Debugged set of rules (in DATA ACL):

  deny  message = rejected because recognized as Ukrainian spam
        condition = ${if match{$message_headers_raw}\
                              {\N\A([^\n]+\n[ \t])+[^\n]+\nDate\N}}
        condition = ${if eq{$received_protocol}{esmtp}}
        condition = ${if eq{$bheader_X-Priority:}{3 (Normal)}}
        condition = ${if match{$sender_address_local_part}{\N^[a-z]{10,}$\N}}
        condition = ${if match{$bheader_To:}{\N^[^ @,;]...@[\w\.-]+$\n}}
        set acl_m_domain = ${if match{$bheader_To:}{\N@(.+)$\N}{$1}}
        condition = ${if match{$bheader_Message-ID:}\
                              {\N^<\d{10}\.\d{...@\n$sender_address_domain>\$}}
        condition = ${if match{$bheader_In-Reply-To:}\
                              {\N^<[a-f\d]{...@\n$acl_m_domain>\$}}
        condition = ${if match{$bheader_References:}\
                              {\N^<[a-f\d]{...@\n$acl_m_domain> \
                              \N<[A-F\d]{30,4...@\n$sender_address_domain>\$}}
        condition = ${if !eq{${if match{$rheader_In-Reply-To:}{<(.+)@}{$1}}}\
                         {${if match{$bheader_References:}{\N^<(\w+)@\N}{$1}}}}

The botnet endures a 20s delay in the RCPT ACL. I don't want to try longer delays
because of the limited memory of the cheap VPS/VDS ($6/month for
64M RAM and 128M swap for Exim, webserver, POP3 server and BIND).

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
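An offline harness for trying the rule above against saved messages before enabling it, added here as an example in Python and not part of the original post. The local-part patterns that the archive elided with `...@` are not reproduced; only the domain relations still visible in those lines are checked, so it is looser than the posted ACL. The sample message and the names `check` and `would_deny` are constructed.

```python
import re
from email import message_from_string

# Constructed sample (not real traffic): one folded Received header, then Date.
SAMPLE = (
    "Received: from host.example ([192.0.2.7])\n"
    "\tby mx.example.net with esmtp\n"
    "Date: Mon, 1 Jan 2024 10:00:00 +0200\n"
    "From: <qwertyuiopas@sender.example>\n"
    "To: user@rcpt.example\n"
    "X-Priority: 3 (Normal)\n"
    "Message-ID: <1234567890.123456@sender.example>\n"
    "In-Reply-To: <0a1b2c3d4e5f@rcpt.example>\n"
    "References: <f5e4d3c2b1a0@rcpt.example> <0123456789ABCDEF0123456789ABCDEF@sender.example>\n"
    "\n"
    "body\n"
)

def hdr(msg, name):
    # Unfolded, trimmed header value (approximates $bheader_ for ASCII headers).
    return " ".join((msg.get(name) or "").split())

def first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else ""

def check(raw, sender, protocol):
    """Evaluate each visible condition of the ACL; returns {name: bool}."""
    msg = message_from_string(raw)
    raw_headers = raw.split("\n\n", 1)[0] + "\n"
    local, _, sdom = sender.rpartition("@")      # envelope sender parts
    rdom = first(r"@(.+)$", hdr(msg, "To"))      # acl_m_domain in the ACL
    irt, refs = hdr(msg, "In-Reply-To"), hdr(msg, "References")
    same = lambda a, b: a != "" and a == b
    return {
        "folded_header_then_date": bool(
            re.match(r"\A([^\n]+\n[ \t])+[^\n]+\nDate", raw_headers)),
        "protocol": protocol == "esmtp",
        "x_priority": hdr(msg, "X-Priority") == "3 (Normal)",
        "sender_local_part": bool(re.fullmatch(r"[a-z]{10,}", local)),
        "message_id_domain": same(first(r"@([^>]+)>$", hdr(msg, "Message-ID")), sdom),
        "in_reply_to_domain": same(first(r"@([^>]+)>$", irt), rdom),
        "references_domains": bool(rdom) and re.findall(r"@([^>]+)>", refs) == [rdom, sdom],
        "ids_differ": first(r"<(.+)@", irt) != first(r"^<(\w+)@", refs),
    }

def would_deny(raw, sender, protocol="esmtp"):
    return all(check(raw, sender, protocol).values())
```

Running `check` over a sample of legitimate mail shows which single conditions match ordinary messages, which helps estimate false positives before the `deny` goes live.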
