Re: [exim] exim_surbl

Author: Dave Lugo
Date:  
To: exim-users
Subject: Re: [exim] exim_surbl

(yeah, it's top-posted)

How do you propose to look at the body, in the connect ACL?


On Tue, 4 Dec 2007, W B Hacker wrote:

> Date: Tue, 04 Dec 2007 18:53:42 +0000
> From: W B Hacker <wbh@???>
> To: exim users <exim-users@???>
> Subject: Re: [exim] exim_surbl
>
> John Schmerold wrote:
> > I've been running exim_surbl (from
> > http://www.teuton.org/~ejm/exim_surbl ) for approximately 12 hours.
> > Memory utilization is way down, message delivery time is way up, life
> > seems good.
> >
> > So far it works really well, point of this message is 1) to let
> > everyone know about this and 2) find out if there are issues that I
> > should be aware of relative to use of this tool. Installation was
> > simple, I did following:
> > cd /usr/src ; wget http://www.teuton.org/~ejm/exim_surbl/exim_surbl-2.0.tar.gz
> > tar zxf exim_surbl-2.0.tar.gz
> > cp -p exim_surbl-2.0/exim_surbl.pl /etc/exim
> > cp -p exim_surbl-2.0/surbl_whitelist.txt /etc/exim
> > cp -p exim_surbl-2.0/ccTLD.txt /etc/exim
> >
> > Then edited /etc/exim/exim_surbl.pl to reflect the fact that our exim
> > configuration files are in /etc/exim
> >
> > Then put following in exim.conf main section:
> > perl_startup = do '/etc/exim/exim_surbl.pl'
> >
> > Then put following in exim.conf acl_smtp_mime section:
> >    deny condition = ${if <{$message_size}{100000}{yes}{no}}
> >         set acl_m0 = ${perl{surblspamcheck}}
> >         condition = ${if eq{$acl_m0}{false}{no}{yes}}
> >         message = $acl_m0
> >
> > Finally put following in acl_smtp_data section and restarted exim:
> >    deny condition = ${if <{$message_size}{100000}{yes}{no}}
> >         condition = ${if eq{$acl_m0}{}{yes}{no}}
> >         set acl_m1 = ${perl{surblspamcheck}}
> >         condition = ${if eq{$acl_m1}{false}{no}{yes}}
> >         message = $acl_m1
> >
> > Within seconds - every second actually, tail -f /var/log/exim/main.log
> > happily reported:
> >    2007-12-04 11:40:45 1IzblE-000860-Q9
> > H=host158-101-dynamic.27-79-r.retail.telecomitalia.it [79.27.101.158]
> > F=<Archuna492@???> rejected during MIME
> > ACL checks: Blacklisted URL in message. (oran____.com) in [jp] [ob]
> > [ws] [sc]. See http://www.surbl.org/lists.html.
> >
> > John
> >
>
> Why wait until acl_smtp_data and invoke a perl script to do what Exim can do
> with much less workload in the acl_smtp_connect phase?
>
>    # CONNECT_7: Check Local NAME Blacklist for host_name. IF bad THEN deny
>    #
>    deny
>      message     = \n Sender $sender_host_name blacklisted for abuse
>      log_message = C7 $sender_host_name Locally blacklisted.
>      condition   = ${lookup{$sender_host_name}wildlsearch{/var/mail/REGEXP-block}{yes}{no}}
>
> (beware MUA wrap - the condition is on one line)
>
> /var/mail/REGEXP-block includes, among several hundred chronic-offenders who are
> zombot-friendly:
>
> *retail.telecomitalia.it
>
> Result:
>
> 2007-12-04 18:21:56 H=host105-160-dynamic.22-79-r.retail.telecomitalia.it
> [79.22.160.105]:4678 I=[203.194.153.81]:25 temporarily rejected connection in
> "connect" ACL: C7 host105-160-dynamic.22-79-r.retail.telecomitalia.it Locally
> blacklisted.
>
> Should that fall-through, C8 will catch it:
>
>   # CONNECT_8: Check Dynamic/Portable Remote Blacklist. IF RBL hit THEN deny
>   #
>   deny
>     message  = \n $sender_host_address improper use of dynamic IP for mail server
>     dnslists = dul.dnsbl.sorbs.net
>     log_message = C8 $sender_host_address blacklisted in $dnslist_domain
>
>
> An SQL call (redacted) accumulates stats on those that repeatedly hit from
> dynamic IP, and is used for periodic updating of the local blacklist file.
> This reduces off-box callouts to sorbs.
>
> In production for quite a while now....
>
> HTH,
>
> Bill Hacker
>
>
>
>
>


-- 
--------------------------------------------------------
Dave Lugo   dlugo@???    LC Unit #260   TINLC
Have you hugged your firewall today?   No spam, thanks.
--------------------------------------------------------
Are you the police?  . . . .  No ma'am, we're sysadmins.
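The point of contention in the thread is where the check runs: a connect-time host or DNSBL lookup sees only the peer, while the SURBL check needs the URLs inside the body, which exist only after DATA. The following is an added example (not exim_surbl's code and not posted by anyone in the thread) that reproduces the core of that body check in Python: extract URL hosts, reduce each to the key SURBL lists (registrable domain, using a ccTLD table like exim_surbl's ccTLD.txt, or reversed octets for a bare IPv4), look it up under multi.surbl.org, and decode list membership from the 127.0.0.x answer the way the "[jp] [ob] [ws] [sc]" log line in the thread is produced. The list bit values, the ccTLD subset, the whitelist, the sample body and the DNS answers are all constructed for the example; the resolver is injected so it runs offline.

```python
"""SURBL-style body URL check, modelled on what exim_surbl does in the
acl_smtp_mime / acl_smtp_data phases (added example, not exim_surbl's code).

Steps: pull URL hosts out of the body, reduce each to the key SURBL lists
(registrable domain, or reversed octets for a bare IPv4), look the key up
under multi.surbl.org, and decode list membership from the 127.0.0.x answer.
The resolver is injected so the demo runs offline against constructed data.
"""
import ipaddress
import re
import socket

# Bit values SURBL documented for multi.surbl.org around the time of the
# thread (assumption of this example; check current SURBL docs before use).
SURBL_LISTS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Stand-in for exim_surbl's ccTLD.txt: TLDs where the registrable domain
# is one label deeper (constructed subset).
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Stand-in for surbl_whitelist.txt (constructed).
WHITELIST = {"example.com", "surbl.org"}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)([^\s/?#<>'\x22]+)")


def extract_hosts(body):
    """Return URL hosts in order of first appearance, without userinfo or port."""
    hosts = []
    for m in URL_RE.finditer(body):
        host = m.group(1).rsplit("@", 1)[-1].split(":")[0].strip(".,;").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def surbl_key(host):
    """Reduce a host to the label SURBL keys on, or None if it is not a domain."""
    try:
        ip = ipaddress.IPv4Address(host)
        return ".".join(reversed(str(ip).split(".")))  # 192.0.2.10 -> 10.2.0.192
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def decode_lists(answer):
    """Map a multi.surbl.org A record to list names. Non-127.0.0.x answers
    are ignored so a resolver that rewrites NXDOMAIN cannot cause false hits."""
    if not answer.startswith("127.0.0."):
        return []
    octet = int(answer.rsplit(".", 1)[1])
    return [name for bit, name in sorted(SURBL_LISTS.items(), reverse=True) if octet & bit]


def surbl_check(body, resolve, zone="multi.surbl.org"):
    """resolve(name) -> list of A-record strings ([] on NXDOMAIN).
    Returns {key: [lists...]} for every listed, non-whitelisted URL host."""
    hits = {}
    for host in extract_hosts(body):
        key = surbl_key(host)
        if key is None or key in WHITELIST or key in hits:
            continue
        lists = []
        for answer in resolve(f"{key}.{zone}"):
            lists.extend(n for n in decode_lists(answer) if n not in lists)
        if lists:
            hits[key] = lists
    return hits


def verdict(body, resolve, max_size=100000):
    """Mirror the ACL in the thread: only messages under max_size bytes are
    checked; return False to accept, or the reject text for the first hit."""
    if len(body.encode()) >= max_size:
        return False
    hits = surbl_check(body, resolve)
    if not hits:
        return False
    key, lists = next(iter(hits.items()))
    tags = " ".join(f"[{name}]" for name in lists)
    return f"Blacklisted URL in message. ({key}) in {tags}. See http://www.surbl.org/lists.html."


def system_resolve(name):
    """Live lookup through the system resolver; not used by the offline demo."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed sample body and DNS answers for the offline demo.
SAMPLE_BODY = """Hello,
Visit http://www.shop.cheappills.example/buy?x=1 today!
Also see https://example.com/info and www.mysite.co.uk/page
Raw IP: http://192.0.2.10/login
"""
FAKE_DNS = {
    "cheappills.example.multi.surbl.org": ["127.0.0.86"],  # 64+16+4+2: jp ob ws sc
    "10.2.0.192.multi.surbl.org": ["127.0.0.2"],           # sc only
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(verdict(SAMPLE_BODY, fake_resolve))
```

Passing `system_resolve` instead of `fake_resolve` turns this into a live check against multi.surbl.org, which is where the off-box cost Bill is avoiding with his local blacklist comes from; the size gate in `verdict` mirrors the `$message_size` condition in John's ACL, and the whitelist and 127.0.0.x prefix test are the two places a naive implementation produces false rejections.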