Re: [exim] Spam Blocking idea

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Spam Blocking idea
Marc Perkel wrote:
> Just a thought ....
>
> You extract the registrar barrier part of the host name and the same for
> the helo. Many hosts that send good email this would match. For example
> yahoo.com would have yahoo.com in both the host and the helo.
>
> Then after tracking these and developing a list of hosts that do this
> then we see a host that the helo claims to be yahoo.com but the rdns
> says otherwise. The idea is that if they are on the list of having
> matched then when they don't match it might be a spam indicator?
>
>


'lists' need maintenance, ELSE get stale and work against you, AND/OR
eat your lunch money to store and play with.

Modified from snippets found in archives here so long ago I don't
clearly remember whose contribution it was (Tor Slettnes?)

(line-wrap munged below, I'm sure)

====
   # Sender claims a yahoo.com address but the reverse DNS of the
   # connecting host is not under yahoo.com: add 100 points.
   warn
         log_message     = MF5 Forged Yahoo
         senders         = *@yahoo.com
         condition       = ${if match {$sender_host_name}{\Nyahoo\.com$\N}{no}{yes}}
         set acl_c2      = $acl_c2 Forged Yahoo Address=100
         set acl_c8      = ${eval:$acl_c8 + 100}

   # Same test for msn.com senders; MSN and Hotmail share infrastructure,
   # so either rDNS suffix counts as genuine.
   warn
         log_message     = MF5 Forged hotmail or MSN
         senders         = *@msn.com
         condition       = ${if match {$sender_host_name}{\N(msn|hotmail)\.com$\N}{no}{yes}}
         set acl_c2      = $acl_c2 Forged MSN Address=100
         set acl_c8      = ${eval:$acl_c8 + 100}
=====

I use over a dozen of these covering the most-often-forged major operators.

HELO check is a different process, as *much* mail comes from MTAs that
serve multiple domain.tld, BUT should still HELO with a valid FQDN that
can be checked, whether it matches each hosted sender's mail records or not.

The variables on WARN verbs should tell you a point scoring process is
at work here, and that not all faux pas are treated as generously or
harshly as others.

HELO to me as *my own* server gets a certain-death 1000 points, for
example. And a local blacklist hit ignores all scores in favor of a BFBI
deny....

HTH,

Bill
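To show how the chained WARN verbs above accumulate a score, here is an added Python model of the same sender-vs-rDNS test run over a few constructed transactions; it is not code from the post or from Exim. It goes one step beyond the ACL by anchoring the rDNS pattern as `(^|\.)domain$`, so that a host under some other `...yahoo.com`-suffixed name does not count as genuine, and by treating a hotmail.com sender the same way as msn.com (both are assumptions, not part of the original rules).

```python
import re
from typing import List, NamedTuple, Tuple

class Rule(NamedTuple):
    label: str       # text appended to acl_c2 / used in log_message
    senders: str     # regex on the envelope sender's domain (ACL: senders = *@...)
    host_name: str   # regex the sender's rDNS name must satisfy to be genuine
    points: int      # added to acl_c8 when the rDNS does NOT match

# Constructed rules mirroring the two ACL verbs; the (^|\.) anchor and the
# escaped dots are assumptions added here, the post's regexes are unanchored.
RULES = [
    Rule("Forged Yahoo", r"^yahoo\.com$", r"(^|\.)yahoo\.com$", 100),
    Rule("Forged MSN", r"^(msn|hotmail)\.com$", r"(^|\.)(msn|hotmail)\.com$", 100),
]

def score(sender: str, sender_host_name: str, rules=RULES) -> Tuple[int, List[str]]:
    """Return (points, notes) for one transaction, as acl_c8 / acl_c2 would hold
    them after the WARN verbs ran. An empty sender_host_name (no rDNS at all)
    fails the match exactly as Exim's ${if match ...} would."""
    domain = sender.rsplit("@", 1)[-1].lower()
    host = sender_host_name.lower()
    points, notes = 0, []
    for rule in rules:
        if not re.search(rule.senders, domain):
            continue  # senders = *@... did not select this verb
        if re.search(rule.host_name, host):
            continue  # rDNS really is under the claimed domain: no penalty
        points += rule.points
        notes.append(f"{rule.label} Address={rule.points}")
    return points, notes

def unanchored_match(host: str, pattern: str = r"yahoo.com$") -> bool:
    """The post's original pattern, kept to show why anchoring matters:
    the bare dot and missing left anchor accept more names than intended."""
    return re.search(pattern, host.lower()) is not None

# Constructed sample transactions (sender, rDNS name), not real log data.
SAMPLES = [
    ("alice@yahoo.com", "smtp123.mail.yahoo.com"),   # genuine
    ("alice@yahoo.com", "dsl-1-2-3-4.example.net"),  # forged
    ("bob@msn.com", ""),                              # no rDNS at all
    ("carol@example.org", "mx.example.org"),          # no rule applies
]

if __name__ == "__main__":
    for sender, host in SAMPLES:
        print(sender, repr(host), score(sender, host))
```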