I've come to the conclusion that identifying likely sources of spam is 
not hard. What's hard is identifying legitimate traffic from likely 
spam-sources. Based on this conclusion I've started working on tests to 
help identify such traffic.

Two of the tests I'd like to try are:

1) Is the sending host an MX for the sender address domain?

2) Is the sending host in the same /24 as an MX for the sender address 
domain?

To test this with Exim I've come up with the following two constructs:

1) ${if match_ip{$sender_host_address}{${lookup dnsdb{>: a=${lookup dnsdb{>: mxh=$sender_address_domain}}}}}}

2) ${if match_ip{$sender_host_address}{${sg{${lookup dnsdb{>: a=${lookup dnsdb{>: mxh=$sender_address_domain}}}}}{\N(([0-9]+\.){3})[0-9]+\N}{\$\{1\}0/24}}}}

I find the above tests (particularly the second one) rather complex, so 
I'd like to pose the following two questions to the list:

- Will the above two tests work as intended?

- Is there a less complex way to perform the tests?

I also welcome opinions on the usefulness of these tests, and to keep 
such discussions relevant let me say a few words on how (and why) 
they're intended to be used:

I find that a regex matching so-called generic rDNS is a very good 
indication of a likely spam-source. The same goes for missing rDNS and 
listing in "dial-up list" type DNS blacklists. Unfortunately it has 
become quite common for people to run mail servers (especially Exchange) 
on standard ADSL/cable links with a fixed IP[1]. Such IPs frequently 
trigger one or more of the generic-rdns/no-rdns/dul tests.

My plan is to use the sending-host/mx checks only when I get a match on 
one of the generic-rdns/no-rdns/dul tests. The simplified logic would be:

(- When all other indicators are neutral; and)
- When the sending host tests positive for generic-rdns/no-rdns/dul
        - Unless sending host is MX for sender's domain; or
        - Unless sending host is in the same /24 as an MX for sender's domain
                - Reject

This is as I said a simplification. The real system uses scores for each 
test and rejects when the score is above the address owner's selected 
threshold. This is also the reason I want the two tests. The idea is 
that the first test gives a larger negative score than the second.


        Bob

[1] This is true in Norway at least, I don't know about the rest of the 
world.

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
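The two sender-host/MX tests and the score-based decision sketched in the message above, as an added worked example. This is not code from the original post and not Exim code: it is plain Python that reproduces the same data flow as the nested dnsdb lookups (MX host names, then their addresses) against a constructed in-memory DNS table so that it runs offline. The domain, host names, addresses and score weights are made-up assumptions; the one generalisation beyond the post is that an IPv6 sending host is compared at /64, since a /24 has no meaning there.

```python
# Added example (not from the original post, and not Exim code): the two
# sender-host/MX tests from the post, and the score-based decision it sketches,
# in plain Python against a constructed in-memory DNS table so it runs offline.
import ipaddress

# Constructed DNS answers standing in for the dnsdb lookups. The domain,
# host names and addresses are made-up documentation values (assumption).
FAKE_DNS = {
    ("example.org", "MX"): ["mx1.example.org", "mx2.example.org"],
    ("mx1.example.org", "A"): ["192.0.2.10"],
    ("mx2.example.org", "A"): ["198.51.100.20", "2001:db8::20"],
    ("nomx.example", "MX"): [],          # domain that publishes no MX
}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns a (possibly empty) list of answers."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def mx_addresses(domain):
    """Same data flow as the nested dnsdb lookups in the post: mxh= gives the
    MX host names, a= turns each of them into addresses."""
    addrs = []
    for host in lookup(domain, "MX"):
        for text in lookup(host, "A"):
            addrs.append(ipaddress.ip_address(text))
    return addrs


def sender_host_is_mx(sender_ip, domain):
    """Test 1: is the sending host itself one of the domain's MX addresses?"""
    return ipaddress.ip_address(sender_ip) in mx_addresses(domain)


def sender_host_near_mx(sender_ip, domain, v4_prefix=24, v6_prefix=64):
    """Test 2: does the sending host share a prefix with one of the MX
    addresses? The post uses /24. A /24 means nothing for IPv6, so an IPv6
    sender is compared at /64 (an assumed prefix, not from the post), and MX
    addresses of the other IP version are skipped rather than miscompared."""
    ip = ipaddress.ip_address(sender_ip)
    for mx in mx_addresses(domain):
        if mx.version != ip.version:
            continue
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        # strict=False lets ip_network zero the host bits, so 192.0.2.10/24
        # becomes 192.0.2.0/24: the same effect as the post's sg{} rewrite.
        if ip in ipaddress.ip_network(f"{mx}/{prefix}", strict=False):
            return True
    return False


# Illustrative weights for the scoring system the post describes. The numbers
# are assumptions; the post only says the MX test must count for more (be more
# negative) than the same-/24 test.
POSITIVE = {"generic_rdns": 3, "no_rdns": 3, "dul": 3}
IS_MX_WEIGHT = -4
NEAR_MX_WEIGHT = -2


def score(sender_ip, domain, fired):
    """fired: names of the positive tests that matched this sending host."""
    fired = set(fired)
    total = sum(POSITIVE[name] for name in fired)
    # As in the post, the MX tests are only consulted when one of the
    # rDNS/DUL tests fired. Test 1 implies test 2, so only the larger
    # (more negative) of the two is applied.
    if fired & set(POSITIVE):
        if sender_host_is_mx(sender_ip, domain):
            total += IS_MX_WEIGHT
        elif sender_host_near_mx(sender_ip, domain):
            total += NEAR_MX_WEIGHT
    return total


def decide(sender_ip, domain, fired, threshold):
    """Reject only when the score is above the recipient's chosen threshold."""
    return "reject" if score(sender_ip, domain, fired) > threshold else "accept"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "example.org", {"no_rdns"}),             # is an MX
        ("192.0.2.99", "example.org", {"generic_rdns"}),        # same /24 as an MX
        ("203.0.113.5", "example.org", {"generic_rdns", "dul"}),  # unrelated host
    ]
    for ip, dom, fired in cases:
        print(ip, dom, sorted(fired), score(ip, dom, fired), decide(ip, dom, fired, 2))
```

The separate handling of IP versions is the caveat worth carrying back to the Exim version: a colon-separated address list and a dotted-quad regex both assume IPv4, so if the MX hosts publish AAAA records the same-/24 construct needs a different separator and a different prefix rule.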
