> From: Mike Cardwell
> the main problem is that there are legitimate reasons why a
> server might connect back to its own IP.
I use a more specific regular expression (which checks the second Received
only) and greylist such messages instead of denying them. I attached
excerpts from my config to
http://wiki.exim.org/DbLessGreyListingRun

Excerpt from excerpts: :)
  # Not suspicious unless the second Received: line claims the message came
  # "from" the very address that is connecting to us.
  accept condition = ${if !match{$message_headers_raw}\
                       {\N\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?\N$sender_host_address\\]? by }}

  # Already greylist-checked earlier in this connection.
  accept condition = ${if def:acl_c_grey_checked}

  # First sighting (or seen less than 180 s ago): record it and defer.
  defer  set acl_c_grey_checked = deferred/greylisted because of \
                                   fake Received line in the header
         message = $acl_c_grey_checked
         set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\
                                ${sg{$sender_host_address}{\N\.\d+$\N}{}},\
                                ${tr{$sender_address,${sg{$recipients}{[, ]+}{;}}}{/}{;}}}
         condition = ${if exists{$acl_m_greyfile}\
                          {${if >{${eval:$tod_epoch-\
                                  ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
                          {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}

  # Retry after the waiting period: mark it and let it through.
  accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
                      fake Received
         logwrite = passed greylisting fake Received \
                    ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
I greylist only suspicious messages, not every one.

For a couple of months some spam penetrated greylisting (I think that only one
Russian botnet uses the same $sender_address in all instances of the same spam,
which is necessary for penetrating greylisting), but if I'm not mistaken,
for the last couple of weeks that botnet has switched to no fake Received line at all.
Lena
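The following is an added illustration, not part of Lena's post or of the Exim
wiki page: a Python re-statement of the two pieces of the ACL above, the
"second Received: line names the connecting host's own IP" check and the
file-mtime greylist keyed on network prefix, sender and recipients, so the
decision sequence (defer, defer, accept after 180 s) can be traced on
constructed headers without a running Exim. The header samples, IPs and
addresses are constructed; the temporary directory stands in for
/var/spool/exim/greylist.

```python
import os
import re
import tempfile

# Constructed sample: Exim's own multi-line Received: header first, then a
# forged Received: line saying the mail came "from" the connecting host's own
# address (TEST-NET-1 addresses, made up for this example).
SENDER_IP = "192.0.2.10"
SUSPICIOUS_HEADERS = (
    "Received: from [192.0.2.10] (helo=mail.example.org)\n"
    "\tby mx.example.net with esmtp (Exim)\n"
    "\tid example-id; Mon, 01 Jan 2024 00:00:00 +0000\n"
    "Received: from [192.0.2.10] by mail.example.org with ESMTP id 1234\n"
    "From: <sender@example.org>\n"
    "To: <rcpt@example.net>\n"
)
# Constructed sample of a normal relay: the second hop names a different host.
LEGIT_HEADERS = (
    "Received: from mail.example.org ([192.0.2.10])\n"
    "\tby mx.example.net with esmtp (Exim)\n"
    "\tid example-id; Mon, 01 Jan 2024 00:00:00 +0000\n"
    "Received: from [203.0.113.5] by mail.example.org with ESMTP id 1234\n"
    "From: <sender@example.org>\n"
    "To: <rcpt@example.net>\n"
)


def fake_received_re(sender_host_address: str) -> "re.Pattern[str]":
    """Same pattern as the ACL: first header with at least one continuation
    line, then a Received: line 'from [<sender_host_address>] by '."""
    return re.compile(
        r"\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?"
        + re.escape(sender_host_address)
        + r"\]? by "
    )


def is_suspicious(message_headers_raw: str, sender_host_address: str) -> bool:
    """True when the second Received: line claims the connecting host's own IP."""
    return fake_received_re(sender_host_address).match(message_headers_raw) is not None


def greylist_key(sender_ip: str, sender_address: str, recipients: str) -> str:
    """Same key as acl_m_greyfile: sender IP minus its last octet, sender
    address and ';'-joined recipients, with '/' mapped to ';', cut at 255."""
    network = re.sub(r"\.\d+$", "", sender_ip)
    rcpts = re.sub(r"[, ]+", ";", recipients)
    key = f"{network},{sender_address},{rcpts}".replace("/", ";")
    return key[:255]


def greylist_decision(state_dir: str, key: str, now: float, min_age: int = 180) -> str:
    """'defer' on first sight and while the marker is at most min_age seconds
    old; 'accept' once the sender has retried after that."""
    path = os.path.join(state_dir, key)
    if os.path.exists(path):
        age = now - os.stat(path).st_mtime
        return "accept" if age > min_age else "defer"
    # First sighting: create the marker file (the ACL's /usr/bin/touch) and defer.
    with open(path, "a"):
        pass
    os.utime(path, (now, now))
    return "defer"


def simulate(headers, sender_ip, sender_address, recipients, attempt_times):
    """Decisions for repeated delivery attempts of one message, in order."""
    if not is_suspicious(headers, sender_ip):
        return ["accept"] * len(attempt_times)
    with tempfile.TemporaryDirectory() as state_dir:
        key = greylist_key(sender_ip, sender_address, recipients)
        return [greylist_decision(state_dir, key, t) for t in attempt_times]


if __name__ == "__main__":
    print(simulate(SUSPICIOUS_HEADERS, SENDER_IP, "sender@example.org",
                   "rcpt@example.net", [1000, 1030, 1300]))
    print(simulate(LEGIT_HEADERS, SENDER_IP, "sender@example.org",
                   "rcpt@example.net", [1000]))
```

A legitimate message is never touched: only one whose second Received: line
matches is held, and only until the sending host retries after the waiting
period, which is the "greylist only suspicious messages" behaviour of the ACL.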