Hi;
  I've been trying to stop these bank phishing mails. Rather than trying 
to get the banks to implement DK, DKIM or SPF so I can check against 
that, I have the snippet below.

I was wondering if this is of any use to anyone else or if it could be 
made better. I've checked the list and can't see anything similar.


## set up a list of banks
domainlist banks            = partial-lsearch;/usr/exim/banks

acl_check_rcpt:

## if they send from bank domain but not from a bank IP then drop them
## override with our local white list for companies that do mail shots for banks

drop log_message    = DENIED BANK PHISHING from:  $sender_address @ $sender_host_address
     message        = DENIED $sender_address @ $sender_host_address You appear to be Phishing. \n\
                      $tod_full on host $interface_address
     sender_domains = +banks
     !dnslists      = list.dnswl.org=127.0.2.0, 127.0.2.1, 127.0.2.2, 127.0.2.3
     !dnslists      = my-local-whitelist.example.com


Note: Not all UK banks are in DNSWL. When I can be certain of the 
sending IPs of the commented out banks then I will add them to our white 
list.

cat /usr/exim/banks

#abbey.co.uk
#abbeynational.co.uk
#abbey.com
alliance-leicester.co.uk
americanexpress.com
#barclays.com
barclays.co.uk
egg.com
halifax.co.uk
#hsbc.co.uk
hsbc.com
#lloydstsb.co.uk
lloydstsb.com
#natwest.com
#natwest.co.uk
#nwolb.com
paypal.com
rbs.com
#rbs.co.uk
#rbsdigital.com
#rbsdigital.co.uk
#sainsburysonline.com
#ybonline.co.uk

I have log entries like:

2008-10-30 11:53:39 H=dns01.labmoreira.com.mx (mail.labmoreira.com) [201.134.16.230] F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: DENIED BANK PHISHING from:  [EMAIL PROTECTED] @ 201.134.16.230

2008-10-30 11:53:40 H=(221-128-205-92.static.exatt.net) [221.128.206.156] F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: DENIED BANK PHISHING from:  [EMAIL PROTECTED] @ 221.128.206.156

2008-10-30 11:53:40 H=bb121-6-53-48.singnet.com.sg (lloydstsb.com) [121.6.53.48] F=<[EMAIL PROTECTED]> rejected RCPT <[EMAIL PROTECTED]>: DENIED BANK PHISHING from:  [EMAIL PROTECTED] @ 121.6.53.48

(I have replaced recipients' USER name and DOMAIN for privacy.)
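
Added example, not part of the original post: a Python model of Exim's documented partial-lsearch key sequence and of the drop statement's three conditions, for checking offline which sender domains a banks file covers. The sample file contents, the `*.paypal.com` key and all function names are constructed for illustration.

```python
import re

# Constructed sample in the format of /usr/exim/banks; the '*.' key is an
# assumption added to show wildcard behaviour, it is not in the posted file.
SAMPLE_BANKS = """\
#barclays.com
barclays.co.uk
*.paypal.com
lloydstsb.com
"""
# DNSWL return codes the posted ACL treats as whitelisted.
WHITELIST_CODES = {"127.0.2.0", "127.0.2.1", "127.0.2.2", "127.0.2.3"}


def load_keys(text):
    """Read lsearch keys: skip blank and '#' lines, key ends at ':' or space."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key = re.split(r"[:\s]", line, maxsplit=1)[0].lower()
            if key:
                keys.add(key)
    return keys


def partial_keys(domain, min_components=2):
    """Keys partial-lsearch tries in order: the domain as is, then '*.' put in
    front of the domain and of each shorter suffix of >= min_components labels."""
    labels = domain.lower().rstrip(".").split(".")
    tried = [".".join(labels)]
    for i in range(len(labels)):
        if len(labels) - i < min_components:
            break
        tried.append("*." + ".".join(labels[i:]))
    return tried


def in_banks(domain, keys):
    """True if any key in the partial-lsearch sequence is present in the file."""
    return any(k in keys for k in partial_keys(domain))


def acl_drops(sender_domain, dnswl_answers, on_local_whitelist, keys):
    """Model of the drop statement: every one of its three conditions must hold."""
    return (in_banks(sender_domain, keys)
            and not WHITELIST_CODES & set(dnswl_answers)
            and not on_local_whitelist)
```

With bare-domain keys, partial-lsearch matches only the exact sender domain; a subdomain sender such as mail.barclays.co.uk is covered only when a `*.barclays.co.uk` key is present in the file.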


