I think the problem is that you're relating an IP/DNS issue to a SPAM
identification technology.
There is no 'law' that says your reverse DNS must work and its simply
dangerous to use the heuristic no rDNS => High probability of SPAM.
You would probably be better served using extensive checking at:
1. initial TCP connection, then
2. at HELO/EHLO greeting, then
3. at the MAIL command
Using this approach we block unwanted senders (unwanted connects)
because they are identified as such, we block spammers that use broken
protocol like attempting to send before they say HELO or EHLO. We block
spammers and systems that use bare words like "HELO COMPUTER" or dotted
quads like "HELO 1.2.3.4".
By the time an email gets as far as SpamAssassin on our systems its
already been through 30+ other pre-checks which are more efficient and
more accurate than providing a high weighting to something that can give
a false positive.
Mike
Here's some config to consider ...
begin acl
###
### acl_check_connect: This access control list checks the inbound
### connection against a number of DNS based block lists
###
acl_check_connect:
warn logwrite = CONNECT: New connection from
$sender_host_address:$sender_host_port ->
$received_ip_address:$received_port
set acl_m5 = 0
#
# accept the connection here if it is on MSA port 587
#
accept condition = ${if eq{$interface_port}{587}{1}{0}}
set acl_m5 = 1
logwrite = CONNECT: Host $sender_host_address allowed
on MSA/MUS port 587 - connect checks skipped
#
# check and accept if host is white-listed in our database
#
accept hosts = +whitelist_dnsbl_hosts
logwrite = CONNECT: Host $sender_host_address is
whitelisted in database, RBL checks skipped
#
# see if its whitelisted at junkmailfilter.com - only warn
#
warn dnslists =
hostdomain.junkemailfilter.com=127.0.0.1/$sender_host_name
logwrite = CONNECT: Host name $sender_host_name
whitelisted at $dnslist_domain : $dnslist_value
#
# check if host white-listed at DNSWL.ORG
#
accept dnslists = list.dnswl.org&0.0.0.2
logwrite = CONNECT: Host $sender_host_address
whitelisted at $dnslist_domain : $dnslist_value
#
# checks via various DNS Block Lists. These could be condensed
into a single check with a
# multi-part dnslists = ... entry but specifying them
separately gives us fine-grained
# control. We can log each by name and can enable/disable
them. Enable by setting them to
# 'drop' (connection refused) and disabled them by setting to
'warn' (log entry only)
#
# SpamHaus.org
drop dnslists = zen.spamhaus.org
logwrite = CONNECT: Reject: $sender_host_address
according to: $dnslist_domain : $dnslist_value
# Sorbs.net
warn dnslists = dnsbl.sorbs.net
logwrite = CONNECT: Reject: $sender_host_address
according to: $dnslist_domain : $dnslist_value
# SpamCop.net
warn dnslists = bl.spamcop.net
log_message = CONNECT: Warning: $sender_host_address
according to: $dnslist_domain : $dnslist_value
# AbuseAt.org
warn dnslists = cbl.abuseat.org
log_message = CONNECT: Warning: $sender_host_address
according to: $dnslist_domain : $dnslist_value
#
# accept the rest
#
accept logwrite = CONNECT: Accepting connection from:
$sender_host_address - not blocked by any RBL
###
### acl_start_tls: This access control list reports client used START TLS
###
acl_start_tls:
accept logwrite = CRYPTO: Client
$sender_host_address:$sender_host_port issued STARTTLS
###
### acl_check_helo: check the HELO/EHLO
###
acl_check_helo:
#
# accept for relay_from_hosts
#
accept condition = ${if
match_domain{$sender_helo_name}{$+relay_from_hosts}{true}{false}}
logwrite = HELO: Accepted HELO/EHLO $sender_helo_name
from remote host: $sender_host_address ${if def:sender_host_name
{($sender_host_name) }} in hostlist relay_from_hosts
#
# check for single word greeting messages like "HELO COMPUTER"
#
deny condition = ${if match {$sender_helo_name} {\\.} {no}{yes}}
message = Your HELO/EHLO greeting ($sender_helo_name)
is a single word. \
According to RFC2821 you must use your
fully-qualified domain-name. \
Please fix your configuration if you want to
talk to us
logwrite = HELO: HELO/EHLO was not a FQDN :
$sender_helo_name from $sender_fullhost
#
# check for raw IP address in greeting like "HELO 1.2.3.4"
#
deny condition = ${if isip{$sender_helo_name}}
#condition = ${if match
{$sender_helo_name}{^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$}{yes}{no}}
message = Your HELO/EHLO greeting ($sender_helo_name)
is a plain IP address. \
According to RFC2821 you must use your
fully-qualified domain-name. \
Please fix your configuration if you want to
talk to us
logwrite = HELO: HELO/EHLO with bare IP :
$sender_helo_name from $sender_fullhost
#
# check for HELO from our host name... must be fake as we don't
SMTP to ourselves!
#
deny condition = ${if match
{$sender_helo_name}{$primary_hostname}{true}{false}}
message = Your HELO/EHLO greeting ($sender_helo_name)
is using our name! \
According to RFC2821 you must use your
fully-qualified domain-name. \
Please fix your configuration if you want to
talk to us
logwrite = HELO: Rejected because remote host used our
hostname: $sender_helo_name
#
# check for HELO from domains that we handle (local domains and
relay domains)... if so this is fake
#
deny condition = ${if
match_domain{$sender_helo_name}{$+local_domains:+relay_to_domains}{true}{false}}
message = Your HELO/EHLO greeting ($sender_helo_name)
is using one of our domains! \
According to RFC2821 you must use your
fully-qualified domain-name. \
Please fix your configuration if you want to
talk to us
logwrite = HELO: Rejected because remote host used one
of our domains: $sender_helo_name
#
# check for HELO names blacklisted in our database, if we
reject don't give too much help as to why
#
deny condition = ${if
match_domain{$sender_helo_name}{+blacklist_helo}{yes}{no}}
message = Your HELO/EHLO is not acceptable here
logwrite = HELO: Rejected: $sender_helo_name (from
$sender_fullhost) - blacklisted in database
#
# attempt to verify the HELO/EHLO, if it fails just generate a
log warning - we cannot reject
# based on this. See also the check_content ACL where we add a
warning to headers for invalid HELO
#
warn !verify = helo
logwrite = HELO: Could not verify HELO/EHLO:
$sender_helo_name from remote host: $sender_host_address ${if
def:sender_host_name {($sender_host_name) }}
#
# accept everything else
#
accept message = Hello $sender_helo_name
logwrite = HELO: Accepted HELO/EHLO $sender_helo_name
from remote host: $sender_host_address ${if def:sender_host_name
{($sender_host_name) }}
###
### acl_check_mail: this access control list checks the SMTP 'MAIL' (ie.
MAIL FROM:)
### part of the transaction
###
acl_check_mail:
#
# check that they have said HELO/EHLO earlier (before MAIL)
#
deny condition = ${if !def:sender_helo_name {true}{false}}
message = Missing or blank HELO/EHLO greeting.
According to RFC2821 \
you must say HELO/EHLO before sending traffic.
logwrite = MAIL: Missing or blank HELO/EHLO from
$sender_fullhost
#
# log the SPF result
#
warn spf = !none
logwrite = MAIL: SPF Result=$spf_result
($sender_address_domain / $sender_fullhost)
#
# check blacklisted 'From:' addresses
#
deny condition = ${lookup mysql
{MYSQL_BLACKLIST_SENDER}{true}{false}}
message = Sender address blacklisted. Go away!
logwrite = MAIL: Rejected sender's from:
$sender_address - blacklisted in database
#
# accept everything else (we won't know until we call-out
verify/route it)
#
accept logwrite = MAIL: Accept from: $sender_address host:
$sender_fullhost
On 9/19/2016 1:58 PM, John McMurray wrote:
> Hi everyone,
>
> I hope its ok to ask an off topic question in this group. I ask here
> because even though it is off topic its obviously closely related and
> I'd love to hear what your thoughts are on the following:
>
> In my exim servers I assign a very high spam assassin score to
> incoming mail servers without rDNS (RDNS_NONE = 4.5).
>
> This has worked well for me blocking a fair amount of spam (or rather,
> pushing the overall score high enough to block the spam).
>
> I have a client on my servers who cannot receive mail from one of
> their contacts. It turns out that this sender's forward and reverse
> records don't match exactly, eg:
>
> mailsecurity-01.example.com. => 1.2.3.4
>
> but
>
> dig -x 1.2.3.4 => gateway.example.com.
>
>
> So my question(s) are basically:
>
> 1) am I being too over the top assigning such high spam assassin to
> incoming mail without valid rDNS?
>
> 2) Should it be considered valid if the tld matches but not the sub
> domain as in the example above (and if so any pointers on how to
> achieve that in exim)?
>
>
> Thank you,
>
> John McMurray
>
> john@???
>
>
