[exim] Anti Phishing ACL

Author: neil
Date:
To: exim-users
Subject: [exim] Anti Phishing ACL
Hi;
I've been trying to stop these bank phishing mails. Rather than trying
to get the banks to implement DK, DKIM or SPF so I can check against
that, I have the snippet below.

I was wondering if this is of any use to anyone else or if it could be
made better. I've checked the list and can't see anything similar.


## set up a list of banks
## (partial-lsearch: a bare key such as hsbc.com matches that exact sender
##  domain; subdomains only match keys written as *.hsbc.com)
domainlist banks = partial-lsearch;/usr/exim/banks


acl_check_rcpt:

  ## if they send from bank domain but not from a bank IP then drop them
  ## override with our local white list for companies that do mail shots
  ## for banks
  ## (the drop fires only when all three conditions hold: sender domain is
  ##  in +banks, sending IP is NOT listed by DNSWL as a financial-services
  ##  sender (127.0.2.x), and sending IP is NOT in the local white list)
  drop log_message    = DENIED BANK PHISHING from: $sender_address @ $sender_host_address
       message        = DENIED $sender_address @ $sender_host_address You appear to be Phishing. \n\
                        $tod_full on host $interface_address
       sender_domains = +banks
       !dnslists      = list.dnswl.org=127.0.2.0,127.0.2.1,127.0.2.2,127.0.2.3
       !dnslists      = my-local-whitelist.example.com



Note: Not all UK banks are in DNSWL. When I can be certain of the
sending IPs of the commented out banks then I will add them to our white
list.

cat /usr/exim/banks

#abbey.co.uk
#abbeynational.co.uk
#abbey.com
alliance-leicester.co.uk
americanexpress.com
#barclays.com
barclays.co.uk
egg.com
halifax.co.uk
#hsbc.co.uk
hsbc.com
#lloydstsb.co.uk
lloydstsb.com
#natwest.com
#natwest.co.uk
#nwolb.com
paypal.com
rbs.com
#rbs.co.uk
#rbsdigital.com
#rbsdigital.co.uk
#sainsburysonline.com
#ybonline.co.uk

I have log entries like:

2008-10-30 11:53:39 H=dns01.labmoreira.com.mx (mail.labmoreira.com)
[201.134.16.230] F=<onlineservices@???> rejected
RCPT <USER1@???>: DENIED BANK PHISHING from:
onlineservices@??? @ 201.134.16.230

2008-10-30 11:53:40 H=(221-128-205-92.static.exatt.net)
[221.128.206.156] F=<customer_support-num-095pc@???> rejected
RCPT <USER2@???>: DENIED BANK PHISHING from:
customer_support-num-095pc@??? @ 221.128.206.156

2008-10-30 11:53:40 H=bb121-6-53-48.singnet.com.sg (lloydstsb.com)
[121.6.53.48] F=<onlinesupport_ref_832ppn@???> rejected RCPT
<USER3@???>: DENIED BANK PHISHING from:
onlinesupport_ref_832ppn@??? @ 121.6.53.48

(I have replaced recipients USER name and DOMAIN for privacy.)
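An added example, not from the post above or from Exim itself: a Python model of the drop statement's three conditions, with the banks file and both DNS lists replaced by constructed in-memory data (no real lookups). It also shows why the bare domains in /usr/exim/banks match only exact sender domains under partial-lsearch.

```python
# Added example, not from the original post: an offline model of the ACL
# statement's decision logic so its conditions can be checked without Exim.
# Both DNS lists are replaced by constructed in-memory tables (no real lookups).

# Constructed stand-in for /usr/exim/banks ('#' lines commented out, as in the post).
BANKS_FILE = """\
#abbey.co.uk
barclays.co.uk
hsbc.com
lloydstsb.com
paypal.com
"""

# Constructed answers from list.dnswl.org keyed by sending IP. DNSWL answers are
# 127.0.<category>.<trust>; category 2 is "financial services", trust 0..3.
DNSWL = {"198.51.100.10": "127.0.2.2",   # assumed legitimate bank MTA
         "198.51.100.20": "127.0.5.1"}   # listed, but not as a financial sender
DNSWL_FINANCIAL = {"127.0.2.0", "127.0.2.1", "127.0.2.2", "127.0.2.3"}
# Constructed answers from my-local-whitelist.example.com (any answer = listed).
LOCAL_WHITELIST = {"203.0.113.5": "127.0.0.2"}

def load_lsearch_keys(text):
    """Keys of an lsearch file: one 'key[: data]' per line; '#' and blank lines skipped."""
    lines = (l.strip() for l in text.splitlines())
    return {l.split(":")[0].split()[0].lower() for l in lines if l and not l.startswith("#")}

def partial_lsearch(domain, keys, min_components=2):
    """Key sequence Exim tries for partial-lsearch (spec, 'Partial matching in
    single-key lookups'). A bare key such as hsbc.com matches only that exact
    domain; mail.hsbc.com matches only if the file also holds '*.hsbc.com'."""
    parts = domain.lower().split(".")
    candidates = [domain.lower()]
    candidates += ["*." + ".".join(parts[i:]) for i in range(len(parts) - min_components + 1)]
    return next((c for c in candidates if c in keys), None)

def acl_check_rcpt(sender_address, sender_host_address, banks):
    """Verb the post's drop statement yields: 'drop', or 'next' when one of its
    conditions fails and later ACL statements decide."""
    domain = sender_address.rpartition("@")[2]
    if partial_lsearch(domain, banks) is None:
        return "next"                       # sender_domains = +banks is false
    if DNSWL.get(sender_host_address) in DNSWL_FINANCIAL:
        return "next"                       # !dnslists = list.dnswl.org=127.0.2.x is false
    if sender_host_address in LOCAL_WHITELIST:
        return "next"                       # !dnslists = my-local-whitelist is false
    return "drop"   # logged as: DENIED BANK PHISHING from: <sender> @ <host ip>
```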