Re: [exim] Data ACL - Received: from header

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Lena
Date:  
À: exim-users
Sujet: Re: [exim] Data ACL - Received: from header
> From: W B Hacker

> But if it is a botnet, would it not fail:
>
> - forward/reverse lookup test?


In such cases (and in cases of dynamic-looking hostname)
I greylist instead of deny. Quite effective usually.
I'm afraid of false positives.

> - AND the HELO <=> FQDN match test?


Plenty of legitimate senders have $sender_helo_name differing from
$sender_host_name. I even don't greylist if they differ.
I greylist if $sender_helo_name doesn't contain a dot
or is a bare IP-address or literal (IP-address in square brackets).
Besides, I have long local blacklists (which deny) separately for
$sender_helo_name, $sender_host_name and $sender_host_address.

> If you don't mind onpassing a few samples, I'll be happy to see if they've been
> 'seen' here, and if so, which of our rules they escaped... or were caught with.


The last two with fake Received which escaped my deny rules,
didn't escape my greylisting rules but penetrated greylisting
(I edited @ to # in my email address):

Received: from c12.dnepro.net ([212.3.120.12] helo=home)
    by lena.kiev.ua with esmtp (Exim 4.69 (FreeBSD))
    (envelope-from <anyabysdfxuh@???>)
    id 1M2SKb-000641-JX
    for lena#lena.kiev.ua; Fri, 08 May 2009 18:49:50 +0300
Received: from [212.3.120.12] by mx1.yandex.ru; Fri, 8 May 2009 17:49:49 +0200
Message-ID: <01c9d005$61bd9c80$0c7803d4@anyabysdfxuh>
From: "КЛУБ -=ЛИЦА=-" 
    <anyabysdfxuh@???>
To: <lena#lena.kiev.ua>
Subject: 04-10-05-2009 Внимательный клуб "ЛИЦА"
Date: Fri, 8 May 2009 17:49:49 +0200
MIME-Version: 1.0
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo


Received: from [78.97.53.179] (helo=e-net)
    by lena.kiev.ua with esmtp (Exim 4.69 (FreeBSD))
    (envelope-from <olyajdtbnszp@???>)
    id 1M4BE5-0002bW-35
    for lena#lena.kiev.ua; Wed, 13 May 2009 12:58:14 +0300
Received: from [78.97.53.179] by mx3.yandex.ru; Wed, 13 May 2009 11:58:12 +0200
Date:    Wed, 13 May 2009 11:58:12 +0200
From:    "Альтернативные сценарии жизни" 
    <olyajdtbnszp@???>
X-Mailer: The Bat! (v3.62.14) Home
Reply-To: olyajdtbnszp@???
X-Priority: 3 (Normal)
Message-ID: <270681631.26545602149474@???>
To: lena#lena.kiev.ua
Subject: Альтернаtивные сценарии жизни
MIME-Version: 1.0
Content-Type: text/plain;
  charset=koi8-r
Content-Transfer-Encoding: 8bit
X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo


Now that same botnet I think (correction: I suspect that it's Ukrainian,
not Russian) sends like this:

Received: from [59.98.93.25] (helo=microsoft)
    by lena.kiev.ua with esmtp (Exim 4.69 (FreeBSD))
    (envelope-from <yanadsbglovel@???>)
    id 1M8YWk-000M1Q-Tn
    for lena#lena.kiev.ua; Mon, 25 May 2009 14:39:36 +0300
Date: Mon, 25 May 2009 17:09:33 +0530
From: "Gavin Napier" <yanadsbglovel@???>
X-Mailer: The Bat! (v4.0.20) Professional
X-Priority: 3 (Normal)
Message-ID: <2742740082.20090525170933@???>
To: lena#lena.kiev.ua
In-Reply-To: <925F8B6E16E9258BD33AE1D3333AE92CBD3AE16E1DAE@???>
References: <D3333AE92C42CB6E1D33AE9016E9016758BD3AE1D333@???> <C4092CBD33A75F840925842CB675FFFF8B67C42@???>
Subject: правовий менеджмент, правова пiдтримка пiдприeмств, надання коментарiв к дiючим законодавчим i нормативним актам Украiни, проблемам господарськоi дiяльностi
MIME-Version: 1.0
Content-Type: text/html; charset=koi8-u
Content-Transfer-Encoding: 8bit
X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo


Received: from customer-199.131.livas.lv ([84.245.199.131])
    by lena.kiev.ua with esmtp (Exim 4.69 (FreeBSD))
    (envelope-from <yanagoptlovem@???>)
    id 1M9Kxo-000JrS-45; Wed, 27 May 2009 18:22:44 +0300
Date: Wed, 27 May 2009 17:22:43 +0200
From: "Яков Глушков" 
    <yanagoptlovem@???>
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-Priority: 3 (Normal)
Message-ID: <4141273845.20090527172243@???>
To: lena#lena.kiev.ua
In-Reply-To: <DA7CB67CBDAE1D3A75FFF8BDA758425F8B67C4090901@???>
References: <7584092C4258409092CB6758BDA7CBDA7CB67CBDAE16@???> <B67584258BD33AE1DAE1DA75FFFFF8B6E1DAE16E@???>
Subject: Самый широкий ассортимент элекtроники  в одном месте!
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit


The set of conditions I'm testing:

  deny  message = rejected because recognized as Ukrainian spam
        condition = ${if match{$message_headers_raw}\
                              {\N\A([^\n]+\n[ \t])+[^\n]+\nDate\N}}
        condition = ${if eq{$received_protocol}{esmtp}}
        condition = ${if eq{$bheader_X-Priority:}{3 (Normal)}}
        condition = ${if match{$sender_address_local_part}{\N^[a-z]{10,}$\N}}
        condition = ${if match{$bheader_To:}{\N^[^ @,;]+@[\w\.-]+$\N}}
        set acl_m_domain = ${if match{$bheader_To:}{\N@(.+)$\N}{$1}}
        condition = ${if match{$bheader_Message-ID:}\
                              {\N^<\d{10}\.\d{14}@$sender_address_domain>$\N}}
        condition = ${if match{$bheader_In-Reply-To:}\
                              {\N^<[A-F\d]{44}@$acl_m_domain>$\N}}
        condition = ${if match{$bheader_References:}\
   {\N^<[A-F\d]{44}@$acl_m_domain> <[A-F\d]{40,44}@$sender_address_domain>$\N}}
        condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\
                         {${if match{$bheader_References:}{\N^<(\w+)@\N}{$1}}}}
        condition = ${if match{$rheader_Content-Type:}\
                              {text/(plain|html); charset=koi8-[ru]}}
        condition = ${if eq{$bheader_Content-Transfer-Encoding:}{8bit}}