Re: [exim] iForbiddng e-mail coming from bogus address

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] iForbiddng e-mail coming from bogus address
Bill Hayles wrote:
> Hi,
>
> On Sat, 26 Mar 2011 20:56:05 -0600 in message number <20110327025605.GA15306@???>, received here on 08/04/2011 19:47:03, The Doctor <doctor@???> said:
>
>> Right .
>>
>> I am seeing e-mail
>>
>> being sent from
>>
>> a couple of bogus addresses
>>
>> one is adminsuppo*@???
>>
>> And the other is of the form postmail-usa.**@***.com .
>>
>>
>> Question how can exim block and discard e-mails coming from such addresses ?
>
> I use this sort of thing.
>
> In ACL configuration:
> # deny spamming IPs
> # By IP address; substitute hosts
>    deny    message     = Rejected IP
>            hosts       = 127.0.0.1
> # by domain; substitute domains
>    deny    message     = Rejected Domain
>            domains     = foo.bar : foo2.bar
> # by specific sender; substitute domains and local_parts
>    deny    message     = Rejected sender
>            domains     = foo.bar
>            local_parts = somesender



Those are probably forged originations and can more easily be
blocked with an rDNS test than by listing all possible such that will
eventually show up.. see below in re rDNS.

w/r the approach under discussion, though, there is room for improvement
IF any or all of the following apply:

- large lists

- frequent changes

- desire to NOT involve delay or resources for off-box callouts/lookups

... none of which are the best environment for 'domain = ' or 'hotlist =
' structures.


THEN

- an lsearch, wildlsearch, iplsearch, or dirsearch of an external
flat-file, CDB, or dirtree may serve better[1]

Said file(s) are easily generated or modified by externals and need
neither the privs to alter exim's configure file NOR a restart of the
exim listener/manager daemon. They are also amenable to
per-recipient-domain or even per-individual-recipient customization.

....and, BTW, in order of effectiveness:

- the FIRST line of defense against 'bogus' addresses is an rDNS check.

- then 'major' dynamic-IP and known-bad-actor RBL's

- then verify = recipient

..by which point those the OP cited would probably have been rejected as
zombot forgeries, and needeth not (the above test..).

.. which nonetheless covers about 3,000 to 6,000 total entries here,
some of them being entire ISP blocks, entire <tld>, even a few cases of
specific MTA ID.

YMMV,


Bill


[1] If one feels compelled to utilize an RDBMS to massage all these, it
is still better to export CDB or such from it for Exim's use rather than
doing direct SQL calls. 'Usually' faster and lighter. 'Always' more robust.