Re: [exim] X-originating-IP

Author: Mike Cardwell
Date:  
To: Exim Users List
Subject: Re: [exim] X-originating-IP
David Saez, Padros wrote:

>> I'm getting more and more spam from webmail sites like hotmail, and I
>> was wondering if it was possible to write an ACL to check the
>> X-originating-IP header against blacklists. I thought it would be a
>> simple task, but I've failed. Perhaps somebody could clue me in :-)
>
> the problem of using this is that many users have dynamically assigned
> IP addresses, so some users will get blacklisted IPs without having
> ever sent a virus or spam message, so take care to avoid using this on
> mailing list mail and trusted senders (you will need a good way to
> avoid false positives),


That's why I specified bl.spamcop.net and sbl-xbl.spamhaus.org, and not
an RBL that lists "dynamic" IPs, e.g. zen.spamhaus.org. The same applies
when looking up IPs in Received headers against RBLs.

> we use this:
>
>    # Blacklisted IP in X-Originating-IP:
>
>    warn    set acl_m2     =
>
>    warn    condition      = ${if def:h_x-originating-ip:}
>            set acl_m2     = ${sg {$h_x-originating-ip:}{(\\[|\\])}{}}
>
>    warn    condition      = ${if eq {$acl_m2}{}}
>            condition      = ${if def:h_x-mdremoteip:}
>            set acl_m2     = ${sg {$h_x-mdremoteip:}{(\\[|\\])}{}}
>
>    deny    condition      = ${if isip{$acl_m2}}
>            dnslists       = bl.spamcop.net/$acl_m2 : \
>                             sbl-xbl.spamhaus.org/$acl_m2 : \
>                             virbl.dnsbl.bit.nl/$acl_m2 : \
>                             list.dsbl.org/$acl_m2
>            message        = Originating IP listed at $dnslist_domain
>            log_message    = Blacklisted originating IP \
>                             ($acl_m2 listed at $dnslist_domain)
>


Some good tips in there. Here's a more compact untested version of what
you did that is more likely to be able to pull an IP address out of
those headers:

# Prefer X-Originating-IP; fall back to X-MDRemoteIP when it is absent/empty.
deny set acl_m2  = ${if eq{$h_x-originating-ip:}{}{$h_x-mdremoteip:}{$h_x-originating-ip:}}
     # Pull the first dotted quad out of the header (handles the "[a.b.c.d]" form).
     set acl_m2  = ${if match{$acl_m2}{\N(\d{1,3}(?:\.\d{1,3}){3})\N}{$1}{}}
     # Only proceed when what we extracted really is an IP address.
     condition   = ${if isip{$acl_m2}}
     dnslists    = bl.spamcop.net/$acl_m2 : \
                   sbl-xbl.spamhaus.org/$acl_m2 : \
                   virbl.dnsbl.bit.nl/$acl_m2 : \
                   list.dsbl.org/$acl_m2
     message     = Originating IP listed at $dnslist_domain
     log_message = Blacklisted originating IP \
                   ($acl_m2 listed at $dnslist_domain)


MikeC2
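The same check as the ACLs above, written out as a stand-alone Python script so the mechanics Exim hides (header selection, IP extraction, the reversed-octet DNSBL query name, and the RFC 1918 case the thread warns about) are visible. This is an added example, not code from the list thread or from Exim; the header names and zones are the ones quoted in the thread, the sample messages and the listing returned by the offline stand-in resolver are constructed, and unlike Mike's ACL it also falls back to X-MDRemoteIP when X-Originating-IP is present but contains no parseable address.

```python
"""Check a message's X-Originating-IP / X-MDRemoteIP against DNSBLs.

Added example (not code from the Exim list thread). Header names and
zones follow the thread; sample messages and FAKE_LISTINGS are constructed.
"""
import email
import ipaddress
import re
import socket
from typing import Callable, Dict, Optional

# Same two headers and the same preference order as the ACLs in the thread.
ORIGIN_HEADERS = ("X-Originating-IP", "X-MDRemoteIP")

# Lists the thread uses. Deliberately no zen.spamhaus.org: its PBL
# component lists dynamic ranges and would flag ordinary webmail users.
DEFAULT_ZONES = ("bl.spamcop.net", "sbl-xbl.spamhaus.org")

# An internal webmail relay may stamp a non-routable address into the
# header; looking those up in a public DNSBL is meaningless, so skip them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# Same regex as the ACL's ${if match ...}: first dotted quad in the header.
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

Resolver = Callable[[str], Optional[str]]


def dns_a_lookup(name: str) -> Optional[str]:
    """Real resolver: first A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def extract_originating_ip(raw: str) -> Optional[str]:
    """First valid IPv4 address in X-Originating-IP, else X-MDRemoteIP.

    ipaddress plays the role of Exim's isip{}: "999.1.1.1" matches the
    regex but is rejected here, so it never reaches a DNS lookup.
    """
    msg = email.message_from_string(raw)
    for hdr in ORIGIN_HEADERS:
        for value in msg.get_all(hdr, []):
            m = IPV4_RE.search(value)   # strips Hotmail's "[a.b.c.d]" brackets
            if not m:
                continue
            try:
                return str(ipaddress.IPv4Address(m.group(1)))
            except ValueError:
                continue
    return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone, as Exim's dnslists does."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_message(raw: str, zones=DEFAULT_ZONES,
                  resolve: Resolver = dns_a_lookup) -> Dict:
    """Return the originating IP, a skip reason (if any) and per-zone hits."""
    result = {"ip": None, "skipped": None, "hits": []}
    ip = extract_originating_ip(raw)
    if ip is None:
        result["skipped"] = "no usable originating IP header"
        return result
    result["ip"] = ip
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in NON_ROUTABLE):
        result["skipped"] = "non-routable address, lookup would be meaningless"
        return result
    for zone in zones:
        code = resolve(dnsbl_query_name(ip, zone))
        if code is not None:             # an A record means "listed"
            result["hits"].append((zone, code))
    return result


# Constructed sample messages; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, so no real host is referenced.
MSG_HOTMAIL_STYLE = ("X-Originating-IP: [198.51.100.7]\r\n"
                     "Subject: hi\r\n\r\nbody\r\n")
MSG_MDREMOTE_ONLY = ("X-MDRemoteIP: 203.0.113.9\r\n"
                     "Subject: hi\r\n\r\nbody\r\n")
MSG_INTERNAL = "X-Originating-IP: [10.1.2.3]\r\n\r\nbody\r\n"
MSG_JUNK = "X-Originating-IP: 999.1.1.1\r\n\r\nbody\r\n"

# Offline stand-in for DNS (constructed): query name -> A record returned.
FAKE_LISTINGS = {"7.100.51.198.bl.spamcop.net": "127.0.0.2"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_LISTINGS.get(name)


if __name__ == "__main__":
    for raw in (MSG_HOTMAIL_STYLE, MSG_MDREMOTE_ONLY, MSG_INTERNAL, MSG_JUNK):
        print(check_message(raw, resolve=fake_resolver))
```

Swap `fake_resolver` for the default `dns_a_lookup` to query the real lists; the skip for non-routable addresses is the part worth carrying back into the ACL, since nothing in either Exim version stops an internal 10.x relay address from being looked up.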