Re: [exim] Help with dropping spam e-mail.

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Help with dropping spam e-mail.
Mark Elkins via Exim-users <exim-users@???> (Mo 14 Mai 2018 10:23:52 CEST):
>
> I need help. (pun included)
>
> Someone is using "please@???" as the source of spam e-mail. The
> address does not exist...
> delivering 1fI8dS-0008Pd-DC (queue run pid 700)
> LOG: MAIN
>   ** please@???: Unknown user


So, you're receiving the bounces, because somebody uses
please@??? as a sender address to spam the world?
(That is, sending messages to mostly non-existent accounts, which in
turn accept the message and bounce later to the faked sender
please@???)?.


> ...but I do manage the domain "help.co.za"


> stops local delivery. What would be the most appropriate means to
> /dev/null this crap. I'm running my users from a MySQL database and
> serve a few hundred domains - each with multiple email users. I'm
> running a pretty new version of exim and do this on a Gentoo machine.
>
> Either - create a user by the appropriate name and forward it to what???
> or - somehow tell exim when it gets an unknown user to /dev/null it ???


In case you never ever use please@??? as a sender, you can block
all messages destined to this address. (Ideally this is done
automatically doing inbound recipient verification.)

A fast (but ugly) solution until you got the right way, could be:


    deny    message = This address didn't send mails ever.
            senders = :
            local_parts = please
            domains = help.co.cz



As one of the very first ACL in your acl_check_rcpt (or approbiate)
block.

If your load settles down a bit, we can discuss better ways :)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -