared as follows:

# true for SMTP AUTH sessions and for hosts that are allowed to relay
ISAUTH=${if or { {def:authenticated_id} {match_ip{$sender_host_address}{+relay_from_hosts}} }}

After getting this right, I got no mail-not-working complaints
whatsoever.

On my small (15K monthly accepted mails) system, I already got 3300
rejects in a period of 4 days!

Try this out. It is simple, yet it rejects an unusual amount of otherwise
indistinguishable zombie spam.
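To see exactly which commands the two ACL statements above would drop, here is an added Python simulation of the same checks run over constructed SMTP command lines; it is not part of the post or of Exim, and it assumes a stand-in local domain list (`example.com`) in place of `+local_domains`.

```python
import re

# Strict forms from the post (case-insensitive, no space after the colon).
MAIL_FROM_RE = re.compile(r"^mail from:<[^ >]*>($| )", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"^rcpt to:<[^ >]+>$", re.IGNORECASE)
# Lenient extraction of the address Exim would still parse into $domain.
ADDR_RE = re.compile(r"<\s*([^<>]*?)\s*>")
# Constructed stand-in for +local_domains (not from the post).
LOCAL_DOMAINS = {"example.com"}


def recipient_domain(command):
    """Domain part of the RCPT TO argument, even when the syntax is sloppy."""
    m = ADDR_RE.search(command)
    addr = m.group(1) if m else command.split(":", 1)[-1].strip()
    return addr.rpartition("@")[2].lower()


def check_command(command, authenticated=False):
    """Simulate the two drop statements; returns 'drop' or 'accept'."""
    verb = command.split(":", 1)[0].strip().upper()
    if verb == "MAIL FROM":
        # acl_check_mail: ISAUTH clients skip the syntax check entirely.
        if authenticated:
            return "accept"
        return "accept" if MAIL_FROM_RE.match(command) else "drop"
    if verb == "RCPT TO":
        # acl_check_rcpt: only local domains are covered, and authenticated
        # clients were accepted by an earlier statement in that ACL.
        if authenticated or recipient_domain(command) not in LOCAL_DOMAINS:
            return "accept"
        return "accept" if RCPT_TO_RE.match(command) else "drop"
    return "accept"  # other verbs are not touched by the post's ACLs


# Constructed sample commands (command, authenticated?), not a real session.
SAMPLES = [
    ("MAIL FROM:<>", False),
    ("MAIL FROM: <>", False),
    ("MAIL FROM: <>", True),
    ("MAIL FROM:<bounce@example.net> SIZE=1024", False),
    ("RCPT TO:<alice@example.com>", False),
    ("RCPT TO: <alice@example.com>", False),
    ("RCPT TO: <bob@example.net>", False),
]


def run_samples():
    """Verdict for every constructed sample, in order."""
    return [(cmd, auth, check_command(cmd, auth)) for cmd, auth in SAMPLES]
```

Note that the non-local "RCPT TO: <bob@example.net>" is accepted here only because the syntax rule does not apply to it; whether it is relayed at all is decided elsewhere in the RCPT ACL.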