Graeme and Paul,
Thanks so much for your help!
Graeme, you were right about accepting the mail at some earlier stage.
It turns out I was checking for the sender's whitelist with
= :whitelist_file
Not exactly like that, I'm just too tired to get the exact syntax right
now, but the important part is the colon, which I now realise means that
it will match against a blank value, and these spammers were sending
with a blank from address, so they were whitelisted. Thanks a mil, your
script really helped A LOT!!!
Paul, thanks, I'm not an expert in exim by any stretch of the
imagination and I don't spend much time with it, so I didn't even
realise that there was a helo acl! I'm now using that to detect some
early problems, like using an IP rather than a domain name.
Thanks again, I now have a much better understanding of how things work.
Regards,
John
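As an added illustration (not from the thread and not John's actual configuration), this is how the whitelist condition John describes behaves in an Exim ACL: the leading-colon form that also matches the null sender, beside a corrected form, plus a HELO check of the kind Paul suggested. The ACL names, the file path and the HELO condition are assumptions.

```exim
# Added example, not the poster's real config. ACL names and paths are assumed.
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

acl_check_helo:
  # Reject a HELO/EHLO that is a bare IP address rather than a host name.
  deny    condition = ${if isip{$sender_helo_name}}
          message   = HELO argument must be a host name, not an IP address
  accept

acl_check_rcpt:
  # BROKEN: the leading colon makes the first list item the empty string, and
  # an empty item in an Exim address list matches the empty (null) sender.
  # Anything sent with "MAIL FROM:<>" therefore takes this accept and never
  # reaches the content scan in the DATA ACL.
  # accept  senders  = : /etc/exim4/sender_whitelist
  #         logwrite = whitelisted sender $sender_address

  # FIXED: no empty item, so only addresses listed in the file match.
  accept  senders  = /etc/exim4/sender_whitelist
          logwrite = whitelisted sender $sender_address

  # Alternative fix if the list must keep its leading colon: exclude the null
  # sender explicitly ("senders = :" is Exim's idiom for "sender is empty").
  # accept  !senders = :
  #         senders  = : /etc/exim4/sender_whitelist

  # ... the usual recipient checks (verify = recipient, relay control) follow ...

acl_check_data:
  # Null-sender mail now falls through to here, so SpamAssassin sees it.
  warn    spam       = nobody:true
          add_header = X-Spam-Score: $spam_score ($spam_bar)
  deny    spam       = nobody
          condition  = ${if > {$spam_score_int}{100}}
          message    = Rejected as spam ($spam_score points)
  accept
```

Running Graeme's `exim -bh` session against the broken variant shows the accept firing in the RCPT ACL; against the fixed variant the null-sender message continues to the DATA ACL.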
On 01/09/2015 20:15, Graeme Fowler wrote:
On Tue, 2015-09-01 at 15:44 +0200, John Mc Murray wrote:
So just to make it clear, this question was not about "how to block",
but rather "why doesn't it block for this very specific spam mail"
Look at it another way: rather than 'why did this not get blocked?',
think 'why did my Exim listener accept this message?'
You have an 'accept' clause somewhere before SA is being called (in the
DATA ACL?), and that's causing the message to get through.
Additional clue: the message has a null sender (ergo, appears to be a
bounce).
Do you happen to have a special accept clause for bounces?
You can run a debug session by doing the following (taking data from
your message). Create a new text file and paste in:
# ===START OF SCRIPT===
(
sleep 1
echo 'HELO 78.85.165.113'
sleep 1
echo 'MAIL FROM:<>'
sleep 1
echo 'RCPT TO:<[email protected]>'
sleep 1
echo 'DATA'
sleep 1
cat <<EOF
Received: from unknown (HELO localhost)
([email protected]@207.80.158.108)
by 78.85.165.113 with ESMTPA; Tue, 1 Sep 2015 14:12:34 +0400
X-Originating-IP: 207.80.158.108
From: [email protected]
To: [email protected]
Date: Tue, 01 Sep 2015 12:10:04 +0200
Subject: Received annoying spam from BestMoversToronto?
Received annoying spam "from us"?
We understand how it feels, but we didn't do this.
[as much of the body as you like]
.
EOF
sleep 5
echo 'QUIT') | exim -d -bh 78.85.165.113 2>&1 | less
#=== END OF SCRIPT ===
Then run that (as root or other trusted user, in Exim terms):
sh newfile.txt
That'll show you where your accept is. I'll lay odds on it being before
the call to SpamAssassin.
Graeme
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/