Re: [exim] omit sender verification to certain IPs - possibl…

Góra strony
Delete this message
Reply to this message
Autor: Mike Cardwell
Data:  
Dla: exim-users
Temat: Re: [exim] omit sender verification to certain IPs - possible?
Torsten Luettgert wrote:

> we've been using sender verification callouts for a while now,
> and it still kills a lot of spam.
>
> But alas, in these modern times, there are honeypot addresses
> which sometimes appear as sender addresses in spam and cause our
> box to be blacklisted because it tries to verify the address.
> This is mainly uceprotect. I won't comment on them here.
>
> Ok, now here's the question after all this build-up: can I skip
> sender verification for certain IP addresses? I can of course
> filter by the IP of the sending host, but that's not what I want -
> I want to skip the verify if the target is one of those honeypot
> addresses.


I'm stunned that you haven't been flamed to death by the anti sender
callout verification people.

You can get a list of the IP addresses of the MX servers for a domain by
using the dnsdb lookup type:

${lookup dnsdb{>:a=<:${lookup dnsdb{>:mxh=$domain}}}}

Eg, for google.com:

root@haven:~# exim4 -be '${lookup dnsdb{>:a=<:${lookup
dnsdb{>:mxh=google.com}}}}'
209.85.237.25:64.233.165.25:209.85.137.25:72.14.221.25
root@haven:~#

You could then use match_ip as described on
http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html

For example, a successful and unsuccessful lookup of for an ip against
the domain google.com:

root@haven:~# exim4 -be '${if match_ip{209.85.237.25}{${lookup
dnsdb{>:a=<:${lookup dnsdb{>:mxh=google.com}}}}}{true}{false}}'
true
root@haven:~# exim4 -be '${if match_ip{192.168.0.1}{${lookup
dnsdb{>:a=<:${lookup dnsdb{>:mxh=google.com}}}}}{true}{false}}'
false
root@haven:~#

So if you wanted to make sure that a callout never happens against
192.168.0.1, you would stick this condition before the callout in the acls:

condition = ${if match_ip{192.168.0.1}{${lookup dnsdb{>:a=<:${lookup
dnsdb{>:mxh=$domain}}}}}}

Of course, you're going to continue to trip up these honeypots as you
wont be able to get a list of them all.

Actually... You know what would be better? ...

iptables -A OUTPUT -p tcp -d 192.168.0.1 --dport 25 -j REJECT

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)