> From: Mike Cardwell
> the main problem is that there are legitimate reasons why a
> server might connect back to it's own IP.
I use more specific regular expression (which checks the second Received
only) and greylist such messages instead of denying them. I attached
excerpts from my config to
http://wiki.exim.org/DbLessGreyListingRun
Excerpt from excerpts: :)
accept condition = ${if !match{$message_headers_raw}\
{\N\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?\N$sender_host_address\\]? by }}
accept condition = ${if def:acl_c_grey_checked}
defer set acl_c_grey_checked = deferred/greylisted because of \
fake Received line in the header
message = $acl_c_grey_checked
set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\
${sg{$sender_host_address}{\N\.\d+$\N}{}},\
${tr{$sender_address,${sg{$recipients}{[, ]+}{;}}}{/}{;}}}
condition = ${if exists{$acl_m_greyfile}\
{${if >{${eval:$tod_epoch-\
${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
{${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}
accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
fake Received
logwrite = passed greylisting fake Received \
${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
I greylist only suspicious messages, not every one.
For a couple months some spam penetrated greylisting (I think that only one
Russian botnet uses same $sender_address in all instances of same spam
necessary for penetrating greylisting), but if I'm not mistaken,
for last couple weeks that botnet switched to no fake Received line at all.
Lena
