I've downloaded the Exim snapshot using a new feature in rate limiting
called noupdate. (Thanks to Graeme - you rock dude!) I hope to have
something working by the end of today.
The noupdate feature allows you to read a count without updating the
count. So one ACL can increment the counter and a different ACL can test it.
One of the side effects of greylisting is that it generally delays email
from people who are new. A lot of people consider this unacceptable.
What I'm going to develop will not have that problem and will be as
accurate at rejecting spam bots as other greylisting systems.
I'm using a similar method right now and I get no spambot spam at all. I
didn't even know what the new PDF spam was until I started forwarding
automated abuse complaints and saw it then. But what I'm about to do
will be all ACL based and in theory do an even better job.
The solution will involve having 3 IP addresses (or more) your
server(s). Generally normal servers will start at the lowest MX and
quickly move up the list withing a second if it fails (QMail being an
exception). The idea here is that if you touch the lowest MX IP first
then it opens up the next higher MX IP address to accept the message.
Touching the lowest MX will leave it open for an hour on the lowest MX
so qmail senders can get back in.
If someone hist the highest numbered MX then they are penalized for a
period of time so that all mail froim them is deferred until the penalty
period wears off. Generally real server will never hit the highest MX so
only the spam bots will be up there.
The idea behind this is that it requires the server be touched twice in
the proper order to get in. Spam bots try once and not in the proper
order. That's how the filter works.
So - will the spammers adapt? Maybe. But that will have to do 2
connection attempts and spammers do like to have to work for it. The
bottom line is - this works for me now. The Exim version will be even
better. And I'm open to ideas about how to improve it.