David Saez, Padros wrote:
>> I'm getting more and more spam from webmail sites like hotmail, and I
>> was wondering if it was possible to write an ACL to check the
>> X-Originating-IP header against blacklists. I thought it would be a
>> simple task, but I've failed. Perhaps somebody could clue me in :-)
>
> The problem of using this is that many users have dynamically assigned
> IP addresses, so some users will get blacklisted IPs without having
> ever sent a virus or spam message, so take care to avoid using this on
> mailing list mail and trusted senders (you will need a good way to
> avoid false positives),

Hence why I specified bl.spamcop.net and sbl-xbl.spamhaus.org, and not
an RBL that lists "dynamic" IPs, e.g. zen.spamhaus.org. The same applies
when looking up IPs in Received headers against RBLs.

> we use this:
>
> # Blacklisted ip in X-Originating-IP:
>
>   warn  set acl_m2 =
>
>   warn  condition = ${if def:h_x-originating-ip:}
>         set acl_m2 = ${sg {$h_x-originating-ip:}{(\\[|\\])}{}}
>
>   warn  condition = ${if eq {$acl_m2}{}}
>         condition = ${if def:h_x-mdremoteip:}
>         set acl_m2 = ${sg {$h_x-mdremoteip:}{(\\[|\\])}{}}
>
>   deny  condition = ${if isip{$acl_m2}}
>         dnslists = bl.spamcop.net/$acl_m2 : \
>                    sbl-xbl.spamhaus.org/$acl_m2 : \
>                    virbl.dnsbl.bit.nl/$acl_m2 : \
>                    list.dsbl.org/$acl_m2
>         message = Originating IP listed at $dnslist_domain
>         log_message = Blacklisted originating IP \
>                       ($acl_m2 listed at $dnslist_domain)
>
Some good tips in there. Here's a more compact untested version of what
you did that is more likely to be able to pull an ip address out of
those headers:

  # Take X-Originating-IP, or X-MDRemoteIP when that header is empty,
  # then keep only the first dotted quad found in it.
  deny  set acl_m2 = ${if eq{$h_x-originating-ip:}{}{$h_x-mdremoteip:}{$h_x-originating-ip:}}
        set acl_m2 = ${if match{$acl_m2}{\N(\d{1,3}(?:\.\d{1,3}){3})\N}{$1}{}}
        condition = ${if isip{$acl_m2}}
        dnslists = bl.spamcop.net/$acl_m2 \
                 : sbl-xbl.spamhaus.org/$acl_m2 \
                 : virbl.dnsbl.bit.nl/$acl_m2 \
                 : list.dsbl.org/$acl_m2
        message = Originating IP listed at $dnslist_domain
        log_message = Blacklisted originating IP \
                      ($acl_m2 listed at $dnslist_domain)

MikeC2
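
Added example, not part of the original posts and not Exim code: Python that mirrors the header extraction in the compact ACL above, so header values can be tried offline before the rule goes live. It shows what the unanchored pattern pulls out of malformed values and the conventional reversed-octet name a DNS list is queried with. `STRICT_PATTERN`, the function names and the sample header values are assumptions of this example, and `ipaddress.IPv4Address` stands in for Exim's `isip`.

```python
import ipaddress
import re

# Same pattern as the match{} in the compact ACL above.
POST_PATTERN = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Stricter variant (assumption of this example): do not start or stop
# inside a longer run of digits and dots.
STRICT_PATTERN = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# DNS lists named in the thread.
DNSBLS = ["bl.spamcop.net", "sbl-xbl.spamhaus.org",
          "virbl.dnsbl.bit.nl", "list.dsbl.org"]


def originating_ip(x_originating_ip, x_mdremoteip="", pattern=POST_PATTERN):
    """Mirror the two `set` lines and the isip check; IPv4 string or None."""
    # First `set`: fall back to X-MDRemoteIP when X-Originating-IP is empty.
    raw = x_originating_ip if x_originating_ip else x_mdremoteip
    # Second `set`: keep the first dotted quad the pattern finds.
    m = pattern.search(raw)
    if not m:
        return None
    try:
        # Stand-in for isip: rejects octets above 255.
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def dnsbl_names(ip, lists=DNSBLS):
    """Query names for `ip`: octets reversed, then the list domain."""
    rev = ".".join(reversed(ip.split(".")))
    return [f"{rev}.{domain}" for domain in lists]


if __name__ == "__main__":
    # Constructed header values, not taken from real mail.
    samples = ["[192.0.2.45]", "192.0.2.45, 198.51.100.7",
               "999.1.1.1", "1234.5.6.7", "1.2.3.4.5", ""]
    for s in samples:
        print(f"{s!r:30} post={originating_ip(s)} "
              f"strict={originating_ip(s, pattern=STRICT_PATTERN)}")
    print(dnsbl_names("192.0.2.45")[0])
```

With the pattern from the post, `1234.5.6.7` yields `234.5.6.7` and `1.2.3.4.5` yields `1.2.3.4`, so a malformed header can cause a lookup for an address that never appeared in it; the stricter pattern returns nothing for both.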