Re: [exim] Spam bypassing spamassassin et al

Author: John Mc Murray
Date:  
To: exim-users
Subject: Re: [exim] Spam bypassing spamassassin et al
Graeme and Paul,

Thanks so much for your help!

Graeme, you were right about accepting the mail at some earlier stage.
It turns out I was checking for the sender's white list with

= :whitelist_file

Not exactly like that, I'm just too tired to get the exact syntax right
now, but the important part is the colon, which I now realise means that
it will match against a blank value, and these spammers were sending
with a blank from address, so they were whitelisted. Thanks a mil, your
script really helped A LOT!!!

Paul, thanks, I'm not an expert in exim by any stretch of the
imagination and I don't spend much time with it, so I didn't even
realise that there was a helo acl! I'm now using that to detect some
early problems, like using an IP rather than a domain name.

Thanks again, I now have a much better understanding of how things work.

Regards,

John


On 01/09/2015 20:15, Graeme Fowler wrote:
> On Tue, 2015-09-01 at 15:44 +0200, John Mc Murray wrote:
>> So just to make it clear, this question was not about "how to block",
>> but rather "why doesn't it block for this very specific spam mail"
> Look at it another way: rather than 'why did this not get blocked?',
> think 'why did my Exim listener accept this message?'
>
> You have an 'accept' clause somewhere before SA is being called (in the
> DATA ACL?), and that's causing the message to get through.
>
> Additional clue: the message has a null sender (ergo, appears to be a
> bounce).
>
> Do you happen to have a special accept clause for bounces?
>
> You can run a debug session by doing the following (taking data from
> your message). Create a new text file and paste in:
>
> # ===START OF SCRIPT===
> (
>    sleep 1
>    echo 'HELO 78.85.165.113'
>    sleep 1
>    echo 'MAIL FROM:<>'
>    sleep 1
>    echo 'RCPT TO:<my@???>'
>    sleep 1
>    echo 'DATA'
>    sleep 1
>    cat <<EOF
> Received: from unknown (HELO localhost)
> (nitc.co.ir@???@207.80.158.108)
>           by 78.85.165.113 with ESMTPA; Tue, 1 Sep 2015 14:12:34 +0400
> X-Originating-IP: 207.80.158.108
> From: nitc.co.ir@???
> To: my@???
> Date: Tue, 01 Sep 2015 12:10:04 +0200
> Subject: Received annoying spam from BestMoversToronto?
>
> Received annoying spam "from us"?
> We understand how it feels, but we didn't do this.
> [as much of the body as you like]
> .
> EOF
>
>    sleep 5
>    echo 'QUIT') | exim -d -bh 78.85.165.113 2>&1 | less
>
> #=== END OF SCRIPT ===
>
> Then run that (as root or other trusted user, in Exim terms):
>
> sh newfile.txt
>
> That'll show you where your accept is. I'll lay odds on it being before
> the call to SpamAssassin.
>
> Graeme
>
>
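As an added illustration (not part of either message in this thread, and not John's actual configuration), here is what the two points above look like in Exim ACL terms. The whitelist path, the ACL names and the surrounding ACL structure are assumptions; the recipient ACL shows the stray leading colon that matches the empty (bounce) envelope sender beside the corrected form, the HELO ACL shows a check for a bare IP address in the HELO argument, and the DATA ACL shows where the SpamAssassin call sits relative to those earlier accepts.

```exim
# Added example, not from the thread. Paths and ACL names are assumptions.
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_helo:
  # Reject a HELO/EHLO argument that is a bare IP address instead of a
  # host name. $sender_helo_name holds the argument the client supplied.
  deny    condition = ${if isip{$sender_helo_name}}
          message   = HELO argument must be a host name, not an IP address
  accept

acl_check_rcpt:
  # WEAK: the list ": /etc/exim/whitelist" has an empty first item.
  # In an Exim address list an empty item matches the empty envelope
  # sender, so every message sent with MAIL FROM:<> (real bounces and
  # spam posing as bounces) is accepted here, before the DATA ACL and
  # its SpamAssassin check ever run.
  #accept senders = : /etc/exim/whitelist

  # FIXED: no empty item, so only addresses listed in the file match.
  accept  senders = /etc/exim/whitelist

  # ... other recipient-time checks (DNSBLs, rate limits, etc.) ...
  accept

acl_check_data:
  # Scan with SpamAssassin; only reached if nothing earlier accepted
  # the message outright.
  deny    spam      = nobody
          message   = Rejected as spam
  accept
```

Two things worth checking against your own configuration: an `accept` with a sender condition in the RCPT (or DATA) ACL short-circuits everything after it for that message, so any whitelist that can match the null sender is effectively a bounce-shaped bypass of the spam scanner; and `isip` only matches a bare dotted address, so a client sending the RFC-permitted bracketed form `HELO [78.85.165.113]` will not be caught by this particular condition. Graeme's `exim -d -bh` session above is the quickest way to confirm which ACL and which verb actually accepted a given message.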