> From: W B Hacker
> But if it is a botnet, would it not fail:
>
> - forward/reverse lookup test?
In such cases (and in cases of dynamic-looking hostnames)
I greylist instead of denying. Quite effective usually.
I'm afraid of false positives.
> - AND the HELO <=> FQDN match test?
Plenty of legitimate senders have $sender_helo_name differing from
$sender_host_name. I don't even greylist if they differ.
I greylist if $sender_helo_name doesn't contain a dot
or is a bare IP-address or literal (IP-address in square brackets).
Besides, I have long local blacklists (which deny) separately for
$sender_helo_name, $sender_host_name and $sender_host_address.
> If you don't mind onpassing a few samples, I'll be happy to see if they've been
> 'seen' here, and if so, which of our rules they escaped... or were caught with.
The last two (with fake Received headers), which escaped my deny rules,
didn't escape my greylisting rules but penetrated greylisting
(I edited @ to # in my email address):
Received: from c12.dnepro.net ([212.3.120.12] helo=home)
by lena.kiev.ua with esmtp (Exim 4.69 (FreeBSD))
(envelope-from <[email protected]>)
id 1M2SKb-000641-JX
for lena#lena.kiev.ua; Fri, 08 May 2009 18:49:50 +0300
Received: from [212.3.120.12] by mx1.yandex.ru; Fri, 8 May 2009 17:49:49 +0200
Message-ID: <01c9d005$61bd9c80$0c780...@anyabysdfxuh>
From: "КЛУБ -=ЛИЦА=-"
<[email protected]>
To: <lena#lena.kiev.ua>
Subject: 04-10-05-2009 Внимательный клуб "ЛИЦА"
Date: Fri, 8 May 2009 17:49:49 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo
Received: from [78.97.53.179] (helo=e-net)
by lena.kiev.ua with esmtp (Exim 4.69 (FreeBSD))
(envelope-from <[email protected]>)
id 1M4BE5-0002bW-35
for lena#lena.kiev.ua; Wed, 13 May 2009 12:58:14 +0300
Received: from [78.97.53.179] by mx3.yandex.ru; Wed, 13 May 2009 11:58:12 +0200
Date: Wed, 13 May 2009 11:58:12 +0200
From: "Альтернативные сценарии жизни"
<[email protected]>
X-Mailer: The Bat! (v3.62.14) Home
Reply-To: [email protected]
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: lena#lena.kiev.ua
Subject: Альтернаtивные сценарии жизни
MIME-Version: 1.0
Content-Type: text/plain;
charset=koi8-r
Content-Transfer-Encoding: 8bit
X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo
Now that same botnet, I think (correction: I suspect it's Ukrainian,
not Russian), sends like this:
Received: from [59.98.93.25] (helo=microsoft)
by lena.kiev.ua with esmtp (Exim 4.69 (FreeBSD))
(envelope-from <[email protected]>)
id 1M8YWk-000M1Q-Tn
for lena#lena.kiev.ua; Mon, 25 May 2009 14:39:36 +0300
Date: Mon, 25 May 2009 17:09:33 +0530
From: "Gavin Napier" <[email protected]>
X-Mailer: The Bat! (v4.0.20) Professional
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: lena#lena.kiev.ua
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
Subject: правовий менеджмент, правова пiдтримка пiдприeмств, надання коментарiв
к дiючим законодавчим i нормативним актам Украiни, проблемам господарськоi
дiяльностi
MIME-Version: 1.0
Content-Type: text/html; charset=koi8-u
Content-Transfer-Encoding: 8bit
X-OOOOOOOOOOOOOOOOOOOOOOOOOO: passed greylisting helo
Received: from customer-199.131.livas.lv ([84.245.199.131])
by lena.kiev.ua with esmtp (Exim 4.69 (FreeBSD))
(envelope-from <[email protected]>)
id 1M9Kxo-000JrS-45; Wed, 27 May 2009 18:22:44 +0300
Date: Wed, 27 May 2009 17:22:43 +0200
From: "Яков Глушков"
<[email protected]>
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: lena#lena.kiev.ua
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
Subject: Самый широкий ассортимент элекtроники в одном месте!
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
The set of conditions I'm testing:
deny message = rejected because recognized as Ukrainian spam
     condition = ${if match{$message_headers_raw}\
                  {\N\A([^\n]+\n[ \t])+[^\n]+\nDate\N}}
     condition = ${if eq{$received_protocol}{esmtp}}
     condition = ${if eq{$bheader_X-Priority:}{3 (Normal)}}
     condition = ${if match{$sender_address_local_part}{\N^[a-z]{10,}$\N}}
     condition = ${if match{$bheader_To:}{\N^[^ @,;]...@[\w\.-]+$\N}}
     set acl_m_domain = ${if match{$bheader_To:}{\N@(.+)$\N}{$1}}
     condition = ${if match{$bheader_Message-ID:}\
                  {\N^<\d{10}\.\d{...@$sender_address_domain>$\N}}
     condition = ${if match{$bheader_In-Reply-To:}\
                  {\N^<[a-f\d]{...@$acl_m_domain>$\N}}
     condition = ${if match{$bheader_References:}\
                  {\N^<[a-f\d]{...@$acl_m_domain> <[A-F\d]{40,4...@$sender_address_domain>$\N}}
     condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\
                  {${if match{$bheader_References:}{\N^<(\w+)@\N}{$1}}}}
     condition = ${if match{$rheader_Content-Type:}\
                  {text/(plain|html); charset=koi8-[ru]}}
     condition = ${if eq{$bheader_Content-Transfer-Encoding:}{8bit}}
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
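The HELO greylisting rule and the header-based deny ACL from the post above, as an added Python example (not code from the original message or from Exim). The sample headers, the sender address and the domains in it are constructed placeholders, and the header checks are a simplified approximation of the ACL, since the post's own regexes are partly elided.

```python
import re
from email import message_from_string

# Added example, not from the original post: the poster's HELO greylisting
# rule plus a simplified stand-in for the header-based deny ACL. The sample
# headers, addresses and domains below are constructed placeholders.

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_BARE_IP = re.compile(rf"^{_IPV4}$")
_ADDR_LITERAL = re.compile(rf"^\[{_IPV4}\]$")

def should_greylist_helo(helo: str) -> bool:
    """Greylist (not deny) when the HELO name has no dot, is a bare IPv4
    address, or is an address literal such as [192.0.2.1]."""
    h = helo.strip()
    return "." not in h or bool(_BARE_IP.match(h) or _ADDR_LITERAL.match(h))

def _hdr(msg, name: str) -> str:
    """Header value with folding whitespace collapsed to single spaces."""
    return " ".join((msg.get(name) or "").split())

def looks_like_koi8_spam(raw_headers: str, sender: str) -> bool:
    """Simplified deny conditions: sender local part of 10+ lowercase letters,
    'X-Priority: 3 (Normal)', koi8 text sent 8bit, and a Message-ID shaped
    like <10digits.digits@sender-domain> (approximation of the elided ACL)."""
    msg = message_from_string(raw_headers)
    local, _, domain = sender.partition("@")
    if not re.fullmatch(r"[a-z]{10,}", local):
        return False
    if _hdr(msg, "X-Priority") != "3 (Normal)":
        return False
    if not re.search(r"text/(plain|html); charset=koi8-[ru]", _hdr(msg, "Content-Type")):
        return False
    if _hdr(msg, "Content-Transfer-Encoding") != "8bit":
        return False
    mid_re = rf"<\d{{10}}\.\d+@{re.escape(domain)}>"
    return re.fullmatch(mid_re, _hdr(msg, "Message-ID")) is not None

# Constructed sample modelled on the third message quoted in the post.
SAMPLE_SENDER = "qwertyuiopas@example.org"
SAMPLE_HEADERS = """\
Received: from [198.51.100.7] (helo=microsoft)
\tby mx.example.net with esmtp (Exim 4.69)
From: "Example Sender" <qwertyuiopas@example.org>
X-Priority: 3 (Normal)
Message-ID: <1243251573.07915@example.org>
Content-Type: text/html; charset=koi8-u
Content-Transfer-Encoding: 8bit

"""
```

Changing any one of the sample's headers (for example the encoding to 7bit) makes looks_like_koi8_spam() return False, which mirrors how every condition in the ACL must hold for the deny to fire.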