I think the problem is that you're relating an IP/DNS issue to a SPAM identification technology.

There is no 'law' that says your reverse DNS must work and its simply dangerous to use the heuristic no rDNS => High probability of SPAM.


You would probably be better served using extensive checking at:

    1. initial TCP connection, then
    2. at HELO/EHLO greeting, then
    3. at the MAIL command


Using this approach we block unwanted senders (unwanted connects) because they are identified as such, we block spammers that use broken protocol like attempting to send before they say HELO or EHLO. We block spammers and systems that use bare words like "HELO COMPUTER" or dotted quads like "HELO 1.2.3.4".

By the time an email gets as far as SpamAssassin on our systems its already been through 30+ other pre-checks which are more efficient and more accurate than providing a high weighting to something that can give a false positive.


Mike



Here's some config to consider ...


begin acl

###
### acl_check_connect: This access control list checks the inbound
### connection against a number of DNS based block lists
###

acl_check_connect:
warn logwrite = CONNECT: New connection from $sender_host_address:$sender_host_port -> $received_ip_address:$received_port
                set acl_m5 = 0

        #
        # accept the connection here if it is on MSA port 587
        #
        accept  condition = ${if eq{$interface_port}{587}{1}{0}}
                set acl_m5 = 1
logwrite = CONNECT: Host $sender_host_address allowed on MSA/MUS port 587 - connect checks skipped

        #
        # check and accept if host is white-listed in our database
        #
        accept  hosts = +whitelist_dnsbl_hosts
logwrite = CONNECT: Host $sender_host_address is whitelisted in database, RBL checks skipped

        #
        # see if its whitelisted at junkmailfilter.com - only warn
        #
warn dnslists = hostdomain.junkemailfilter.com=127.0.0.1/$sender_host_name logwrite = CONNECT: Host name $sender_host_name whitelisted at $dnslist_domain : $dnslist_value

        #
        # check if host white-listed at DNSWL.ORG
        #
        accept  dnslists = list.dnswl.org&0.0.0.2
logwrite = CONNECT: Host $sender_host_address whitelisted at $dnslist_domain : $dnslist_value

        #
# checks via various DNS Block Lists. These could be condensed into a single check with a # multi-part dnslists = ... entry but specifying them separately gives us fine-grained # control. We can log each by name and can enable/disable them. Enable by setting them to # 'drop' (connection refused) and disabled them by setting to 'warn' (log entry only)
        #

        # SpamHaus.org
        drop    dnslists = zen.spamhaus.org
logwrite = CONNECT: Reject: $sender_host_address according to: $dnslist_domain : $dnslist_value


        # Sorbs.net
        warn    dnslists = dnsbl.sorbs.net
logwrite = CONNECT: Reject: $sender_host_address according to: $dnslist_domain : $dnslist_value


        # SpamCop.net
        warn    dnslists = bl.spamcop.net
log_message = CONNECT: Warning: $sender_host_address according to: $dnslist_domain : $dnslist_value


        # AbuseAt.org
        warn    dnslists = cbl.abuseat.org
log_message = CONNECT: Warning: $sender_host_address according to: $dnslist_domain : $dnslist_value

        #
        # accept the rest
        #
accept logwrite = CONNECT: Accepting connection from: $sender_host_address - not blocked by any RBL


###
### acl_start_tls: This access control list reports client used START TLS
###

acl_start_tls:

accept logwrite = CRYPTO: Client $sender_host_address:$sender_host_port issued STARTTLS




###
### acl_check_helo: check the HELO/EHLO
###

acl_check_helo:

        #
        # accept for relay_from_hosts
        #
accept condition = ${if match_domain{$sender_helo_name}{$+relay_from_hosts}{true}{false}} logwrite = HELO: Accepted HELO/EHLO $sender_helo_name from remote host: $sender_host_address ${if def:sender_host_name {($sender_host_name) }} in hostlist relay_from_hosts


        #
        # check for single word greeting messages like "HELO COMPUTER"
        #
        deny    condition = ${if match {$sender_helo_name} {\\.} {no}{yes}}
message = Your HELO/EHLO greeting ($sender_helo_name) is a single word. \ According to RFC2821 you must use your fully-qualified domain-name. \ Please fix your configuration if you want to talk to us logwrite = HELO: HELO/EHLO was not a FQDN : $sender_helo_name from $sender_fullhost

        #
        # check for raw IP address in greeting like "HELO 1.2.3.4"
        #
        deny    condition = ${if isip{$sender_helo_name}}
#condition = ${if match {$sender_helo_name}{^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$}{yes}{no}} message = Your HELO/EHLO greeting ($sender_helo_name) is a plain IP address. \ According to RFC2821 you must use your fully-qualified domain-name. \ Please fix your configuration if you want to talk to us logwrite = HELO: HELO/EHLO with bare IP : $sender_helo_name from $sender_fullhost

        #
# check for HELO from our host name... must be fake as we don't SMTP to ourselves!
        #
deny condition = ${if match {$sender_helo_name}{$primary_hostname}{true}{false}} message = Your HELO/EHLO greeting ($sender_helo_name) is using our name! \ According to RFC2821 you must use your fully-qualified domain-name. \ Please fix your configuration if you want to talk to us logwrite = HELO: Rejected because remote host used our hostname: $sender_helo_name

        #
# check for HELO from domains that we handle (local domains and relay domains)... if so this is fake
        #
deny condition = ${if match_domain{$sender_helo_name}{$+local_domains:+relay_to_domains}{true}{false}} message = Your HELO/EHLO greeting ($sender_helo_name) is using one of our domains! \ According to RFC2821 you must use your fully-qualified domain-name. \ Please fix your configuration if you want to talk to us logwrite = HELO: Rejected because remote host used one of our domains: $sender_helo_name

        #
# check for HELO names blacklisted in our database, if we reject don't give too much help as to why
        #
deny condition = ${if match_domain{$sender_helo_name}{+blacklist_helo}{yes}{no}}
                message = Your HELO/EHLO is not acceptable here
logwrite = HELO: Rejected: $sender_helo_name (from $sender_fullhost) - blacklisted in database

        #
# attempt to verify the HELO/EHLO, if it fails just generate a log warning - we cannot reject # based on this. See also the check_content ACL where we add a warning to headers for invalid HELO
        #
        warn    !verify = helo
logwrite = HELO: Could not verify HELO/EHLO: $sender_helo_name from remote host: $sender_host_address ${if def:sender_host_name {($sender_host_name) }}

        #
        # accept everything else
        #
        accept  message = Hello $sender_helo_name
logwrite = HELO: Accepted HELO/EHLO $sender_helo_name from remote host: $sender_host_address ${if def:sender_host_name {($sender_host_name) }}



###
### acl_check_mail: this access control list checks the SMTP 'MAIL' (ie. MAIL FROM:)
### part of the transaction
###

acl_check_mail:

        #
        # check that they have said HELO/EHLO earlier (before MAIL)
        #
        deny    condition = ${if !def:sender_helo_name {true}{false}}
message = Missing or blank HELO/EHLO greeting. According to RFC2821 \
                        you must say HELO/EHLO before sending traffic.
logwrite = MAIL: Missing or blank HELO/EHLO from $sender_fullhost

        #
        # log the SPF result
        #
        warn    spf = !none
logwrite = MAIL: SPF Result=$spf_result ($sender_address_domain / $sender_fullhost)

        #
        # check blacklisted 'From:' addresses
        #
deny condition = ${lookup mysql {MYSQL_BLACKLIST_SENDER}{true}{false}}
                message = Sender address blacklisted. Go away!
logwrite = MAIL: Rejected sender's from: $sender_address - blacklisted in database

        #
# accept everything else (we won't know until we call-out verify/route it)
        #
accept logwrite = MAIL: Accept from: $sender_address host: $sender_fullhost








On 9/19/2016 1:58 PM, John McMurray wrote:
Hi everyone,

I hope its ok to ask an off topic question in this group. I ask here because even though it is off topic its obviously closely related and I'd love to hear what your thoughts are on the following:

In my exim servers I assign a very high spam assassin score to incoming mail servers without rDNS (RDNS_NONE = 4.5).

This has worked well for me blocking a fair amount of spam (or rather, pushing the overall score high enough to block the spam).

I have a client on my servers who cannot receive mail from one of their contacts. It turns out that this sender's forward and reverse records don't match exactly, eg:

mailsecurity-01.example.com. => 1.2.3.4

but

dig -x 1.2.3.4 => gateway.example.com.


So my question(s) are basically:

1) am I being too over the top assigning such high spam assassin to incoming mail without valid rDNS?

2) Should it be considered valid if the tld matches but not the sub domain as in the example above (and if so any pointers on how to achieve that in exim)?


Thank you,

John McMurray

j...@softsmart.co.za




--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Reply via email to