Re: [exim] help with condition match

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] help with condition match
Jim Pazarena wrote:
> This wildlsearch has greatly simplified my spam filtering.
> Thank you very much.


Here's a bit of the 'gravy', then.

If you make the same call against the same file with a different search
key, (see below) just put the individual string of the rat into the file
without the leading asterisk.

That doesn't block a whole network, but filters on one specific server,
a single-sender, or an imposter trying to look familiar -- but hide his
phishhook in a 'reply'.

We call ours from several places in acl's, checking for a block on one
or more of:

$sender_host_name

$sender_host_address

$sender_helo_name

$sender_name

$reply_address


Still just one file to maintain or grep if/as/when a user sez "I didn't
get a message I was expecting from..."

Bill


>
> -------- Original Message --------
> Subject: Re: [exim] help with condition match
> Date: Thu, 07 Jun 2012 06:02:13 +0000
> From: W B Hacker <wbh@???>
> To: exim users <exim-users@???>
>
>
>
> Not a direct answer to your question, but hopefully a more
> efficient way to eliminate it.
>
> You might find this easier to maintain as it needeth not editing
> of the configure file.
>
> ====
>
> deny
> condition = \
> ${lookup {$sender_host_name}wildlsearch{/var/filters/blockfile}{yes}{no}}
>
> ===
>
> The blockfile cited is a simple flat-file with entries of the form;
>
> ===
>
> *pool-ukrtel.net
>
> ===
>
> One per line. Can be appended to with scripting, and/or maintained with
> an ignorant text editor.
>
> No /configure editing needed thereafter.
>
> No exim restart needed at changes
>
> Giving each miscreant its own acl stanza will run you ragged, given that
> the flatfile here has about 3 or 4 thousand entries...
>
> And BTW...
>
> .. an exim rDNS check will toss all the dynamic-IP pool WINbots right at
> 'CONNECT' for failure to have a PTR RR that mates to an A or MX record
> for a proper FQDN.
>
> That PROBABLY would nail the one you cite. And essentially ALL OTHER
> Winbots on residential connectivity pools, with minimal Exim workload.
>
> Make sure to apply that check only to port 25. Your own user-community
> arriving on port 587 will seldom have DNS credentials, nor should they.
>
> ===
> deny
> condition = ${if eq{$interface_port}{25}}
> !verify = reverse_host_lookup
> ===
>
> Look at a (usually very small) IP-whitelist FIRST, then skip this test
> for the very, very few of our trusted correspondents you NEED to give a
> hall-pass to. File-storage or bespoke-application servers who have no
> FQDN assigned but must send you cron'ed reports, to name one such.
>
> HTH,
>
> Bill
>
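Pulling the pieces of this thread together, here is one way the whole arrangement could look in an Exim configuration: a small IP whitelist consulted first, the rDNS test limited to port 25, and the single blockfile consulted from the connect, MAIL and DATA ACLs against a different variable each time. This is an added example and not Bill's configuration or anything from the Exim project; the file paths /var/filters/ip_whitelist and /var/filters/blockfile, the ACL names, and the choice of $sender_address and $reply_address as the per-sender and per-reply keys are assumptions.

```exim
# Added example (not from the original post). Paths under /var/filters/
# and the ACL names are assumed.

acl_smtp_connect = acl_check_connect
acl_smtp_mail    = acl_check_mail
acl_smtp_data    = acl_check_data

begin acl

acl_check_connect:
  # Hall-pass: the very few trusted hosts that have no proper FQDN
  # (file-storage boxes, bespoke servers sending cron'ed reports).
  # One IP or CIDR per line in the whitelist file.
  accept  hosts     = /var/filters/ip_whitelist

  # Dynamic-pool bots rarely have a PTR that mates to an A/MX record.
  # Apply this on port 25 only; submission clients on 587 are not
  # expected to have DNS credentials.
  deny    condition = ${if eq{$interface_port}{25}}
          !verify   = reverse_host_lookup
          message   = reverse DNS lookup failed for $sender_host_address

  # Whole-network blocks: "*pool-ukrtel.net" style entries match the
  # verified host name. The def: guard skips the test when no host name
  # was obtained (e.g. a port-587 client that never passed rDNS).
  deny    condition = ${if def:sender_host_name}
          condition = ${lookup {$sender_host_name}wildlsearch{/var/filters/blockfile}{yes}{no}}
          message   = host name $sender_host_name is blocked

  # A bare IP in the file (no leading asterisk) matches one specific server.
  deny    condition = ${lookup {$sender_host_address}wildlsearch{/var/filters/blockfile}{yes}{no}}
          message   = host $sender_host_address is blocked

  accept

acl_check_mail:
  # Imposter HELO names and single senders: put the exact string in the
  # same file without the leading asterisk.
  deny    condition = ${lookup {$sender_helo_name}wildlsearch{/var/filters/blockfile}{yes}{no}}
          message   = HELO name $sender_helo_name is blocked

  deny    condition = ${lookup {$sender_address}wildlsearch{/var/filters/blockfile}{yes}{no}}
          message   = sender $sender_address is blocked

  accept

acl_check_data:
  # The "reply" trap: $reply_address is Reply-To: (or From: when absent);
  # ${address:...} strips the display name so the file key is the bare
  # address or a "*@domain" suffix.
  deny    condition = ${lookup {${address:$reply_address}}wildlsearch{/var/filters/blockfile}{yes}{no}}
          message   = reply address is blocked

  accept
```

The whitelist `accept` at connect time only bypasses the connect ACL, so a whitelisted host still goes through the HELO, sender and reply-address checks later. Because the one file is shared by every lookup, an entry written without a leading asterisk is an exact (case-insensitive) match for whichever variable is being tested, which is what makes a single `grep` of the file answer the "I didn't get a message from..." question.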



--
韓家標