Re: [exim] Forbidding e-mail coming from bogus address

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Forbidding e-mail coming from bogus address
Bill Hayles wrote:
> Hi, fellow Bill,


Greets..

;-)

*snip*

>> will eventually show up.. see below in re rDNS.
>
> OK, not strictly Exim related, but one of my hobbyhorses. If you do
> that, you block a lot of legitimate servers (including mine!).


Not so! I AM running Exim's rDNS check, and did NOT block your direct OFF
tahini response.

You(r server) passed the rDNS check for the IP from whence you
connected: craybox.com .....on 80.35.22.107.

From *manual* inspection with 'host' and 'dig', one could argue that
you should NOT have passed...

;-)

.... but Exim's rDNS checking is very 'wise' w/r not rejecting unless it
has to..

> Luckily, I find all major servers only block addresses allocated
> dynamically; those allocated to fixed IP accounts are accepted.
>


Well - that IS the very point of an intelligent rDNS check.
And Exim's is by no means hard-edged.

Read the exceedingly well-documented source code in hosts.c


> Also, this approach does not catch spam mail from infected computers
> (of which I get plenty).
>


Oh, but it DOES! Near-as-dammit 100% of it.

It is fairly uncommon for a *server*, even a Windows 'server', running
as an MTA on a public-facing fixed-IP with all the correct DNS
credentials to be *allowed* to be infected for very long. These get
noticed and fixed.

Wot becomes infected AND NOT noticed or corrected for *long* periods at
a time are predominantly the ordinary residential or SME user's
'Win-desktop'.

Those are *nearly always* on dynamic IP with no PTR RR, hence no way to
reverse that IP via a PTR RR to an A or MX record match.

Those WILL fail Exim's rDNS check. As they should do.

Easy enough to check.

'Present Day' - Turn it ON with a 'warn verb' and a log_message instead
of a 'deny' in acl_smtp_connect:


# check only port 25, not users submitting on port 587
# (Exim comments must sit on their own line, not after the verb)
warn condition   = ${if eq{$interface_port}{25}}
     !verify     = reverse_host_lookup
     # in acl_smtp_connect no MAIL command has been seen yet, so
     # $sender_address is empty; log the connecting IP instead
     log_message = rDNS fail for $sender_host_address


Check your logs after time 't' and see how many valid senders you would
have rejected. Odds are, a whitelist of as few as a dozen will cover
those few who have a problem .. all YEAR...

Not at all hard to check historically, either -

Look at the old logs or even old message headers. Pick a few entries
rejected late in the session - or worse - POST session ....
...and do a 'host <the IP>' on the suspect ones, then 'dig any .. ' on
the returned <domain>.<tld>. IF there even IS one..

See how many .. or FEW ... resolve and match to have passed Exim's rDNS
test. And how few - if any - 'legitimate' ones would have failed.

Or use Exim's debug to check 'right now'.

'bogus senders' are the first to fall by the wayside...

QED


Bill
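The log review Bill describes (run the rDNS check in `warn` mode, then see how many senders you would have rejected and how small the exception list needs to be) can be scripted. The following is an added example, not code from the post or from Exim itself: it parses constructed Exim mainlog lines of the shape a `warn` statement with `log_message = rDNS fail for $sender_host_address` would produce, counts warnings per connecting IP, separates the hosts an operator has already confirmed as legitimate (the `KNOWN_GOOD` set is a made-up stand-in for that manual `host`/`dig` work), and renders those exceptions as lines for an Exim host list file. The log lines, IPs and the `rdns_exempt` file name are all assumptions.

```python
import re
from collections import Counter

# Constructed sample of Exim mainlog lines (not real log data). The "Warning:"
# lines are what a warn ACL statement with log_message = rDNS fail for
# $sender_host_address writes from acl_smtp_connect; the others are ordinary
# delivery lines that must be ignored.
SAMPLE_LOG = """\
2008-03-14 09:01:12 H=[203.0.113.45] Warning: rDNS fail for 203.0.113.45
2008-03-14 09:01:13 1JZabc-0001Ab-Cd <= bill@example.net H=mail.example.net [192.0.2.25] P=esmtp S=1234
2008-03-14 09:05:40 H=[198.51.100.7] Warning: rDNS fail for 198.51.100.7
2008-03-14 09:05:41 H=[203.0.113.45] Warning: rDNS fail for 203.0.113.45
2008-03-14 10:17:02 H=[192.0.2.200] Warning: rDNS fail for 192.0.2.200
2008-03-14 11:30:55 H=[203.0.113.45] Warning: rDNS fail for 203.0.113.45
2008-03-14 11:31:00 1JZabd-0001Ac-De <= carol@example.org H=smtp.example.org [192.0.2.26] P=esmtp S=4321
"""

# Constructed: hosts the operator has checked by hand (host/dig) and confirmed
# as legitimate senders despite a missing or mismatched PTR record.
KNOWN_GOOD = {"192.0.2.200"}

# Timestamp, optional host name, bracketed IP, then the warn log_message text.
WARN_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"H=(?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\] Warning: rDNS fail for (?P<addr>\S+)$"
)


def parse_rdns_warnings(log_text):
    """Return a list of (timestamp, connecting_ip) for each rDNS-fail warning."""
    hits = []
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if m:
            hits.append((f"{m['date']} {m['time']}", m["ip"]))
    return hits


def summarize(hits, known_good):
    """Count warnings per host and split them by whether the host is exempted.

    'would_reject' is what a deny verb would have refused; 'spared' is what the
    exception list saves. Both map IP -> number of connections.
    """
    per_ip = Counter(ip for _, ip in hits)
    would_reject = {ip: n for ip, n in per_ip.items() if ip not in known_good}
    spared = {ip: n for ip, n in per_ip.items() if ip in known_good}
    return {"warnings": len(hits), "would_reject": would_reject, "spared": spared}


def exim_hostlist(known_good):
    """Render the exempted IPs as one-per-line entries for an Exim host list file.

    Assumed usage (hypothetical path): save as /etc/exim/rdns_exempt and add
    '!hosts = /etc/exim/rdns_exempt' as a condition on the deny statement.
    """
    return "".join(f"{ip}\n" for ip in sorted(known_good))


if __name__ == "__main__":
    hits = parse_rdns_warnings(SAMPLE_LOG)
    report = summarize(hits, KNOWN_GOOD)
    print(f"{report['warnings']} rDNS warnings from {len(report['would_reject']) + len(report['spared'])} hosts")
    for ip, n in sorted(report["would_reject"].items(), key=lambda kv: -kv[1]):
        print(f"  would reject {ip} ({n} connections)")
    for ip, n in report["spared"].items():
        print(f"  exempted     {ip} ({n} connections)")
    print("host list contents:\n" + exim_hostlist(KNOWN_GOOD), end="")
```

Run it against a real mainlog by replacing `SAMPLE_LOG` with the file contents; the hosts with many connections and no exemption are the "bogus senders" the post expects to fall away, and the ones you recognise go into the host list before switching `warn` to `deny`.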