Re: [exim] listed at Backscatterer.org

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] listed at Backscatterer.org
> From: Kebba Foon

> recently i found out that some of
> the ip's i allow relay for are infect and send a lot of mails with fake
> sender addresses


The bounces/backscatter are because a lot of these mails are to
nonexistent recipient addresses (spammers' lists contain a lot of
nonexistent addresses). So, infected IPs can be automatically blocked:

LIM = 100
PERIOD = 1h
WARNTO = abuse@???
EXIMBINARY = /usr/local/sbin/exim
SHELL = /bin/sh
...
acl_check_rcpt:
...
  accept hosts = +relay_from_hosts
        set acl_m_user = $sender_host_address
# or userid from RADIUS if IPs are assigned dynamically
        condition = ${if exists{$spool_directory/blocked_users}}
        condition = ${if eq{${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_users}{1}{0}}}{1}}
        control = freeze/no_tell
        add_header = X-User: $acl_m_user


  accept hosts = +relay_from_hosts
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_users; \
           \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
           has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        add_header = X-User: $acl_m_user


  accept  hosts = +relay_from_hosts
          control = submission/domain=


After you get the notification, you look up the frozen messages
in the queue (using exipick). If that's spam, you make the user
disinfect the machine, exact the fine (according to the contract),
after that you delete the line with the userid from the blocked_users file
and delete the frozen spam using exipick.

If you relay from authenticated users then the approach is similar:

  accept authenticated = *
        set acl_m_user = $authenticated_id
# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
        condition = ${if exists{$spool_directory/blocked_users}}
        condition = ${if eq{${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_users}{1}{0}}}{1}}
        control = freeze/no_tell
        add_header = X-Authenticated-As: $acl_m_user


  accept authenticated = *
        !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
        ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_users; \
           \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
           has sent mail to LIM invalid recipients during PERIOD.; \
           \N}\N | EXIMBINARY WARNTO"}}
        control = freeze/no_tell
        add_header = X-Authenticated-As: $acl_m_user


  accept authenticated = *
        control = submission/domain=