Re: [exim] Image spam stopping...

Author: Joseph
Date:  
To: exim users
Subject: Re: [exim] Image spam stopping...
W B Hacker wrote:
> Joseph wrote:
>> W B Hacker wrote:
>>> James Price wrote:
>>>> I've noticed and read up to confirm, most image spam comes in with the
>>>> following in the header. I have an ACL rule already in acl_smtp_mime as
>>>> follows:
>>>>
>>>> deny    message = Image SPAM detected: message denied
>>>>       condition = ${if eq{$mime_content_type}{multipart/related}{1}{0}}

>>>>
>>>>
>>>> I'm looking for this:
>>>> Content-Type: multipart/related;
>>>>     type="multipart/alternative";

>>>>
>>>> If I wanted to expand my rule above to also require matching of the
>>>> multipart/alternative, how would I do that since they're in the same string?
>>>>
>>>> If anyone has other more effective ideas to stop image spam, I'm open to
>>>> suggestions. The rule above has caused some issues with false positives for
>>>> me.
>>>>
>>>> Thanks,
>>>> James
>>>>
>>>
>>> But if you have a 'corporate' environment or other small user pools, as we do:
>>>
>>> In acl_smtp_rcpt phase, deny some or all graphical (or other) attachments with
>>> a message such as:
>>>
>>>     message     = \n Addressee accepts attachments, \
>>>                   \n ONLY by prior arrangement! \
>>>                   \n Send plaintext message first to arrange.

>>>
>>> - To make admin less painful, our 'to arrange' process is a simple directory
>>> search of our policy-mandated archive tree for prior outbound FROM our local
>>> addressee (the recipient) TO the now-arriving sender (envelope and/or From:).
>> Could we see an example of how this can be done?
>
> The above should be coupled with your choice of 'detection' parameters and
> allowable/banned choices.
>
>> The 'to arrange' part, how does the archive you refer to get created?
>>
>
> With 'unseen' routers, & appropriate transports, e.g:
>
> (router)
>
> # ROUTE_2D REMOTE: archiving of outbound traffic.
> #
> sentarchiver:
>    driver = dnslookup
>    domains = !+local_domains
>    transport = sent_archive_delivery
>    ignore_target_hosts = <whatever>
>    unseen


We do have this transport to see but it appears to just archive a copy, ok.

>
> awl_archiver:
>    driver = dnslookup
>    domains = !+local_domains
>    transport = awl_archive_delivery
>    ignore_target_hosts = <whatever>
>    # unseen, so that routing continues on to the real remote delivery router
>    unseen

>
>
> (transport)
>
> # TRANSPORT_3C REMOTE delivery AWL builder
> #
> awl_archive_delivery:
>    driver = appendfile
>    user = exim
>    group = mail
>    delivery_date_add
>    envelope_to_add
>    return_path_add
>    maildir_format = true
>    mode = 0770
>    directory = /<someplace>/${domain}
>    create_directory = true
>    directory_mode = 0770
>    no_mode_fail_narrower

>
> Note that this one only has per-domain granularity, not per-distant user (doable
> if need be).


It seems here, there will be a copy of every email sent or received,
archived, right?

I am assuming you have an acl that looks for directories which are names
of domains that would be whitelisted? What about purging them after a while?
What if you wanted to do it on a user basis?

User john@??? should be whitelisted for a week, i.e. since a local
user sends an email to john@???, once the expiration date is up, he
is no longer whitelisted...

Also, it seems wasteful of space to store the whole email just so
we can get the user or domain that we want to list.

Your suggestions are very useful Bill, Thanks.

regards, Joseph
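The "prior arrangement" check that the quoted routers and transport make possible, written out as an added example (not config from this thread or from Exim's documentation). It assumes the quoted awl_archive_delivery transport, which creates /<someplace>/<remote-domain> whenever a local user sends to that domain; /<someplace> stands for the real archive path, and the MIME-level test is James's original condition.

```exim
# Main section: run this ACL for every MIME part (needs WITH_CONTENT_SCAN).
acl_smtp_mime = acl_check_mime

begin acl

acl_check_mime:

  # A local user has already written to this sender's domain, so the
  # awl_archive_delivery transport created a directory for it.  Treat that
  # as the "prior arrangement" and accept every MIME part unconditionally.
  accept  condition = ${if exists{/<someplace>/${sender_address_domain}}{1}{0}}

  # Per-user variant (assumption: transport directory set to
  # /<someplace>/${domain}/${local_part} instead of /<someplace>/${domain}):
  # accept  condition = ${if exists{/<someplace>/${sender_address_domain}/${sender_address_local_part}}{1}{0}}

  # No prior outbound traffic to this domain: refuse the multipart/related
  # container that image spam uses, and tell the sender how to arrange.
  deny    message   = Image SPAM detected: message denied. \
                      \n Addressee accepts attachments ONLY by prior arrangement! \
                      \n Send a plaintext message first to arrange.
          condition = ${if eq{$mime_content_type}{multipart/related}{1}{0}}

  # Anything else passes; the ACL is re-run for the next MIME part.
  accept
```

Because the accept line is evaluated before the deny, a false positive on multipart/related is only possible for senders nobody local has ever written to.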