Debugged set of rules (in DATA ACL):
deny message = rejected because recognized as Ukrainian spam
condition = ${if match{$message_headers_raw}\
{\N\A([^\n]+\n[ \t])+[^\n]+\nDate\N}}
condition = ${if eq{$received_protocol}{esmtp}}
condition = ${if eq{$bheader_X-Priority:}{3 (Normal)}}
condition = ${if match{$sender_address_local_part}{\N^[a-z]{10,}$\N}}
condition = ${if match{$bheader_To:}{\N^[^ @,;]+@[\w\.-]+$\N}}
set acl_m_domain = ${if match{$bheader_To:}{\N@(.+)$\N}{$1}}
condition = ${if match{$bheader_Message-ID:}\
{\N^<\d{10}\.\d{14}@\N$sender_address_domain>\$}}
condition = ${if match{$bheader_In-Reply-To:}\
{\N^<[A-F\d]{44}@\N$acl_m_domain>\$}}
condition = ${if match{$bheader_References:}\
{\N^<[A-F\d]{44}@\N$acl_m_domain> \
\N<[A-F\d]{30,44}@\N$sender_address_domain>\$}}
condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\
{${if match{$bheader_References:}{\N^<(\w+)@\N}{$1}}}}
The botnet endures 20s delay in RCPT ACL. I don't want to try longer delays
because of limited memory of the cheap VPS/VDS ($6/month for
64M RAM and 128M swap for Exim, webserver, POP3 server and BIND).
