There may be more elegant solutions but I've added ".website" and ".date"
to my local_sender_blacklist recently. I find using that with spfquery
works quite well.
Regards,
Dermot
On Tue, 28 Aug 2018 at 11:59, Cyborg via Exim-users <exim-users@???>
wrote:
> Am 25.08.2018 um 21:27 schrieb scout--- via Exim-users:
> > Hi, newbi questions please..
> >
> > I can't figure out how to drop certain hostname connects. I get
> > thousands of these types of connects per day:
> >
> > 2018-08-25 14:16:39.473 [25870] H=69.130.32.95.dsl-dynamic.vsi.ru
> > (sex.com) [95.32.130.69]:7481 I=[1.2.3.4]:25 sender verify fail for
> > <email-account1@???>: No Such User Here"
> > 2018-08-25 14:16:39.473 [25870] H=69.130.32.95.dsl-dynamic.vsi.ru
> > (sex.com) [95.32.130.69]:7481 I=[1.2.3.4]:25
> > F=<email-account1@???> rejected RCPT
> > <email-account1@???>: Sender verify failed
> >
> > Hostname IP's are always hacked international user computers so
> > there's no sense trying throw the IPs in a firewall. The only
> > constants is that every single
>
> Take the real IP, put it in a firewall rule, note the time, remove the
> block after 24h . Works good.
> The actual spammer can't send mails anymore, the original Serverowner
> can send mails again later, when he removed his hack.
>
> > connection is for the same non-existing account:
> > email-account1@???, and they all have 'sex.com' or
> > my-domain-name in the hostname H=. Yes, they currently all fail with
> > just two lines of code in the logs, but the volume of connections is
> > increasing daily.
> >
> > I'm looking for something along the lines of:
> >
> > If hostname equals 'sex.com' or hostname equals 'my-domain-name.net'
> > drop connection (don't process or write to the logs)
> >
>
> nothing is easier spoofed and changed than that. So, your rule would
> only be temporarily effective. SPAMASSASSIN rules should cover it
> and they get updated from time to time. I suggest to use spamassassin on
> your server.
>
> You can also use SPAMHAUS or NIXSPAM DNS-BLs , both are very effective
> against spammers. The false positives are next to zer0.
>
> best regards,
> Marius
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
