Re: [exim] Spam bypassing spamassassin et al

On Tue, 2015-09-01 at 15:44 +0200, John Mc Murray wrote:

> Agreed, and that is what I'm trying to achieve with this in the RCPT ACL
> (just logging at the moment, not actually dropping or denying):


I check the HELO/EHLO not in the RCPT ACL but in acl_smtp_helo.
I use Exim 4.63 (on Centos 5.11) and Exim 4.72 (on Centos 6.7).

# Section B
acl_check_helo:

accept condition     = ${if eq{$acl_c1}{0}}
       hosts         = EXDIR/hosts.accept.b

accept condition     = ${if eq{$acl_c1}{0}}
       condition     = ${lookup{$sender_helo_name} \ 
                        lsearch{EXDIR/helo.accept} \
                        {yes}{no} }

warn   condition     = ${if eq{$sender_helo_name}{}}
       set acl_c4    = +2
       set acl_c5    = [SNB01] Rejected. HELO missing
       set acl_c6    = [SNB01] HELO missing

warn   condition     = ${if eq{$acl_c4}{0}}
       condition     = ${if
eq{$sender_helo_name}{$interface_address}{yes}{no}}
       set acl_c4    = +2
       set acl_c5    = [SNB02] Rejected. Invalid HELO name
$sender_helo_name
       set acl_c6    = [SNB02] HELO impersonated

warn   condition     = ${if eq{$acl_c4}{0}}
       condition     =
${lookup{$sender_helo_name}lsearch{EXDIR/helo.reject} \
                         {1}{0}}
       set acl_c4    = +2
       set acl_c5    = [SNB11] System error 12/002.
       set acl_c6    = [SNB11] HELO fradulent (helo.reject)

warn   condition     = ${if eq{$acl_c4}{0}}
       condition     = ${if match{$sender_helo_name}{lawyers}}
       set acl_c4    = +1
       set acl_c5    = [SNB14] System error 13/756(A)
       set acl_c6    = [SNB14] HELO = lawyers

warn   condition     = ${if eq{$acl_c4}{0}}
       condition     = ${if match{$sender_helo_name} \
                         {^.*[0-9]\\..*[0-9]\\..*[0-9]\\..*[0-9]} }
       set acl_c4    = +2
       set acl_c5    = [SNB16] Inform your technical experts, invalid
HELO/EHLO.
       set acl_c6    = [SNB16] HELO numeric

warn   condition     = ${if eq{$acl_c4}{0}}
       !verify       = helo
       set acl_c4    = +2
       set acl_c5    = [SNB21] Rejected. HELO / EHLO different from
HOST. \
                        Suspected spam. \
                        Sender's host = $sender_host_name; \
                        Sender's HELO = $sender_helo_name : \
                        http://sys.u22.net/t01/t01p07.php
       set acl_c6    = [SNB21] HELO / EHLO different from HOST. \
                        Suspected spam.

accept

acl_c4 = If this is +2 and the connection and rcpt variables are also
set to +2, then after RCPT checking the IP is blocked for 1 - 2 months.

acl_c5 = the rejection message sent to the sender

acl_c6 = the internally generated report reason


I accept not everyone configures their Exim similarly. However about 1
spam a month penetrates my defences despite a constant surge of crap
targeting my mail servers.


--
Regards,

Paul.
England, EU.      England's place is in the European Union.