Re: [exim] Exim is forwarding spam.

Author: Michael J. Tubby B.Sc G8TIC
Date:  
To: Chris.Knadle
CC: exim-users
Subject: Re: [exim] Exim is forwarding spam.
Chris,

While your idea is interesting, it's not necessarily scalable; I have 800+
domains each with 1-1000 addresses...

I use recipient verify, i.e. I call out to the next hop host and verify
the recipient. The host is usually present, however if it is not
contactable then I default to accepting the mail and queuing it. This
means there's a slightly higher chance of them getting spam (backscatter
spam) while their host is offline.

I think this compromise is acceptable and avoids me having to know my
clients' email addresses.


Mike



On 30/06/2012 19:28, Chris Knadle wrote:
> On Saturday, June 30, 2012 13:17:05, Todd Lyons wrote:
>> On Sat, Jun 30, 2012 at 9:57 AM, Chris Knadle <Chris.Knadle@???> wrote:
>>> BTW are you doing any mail relaying? If you're relaying mail for any
>>> domains, you can end up in Exim sending "backscatter spam" due to not
>>> being able to validate the recipient of the email. I've come up with an
>>> interesting solution for this situation which you might like if this is
>>> the case.
>> What are the details? "Interesting solution" implies something new or
>> novel and I for one would like to see what you did.
> Okay, then I'll explain it.
>
> I don't necessarily think it's a new or novel solution, but I haven't yet seen
> it elsewhere. [I expect someone else must be doing something similar.]
>
> At first I considered doing a recipient callout, but this defeats the purpose
> of being a mail relay because it requires the main mail server to be present
> and online. The bottom line is that the backup mail server has to have some
> way of authenticating recipient email addresses even when the main mail
> server is offline.
>
> To do this, I asked the administrator for the relay domain for the list of
> valid email addresses. At first he didn't like this idea because it exposes
> that information to me, but once I explained the reason I was asking for it
> he understood and did so, along with a list of "blacklisted" email addresses.
> He's using wildcard email addressing with '-' as the delimiter, and that's the
> reason why the additional "blacklisted" addresses are necessary. Thankfully I
> found it was not necessary to use wildcard addressing myself to be able to
> deal with all of this. ;-)
>
> The simple solution: email addresses from a particular domain are checked
> against a regex of valid email addresses in a file that is named after the
> domain name, and likewise with a blacklist file.
>
>
> Exim4 configuration
> ----------------------------------
> # (The domain names below are fictitious)
> domainlist blacklist_filecheck_domains = example1.com
> domainlist rcpt_checked_relay_domains = example1.com
>
> acl_check_rcpt:
>
>    #   deny relay_to_domains blacklisted recipients
>    #   CONFDIR/local_recipient_blacklist holds a list of email addresses that should
>    #   no longer have email accepted for them, but which need to be blocked explicitly
>    #   due to wildcard email addresses being used that would normally accept the
>    #   addresses.  Incoming messages with these recipients are blocked at RCPT time.
>    deny
>      domains     = +blacklist_filecheck_domains
>      message     = unknown user
>      condition   = ${lookup{$local_part@$domain}\
>          nwildlsearch{CONFDIR/recipient_blacklists/$domain}\
>          {yes}{no}}
>      log_message = Address $local_part@$domain blocked
>      delay       = 15s
>
>    #   Relay only recipients found in recipient_relay_lists for relay_to_domains
>    #   that are set to use it
>    deny
>      domains     = +rcpt_checked_relay_domains
>      message     = unknown user
>      !condition  = ${lookup{$local_part@$domain}\
>          nwildlsearch{CONFDIR/recipient_relay_lists/$domain}\
>          {yes}{no}}
>      log_message = Address $local_part@$domain unknown
>      delay       = 15s
> ----------------------------------
>
>
>
> /recipient_blacklists/example1.com
> ----------------------------------
> virgil_earp@???
> doc_holliday@???
> ----------------------------------
>
>
> /recipient_relay_lists/example1.com
> ----------------------------------
> abuse@???
> root@???
> notspam@???
> postmaster@???
> MAILER-DAEMON@???
> billy_claiborne@???
> ^bclaiborne-.*@???
> billy_clanton@???
> ^bclanton-.*@???
> frank_mclaury@???
> ^fmclaury-.*@???
> ----------------------------------
>
>
>
> Thus far updates to email addresses have simply been sent over email because
> they've been infrequent, but I've occasionally considered something more
> easily updated by the relay domain administrator such as files copied via
> rsync over ssh.
>
> Also I originally implemented this idea in LDAP as a way of keeping the remote
> domain addresses in sync, but the relay domain admin wasn't interested in
> running LDAP so I opted for this simpler file-based solution, which has been
> doing its job very well IMHO.
>
>    -- Chris
>
> --
> Chris Knadle
> Chris.Knadle@???
>
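The following is an added illustration, not code from either poster: a small Python model of the two ACL statements quoted above, so the blacklist-then-whitelist ordering can be exercised offline. It emulates only the `nwildlsearch` behaviour the thread relies on (lines starting with `^` are regular expressions, anything else is a literal key that ends at the first colon or whitespace, and matching is case-insensitive as Exim documents for lsearch-style lookups); other wildlsearch pattern forms are not modeled. The list contents are constructed, with `example1.com` substituted for the obfuscated `@???` domain in the quoted files, and `bclaiborne-old@example1.com` is an invented blacklist entry that shows why an explicit block is needed when a `-` wildcard would otherwise accept the address.

```python
import re

# Constructed per-domain lists standing in for
# CONFDIR/recipient_relay_lists/<domain> and CONFDIR/recipient_blacklists/<domain>.
RECIPIENT_RELAY_LISTS = {
    "example1.com": [
        "abuse@example1.com",
        "root@example1.com",
        "postmaster@example1.com",
        "MAILER-DAEMON@example1.com",
        "billy_claiborne@example1.com",
        r"^bclaiborne-.*@example1\.com",   # '-' wildcard, as in the quoted file
        "frank_mclaury@example1.com",
        r"^fmclaury-.*@example1\.com",
    ],
}
RECIPIENT_BLACKLISTS = {
    "example1.com": [
        "virgil_earp@example1.com",
        "doc_holliday@example1.com",
        # Invented entry: a retired wildcard address that the regex above would
        # still accept, so it has to be denied explicitly (the thread's point).
        "bclaiborne-old@example1.com",
    ],
}

# The two domainlists from the quoted configuration.
BLACKLIST_FILECHECK_DOMAINS = {"example1.com"}
RCPT_CHECKED_RELAY_DOMAINS = {"example1.com"}


def nwildlsearch(key, lines):
    """Emulate Exim's nwildlsearch over the lines of one lookup file.

    A line whose key starts with '^' is a regular expression; any other key is
    a literal string. Keys end at the first ':' or whitespace (trailing data is
    ignored here), comparison is case-insensitive, and no string expansion is
    applied to the file (that is the 'n' in nwildlsearch).
    """
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern = re.split(r"[:\s]", line, maxsplit=1)[0]
        if pattern.startswith("^"):
            if re.match(pattern, key, re.IGNORECASE):
                return True
        elif pattern.lower() == key.lower():
            return True
    return False


def check_rcpt(local_part, domain):
    """Apply the two quoted ACL 'deny' statements in order.

    Returns ("deny", log_message) or ("accept", None). The 15s delay and the
    SMTP 'unknown user' message are not modeled.
    """
    address = f"{local_part}@{domain}"

    # First statement: explicit per-domain blacklist.
    if domain in BLACKLIST_FILECHECK_DOMAINS:
        if nwildlsearch(address, RECIPIENT_BLACKLISTS.get(domain, [])):
            return ("deny", f"Address {address} blocked")

    # Second statement: relay only recipients listed for the domain
    # (note the '!condition' in the original, i.e. deny when NOT found).
    if domain in RCPT_CHECKED_RELAY_DOMAINS:
        if not nwildlsearch(address, RECIPIENT_RELAY_LISTS.get(domain, [])):
            return ("deny", f"Address {address} unknown")

    # Domains not in either list fall through to the rest of the ACL.
    return ("accept", None)


if __name__ == "__main__":
    for lp, dom in [("billy_claiborne", "example1.com"),
                    ("bclaiborne-2012", "example1.com"),
                    ("bclaiborne-old", "example1.com"),
                    ("virgil_earp", "example1.com"),
                    ("nobody", "example1.com"),
                    ("Abuse", "example1.com"),
                    ("anyone", "other.example")]:
        print(f"{lp}@{dom}: {check_rcpt(lp, dom)}")
```

Because the blacklist statement runs before the relay-list statement, a blacklisted address is rejected even when a wildcard line in the relay list would otherwise match it; swapping the two `deny` blocks would silently reopen every retired wildcard address.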