[ale] Stopping spam with Exim (was Re: Your music)

Fulton Green ale at FultonGreen.com
Thu May 20 09:40:30 EDT 2004


On Thu, May 20, 2004 at 09:12:46AM -0400, Geoffrey wrote:
> Fulton Green wrote:
> 
> > Enough for me to have a filter rule that specifically dumps anything
> > coming directly from a client host without first going through their
> > official mail relay.

Without going into detail (as I've gotta go to work real soon now), the
Exim MTA has a pretty complex filtering language (and as of 4.0 now also
supports the Sieve filtering format).  One of the workhorses I've been
using lately is a test on the Received: header line to detect if the
SMTP client talking to my domain's MTA looks like a "regular joe" client
of an ISP (as opposed to the ISP's MTA).

So the basic technique I use for most ISPs is to gather enough spams
for the ISP, then look for a common pattern I can filter out.  So, for
example, the "prodigy.net.mx" addresses all seemed to be of the pattern

  dup-X-X-X-X.prodigy.net.mx

with each X corresponding to a particular dotted-quad value.

So for the older Exim (3.x) headers where the Received: header from the
zombie client to my MTA looked like this:

  Received: from [200.3.4.5] (helo=dup-200-3-4-5.prodigy.net.mx)
  	by myhost.mydomain.net with smtp (Exim

I'd have a rule using some semi-1337 PCRE-fu:

  or $header_Received: matches "from \\\\[((([[:digit:]]{1,3})\\\\.){3})([[:digit:]]{1,3})\\\\] \\\\(helo=dup((-([[:digit:]]{1,3})){4})\\\\.prodigy\\\\.net\\\\.mx\\\\)\n\tby myhost\\\\.mydomain\\\\.net with smtp \\\\(Exim "

Exim 4.x, at least on my hosting provider's config, now attempts a
reverse-DNS lookup on each incoming host, so the filter line would look
slightly different if I ever got around to changing it (and the fact that
I haven't gotten around to it indicates that I haven't received a spam
from TelMex/Prodigy since the Exim upgrade).

Chris Ricker pointed out that there are several blacklist services out
there that already have info like this for several jillions of ISPs.
I think most of them actually do it by numeric blocks, though, and at
least several of the better ones charge for their services.  For whatever
reason, my hosting provider isn't using any of the "dynamic IP"-based
lists.  That's why I've resorted to the Received:-based filtering.  It's
been a great learning experience, actually.

I've also found that using SpamCop's new URI RBL has reduced my spam
down to almost nothing but the occasional 419 and stock scams.
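The Received:-header test described above, written out as an added example in Python rather than in Exim's filter language (this is not code from the original post). It parses the Exim 3 style header shown in the post (`from [ip] (helo=name)`) and, as an assumption about the Exim 4 reverse-DNS layout mentioned above, also a `from rdns-name ([ip] helo=name)` form; the sample header lines, host names and addresses are constructed. It goes one step beyond the post's rule by also checking that the dotted quad embedded in the `dup-X-X-X-X` name agrees with the connecting IP in brackets, so a forged HELO is reported separately from a genuine dynamic client.

```python
import re

# Constructed sample Received: header lines for testing (not taken from the
# original post; host names and addresses are made up).
SAMPLES = {
    "exim3_dynamic": (
        "Received: from [200.3.4.5] (helo=dup-200-3-4-5.prodigy.net.mx)\n"
        "\tby myhost.mydomain.net with smtp (Exim 3.36 #1)"
    ),
    # Assumed Exim 4 layout: reverse-DNS name first, then [ip] and helo.
    "exim4_dynamic": (
        "Received: from dup-200-3-4-5.prodigy.net.mx "
        "([200.3.4.5] helo=dup-200-3-4-5.prodigy.net.mx)\n"
        "\tby myhost.mydomain.net with smtp (Exim 4.30)"
    ),
    "relay": (
        "Received: from mail1.prodigy.net.mx ([200.33.1.10])\n"
        "\tby myhost.mydomain.net with esmtp (Exim 4.30)"
    ),
    # HELO claims a dynamic name whose embedded IP does not match the client.
    "forged": (
        "Received: from [10.9.8.7] (helo=dup-200-3-4-5.prodigy.net.mx)\n"
        "\tby myhost.mydomain.net with smtp (Exim 3.36 #1)"
    ),
}

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Exim 3 style: "from [ip] (helo=name)"
EXIM3_RE = re.compile(
    r"^Received: from \[(?P<ip>" + IPV4 + r")\] \(helo=(?P<helo>[^)\s]+)\)"
)
# Assumed Exim 4 style with reverse DNS: "from rdns-name ([ip] helo=name)";
# the helo part is optional.
EXIM4_RE = re.compile(
    r"^Received: from (?P<rdns>[^\s\[(]+) \(\[(?P<ip>" + IPV4 + r")\]"
    r"(?: helo=(?P<helo>[^)\s]+))?"
)

# The "regular joe" client naming pattern from the post: dup-A-B-C-D.prodigy.net.mx
DYNAMIC_RE = re.compile(
    r"^dup-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.prodigy\.net\.mx$", re.I
)


def parse_received(header):
    """Return {'ip', 'helo', 'rdns'} for a recognised Received: line, else None."""
    m = EXIM3_RE.match(header)
    if m:
        return {"ip": m.group("ip"), "helo": m.group("helo"), "rdns": None}
    m = EXIM4_RE.match(header)
    if m:
        return {"ip": m.group("ip"), "helo": m.group("helo"), "rdns": m.group("rdns")}
    return None


def dynamic_name_ip(name):
    """If name matches dup-A-B-C-D.prodigy.net.mx, return 'A.B.C.D', else None."""
    if not name:
        return None
    m = DYNAMIC_RE.match(name)
    return ".".join(m.groups()) if m else None


def classify(header):
    """Classify one Received: line.

    'dynamic-client'          -> helo/rdns is a dup-* name and its embedded IP
                                 equals the connecting IP (the post's spam case)
    'dynamic-client-mismatch' -> dup-* name claimed, but embedded IP differs
    'relay'                   -> parsed, but no dynamic-client name seen
    'unparsed'                -> not a header layout this example understands
    """
    rec = parse_received(header)
    if rec is None:
        return "unparsed"
    for name in (rec["helo"], rec["rdns"]):
        embedded = dynamic_name_ip(name)
        if embedded is not None:
            return "dynamic-client" if embedded == rec["ip"] else "dynamic-client-mismatch"
    return "relay"


if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:15s} -> {classify(hdr)}")
```

In a real deployment the verdict would feed a filter action (file the message or reject at SMTP time); the value of keeping the parse and the pattern test separate is that the same `parse_received` can be reused for each ISP's naming pattern as new spam samples are gathered.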
