Re: [exim] exim_surbl

Page principale
Supprimer ce message
Répondre à ce message
Auteur: W B Hacker
Date:  
À: exim users
Sujet: Re: [exim] exim_surbl
John Schmerold wrote:
> I've been running exim_surbl (from
> http://www.teuton.org/~ejm/exim_surbl ) for approximately 12 hours.
> Memory utilization is way down, message delivery time is way up, life
> seems good.
>
> So far it works really well, point of this message is 1) to let
> everyone know about this and 2) find out if there are issues that I
> should be aware of relative to use of this tool. Installation was
> simple, I did following:
> cd /usr/src ; wget http://www.teuton.org/~ejm/exim_surbl/exim_surbl-2.0.tar.gz
> tar zxf exim_surbl-2.0.tar.gz
> cp -p exim_surbl-2.0/exim_surbl.pl /etc/exim
> cp -p exim_surbl-2.0/surbl_whitelist.txt /etc/exim
> cp -p exim_surbl-2.0/ccTLD.txt /etc/exim
>
> Then edited /etc/exim/exim_surbl.pl to reflect the fact that our exim
> configuration files are in /etc/exim
>
> Then put following in exim.conf main section:
> perl_startup = do '/etc/exim/exim_surbl.pl'
>
> Then put following in exim.conf acl_smtp_mime section:
>    deny condition = ${if <{$message_size}{100000}{yes}{no}}
>         set acl_m0 = ${perl{surblspamcheck}}
>         condition = ${if eq{$acl_m0}{false}{no}{yes}}
>         message = $acl_m0

>
> Finally put following in acl_smtp_data section and restarted exim:
>    deny condition = ${if <{$message_size}{100000}{yes}{no}}
>         condition = ${if eq{$acl_m0}{}{yes}{no}}
>         set acl_m1 = ${perl{surblspamcheck}}
>         condition = ${if eq{$acl_m1}{false}{no}{yes}}
>         message = $acl_m1

>
> Within seconds - every second actually, tail -f /var/log/exim/main.log
> happily reported:
>    2007-12-04 11:40:45 1IzblE-000860-Q9
> H=host158-101-dynamic.27-79-r.retail.telecomitalia.it [79.27.101.158]
> F=<Archuna492@???> rejected during MIME
> ACL checks: Blacklisted URL in message. (oran____.com) in [jp] [ob]
> [ws] [sc]. See http://www.surbl.org/lists.html.

>
> John
>


Why wait until acl_smtp_data and invoke a perl script to do what Exim can do
with much less workload in the acl_smtp_connect phase?

   # CONNECT_7: Check Local NAME Blacklist for host_name. IF bad THEN deny
   #
   deny
     message     = \n Sender $sender_host_name blacklisted for abuse
     log_message = C7 $sender_host_name Locally blacklisted.
     condition   =
       ${lookup $sender_host_name}wildlsearch{/var/mail/REGEXP-block}{yes}{no}}


(beware MUA wrap - the condition is on one line)

/var/mail/REGEXP-block includes, among several hundred chronic-offenders who are
zombot-friendly:

*retail.telecomitalia.it

Result:

2007-12-04 18:21:56 H=host105-160-dynamic.22-79-r.retail.telecomitalia.it
[79.22.160.105]:4678 I=[203.194.153.81]:25 temporarily rejected connection in
"connect" ACL: C7 host105-160-dynamic.22-79-r.retail.telecomitalia.it Locally
blacklisted.

Should that fall-through, C8 will catch it:

  # CONNECT_8: Check Dynamic/Portable Remote Blacklist. IF RBL hit THEN deny
  #
  deny
    message  = \n $sender_host_address improper use of dynamic IP for mail server
    dnslists = dul.dnsbl.sorbs.net
    log_message = C8 $sender_host_address blacklisted in $dnslist_domain



An SQL call (redacted) accumulates stats on those that repeatedly hit from
dynamic IP, and is used for periodic updating of the local blacklist file.
This reduces off-box callouts to sorbs.

In production for quite a while now....

HTH,

Bill Hacker