Hi,
I receive, and want to continue to receive, <everything>@mydomain.com as
I often given semi-random email addresses out so aaa111@???,
bbb222@??? are all 'valid' addresses and therefore I cannot
(easily) sort on recipient as a spam filter.
The zen.spamhaus.org blocklist does a great job of keeping most of the
nasties at bay. There are occasions where I get a truckload of spam
before the zen list has caught up. The spam comes in two flavours - I
think I've cracked one but would appreciate a hand with the other, please.
The first is if the spammer is using the same 'from' email address, eg
customerservice@??? in which case I use
...
acl_check_rcpt: [further up I have acl_smtp_rcpt = acl_check_rcpt]
deny
ratelimit = 5 / 15m / per_rcpt / strict / $sender_address
log_message = Denied, sending rate of: $sender_rate by $sender_address
...
this therefore kicks in fairly rapidly and I don't have any other mail
(mailing lists, twitter notifications, etc) that approaches this rate so
I don't foresee false positives being an issue.
The second is if the spammer uses a multitude of 'from' email addresses
but a common subject such as "Invoice is due". So I'm after a similar
ratelimit stanza that will work on the subject. I *think* this can't go
in the acl_check_rcpt as the header has not been downloaded at this
time(?) so needs to be in acl_check data [ = acl_smtp_data]? Depending
when it triggers it needs to be agnostic to a SpamAssassin header
rewrite so that "(SPAM 3.5)Invoice" 'matches' "(SPAM 3.6)Invoice".
1. Have I explained the question sufficiently clearly?
2. Any guidance, please, on how to adapt ratelimit? Or a completely
different way of skinning it?
(I use a mailhop service for incoming mail so I don't think greylisting
/ teergrubing is an option as it will affect the wrong target.)
Muchos thanks,
Nick.
