Re: [exim] Denying spam with forged from

Author: Dave Pooser
Date:  
To: Exim-users
Subject: Re: [exim] Denying spam with forged from
> I tried verify = helo and deny spf = fail, however both those
> checks were too strict for some popular mail servers used in
> my country, which I assume renders them useless


Not necessarily useless; you can still block on the low-hanging fruit and
then use other checks in SpamAssassin scoring and also use delays to bore
spambots into submission. A couple of snippets from my own ACLs (beware line
wrap):

No legitimate host, no matter how sloppily configured, should HELO with an
IP address:

  deny    message   = Remote host used IP address in HELO/EHLO greeting
          !hosts    = +whitelisted
          condition = ${if isip {$sender_helo_name}{true}{false}}


Or with your own hostname:

  deny    message   = Remote host used our name in HELO/EHLO greeting.
          !hosts    = +whitelisted
          condition = ${if match_domain{$sender_helo_name}{$primary_hostname:+local_domains:+relay_to_domains}}


Then I start throwing delays around for other checks (this works best if you
disable pipelining):

  warn    message   = X-Warning: $sender_helo_name failed verification
          !hosts    = +whitelisted
          !verify   = helo
          delay     = 15s


Many spambots will get impatient and either disconnect or will try to
transmit data out of sequence and get rejected that way.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna
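As an added illustration of the three ACL statements above (not code from Dave's post or from Exim itself), the following Python model walks the deny/deny/warn rules in the same order over a handful of constructed SMTP sessions; the whitelist, hostname and domain lists are assumed placeholders, and the model deliberately mirrors Exim's `isip` in not matching a bracketed RFC 5321 address literal, so that gap in the first rule is visible.

```python
import ipaddress

# Constructed stand-ins for the host and domain lists referenced in the ACL.
WHITELISTED_HOSTS = {"192.0.2.10"}            # +whitelisted
PRIMARY_HOSTNAME = "mail.example.org"         # $primary_hostname
LOCAL_DOMAINS = {"example.org"}               # +local_domains
RELAY_TO_DOMAINS = {"partner.example.net"}    # +relay_to_domains
HELO_FAIL_DELAY = 15                          # seconds, as in the warn rule

def helo_is_ip(helo: str) -> bool:
    """Mirror Exim's isip condition: true only for a bare IPv4/IPv6 address.
    An address literal such as [192.0.2.5] is NOT matched by isip."""
    try:
        ipaddress.ip_address(helo)
        return True
    except ValueError:
        return False

def helo_uses_our_name(helo: str) -> bool:
    """Mirror match_domain against $primary_hostname:+local_domains:+relay_to_domains."""
    name = helo.lower().rstrip(".")
    return (name == PRIMARY_HOSTNAME or name in LOCAL_DOMAINS
            or name in RELAY_TO_DOMAINS)

def evaluate_helo(sender_host: str, helo: str, helo_verifies: bool):
    """Walk the three ACL statements in order; return (verdict, detail, delay_s)."""
    if sender_host in WHITELISTED_HOSTS:
        return ("accept", None, 0)      # !hosts = +whitelisted fails every rule
    if helo_is_ip(helo):
        return ("deny", "Remote host used IP address in HELO/EHLO greeting", 0)
    if helo_uses_our_name(helo):
        return ("deny", "Remote host used our name in HELO/EHLO greeting.", 0)
    if not helo_verifies:
        # warn: add the header and stall the client before answering
        return ("warn", f"X-Warning: {helo} failed verification", HELO_FAIL_DELAY)
    return ("accept", None, 0)

# Constructed sample sessions: (connecting IP, HELO argument, verify = helo result)
SAMPLE_SESSIONS = [
    ("198.51.100.7", "198.51.100.7", False),          # bare IP in HELO
    ("198.51.100.8", "mail.example.org", False),      # claims to be us
    ("198.51.100.9", "zombie-pc.example.invalid", False),
    ("203.0.113.4", "mx.legit.example.com", True),
    ("192.0.2.10", "192.0.2.10", False),              # whitelisted: never checked
    ("198.51.100.11", "[198.51.100.11]", False),      # address literal slips past isip
]

def run_samples():
    return [evaluate_helo(*s) for s in SAMPLE_SESSIONS]

if __name__ == "__main__":
    for session, result in zip(SAMPLE_SESSIONS, run_samples()):
        print(session[1], "->", result)
```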