> From: Mike Cardwell
> the main problem is that there are legitimate reasons why a
> server might connect back to its own IP.

I use a more specific regular expression (which checks the second Received only)
and greylist such messages instead of denying them.
I attached excerpts from my config to
http://wiki.exim.org/DbLessGreyListingRun
Excerpt from excerpts: :)

    # Accept unless the header right after the first (folded) header is a
    # Received line naming the connecting host's own IP as its source.
    accept condition = ${if !match{$message_headers_raw}\
             {\N\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?\N$sender_host_address\\]? by }}

    # Accept if the greylisting check was already made on this connection.
    accept condition = ${if def:acl_c_grey_checked}

    # Greylist: the marker file is named after the IP without its last
    # octet, the sender and the recipients. Defer if the file is new or
    # not yet more than 180 seconds old.
    defer set acl_c_grey_checked = deferred/greylisted because of \
                fake Received line in the header
          message = $acl_c_grey_checked
          set acl_m_greyfile = /var/spool/exim/greylist/${length_255:\
             ${sg{$sender_host_address}{\N\.\d+$\N}{}},\
             ${tr{$sender_address,${sg{$recipients}{[, ]+}{;}}}{/}{;}}}
          condition = ${if exists{$acl_m_greyfile}\
             {${if >{${eval:$tod_epoch-\
             ${extract{mtime}{${stat:$acl_m_greyfile}}}}}{180}{0}{1}}}\
             {${if eq{${run{/usr/bin/touch $acl_m_greyfile}}}{}{1}{1}}}}

    # The message passed greylisting: mark it and log it.
    accept add_header = X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting \
                fake Received
           logwrite = passed greylisting fake Received \
                ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

I greylist only suspicious messages, not every one.
For a couple of months some spam penetrated greylisting
(I think that only one Russian botnet uses the same $sender_address
in all instances of the same spam, which is necessary for penetrating
greylisting), but if I'm not mistaken, for the last couple of weeks
that botnet has switched to no fake Received line at all.

Lena
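
The decision flow of the ACL excerpt above, as an added Python sketch for testing the logic offline (it is not part of the original post or of Exim). The function names, the sample headers and the `now` parameter are assumptions made for illustration, and the per-connection acl_c_grey_checked shortcut is left out.

```python
import os
import re
import time

GREY_DELAY = 180  # seconds, same threshold as the ACL above

# Constructed sample headers (documentation IP ranges, not real traffic).
SAMPLE = ("Received: from bot.example ([192.0.2.10])\n"
          "\tby mx.example.org with esmtp\n"
          "Received: from [192.0.2.10] by mail.example.net\n"
          "Subject: test\n")


def has_fake_received(raw_headers, sender_ip):
    """True if the header after the first (folded) header is a Received
    line that names the connecting host's own IP as its source."""
    # re.escape is an addition here; the ACL inserts the IP unescaped.
    pattern = (r"\A([^\n]+\n[ \t])+[^\n]+\nReceived: from \[?"
               + re.escape(sender_ip) + r"\]? by ")
    return re.search(pattern, raw_headers) is not None


def grey_key(sender_ip, sender, recipients):
    """IP without its last octet, then sender and recipients, '/' made safe."""
    net = re.sub(r"\.\d+$", "", sender_ip)
    who = (sender + "," + re.sub(r"[, ]+", ";", recipients)).replace("/", ";")
    return (net + "," + who)[:255]


def should_defer(grey_dir, key, now=None):
    """Defer on first sight (creating the marker file) and until the
    marker is more than GREY_DELAY seconds old."""
    now = time.time() if now is None else now
    path = os.path.join(grey_dir, key)
    if os.path.exists(path):
        return not (now - os.stat(path).st_mtime > GREY_DELAY)
    with open(path, "w"):
        pass
    os.utime(path, (now, now))  # stamp the marker with the injected clock
    return True


def acl_decision(raw_headers, sender_ip, sender, recipients, grey_dir, now=None):
    if not has_fake_received(raw_headers, sender_ip):
        return "accept"
    if should_defer(grey_dir, grey_key(sender_ip, sender, recipients), now):
        return "defer"
    return "accept-after-greylisting"
```

Because the key drops the last octet of the IP, a retry from another host in the same /24 with the same sender and recipients finds the same marker file.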
