Re: [exim] Ocassional spam forwarding

Author: Todd Lyons
Date:  
To: Jeff Lasman
CC: exim-users
Subject: Re: [exim] Ocassional spam forwarding
On Thu, Feb 3, 2011 at 11:33 AM, Jeff Lasman <blists@???> wrote:
> (nothing you don't already know about).  While we use Spam Assassin, I'm not
> sure we use it on email that's being forwarded off the server.  I'd have to
> check.  We don't run email which already has SpamAssassin headers through our
> SpamAssassin, though we're considering doing that.


If your ACLs just check for the presence of the header and don't also
make sure that one of your hosts put that header there, then you have
a hole which crafty spammers can abuse.

> We publish SPF, MX and rDNS, but we don't implement DKIM.


It turns out to be not that difficult to do per user domain DKIM. We
do it for SMTP auth'd users and for webmail users sending using their
domain. *IF* they have one. If they are using a domain that we don't
host, then we don't DKIM sign. All the data lives in a MySQL backend,
but if you wanted to put it in flat files, it would be just a
different lookup type (and central storage such as an NFS server).

> I'd appreciate it if you can share your exim.conf configuration for sending
> incoming mail through SpamAssassin before forwarding it, so I can compare it
> with ours, as I don't think we do that.


I think we'd have to see your data ACL to be sure, but if your hunch
above about when SA is run is right, you probably have 1 of 2 scenarios:
1. You're limiting your SA scan to local mailboxes only. (Remove the
local mailbox only restrictions.)
...or...
2. You're accepting email forwarders before the SA scan. (Move the
accept to _after_ your SA calls.)

Here's what my data ACL contains WRT SA:

  # Always add X-Spam-Score and X-Spam-Report
  # headers using SA system-wide settings
  # (user "nobody") no matter if over threshold or not.
  warn    spam          = nobody:true
          message       = X-Spam-Score: $spam_score\n\
                          X-Spam-Report: $spam_report


  # Add X-Spam-Flag if spam is over system-wide threshold
  warn    message       = X-Spam-Flag: Yes
          spam          = nobody


  # Reject spams with score over 6 using an extra condition.
  deny    message       = This message scored $spam_score points.  Rejected.
          !authenticated= *
          spam          = nobody:true
          condition     = ${if >{$spam_score_int}{60}{1}{0}}




Jeff, I'm going to be attending SCALE this year. If you make it out
there, we can sit and compare exim configurations. We might be able
to learn from each other :-)

And if we can coordinate and make it out to a local LUG meeting again
(I've been negligent in making them), we could do more of the same.

--
Regards...      Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurelius
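
The header-trust point made in the message above, as an added example that is not part of the original post or of anyone's Exim configuration: existing X-Spam-* headers only justify skipping a scan when the connecting SMTP peer is one of your own scanning hosts; otherwise they are stripped and the message is scanned. The network range, function names and sample messages are constructed assumptions.

```python
import ipaddress
from email import message_from_string

# Assumption: address range of our own SpamAssassin-scanning relays
# (constructed, taken from the documentation range 192.0.2.0/24).
TRUSTED_SCANNERS = [ipaddress.ip_network("192.0.2.0/28")]
SPAM_HEADERS = ("X-Spam-Score", "X-Spam-Report", "X-Spam-Flag")


def from_trusted_scanner(peer_ip):
    """True if the SMTP peer (as seen on the socket, never taken from
    message headers) is one of our own scanning hosts."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_SCANNERS)


def prepare_for_scan(raw, peer_ip):
    """Return (message, needs_scan, stripped_header_names)."""
    msg = message_from_string(raw)
    present = [h for h in SPAM_HEADERS if h in msg]
    if present and from_trusted_scanner(peer_ip):
        # One of our hosts already scored it: keep headers, skip rescan.
        return msg, False, []
    # Headers from anyone else are unauthenticated text. Drop them so a
    # forged "X-Spam-Flag: No" can neither bypass the scan nor survive it.
    for h in present:
        del msg[h]
    return msg, True, present


# Constructed sample: a message arriving with pre-set "clean" headers.
FORGED = (
    "From: sender@example.net\n"
    "To: user@example.org\n"
    "X-Spam-Flag: No\n"
    "X-Spam-Score: 0.0\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.5"):
        _, needs_scan, stripped = prepare_for_scan(FORGED, ip)
        print(ip, "scan" if needs_scan else "skip", stripped)
```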