Hi, everyone--
I've been tearing my hair out trying to block specific spammers using a
deny senders = file list with many regular expressions in it. It just never
seems to match the spammer's envelope-from address, even though it looks
like it should match perfectly.
Eventually I decided to start exim in debug mode and watch as it actually
processes the ACLs to confirm the failure to match, and yep, it fails. I
saw it fail to match something it should have matched in real time (see
below).
I am running the exim4-daemon-heavy that comes with Ubuntu 20.04. It is
exim 4.93-13.
I started it up with:
# exim4 -bd -d+acl
The config lines for this deny are:
acl_check_rcpt:
### Deny if sender explicitly in blacklist
# $recipients is not available until DATA command
deny senders = ${if exists{CONFDIR/sender-blacklist-envelope-from}\
{CONFDIR/sender-blacklist-envelope-from}\
{}}
message = Rejected RCPT <$local_part@$domain>: Unrouteable address
log_message = Blacklisted - $sender_address
delay = 10s
And here is the excerpt from the file sender-blacklist-envelope-from that
should have blocked the spam I saw.
\N^quicken.loans.*@.*\N
*\N^mutual.of.omaha.*@.*\N*
\N^meetasianlady.*@.*\N
The goal is to block a highly-sophisticated spammer that uses a bunch of
legit email servers (they all have valid DKIM, reverse DNS, etc.) by
blocking keywords in their sender email addresses' local parts. For
instance, the Mutual of Omaha spam always start with:
mutual-of-omaha
mutual_of_omaha
mutual.of.omaha
The spam that failed to match looked like this excerpt of the debug output.
Relevant portions are bolded:
*23314 processing "deny" (/var/lib/exim4/config.autogenerated 316)*
*23314 check senders = ${if
exists{/etc/exim4/sender-blacklist-envelope-from}{/etc/exim4/sender-blacklist-envelope-from}{}}*
...
23314 address match test: subject=mutual_of_omaha_mortgage-me=
domain.com@??? pattern=\N^quickenloans.*@.*\N
23314 address match test: subject=mutual_of_omaha_mortgage-me=
domain.com@??? pattern=\N^quicken.loans.*@.*\N
*23314 address match test:
subject=mutual_of_omaha_mortgage-me=domain.com@???
<domain.com@???> pattern=\N^mutual.of.omaha.*@.*\N*
...
23314 address match test: subject=mutual_of_omaha_mortgage-me=
domain.com@??? pattern=\N^empire.today.*@.*\N
23314 mutual_of_omaha_mortgage-me=domain.com@??? in
"/etc/exim4/sender-blacklist-envelope-from"? *no (end of list)*
*23314 deny: condition test failed in ACL "acl_check_rcpt"*
I can't figure out why it fails to match. The regular expression looks
exactly like the documentation says it should look. It starts with a
circumflex, is surrounded by \N to deal with string expansion, has a local
part and a domain part with an @ in between, and is a normal Perl
Compatible Regular Expression (PCRE). Periods should match any character,
so mutual_of_omaha should have been matched. I have tried this pattern too
and it also failed to match:
\N^mutual_of_omaha.*@.*\N
Can anyone help me get this deny senders to match using regular expressions?
Thanks in advance for any help you can provide!
