[exim] exim ratelimit on subject for incoming mail

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Nick Rickard
Dátum:  
Címzett: exim-users
Tárgy: [exim] exim ratelimit on subject for incoming mail
Hi,

I receive, and want to continue to receive, <everything>@mydomain.com as
I often given semi-random email addresses out so aaa111@???,
bbb222@??? are all 'valid' addresses and therefore I cannot
(easily) sort on recipient as a spam filter.

The zen.spamhaus.org blocklist does a great job of keeping most of the
nasties at bay. There are occasions where I get a truckload of spam
before the zen list has caught up. The spam comes in two flavours - I
think I've cracked one but would appreciate a hand with the other, please.

The first is if the spammer is using the same 'from' email address, eg 
customerservice@??? in which case I use
...
acl_check_rcpt:   [further up I have acl_smtp_rcpt = acl_check_rcpt]
   deny
     ratelimit = 5 / 15m / per_rcpt / strict / $sender_address
     log_message = Denied, sending rate of: $sender_rate by $sender_address
...
this therefore kicks in fairly rapidly and I don't have any other mail 
(mailing lists, twitter notifications, etc) that approaches this rate so 
I don't foresee false positives being an issue.


The second is if the spammer uses a multitude of 'from' email addresses
but a common subject such as "Invoice is due". So I'm after a similar
ratelimit stanza that will work on the subject. I *think* this can't go
in the acl_check_rcpt as the header has not been downloaded at this
time(?) so needs to be in acl_check data [ = acl_smtp_data]? Depending
when it triggers it needs to be agnostic to a SpamAssassin header
rewrite so that "(SPAM 3.5)Invoice" 'matches' "(SPAM 3.6)Invoice".

1. Have I explained the question sufficiently clearly?
2. Any guidance, please, on how to adapt ratelimit? Or a completely
different way of skinning it?

(I use a mailhop service for incoming mail so I don't think greylisting
/ teergrubing is an option as it will affect the wrong target.)

Muchos thanks,
Nick.