Marc Perkel wrote:
> Just a thought ....
> 
> You extract the registrar barrier part of the host name and the same for 
> the helo. Many hosts that send good email this would match. For example 
> yahoo.com would have yahoo.com in both the host and the helo.
> 
> Then after tracking these and developing a list of hosts that do this 
> then we see a host that the helo claims to be yahoo.com but the rdns 
> says otherwise. The idea is that if they are on the list of having 
> matched then when they don't match it might be a spam indicator?
> 
> 

'lists' need maintenance, ELSE get stale and work against you, AND/OR 
eat your lunch money to store and play with.

Modified from snippets found in archives here so long ago I don't 
clearly remember whose contribution it was (Tor Slettnes?)

(line-wrap munged below, I'm sure)

====
   warn
         log_message     = MF5 Forged Yahoo
         senders         = [EMAIL PROTECTED]
         condition       = ${if match {$sender_host_name}{\Nyahoo\.com$\N}{no}{yes}}
         set acl_c2      = $acl_c2 Forged Yahoo Address=100
         set acl_c8      = ${eval:$acl_c8 + 100}

   warn
         log_message     = MF5 Forged  hotmail or MSN
         senders         = [EMAIL PROTECTED]
         condition       = ${if match {$sender_host_name}{\N(msn|hotmail)\.com$\N}{no}{yes}}
         set acl_c2      = $acl_c2  Forged MSN Address=100
         set acl_c8      = ${eval:$acl_c8 + 100}


=====

I use over a dozen of these covering the most-often-forged major operators.

HELO check is a different process, as *much* mail comes from MTAs that 
serve multiple domain.tld, BUT should still HELO with a valid FQDN that 
can be checked, whether it matches each hosted sender's mail records or not.

The variables on WARN verbs should tell you a point scoring process is 
at work here, and that not all faux pas are treated as generously or 
harshly as others.

HELO to me as *my own* server gets a certain-death 1000 points, for 
example. And a local blacklist hit ignores all scores in favor of a BFBI 
deny....

HTH,

Bill

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
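The scoring described in the reply above, as an added stand-alone model in Python (not code from the post, not Exim's own): the sender-domain versus reverse-DNS check from the two ACL rules, plus the "HELO as my own server" rule, accumulating points the way acl_c8 does. The operator list, the hostname mx.example.org and the sample sessions are constructed for illustration; the patterns anchor on a label boundary so that a host such as notyahoo.com is not treated as a Yahoo host.

```python
import re

# Constructed list mirroring the two ACL rules in the post: sender domain
# that is often forged -> pattern the reverse-DNS name should end with.
_YAHOO = re.compile(r"(^|\.)yahoo\.com$")
_MSN = re.compile(r"(^|\.)(msn|hotmail)\.com$")
FORGED_OPERATORS = {"yahoo.com": _YAHOO, "hotmail.com": _MSN, "msn.com": _MSN}

# Assumption: the FQDN of our own MX (stands in for $primary_hostname).
MY_HOSTNAME = "mx.example.org"

def sender_domain(address):
    """Domain part of an envelope sender, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()

def score_session(sender, rdns, helo, my_hostname=MY_HOSTNAME):
    """Return (points, reasons) for one SMTP session.

    sender: envelope sender (MAIL FROM), rdns: verified reverse-DNS name of
    the connecting host ("" when it has none, like an unset
    $sender_host_name), helo: the name given in HELO/EHLO.
    """
    points = 0
    reasons = []
    domain = sender_domain(sender)
    pattern = FORGED_OPERATORS.get(domain)
    # Rule from the post: sender claims a big operator, but the host's
    # reverse DNS is not inside that operator's domain (or is missing).
    if pattern is not None and not pattern.search(rdns.lower()):
        points += 100
        reasons.append("Forged %s Address=100" % domain)
    # Rule from the post: a stranger greeting us with our own hostname.
    if helo.lower() == my_hostname.lower():
        points += 1000
        reasons.append("HELO as own server=1000")
    return points, reasons

if __name__ == "__main__":
    # Constructed sessions: genuine Yahoo host, forged Yahoo sender, and a
    # host that borrows our own name in HELO.
    for s in [("a@yahoo.com", "web1.mail.yahoo.com", "web1.mail.yahoo.com"),
              ("a@yahoo.com", "dsl-1-2-3-4.isp.example", "yahoo.com"),
              ("b@example.net", "host.example.net", "mx.example.org")]:
        print(s, "->", score_session(*s))
```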
