Re: [exim] Help with dropping spam e-mail.

Author: Mike Brudenell
Date:  
To: Exim Users
Subject: Re: [exim] Help with dropping spam e-mail.
Hi, Mark -

It's a little unclear from your message whether:

- you've got an influx of messages arriving *from* please@???
that you want to block, or
- you've got an influx of messages *to* please@??? that you want
to block.

As you mentioned one possibility might be to create a local user of the
appropriate name I'll assume it's mail *to* that address you wish to
block/get rid of.

If you have some sort of aliasing/user mapping that you use in a redirect
router one way might be to 'alias' your please@??? address to one of
the special recipients ":blackhole:" or "/dev/null". See the chapter *The
Redirect Router* in the *Special items in redirection lists*
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_redirect_router.html#SECTspecitredli>
section.

Alternatively you could add an ACL to your Exim configuration that either
rejects the recipient address please@??? when an incoming message
says it wants to go to that recipient, or you could instead accept the
recipient but then silently discard the message instead of delivering it.
For example, something like this (CAUTION: UNTESTED!) in your
acl_check_rcpt ACL:

deny recipients = please@???


Put this before any "accept" ACL statements. Then, when an incoming SMTP
connection sends a "RCPT TO: please@???", your system will reject
that recipient address with a 5xx SMTP response code so the message doesn't
get into your system but stays on the remote server (which hopefully then
won't try and deliver it again as it got a 5xx code rather than a 4xx code).

Alternatively use "discard" instead of "deny" and your server will accept
the message, send a 2xx code back to the sending server, but then discard
that recipient address. If the message was destined for several of your
users then the others will still get a copy; you can avoid this by moving
the discard into the acl_check_data ACL, as explained in the *Specification*.

See the *Access Control Lists* chapter in the *ACL verbs*
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#SECID200>
section for more about the deny and drop verbs and their effect when in the
rcpt or data ACLs.

Those are just quick thoughts to help you combat the immediate problem;
others might be able to offer more insightful responses. Good luck and let
us know how you get on!

Cheers,
Mike B-)

On Mon, 14 May 2018 at 09:28, Mark Elkins via Exim-users <
exim-users@???> wrote:

>
> I need help. (pun included)
>
> Someone is using "please@???" as the source of spam e-mail. The
> address does not exist...
>
> delivering 1fI8dS-0008Pd-DC (queue run pid 700)
> LOG: MAIN
> ** please@???: Unknown user
>
> ...but I do manage the domain "help.co.za"
>
> I also allow wildcards in addresses - so "*@help.co.za" could be
> forwarded to a single "catchall" account and some customers use this to
> "fetch" all their e-mails....
>
> I'm getting a few 100 per minute which upsets the Load Average - which
> stops local delivery. What would be the most appropriate means to
> /dev/null this crap. I'm running my users from a MySQL database and
> serve a few hundred domains - each with multiple email users. I'm
> running a pretty new version of exim and do this on a Gentoo machine.
>
> Either - create a user by the appropriate name and forward it to what???
>
> or - somehow tell exim when it gets an unknown user to /dev/null it ???
>
> Second would be better - as long as its logged - How do I do this?
>
> --
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje@???       Tel: +27.128070590  Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>



--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
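
Added example, not part of the original message and not tested against the poster's setup: a sketch of the two ACL approaches described in the reply, with logging. The address please@example.test, the variable name acl_m_trap and the log texts are placeholders chosen for illustration; the ACL names follow the acl_check_rcpt / acl_check_data names used in the reply.

```exim
# Constructed configuration fragment (ACL section of the Exim configuration).
# please@example.test is a placeholder for the flooded address.

acl_check_rcpt:

  # Variant A: refuse the recipient at RCPT time. The sender gets a 5xx
  # response, nothing is queued locally, and the rejection is logged.
  # Must come before any "accept" statement that would match the address.
  deny    recipients  = please@example.test
          message     = Unknown user
          log_message = RCPT refused for flooded address

  # Variant B (use instead of A): accept the recipient but mark the
  # message, so that the DATA ACL below can discard the whole message,
  # including copies for any other recipients.
  # accept  recipients  = please@example.test
  #         set acl_m_trap = yes

  # ... the existing accept/deny statements continue here ...

acl_check_data:

  # Only has an effect with variant B: acl_m_trap is set per message in
  # the RCPT ACL, so def: is true only for messages sent to the address.
  # "discard" in the DATA ACL returns 2xx and throws the message away.
  discard condition   = ${if def:acl_m_trap}
          log_message = message to flooded address discarded

  # ... existing content checks, then:
  accept
```

With "discard" placed directly in acl_check_rcpt instead of variant B, only the matching recipient is dropped and other recipients of the same message still receive it, as the reply notes.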