> From: "Ronaldo Luiz de Carvalho" <[email protected]>
> I want to do an Exim filter where the headers need to be the same if they are
> set.
>
> The headers are: from, sender, reply and disposition-notification-to (maybe
> use others)
>
> I'm receiving hundreds/minute connections using some of my email accounts
> and the replies are going to someone else.
>
> The headers from one of these e-mails are:
>
> 1RHFJd-0008Ev-AK-H
> mailnull 47 12
> <[email protected]>
> 1319204357 0
> -helo_name 100927a
> -host_address 123.11.70.14.3455
> -host_auth courier_login
> -interface_address 201.36.96.221.25
> -received_protocol esmtpa
> -body_linecount 7
> -max_received_linelength 72
> -auth_id [email protected]
> -host_lookup_failed
> XX
> 1
> [email protected]
>
> 225P Received: from [123.11.70.14] (helo=100927a)
>         by ns1.cybernet.com.br with esmtpa (Exim 4.69)
>         (envelope-from <[email protected]>)
>         id 1RHFJd-0008Ev-AK
>         for [email protected]; Fri, 21 Oct 2011 11:39:17 -0200
> 051  disposition-notification-to: [email protected]
> 017  returnreceipt: 1
> 018  mime-version: 1.0
> 049F from: atest <[email protected]>
> 051S sender: atest <[email protected]>
> 040T to: aaa <[email protected]>
> 033  date: 21 Oct 2011 21:40:02 +0800
> 038  subject: =?utf-8?B?YnVvbmdpb3Jubyk=?=
> 039  content-type: text/html; charset=utf-8
> 034  content-transfer-encoding: base64
>
> How could I do that? I want to block this kind of e-mail but I don't know
> what to do.

At first, change the password of the compromised user:

    -auth_id [email protected]

Then add the following two fragments to your Exim config. This code catches such
spammers automatically. The code is based on the fact that spam is sent to huge
lists of email addresses, and very many of the addresses in such lists are
nonexistent. The code watches not the rate of sending all messages, but only the
rate of attempts to send to nonexistent addresses. If the rate of attempts to
send to nonexistent addresses exceeds the limit, the authenticated user is
automatically blocked, and an alert is emailed to you.

When you get an alert, examine the content of the frozen messages in the queue
using `exipick`. In the unlikely case that it's not spam, delete the line with
the user ID from the $spool_directory/blocked_authenticated_users file (or you
can delete the file if it contains only one line) and unfreeze the messages,
also using `exipick`. If it's spam, then change the user's password or otherwise
block the user, then fine the user according to the contract, using the frozen
messages as evidence.

1. In the beginning of the Exim config:

    LIM = 100
    PERIOD = 1h
    WARNTO = [email protected]
    EXIMBINARY = /usr/local/sbin/exim -f root
    SHELL = /bin/sh

    local_from_check = false

2. In acl_check_rcpt, instead of the usual "accept authenticated = *":

    # Users already listed in the block file: freeze everything they send,
    # silently, and record who they authenticated as.
    accept
      authenticated = *
      set acl_m_user = $authenticated_id
      condition = ${if exists{$spool_directory/blocked_authenticated_users}}
      condition = ${lookup{$acl_m_user}lsearch\
                    {$spool_directory/blocked_authenticated_users}{1}{0}}
      control = freeze/no_tell
      add_header = X-Authenticated-As: $acl_m_user

    # Count only attempts to nonexistent recipients. When the per-user rate
    # exceeds LIM per PERIOD, append the user to the block file, mail an
    # alert to WARNTO and freeze this message.
    accept
      authenticated = *
      !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
      ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
      continue = ${run{SHELL -c "echo $acl_m_user \
                    >>$spool_directory/blocked_authenticated_users; \
                    \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
                    has sent mail to LIM invalid recipients during PERIOD.; \
                    \N}\N | EXIMBINARY WARNTO"}}
      control = freeze/no_tell
      add_header = X-Authenticated-As: $acl_m_user

    # Everyone else who authenticated is accepted as a submission.
    accept
      authenticated = *
      control = submission/domain=

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
