Re: [exim] spam filtering - google/hotmail/etc

Author: Lena
Date:  
To: exim-users
New-Topics: [exim] spam filtering using connection log and fields
Subject: Re: [exim] spam filtering - google/hotmail/etc
> From: Jim Pazarena
>
> I am trying to strengthen my spam filtering.
>
> As such, I make sure that I don't get too heavy handed with google
> or hotmail.
>
> But I see a heck of a lot of junk from *.yahoo.com
>
> Has yahoo become or has it always been a giant spam pit?


Yahoo consists of different parts. If spam came via a Yahoo Group
(mailing list), complain to the moderator or unsubscribe. If you are a moderator,
you'll be forwarded spam sent to the -owner@ address; nothing to do here
except content filtering, which is fraught with false positives.
Spam via mail.yahoo.com (free mailboxes) and domains outsourced to Yahoo
(btinternet.com, btopenworld.com, att.net, sbcglobal.net, rogers.com
and possibly some others) is another matter entirely. After blacklisting
$sender_address_domain yahoo.cn, yahoo.com.cn, yahoo.com.hk
and $sender_host_name ^smtp\d+\.biz\.mail\.(re\d+|mud)\.yahoo\.com$,
what I'm sent via mail.yahoo.com is mostly Nigerian spam. I block it with a local
blacklist of injecting IPs, http://lena.kiev.ua/blacklist_webmail.txt,
used in acl_check_data:

  # Hotmail, Yahoo, AOL and LotusLive: each rule is keyed on $sender_host_name,
  # which Exim sets only after a forward-confirmed reverse lookup, so the
  # Received line parsed below was written by that provider's own host.
  warn  condition = ${if match{$sender_host_name}\
                              {\N\.(blu|col|bay|snt)\d+\.hotmail\.com$\N}}
        set acl_m_web = ${if match{$rheader_Received:}{\Nfrom [^\(]+\
          \(\[(\d+\.\d+\.\d+\.\d+)\]\) by \
          [^\w-]+\.((blu|col|bay|snt)\d+\.hotmail\.com|phx\.gbl) \
          (over TLS secured channel )?with Microsoft SMTPSVC\N}{$1}}
  warn  condition = ${if match{$sender_host_name}\
                              {\N\.mail\....?\.yahoo\.com$\N}}
        condition = ${if or{\
                            {match{$rheader_X-Yahoo-Newman-Property:}{ymail}}\
                            {def:header_X-RocketYMMF:}\
                            {match{$bheader_X-Mailer:}{^YahooMail}}\
                           }}
        set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
                \[(\d+\.\d+\.\d+\.\d+)\] by \
                web\d+(\.biz)?\.mail\....?\.yahoo\.com via HTTP; \N}{$1}}
        condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_Received:}{\Nfrom [^(\n]+ \
             \([^)\n]+@(\d+\.\d+\.\d+\.\d+) with login\)[\r\n]+\s+by \
             smtp\d+(\.plus|\.sbc)?\.mail\....?\.yahoo\.com with SMTP; \N}{$1}}
  warn  condition = ${if match{$sender_host_name}\
                              {\N^[oi]mr-\w+\.mx\.aol\.com$\N}}
        set acl_m_web = ${if match{$rheader_Received:}{\Nfrom \
          (\d+\.\d+\.\d+\.\d+) by webmail-\w+\.sysops\.aol\.com \
          \(\d+\.\d+\.\d+\.\d+\) with HTTP \(WebMailUI\); \N}{$1}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+ \(\S+ \[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by \
                mtaout-\w+\.\w+\.mx\.aol\.com \(MUA/Third Party Client \
                Interface\) with ESMTPA id \w+;\N}{$1}{$acl_m_web}}
  warn  condition = ${if match{$sender_host_name}\
                              {\N^outbound\d+\.messaging\.lotuslive\.com$\N}}
        set acl_m_web = ${if match{$rheader_Received:}\
                                  {\N^@[\w.-]+@(\d+\.\d+\.\d+\.\d+)\)\N}{$1}}
  # Webmail packages on arbitrary hosts: not keyed on $sender_host_name, so any
  # earlier hop could have written the Received line these patterns match.
  warn  set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                [\d.]+ (?:\(\[[\d.]+\]\) )?\(proxying[\s\n]+for[\s\n]+\
                (\d+\.\d+\.\d+\.\d+)(, [\w.-]+)?\)\n\
                \s+\(SquirrelMail authenticated user [^)\n\r]+\)\n\
                \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                (?:\S+ \(\[)?(\d+\.\d+\.\d+\.\d+)(?:\]\))?\n?\
                \s+\(SquirrelMail authenticated user [^)\n\r]+\)\n\
                \s+by [^\s\n]+ with HTTP;\n\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                (\d+\.\d+\.\d+\.\d+)(?: \(proxying for [^)]+\))?[\n\s]+\
                \(RisuMail authenticated user \N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+[\s\n]+\
                with[\s\n]+HTTP(?s).+\nUser-Agent: Roundcube Webmail\N}\
                {$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+[\n\s]+\((?:\S+[\n\s]+)?\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s]+by\
               [\n\s]+\S+[\n\s]+\(Horde[\n\s]+(Framework|MIME[\n\s]+library)\)\
                [\n\s]+with[\n\s]+HTTP\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \[(\d+\.\d+\.\d+\.\d+)\] by \S+[\s\n\r]+ \(mshttpd\);\N}\
                {$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                client (\d+\.\d+\.\d+\.\d+) for UebiMiau\d+\.\d+ \(webmail \
                client\);\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\s]+by \S+ \
                with HTTP \(UebiMiau\);\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \[(\d+\.\d+\.\d+\.\d+)\] \(account \S+\)[\s\n\r]+by[\s\n\r]+\
                \S+[\s\n\r]+\(CommuniGate Pro WEBUSER \S+\)[\s\n\r]+\
                with[\s\n\r]+HTTP\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from\s+\
                (?:\S+[\s\n]+)?\(\[(\d+\.\d+\.\d+\.\d+)\]\)[\s\n]+by[\s\n]+\S+\
                [\s\n]+with[\s\n]+http[\s\n]\N}{$1}{$acl_m_web}}
        set acl_m_web = ${if match{$message_headers_raw}{\N\nReceived: from \
                \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\)[\n\r]+\s+\
                by mx.google.com with ESMTPS id \N}{$1}{$acl_m_web}}
        condition = ${if match{$bheader_X-Mailer:}{^OpenWebMail }}
        set acl_m_web = ${if match{$bheader_X-OriginatingIP:}\
                                  {\N^\[?(\d+\.\d+\.\d+\.\d+)\]?( |$)\N}{$1}}
  # Fallbacks, used only if nothing above set acl_m_web: these headers are
  # written by the submitting software and are not tied to the connecting host.
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-Originating-IP:}\
                            {\N^\[?(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\]?$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-Client-IP:}\
                                  {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-Origin:}\
                                  {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-Originator:}\
                                  {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-SenderIP:}\
                                  {\N^(\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  warn  condition = ${if !def:acl_m_web}
        set acl_m_web = ${if match{$bheader_X-PHP-Script:}\
                                  {\N^\S+ for (\d+\.\d+\.\d+\.\d+)$\N}{$1}}
  # Deny only when an injecting IP was found and the local iplsearch file
  # lists it; mail from Yahoo Groups is exempt.
  deny  message = webmail from $acl_m_web locally blacklisted
        condition = ${if def:acl_m_web}
        condition = ${if !eq{$sender_address_domain}{returns.groups.yahoo.com}}
        condition = ${lookup{$acl_m_web}iplsearch\
                            {/usr/local/etc/exim/blacklist_webmail}{1}{0}}


Also in acl_check_data:

  deny  message = "mail to friend" on news.yahoo.com abused by spammers
        condition = ${if match{$sender_host_name}\
                              {\N\.bullet\.(mail\.)?...?\.yahoo\.com$\N}}
        condition = ${if eq{$bheader_X-Yahoo-Newman-Property:}{mail-to-friend}}


  deny  message = I consider a Chinese mailbox in Reply-To as a sign of spam.
        condition = ${if match_domain{${domain:$header_reply-to:}}\
                    {yahoo.cn:yahoo.com.cn:yahoo.com.hk:w.cn}}
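The acl_check_data logic above, replayed in Python so the rule order can be tried offline. This is an added example, not Lena's ACL and not anything Exim ships: it models only the Yahoo web, Yahoo SMTP-with-login, Roundcube and X-Originating-IP rules, drops the Yahoo web rule's X-Yahoo-Newman-Property/X-RocketYMMF/X-Mailer sub-condition, and reads an iplsearch-style file with IPv4 keys only. Every header, host name and blacklist entry below is constructed, with IPs from documentation ranges.

```python
"""Offline model of the webmail client-IP extraction and blacklist check above.
Added example, not Lena's ACL and not an Exim feature: the same rule order in
Python over constructed headers (documentation-range IPs), with a subset of rules.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"  # group 1 of every pattern = client IP

# (rule, regex $sender_host_name must match or None, header regex), in the
# ACL's order: rules pinned to the verified connecting host first, generic
# webmail Received lines next, the forgeable X-Originating-IP header last.
# The Yahoo web rule's X-Yahoo-Newman-Property/X-Mailer check is omitted.
PATTERNS = [
    ("yahoo-web", r"\.mail\.\w{2,3}\.yahoo\.com$",
     r"Received: from \[" + IP + r"\] by web\d+(?:\.biz)?\.mail\.\w{2,3}"
     r"\.yahoo\.com via HTTP; "),
    ("yahoo-smtp", r"\.mail\.\w{2,3}\.yahoo\.com$",
     r"Received: from [^(\n]+ \([^)\n]+@" + IP + r" with login\)\s+by "
     r"smtp\d+(?:\.plus|\.sbc)?\.mail\.\w{2,3}\.yahoo\.com with SMTP; "),
    ("roundcube", None,
     r"Received: from \S+ \(\[" + IP + r"\]\)\s+by \S+\s+with HTTP"
     r"(?s:.+)\nUser-Agent: Roundcube Webmail"),
    ("x-originating-ip", None,
     r"^X-Originating-IP: \[?(?:::ffff:)?" + IP + r"\]?$"),
]


def injecting_ip(headers: str, sender_host_name: str) -> Optional[Tuple[str, str]]:
    """Return (rule, client IP) for the first rule that applies, else None."""
    for rule, host_re, pattern in PATTERNS:
        if host_re and not re.search(host_re, sender_host_name):
            continue  # provider-specific rule; mail did not come from that provider
        m = re.search(pattern, headers, re.MULTILINE)
        if m:
            return rule, m.group(1)
    return None


def load_blacklist(text: str) -> List[ipaddress.IPv4Network]:
    """Parse an iplsearch-style file: IP or CIDR key, optional ': data', # comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key = re.split(r"[\s:]", line, maxsplit=1)[0]  # IPv4 keys only
            nets.append(ipaddress.ip_network(key, strict=False))
    return nets


def is_blacklisted(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an octet like 999 from a forged header is not a listing
    return any(addr in n for n in nets)


def decide(headers: str, sender_host_name: str, nets) -> Tuple[str, Optional[str], Optional[str]]:
    """Mirror the final deny: reject only if an IP was found and it is listed."""
    found = injecting_ip(headers, sender_host_name)
    if found is None:
        return "accept", None, None
    rule, ip = found
    return ("deny" if is_blacklisted(ip, nets) else "accept"), rule, ip


BLACKLIST = """\
# constructed sample in iplsearch file format, not Lena's list
203.0.113.0/24: webmail 419 run
198.51.100.7
"""

# Constructed samples: (verified $sender_host_name, raw headers).
SAMPLES = {
    "yahoo-web": ("nm12.bullet.mail.ne1.yahoo.com",
        "Received: from [203.0.113.10] by web120501.mail.ne1.yahoo.com via HTTP; "
        "Tue, 1 Jan 2013 10:00:00 PST\nX-Mailer: YahooMailWebService/0.8.123\n"),
    "yahoo-smtp": ("smtp105.mail.ne1.yahoo.com",
        "Received: from [192.0.2.5] (alice@198.51.100.7 with login)\n"
        "        by smtp105.mail.ne1.yahoo.com with SMTP; 01 Jan 2013 18:00:00 -0000\n"),
    # A forged X-Originating-IP names a listed address, but the Roundcube
    # Received line is checked first, so the real client 192.0.2.44 is used.
    "roundcube-forged": ("mail.example.net",
        "Received: from 192.0.2.44 ([192.0.2.44])\n\tby webmail.example.net with HTTP "
        "(HTTP/1.1 POST); Tue, 01 Jan 2013 12:00:00 +0000\n"
        "X-Originating-IP: 203.0.113.99\nUser-Agent: Roundcube Webmail/0.8.5\n"),
    "x-originating-only": ("relay.example.org",
        "Received: from localhost (localhost [127.0.0.1])\n\tby relay.example.org "
        "(Postfix) with ESMTP id 4F3A1; Tue, 01 Jan 2013 12:00:00 +0000\n"
        "X-Originating-IP: [203.0.113.200]\n"),
}


def run_samples():
    """Verdict per sample: (accept|deny, rule that fired, IP it extracted)."""
    nets = load_blacklist(BLACKLIST)
    return {name: decide(hdrs, host, nets) for name, (host, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

The point the samples make is the ordering: the two Yahoo rules only apply when the verified connecting host is Yahoo's, so the IP they extract came from Yahoo's own Received line, while the Roundcube and X-Originating-IP rules are not tied to any host and any earlier hop could have written what they match. Putting the forgeable header last means a spammer who plants a listed address in X-Originating-IP can at most get their own message rejected, and a listed address in a Received line only matters when no rule earlier in the chain found the client IP. The same file format (one IP or CIDR per line, optional data after a colon or whitespace) is what Exim's iplsearch reads, so the list can be shared between this script and the ACL.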