You guys, you guys. You ain't gonna believe this!
An extremely high percentage of spambots send "MAIL FROM: <>" instead
of "MAIL FROM:<>". This appears to be a great way to distinguish between
real MTAs and sloppy imitations. To reduce false positives to a
negligible level, one can enable this check only for non-authenticated clients.
On my system, it looks like this:
acl_check_mail:
  drop  !condition = ISAUTH
        !condition = ${if match{$smtp_command}{\N^(?i)mail from:<[^ >]*>($| )\N}}
        message = Syntax error.\nAllowed syntax: MAIL FROM:<reverse-path> [SP <mail-parameters> ] <CRLF>
        log_message = Tried syntactically erroneous "$smtp_command"

acl_check_rcpt:
  drop  domains = +local_domains
        !condition = ${if match{$smtp_command}{\N^(?i)rcpt to:<[^ >]+>$\N}}
        message = I can break rules, too. Goodbye.
        log_message = Tried syntactically erroneous "$smtp_command"
For the RCPT ACL case, it's positioned after accepting authenticated
clients.
The ISAUTH macro is declared as follows:
ISAUTH=${if or { {def:authenticated_id} {match_ip{$sender_host_address}{+relay_from_hosts}} }}
After getting this right, I got no mail-not-working complaints
whatsoever.
On my small (15K monthly accepted mails) system, I already got 3300
rejects in a period of 4 days!
Try this out. Simple, yet rejects an unusual amount of otherwise
indistinguishable zombie spam.
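To see exactly which command lines the two ACL statements above would drop, here is a small Python transcription of them; this is an added illustration, not the poster's code and not anything shipped with Exim. The two regexes are copied from the ACL conditions (Exim's \N...\N only shields them from expansion, and the bodies are plain PCRE); the function names, the modelling of ISAUTH as a boolean, and every sample command line are constructed for the example.

```python
import re

# Patterns transcribed from the post's ACL conditions. The post's inline
# "(?i)" is replaced by re.IGNORECASE because Python 3.11+ rejects a global
# flag that is not at the very start of the pattern; the matching is the same.
MAIL_FROM_RE = re.compile(r"^mail from:<[^ >]*>($| )", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"^rcpt to:<[^ >]+>$", re.IGNORECASE)


def mail_from_syntax_ok(cmd: str) -> bool:
    """True when the MAIL command has a bracketed reverse-path (empty allowed),
    optionally followed by a space and ESMTP parameters."""
    return MAIL_FROM_RE.match(cmd) is not None


def rcpt_to_syntax_ok(cmd: str) -> bool:
    """True when the RCPT command is a non-empty bracketed forward-path and
    nothing else (the post's pattern anchors '$' right after '>')."""
    return RCPT_TO_RE.match(cmd) is not None


def acl_check_mail(cmd: str, is_auth: bool) -> str:
    """Mirror of the acl_check_mail statement: 'drop' fires only when both
    negated conditions hold (not authenticated AND bad syntax); otherwise
    the statement is skipped and the ACL continues with later statements.
    is_auth stands in for the ISAUTH macro (hypothetical boolean)."""
    if not is_auth and not mail_from_syntax_ok(cmd):
        return "drop"
    return "continue"


def acl_check_rcpt(cmd: str, is_auth: bool, domain_is_local: bool) -> str:
    """Mirror of the acl_check_rcpt statement. The post places it after the
    statement accepting authenticated clients, so an authenticated session
    never reaches it; that ordering is modelled by the is_auth test."""
    if is_auth:
        return "accept"
    if domain_is_local and not rcpt_to_syntax_ok(cmd):
        return "drop"
    return "continue"


# Constructed sample commands (not from any real log): (command, authenticated).
SAMPLE_MAIL = [
    ("MAIL FROM: <>", False),                          # the spambot tell
    ("MAIL FROM:<>", False),                           # correct null reverse-path
    ("MAIL FROM:<alice@example.com> SIZE=1024", False),  # parameters are allowed
    ("mail from:<alice@example.com>", False),          # lower case is fine
    ("MAIL FROM:alice@example.com", False),            # no angle brackets
    ("MAIL FROM: <bob@example.com>", True),            # authenticated: exempt
]

# Constructed sample RCPT commands: (command, authenticated, domain is local).
SAMPLE_RCPT = [
    ("RCPT TO:<carol@example.com>", False, True),
    ("RCPT TO: <carol@example.com>", False, True),
    ("RCPT TO:<>", False, True),
    ("RCPT TO:<carol@example.com> NOTIFY=SUCCESS", False, True),
    ("RCPT TO: <dave@example.net>", False, False),     # not a local domain
]


def verdicts_for_mail(samples=SAMPLE_MAIL) -> dict:
    """Map each sample MAIL command to the ACL outcome."""
    return {cmd: acl_check_mail(cmd, auth) for cmd, auth in samples}


def verdicts_for_rcpt(samples=SAMPLE_RCPT) -> dict:
    """Map each sample RCPT command to the ACL outcome."""
    return {cmd: acl_check_rcpt(cmd, auth, local) for cmd, auth, local in samples}


if __name__ == "__main__":
    for cmd, verdict in verdicts_for_mail().items():
        print(f"{verdict:8s} {cmd}")
    for cmd, verdict in verdicts_for_rcpt().items():
        print(f"{verdict:8s} {cmd}")
```

Running it shows the MAIL rule dropping "MAIL FROM: <>" and the bracket-less form while letting "MAIL FROM:<>" and a command with SIZE= through, because the MAIL pattern ends in "($| )". The RCPT pattern ends in "$" directly after ">", so a RCPT carrying ESMTP parameters (for instance the DSN extension's NOTIFY= from RFC 3461) is dropped for local domains as well; that is worth remembering when reading the resulting log_message entries.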