Re: [exim] ot: rDNS + spam assassin

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Mike Tubby
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] ot: rDNS + spam assassin
I think the problem is that you're relating an IP/DNS issue to a SPAM
identification technology.

There is no 'law' that says your reverse DNS must work and its simply
dangerous to use the heuristic no rDNS => High probability of SPAM.

You would probably be better served using extensive checking at:

     1. initial TCP connection, then
     2. at HELO/EHLO greeting, then
     3. at the MAIL command



Using this approach we block unwanted senders (unwanted connects)
because they are identified as such, we block spammers that use broken
protocol like attempting to send before they say HELO or EHLO. We block
spammers and systems that use bare words like "HELO COMPUTER" or dotted
quads like "HELO 1.2.3.4".

By the time an email gets as far as SpamAssassin on our systems its
already been through 30+ other pre-checks which are more efficient and
more accurate than providing a high weighting to something that can give
a false positive.


Mike



Here's some config to consider ...


begin acl

###
### acl_check_connect: This access control list checks the inbound
### connection against a number of DNS based block lists
###

acl_check_connect:
         warn    logwrite = CONNECT: New connection from 
$sender_host_address:$sender_host_port -> 
$received_ip_address:$received_port
                 set acl_m5 = 0


         #
         # accept the connection here if it is on MSA port 587
         #
         accept  condition = ${if eq{$interface_port}{587}{1}{0}}
                 set acl_m5 = 1
                 logwrite = CONNECT: Host $sender_host_address allowed 
on MSA/MUS port 587 - connect checks skipped


         #
         # check and accept if host is white-listed in our database
         #
         accept  hosts = +whitelist_dnsbl_hosts
                 logwrite = CONNECT: Host $sender_host_address is 
whitelisted in database, RBL checks skipped


         #
         # see if its whitelisted at junkmailfilter.com - only warn
         #
         warn    dnslists = 
hostdomain.junkemailfilter.com=127.0.0.1/$sender_host_name
                 logwrite = CONNECT: Host name $sender_host_name 
whitelisted at $dnslist_domain : $dnslist_value


         #
         # check if host white-listed at DNSWL.ORG
         #
         accept  dnslists = list.dnswl.org&0.0.0.2
                 logwrite = CONNECT: Host $sender_host_address 
whitelisted at $dnslist_domain : $dnslist_value


         #
         # checks via various DNS Block Lists. These could be condensed 
into a single check with a
         # multi-part dnslists = ... entry but specifying them 
separately gives us fine-grained
         # control.  We can log each by name and can enable/disable 
them.  Enable by setting them to
         # 'drop' (connection refused) and disabled them by setting to 
'warn' (log entry only)
         #


         # SpamHaus.org
         drop    dnslists = zen.spamhaus.org
                 logwrite = CONNECT: Reject: $sender_host_address 
according to: $dnslist_domain : $dnslist_value



         # Sorbs.net
         warn    dnslists = dnsbl.sorbs.net
                 logwrite = CONNECT: Reject: $sender_host_address 
according to: $dnslist_domain : $dnslist_value



         # SpamCop.net
         warn    dnslists = bl.spamcop.net
                 log_message = CONNECT: Warning: $sender_host_address 
according to: $dnslist_domain : $dnslist_value



         # AbuseAt.org
         warn    dnslists = cbl.abuseat.org
                 log_message = CONNECT: Warning: $sender_host_address 
according to: $dnslist_domain : $dnslist_value


         #
         # accept the rest
         #
         accept  logwrite = CONNECT: Accepting connection from: 
$sender_host_address - not blocked by any RBL



###
### acl_start_tls: This access control list reports client used START TLS
###

acl_start_tls:

         accept  logwrite = CRYPTO: Client 
$sender_host_address:$sender_host_port issued STARTTLS





###
### acl_check_helo: check the HELO/EHLO
###

acl_check_helo:

         #
         # accept for relay_from_hosts
         #
         accept  condition = ${if 
match_domain{$sender_helo_name}{$+relay_from_hosts}{true}{false}}
                 logwrite = HELO: Accepted HELO/EHLO $sender_helo_name 
from remote host: $sender_host_address ${if def:sender_host_name 
{($sender_host_name) }} in hostlist relay_from_hosts



         #
         # check for single word greeting messages like "HELO COMPUTER"
         #
         deny    condition = ${if match {$sender_helo_name} {\\.} {no}{yes}}
                 message = Your HELO/EHLO greeting ($sender_helo_name) 
is a single word. \
                         According to RFC2821 you must use your 
fully-qualified domain-name. \
                         Please fix your configuration if you want to 
talk to us
                 logwrite = HELO: HELO/EHLO was not a FQDN : 
$sender_helo_name from $sender_fullhost


         #
         # check for raw IP address in greeting like "HELO 1.2.3.4"
         #
         deny    condition = ${if isip{$sender_helo_name}}
                 #condition = ${if match 
{$sender_helo_name}{^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$}{yes}{no}}
                 message = Your HELO/EHLO greeting ($sender_helo_name) 
is a plain IP address. \
                         According to RFC2821 you must use your 
fully-qualified domain-name. \
                         Please fix your configuration if you want to 
talk to us
                 logwrite = HELO: HELO/EHLO with bare IP : 
$sender_helo_name from $sender_fullhost


         #
         # check for HELO from our host name... must be fake as we don't 
SMTP to ourselves!
         #
         deny    condition = ${if match 
{$sender_helo_name}{$primary_hostname}{true}{false}}
                 message = Your HELO/EHLO greeting ($sender_helo_name) 
is using our name! \
                         According to RFC2821 you must use your 
fully-qualified domain-name. \
                         Please fix your configuration if you want to 
talk to us
                 logwrite = HELO: Rejected because remote host used our 
hostname: $sender_helo_name


         #
         # check for HELO from domains that we handle (local domains and 
relay domains)... if so this is fake
         #
         deny    condition = ${if 
match_domain{$sender_helo_name}{$+local_domains:+relay_to_domains}{true}{false}}
                 message = Your HELO/EHLO greeting ($sender_helo_name) 
is using one of our domains! \
                         According to RFC2821 you must use your 
fully-qualified domain-name. \
                         Please fix your configuration if you want to 
talk to us
                 logwrite = HELO: Rejected because remote host used one 
of our domains: $sender_helo_name


         #
         # check for HELO names blacklisted in our database, if we 
reject don't give too much help as to why
         #
         deny    condition = ${if 
match_domain{$sender_helo_name}{+blacklist_helo}{yes}{no}}
                 message = Your HELO/EHLO is not acceptable here
                 logwrite = HELO: Rejected: $sender_helo_name (from 
$sender_fullhost) - blacklisted in database


         #
         # attempt to verify the HELO/EHLO, if it fails just generate a 
log warning - we cannot reject
         # based on this. See also the check_content ACL where we add a 
warning to headers for invalid HELO
         #
         warn    !verify = helo
                 logwrite = HELO: Could not verify HELO/EHLO: 
$sender_helo_name from remote host: $sender_host_address ${if 
def:sender_host_name {($sender_host_name) }}


         #
         # accept everything else
         #
         accept  message = Hello $sender_helo_name
                 logwrite = HELO: Accepted HELO/EHLO $sender_helo_name 
from remote host: $sender_host_address ${if def:sender_host_name 
{($sender_host_name) }}




###
### acl_check_mail: this access control list checks the SMTP 'MAIL' (ie.
MAIL FROM:)
### part of the transaction
###

acl_check_mail:

         #
         # check that they have said HELO/EHLO earlier (before MAIL)
         #
         deny    condition = ${if !def:sender_helo_name {true}{false}}
                 message = Missing or blank HELO/EHLO greeting. 
According to RFC2821 \
                         you must say HELO/EHLO before sending traffic.
                 logwrite = MAIL: Missing or blank HELO/EHLO from 
$sender_fullhost


         #
         # log the SPF result
         #
         warn    spf = !none
                 logwrite = MAIL: SPF Result=$spf_result 
($sender_address_domain / $sender_fullhost)


         #
         # check blacklisted 'From:' addresses
         #
         deny    condition = ${lookup mysql 
{MYSQL_BLACKLIST_SENDER}{true}{false}}
                 message = Sender address blacklisted. Go away!
                 logwrite = MAIL: Rejected sender's from: 
$sender_address - blacklisted in database


         #
         # accept everything else (we won't know until we call-out 
verify/route it)
         #
         accept  logwrite = MAIL: Accept from: $sender_address host: 
$sender_fullhost









On 9/19/2016 1:58 PM, John McMurray wrote:
> Hi everyone,
>
> I hope its ok to ask an off topic question in this group. I ask here
> because even though it is off topic its obviously closely related and
> I'd love to hear what your thoughts are on the following:
>
> In my exim servers I assign a very high spam assassin score to
> incoming mail servers without rDNS (RDNS_NONE = 4.5).
>
> This has worked well for me blocking a fair amount of spam (or rather,
> pushing the overall score high enough to block the spam).
>
> I have a client on my servers who cannot receive mail from one of
> their contacts. It turns out that this sender's forward and reverse
> records don't match exactly, eg:
>
> mailsecurity-01.example.com. => 1.2.3.4
>
> but
>
> dig -x 1.2.3.4 => gateway.example.com.
>
>
> So my question(s) are basically:
>
> 1) am I being too over the top assigning such high spam assassin to
> incoming mail without valid rDNS?
>
> 2) Should it be considered valid if the tld matches but not the sub
> domain as in the example above (and if so any pointers on how to
> achieve that in exim)?
>
>
> Thank you,
>
> John McMurray
>
> john@???
>
>