David Saez, Padros wrote:

>> I'm getting more and more spam from webmail sites like Hotmail, and I
>> was wondering if it was possible to write an ACL to check the
>> X-Originating-IP header against blacklists. I thought it would be a
>> simple task, but I've failed. Perhaps somebody could clue me in :-)
> 
> The problem with using this is that many users have dynamically assigned
> IP addresses, so some users will get blacklisted IPs without having
> ever sent a virus or spam message, so take care to avoid using this on
> mailing list mail and trusted senders (you will need a good way to
> avoid false positives).

Hence why I specified bl.spamcop.net and sbl-xbl.spamhaus.org, and not
an RBL that lists "dynamic" IPs, e.g. zen.spamhaus.org. The same applies
when looking up IPs in Received headers against RBLs.

> we use this:
> 
>    # Blacklisted ip in X-Originating-IP:
> 
>    warn    set acl_m2     =
> 
>    warn    condition      = ${if def:h_x-originating-ip:}
>            set acl_m2     = ${sg {$h_x-originating-ip:}{(\\[|\\])}{}}
> 
>    warn    condition      = ${if eq {$acl_m2}{}}
>            condition      = ${if def:h_x-mdremoteip:}
>            set acl_m2     = ${sg {$h_x-mdremoteip:}{(\\[|\\])}{}}
> 
>    deny    condition      = ${if isip{$acl_m2}}
>            dnslists       = bl.spamcop.net/$acl_m2 : \
>                             sbl-xbl.spamhaus.org/$acl_m2 : \
>                             virbl.dnsbl.bit.nl/$acl_m2 : \
>                             list.dsbl.org/$acl_m2
>            message        = Originating IP listed at $dnslist_domain
>            log_message    = Blacklisted originating IP \
>                             ($acl_m2 listed at $dnslist_domain)
> 

Some good tips in there. Here's a more compact, untested version of what
you did that is more likely to be able to pull an IP address out of
those headers:

deny  set acl_m2  = ${if eq{$h_x-originating-ip:}{}{$h_x-mdremoteip:}{$h_x-originating-ip:}}
      set acl_m2  = ${if match{$acl_m2}{\N(\d{1,3}(?:\.\d{1,3}){3})\N}{$1}{}}
      condition   = ${if isip{$acl_m2}}
      dnslists    = bl.spamcop.net/$acl_m2 \
                  :sbl-xbl.spamhaus.org/$acl_m2 \
                  : virbl.dnsbl.bit.nl/$acl_m2 \
                  : list.dsbl.org/$acl_m2
      message     = Originating IP listed at $dnslist_domain
      log_message = Blacklisted originating IP \
                    ($acl_m2 listed at $dnslist_domain)

MikeC2
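
The header extraction and DNSBL lookup that the ACLs above perform, written out in Python as an added example that is not part of the original post. The private-range filter, the injected `resolver` callable and the sample data are assumptions of this example.

```python
import ipaddress
import re

# Same pattern as the ACL's match{}: first dotted quad in the header value.
DOTTED_QUAD = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
ZONES = ("bl.spamcop.net", "sbl-xbl.spamhaus.org")  # zones named in the thread
# Assumption (not in the thread): never query for RFC 1918 or loopback addresses.
UNLISTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def originating_ip(headers):
    """Prefer X-Originating-IP, fall back to X-MDRemoteIP; None if unusable."""
    raw = (headers.get("X-Originating-IP") or "").strip() \
        or (headers.get("X-MDRemoteIP") or "").strip()
    m = DOTTED_QUAD.search(raw)
    if not m:
        return None
    try:
        # Rejects out-of-range octets such as 999.1.2.3 (the isip{} step).
        ip = ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        return None
    return None if any(ip in net for net in UNLISTABLE) else ip


def dnsbl_queries(ip, zones=ZONES):
    """Names that 'dnslists = zone/ip' resolves: reversed octets + zone."""
    rev = ".".join(reversed(str(ip).split(".")))
    return [f"{rev}.{zone}" for zone in zones]


def check(headers, resolver):
    """Return the first zone listing the originating IP, else None.

    resolver(name) -> bool is injected so the logic runs offline.
    """
    ip = originating_ip(headers)
    if ip is None:
        return None
    for zone, name in zip(ZONES, dnsbl_queries(ip)):
        if resolver(name):
            return zone
    return None


# Constructed sample: documentation-range address, fake resolver data.
LISTED = {"44.2.0.192.sbl-xbl.spamhaus.org"}
if __name__ == "__main__":
    print(check({"X-Originating-IP": "[192.0.2.44]"}, LISTED.__contains__))
```

A real `resolver` would do an A-record lookup and treat an answer in 127.0.0.0/8 as listed and NXDOMAIN as not listed.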
