Re: [exim] 2nd Stage DNS blocking

Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] 2nd Stage DNS blocking
On 2016-10-07, Hardy <bulk@???> wrote:
> Hi folks,
>
> 2nd Stage DNS blocking
>
> Let me describe:
> We receive spam via the usual MTA chain. Sometimes we receive mail from
> (free) mail providers like gmail and yahoo. Sometimes we fetchmail these
> latter ones to feed them to our MX.
> We only check the connecting server, and in some of the examples above
> it might even be trusted. But that one was tricked to take spam before.
> Random samples show me: We would not have taken most of the spam from
> the intermediate or even originating MTA or sender. I would like to run
> these "Received from" addresses against dnslists and/or blacklists in files.
> You obviously cannot do this before the acl data. I am not a regex wiz,
> and I think one needs an external script anyway to extract IPs. Hints?
> Ideas?
>
> Has anyone done before?
Barracuda spam firewall does this, which can be a problem for road
warriors.
see also RFC5321 section 3.7.2

"Received:" header fields of messages originating from other
environments may not conform exactly to this specification. However,
the most important use of Received: lines is for debugging mail
faults, and this debugging can be severely hampered by well-meaning
gateways that try to "fix" a Received: line. As another consequence
of trace header fields arising in non-SMTP environments, receiving
systems MUST NOT reject mail based on the format of a trace header
field and SHOULD be extremely robust in the light of unexpected
information or formats in those header fields.

Doesn't say you can't reject based on _content_
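An added example (not from this thread, nor Exim's own code) of the external extraction script the question asks about: it takes the bodies of a message's Received: lines, keeps only bracketed IPv4 addresses, skips the private, loopback and link-local hops that a fetchmail relay or a road warrior's laptop adds, and builds the reversed-octet DNSBL query name for each remaining hop. The sample headers, the host names and the zone bl.example are constructed; RFC 5737 documentation addresses stand in for public ones, and the script is meant to run at DATA time, once the headers exist.

```python
import ipaddress
import re
import socket

# Constructed sample trace (newest hop first), not from a real message.
SAMPLE_RECEIVED = [
    "from mx.example.org ([198.51.100.7]) by mail.example.net with esmtps",
    "from mail-f171.mailprovider.example ([192.0.2.171]) by mx.example.org",
    "from [10.0.0.5] (unknown [10.0.0.5]) by mail-f171.mailprovider.example ;; odd",
    "by relay.example (local delivery, from userid 1000)",  # no address at all
]

# Only a bracketed dotted quad counts as an address; a bare "4.89.0.1" in a
# software banner does not, which keeps false positives out of the lookups.
BRACKETED_IPV4 = re.compile(r"\[((?:\d{1,3}\.){3}\d{1,3})\]")

# Private, loopback and link-local hops are the sender's own LAN or laptop
# (the "road warrior" case) and must never be looked up in a DNSBL.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_ips(received_headers):
    """Public IPv4 addresses from a list of Received: header bodies, in trace order."""
    found = []
    for body in received_headers:
        for quad in BRACKETED_IPV4.findall(body):
            try:
                ip = ipaddress.IPv4Address(quad)
            except ValueError:
                continue  # e.g. [999.1.1.1]: tolerate junk rather than reject (RFC 5321)
            if any(ip in net for net in INTERNAL_NETS) or str(ip) in found:
                continue
            found.append(str(ip))
    return found

def dnsbl_name(ip, zone):
    """Reverse the octets and append the list zone: 198.51.100.7 -> 7.100.51.198.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def listed_in_dns(name):
    """Live lookup: a DNSBL answers with an A record for listed addresses."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def first_listed_hop(received_headers, zone, lookup=listed_in_dns):
    """Return the first trace address the zone lists, or None if none is."""
    for ip in extract_ips(received_headers):
        if lookup(dnsbl_name(ip, zone)):
            return ip
    return None
```

The topmost hop is the connecting server Exim already checked at connect time; the later ones are the "2nd stage" the question is about, and the lookup callable can be swapped for a file-based blacklist check.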