Re: [exim] Spam bypassing spamassassin et al

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] Spam bypassing spamassassin et al
On Tue, 2015-09-01 at 15:44 +0200, John Mc Murray wrote:
> So just to make it clear, this question was not about "how to block",
> but rather "why doesn't it block for this very specific spam mail"
Look at it another way: rather than 'why did this not get blocked?',
think 'why did my Exim listener accept this message?'

You have an 'accept' clause somewhere before SA is being called (in the
DATA ACL?), and that's causing the message to get through.

Additional clue: the message has a null sender (ergo, appears to be a
bounce).

Do you happen to have a special accept clause for bounces?

You can run a debug session by doing the following (taking data from
your message). Create a new text file and paste in:

# ===START OF SCRIPT===
(
  sleep 1
  echo 'HELO 78.85.165.113'
  sleep 1
  echo 'MAIL FROM:<>'
  sleep 1
  echo 'RCPT TO:<my@???>'
  sleep 1
  echo 'DATA'
  sleep 1
  cat <<EOF
Received: from unknown (HELO localhost)
         (nitc.co.ir@???@207.80.158.108)
         by 78.85.165.113 with ESMTPA; Tue, 1 Sep 2015 14:12:34 +0400
X-Originating-IP: 207.80.158.108
From: nitc.co.ir@???
To: my@???
Date: Tue, 01 Sep 2015 12:10:04 +0200
Subject: Received annoying spam from BestMoversToronto?


Received annoying spam "from us"?
We understand how it feels, but we didn't do this.
[as much of the body as you like]
.
EOF

sleep 5
echo 'QUIT') | exim -d -bh 78.85.165.113 2>&1 | less

# === END OF SCRIPT ===

Then run that (as root or other trusted user, in Exim terms):

sh newfile.txt

That'll show you where your accept is. I'll lay odds on it being before
the call to SpamAssassin.

Graeme
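The same probe, as an added example that is not part of Graeme's post: it builds the SMTP dialogue from a saved copy of the suspect message instead of a hand-typed here-document, dot-stuffs body lines so a line beginning with "." cannot cut the DATA phase short, and pipes the result into Exim's -bh host-testing mode. It assumes the message has been saved (headers and body) to a file; the function names and the placeholder addresses are the editor's.

```shell
#!/bin/sh
# Added example (not from the original post): generate the 'exim -bh'
# test session from a saved message file.  Function names are assumed.
#
# build_session HELO_IP SENDER RCPT MSGFILE
#   Writes the SMTP dialogue to stdout.  Any line of MSGFILE that starts
#   with '.' is dot-stuffed (RFC 5321 section 4.5.2), so a body line of
#   just "." cannot end DATA early and hide the rest of the message from
#   the ACL under test.  DELAY (seconds, default 0) spaces the commands
#   out like the 'sleep 1' calls in the original script, which keeps the
#   debug output readable.
build_session() {
  helo_ip=$1; sender=$2; rcpt=$3; msgfile=$4
  delay=${DELAY:-0}
  printf 'HELO %s\n' "$helo_ip";       sleep "$delay"
  printf 'MAIL FROM:<%s>\n' "$sender";  sleep "$delay"   # "" yields <> (a bounce)
  printf 'RCPT TO:<%s>\n' "$rcpt";     sleep "$delay"
  printf 'DATA\n';                     sleep "$delay"
  awk '{ sub(/^\./, ".."); print }' "$msgfile"           # dot-stuff every line
  printf '.\n';                        sleep "$delay"
  printf 'QUIT\n'
}

# run_debug HELO_IP SENDER RCPT MSGFILE
#   Feeds the dialogue to Exim's host-testing mode with debugging on, so
#   the output shows which ACL verb accepts the message and whether that
#   happens before the SpamAssassin condition is reached.  Run it as
#   root or another Exim-trusted user.
run_debug() {
  build_session "$@" | exim -d -bh "$1" 2>&1
}

# Invocation for the case in the thread (null sender, saved message in
# spam.eml; the recipient below is a placeholder):
#   DELAY=1 run_debug 78.85.165.113 "" rcpt@example.test spam.eml | less
```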