This is great. Tx!
I've already started to incorporate some of the rules provided by
Suresh and Mark who wrote on this before, but this seems much more
comprehensive.

--ilan

On 8/3/05, Herb Martin <[EMAIL PROTECTED]> wrote:
> > As we know, spammers often fake their identity and their mail
> > server /ratware fakes their identity as well.
> > I've noticed that occasionally I get spam that is supposedly
> > sent from my own server (tivon1.pointer.co.il) but clearly
> > arrives from an outside IP address.
> 
> I filtered these recently and was SHOCKED how much spam was
> hit by simply blocking on my "own server name" and "my
> own server address" given the HELO.
> 
> > I've written a rule in SpamAssassin that rejects this kind of
> > spam but I think it really should be stopped inside Exim.
> 
> It should be stopped at the SMTP transaction, before even
> accepting the email.
> 
> acl_check_helo:
> accept  hosts = : +KNOWN_HOSTS
> 
> deny    message = HELO/EHLO with my ip address. You are not me.
>     log_message = -- HELO/EHLO my ip
>       condition = ${if match {$sender_helo_name}{68.178.144.60} {yes}{no}}
> 
> deny    message = HELO/EHLO with my domain name. You are not LearnQuick.
>     log_message = -- HELO/EHLO learnquick.com
>       condition = ${if match {$sender_helo_name}{learnquick.com} {yes}{no}}
> 
> deny    message = Fine, then the mail I accept is also none
>     log_message = -- HELO/EHLO none
>       condition = ${if match {$sender_helo_name}{none} {yes}{no}}
> 
> deny    message = You're not localhost--your admin misconfigured your email server.
>     log_message = -- HELO/EHLO localhost
>       condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}
> 
> accept
> ######################################
> acl_check_mail:
> 
> accept   authenticated = *
> accept   hosts = : +KNOWN_HOSTS
> 
> .ifdef RBL
> accept  message = X-whitelisted-at: $dnslist_domain
>              dnslists = ALL_DNS_WHITELISTS
> .endif  RBL
> 
> #Stopping Spam in the ACL <http://vamos-wentworth.org/exim-tricks.html>
> deny    message = Invalid HELO. Your SMTP server is misconfigured.
>       condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
> 
> ### The following three checks were too aggressive for DENY, so
> ### I set to warn, and use them to drive Greylist checks...
> 
> warn    message = -- not listed as reverse record.
>     log_message = -- WARN: not listed as reverse record.
>         !verify = reverse_host_lookup
> 
> warn    message = -- listed invalid HELO.
>     log_message = -- WARN: listed invalid HELO.
>         !verify = helo
> 
> .ifdef RBL
> warn    message = X-blacklisted-at: $dnslist_domain
>        dnslists = ALL_DNS_BLACKLISTS
> 
> .endif  RBL
> accept
> 
> The combinations of simple sanity checks, other SMTP checks,
> and then blacklists to drive greylisting is FAR better than
> I expected -- and all before we get to SpamAssassin and custom
> filters....
> 
> Herb Martin, MCT, MCSD, MCSE, MVP
> [EMAIL PROTECTED] http://LearnQuick.Com
> 512 388 7339   -or-   1 800 MCSE PRO
> Accelerated MCSE in a Week Seminars
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ilan Aisic
> > Sent: Wednesday, August 03, 2005 9:15 AM
> > To: [email protected]
> > Subject: [exim] How to Reject Remote Mail Server Imposters (to self)
> >
> > Hi,
> > As we know, spammers often fake their identity and their mail
> > server /ratware fakes their identity as well.
> > I've noticed that occasionally I get spam that is supposedly
> > sent from my own server (tivon1.pointer.co.il) but clearly
> > arrives from an outside IP address.
> > I've written a rule in SpamAssassin that rejects this kind of
> > spam but I think it really should be stopped inside Exim.
> > See the short log snippet below where you can see that the
> > mail was sent from a dynamic comcast.net address but the
> > server had the audacity in the "helo" command to identify
> > itself as "tivon1.pointer.co.il".
> > My Exim is configured to require sender verify but apparently
> > it does not include "server" verify.  Is there a
> > command/parameter for this?
> >
> > -------------  exim log snippet starts ------------
> > 2005-08-01 00:59:03 1DzLpi-0006TB-7u
> > H=c-24-131-41-83.hsd1.ga.comcast.net (tivon1.pointer.co.il)
> > [24.131.41.83] F=<[EMAIL PROTECTED]> rejected after DATA:
> > - Classified as spam (scored 28.8 points). Congratulations!
> > Envelope-from: <[EMAIL PROTECTED]>
> > Envelope-to: <[EMAIL PROTECTED]>
> > P Received: from c-24-131-41-83.hsd1.ga.comcast.net ([24.131.41.83]
> > helo=tivon1.pointer.co.il)
> >       by tivon1.pointer.co.il with smtp (Exim 4.50)
> >       id 1DzLpi-0006TB-7u
> >       for [EMAIL PROTECTED]; Mon, 01 Aug 2005 00:58:58 +0300
> > F From: [EMAIL PROTECTED]
> > ------------- exim log snippet ends ------------
> >
> > --
> > Ilan Aisic
> > Registered Linux User 8124 http://counter.li.org
> >
> > --
> > ## List details at http://www.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
> >
-- 
Ilan Aisic
Registered Linux User 8124 http://counter.li.org

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
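The HELO sanity checks from Herb's acl_check_helo / acl_check_mail, re-expressed as a Python function run over Exim-style log lines so the decisions can be checked offline; this is an added example, not code from either poster. The local identity values, the KNOWN_HOSTS range and the log lines are constructed placeholders, and the reverse-record comparison only approximates what Exim's verify = reverse_host_lookup and verify = helo do.

```python
import ipaddress
import re
# Assumed local identity: constructed placeholder values, not the list posters' own.
OWN_IPS = {"192.0.2.25"}
OWN_DOMAINS = {"example.com"}
KNOWN_HOSTS = ["192.0.2.0/24"]   # stands in for Exim's +KNOWN_HOSTS host list
# Exim log host field: H=<rdns> (<helo>) [<ip>]; rdns is absent without a reverse record, (<helo>) is omitted when equal to rdns
HOST_RE = re.compile(r"H=(?:(?P<rdns>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")
def parse_host(line):
    """Return (rdns, helo, ip) from an Exim log line, or None if no H= field."""
    m = HOST_RE.search(line)
    if not m:
        return None
    helo = (m.group("helo") or m.group("rdns") or "").lower()
    return m.group("rdns"), helo, m.group("ip")
def check_helo(line):
    """Apply the thread's HELO sanity checks; returns (verdict, reason)."""
    parsed = parse_host(line)
    if parsed is None:
        return "warn", "no host field"
    rdns, helo, ip = parsed
    addr = ipaddress.ip_address(ip)
    # accept hosts = : +KNOWN_HOSTS : our own machines may say what they like
    if any(addr in ipaddress.ip_network(net) for net in KNOWN_HOSTS):
        return "accept", "known host"
    # deny: HELO claims to be our IP address or our domain ("You are not me")
    if helo.strip("[]") in OWN_IPS:
        return "deny", "HELO/EHLO with my ip address"
    if helo in OWN_DOMAINS or any(helo.endswith("." + d) for d in OWN_DOMAINS):
        return "deny", "HELO/EHLO with my domain name"
    if helo in ("none", "localhost"):
        return "deny", "HELO/EHLO " + helo
    if "." not in helo:                # no dot: cannot be a fully qualified name
        return "deny", "Invalid HELO"
    # warn only (too aggressive for deny): no reverse record, or HELO disagrees with it; rough stand-in for verify = reverse_host_lookup / helo
    if rdns is None:
        return "warn", "not listed as reverse record"
    if helo != rdns.lower():
        return "warn", "HELO does not match reverse record"
    return "accept", "ok"
# Constructed log lines in Exim's format, modelled on the rejection line in the thread.
SAMPLE_LINES = [
    "2005-08-01 00:59:03 1AAAAA-000001-AA H=c-198-51-100-7.example.net (mail.example.com) [198.51.100.7] rejected after DATA",
    "2005-08-01 01:05:40 1AAAAA-000003-AA H=(WIN-PC) [203.0.113.11] F=<z@example.net>",
    "2005-08-01 01:07:02 1AAAAA-000004-AA H=(mta.example.org) [203.0.113.12] F=<w@example.net>",
    "2005-08-01 01:09:55 1AAAAA-000005-AA H=mx.example.net [198.51.100.9] F=<v@example.net>",
    "2005-08-01 01:11:13 1AAAAA-000006-AA H=(whatever) [192.0.2.3] F=<u@example.com>",
]
```

Run `for l in SAMPLE_LINES: print(check_helo(l))` to see each line's verdict; the first sample is the thread's own case, a remote host greeting with the receiving server's domain.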
