Mailing List Archive: exim: users

Exim is forwarding spam.

 

 


nezinomi.asmenys at gmail

Jun 29, 2012, 5:58 AM

Post #1 of 13 (543 views)
Exim is forwarding spam.

Hi,

How can I make Exim stop forwarding spam? I am using 'exim4u' config file.

http://www.1232px.lt/exim.conf

Domas
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


cyborg2 at benderirc

Jun 29, 2012, 7:53 AM

Post #2 of 13 (531 views)
Re: Exim is forwarding spam.

On 29.06.2012 14:58, nezinomi asmenys wrote:
> Hi,
>
> How can I make Exim stop forwarding spam? I am using 'exim4u' config file.
>
> http://www.1232px.lt/exim.conf
>
> Domas
yes of course, enable the spamassassin config part and set it to filter
mails. i.e. like this.

spamd_address = 127.0.0.1 783

# Run SpamAssassin, but allow for it to fail or time out. Add a warning message
# and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
# score exceeds the SA system threshold.

  warn condition  = ${if eq{$authenticated_id}{} {1}{0}}
       spam       = nobody/defer_ok
       add_header = X-Spam-Flag: YES

# And reject if the SpamAssassin score is greater than ten
#
  deny condition = ${if >{$spam_score_int}{10}{1}{0}}
       message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
                   $spam_report


You may want to add some more rules for it, i.e. a whitelist based on
domainnames etc. etc.

You can find more examples in the spamassassin and exim docs.



adam at adam-barratt

Jun 29, 2012, 12:44 PM

Post #3 of 13 (527 views)
Re: Exim is forwarding spam.

On Fri, 2012-06-29 at 16:53 +0200, Cyborg wrote:
> # And reject if the SpamAssassin score is greater than ten
> #
> deny condition = ${if >{$spam_score_int}{10}} {1}}
> message = Your message scored $spam_score SpamAssassin
> point. Report follows:\n\
> $spam_report

The comment and implementation there are somewhat out of agreement... an
order of magnitude out, in fact. (To be slightly more helpful, see the
description of $spam_score_int in
<URL:http://www.exim.org/exim-html-current/doc/html/spec_html/ch43.html#SECID206>.)

Regards,

Adam




Chris.Knadle at coredump

Jun 29, 2012, 9:15 PM

Post #4 of 13 (530 views)
Re: Exim is forwarding spam.

On Friday, June 29, 2012 10:53:45, Cyborg wrote:
> On 29.06.2012 14:58, nezinomi asmenys wrote:
> > Hi,
> >
> > How can I make Exim stop forwarding spam? I am using 'exim4u' config
> > file.
> >
> > http://www.1232px.lt/exim.conf
> >
> > Domas
>
> yes of course, enable the spamassassin config part and set it to filter
> mails. i.e. like this.
>
> spamd_address = 127.0.0.1 783
>
> # Run SpamAssassin, but allow for it to fail or time out. Add a
> warning message
> # and accept the mail if that happens. Add an X-Spam-Flag: header if
> the SA
> # score exceeds the SA system threshold.
>
> warn condition = ${if eq{$authenticated_id}{} {1}{0}}
> spam = nobody/defer_ok
> add_header = X-Spam-Flag: YES
>
> # And reject if the SpamAssassin score is greater than ten
> #
> deny condition = ${if >{$spam_score_int}{10}} {1}}
> message = Your message scored $spam_score SpamAssassin
> point. Report follows:\n\
> $spam_report
>
>
> You may want to add some more rules for it, i.e. a whitelist based on
> domainnames etc. etc.
>
> You can find more examples in the spamassassin and exim docs.

Rather than 'deny' I prefer to use 'drop' to forcibly close the SMTP
connection when a spam message has been detected, and I delay that response
for 15 seconds to try to slow down the sender slightly. I'm doing some mail relaying
for some domains in which the admin on the other side wants the spam to be
accepted and then discarded rather than rejected, so the combination is the
following:


acl_check_recpt:

  warn  domains = !+spamdiscard_domains
        set acl_m_denyspam = yes

  warn  domains = +spamdiscard_domains
        set acl_m_denyspam = no

acl_check_data:

  drop  hosts       = !+relay_from_hosts
        condition   = ${if eq{$acl_m_denyspam}{yes} {yes}{no}}
        !senders    = postmaster@*
        message     = Spam message detected; message rejected.\n\
                      If you think this is wrong, get in touch with postmaster.
        condition   = ${if match{$recipients}{postmaster}{no}{yes}}
        condition   = ${if >{$spam_score_int}{50}{1}{0}}
        log_message = msg rejected due to spam score of $spam_score
        delay       = 15s

  discard hosts       = !+relay_from_hosts
          condition   = ${if eq{$acl_m_denyspam}{no} {yes}{no}}
          !senders    = postmaster@*
          message     = Spam message detected; message discarded.\n\
                        If you think this is wrong, get in touch with postmaster.
          condition   = ${if match{$recipients}{postmaster}{no}{yes}}
          condition   = ${if >{$spam_score_int}{50}{1}{0}}
          log_message = msg discarded due to spam score of $spam_score



-- Chris

--
Chris Knadle
Chris.Knadle [at] coredump



Chris.Knadle at coredump

Jun 30, 2012, 9:57 AM

Post #5 of 13 (526 views)
Re: Exim is forwarding spam.

On Friday, June 29, 2012 08:58:14, nezinomi asmenys wrote:
> Hi,
>
> How can I make Exim stop forwarding spam? I am using 'exim4u' config file.
>
> http://www.1232px.lt/exim.conf
>
> Domas

BTW are you doing any mail relaying? If you're relaying mail for any domains,
you can end up in Exim sending "backscatter spam" due to not being able to
validate the recipient of the email. I've come up with an interesting
solution for this situation which you might like if this is the case.

-- Chris

--
Chris Knadle
Chris.Knadle [at] coredump



tlyons at ivenue

Jun 30, 2012, 10:17 AM

Post #6 of 13 (527 views)
Re: Exim is forwarding spam.

On Sat, Jun 30, 2012 at 9:57 AM, Chris Knadle <Chris.Knadle [at] coredump> wrote:
>
> BTW are you doing any mail relaying? If you're relaying mail for any domains,
> you can end up in Exim sending "backscatter spam" due to not being able to
> validate the recipient of the email. I've come up with an interesting
> solution for this situation which you might like if this is the case.

What are the details? "Interesting solution" implies something new or
novel and I for one would like to see what you did.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine



Chris.Knadle at coredump

Jun 30, 2012, 11:28 AM

Post #7 of 13 (525 views)
Re: Exim is forwarding spam.

On Saturday, June 30, 2012 13:17:05, Todd Lyons wrote:
> On Sat, Jun 30, 2012 at 9:57 AM, Chris Knadle <Chris.Knadle [at] coredump> wrote:
> > BTW are you doing any mail relaying? If you're relaying mail for any
> > domains, you can end up in Exim sending "backscatter spam" due to not
> > being able to validate the recipient of the email. I've come up with an
> > interesting solution for this situation which you might like if this is
> > the case.
>
> What are the details? "Interesting solution" implies something new or
> novel and I for one would like to see what you did.

Okay, then I'll explain it.

I don't necessarily think it's a new or novel solution, but I haven't yet seen
it elsewhere. [I expect someone else must be doing something similar.]

At first I considered doing a recipient callout, but this defeats the purpose
of being a mail relay because it requires the main mail server to be present
and online. The bottom line is that the backup mail server has to have some
way of authenticating recipient email addresses even when the main mail
server is offline.

To do this, I asked the administrator for the relay domain for the list of
valid email addresses. At first he didn't like this idea because it exposes
that information to me, but once I explained the reason I was asking for it
he understood and did so, along with a list of "blacklisted" email addresses.
He's using wildcard email addressing with '-' as the delimiter, and that's the
reason why the additional "blacklisted" addresses are necessary. Thankfully I
found it was not necessary to use wildcard addressing myself to be able to
deal with all of this. ;-)

The simple solution: email addresses from a particular domain are checked
against a regex of valid email addresses in a file that is named after the
domain name, and likewise with a blacklist file.


Exim4 configuration
----------------------------------
# (The domain names below are fictitious)
domainlist blacklist_filecheck_domains = example1.com
domainlist rcpt_checked_relay_domains = example1.com

acl_check_rcpt:

  # deny relay_to_domains blacklisted recipients
  # CONFDIR/recipient_blacklists/<domain> holds a list of email addresses that should
  # no longer have email accepted for them, but which need to be blocked explicitly
  # due to wildcard email addresses being used that would normally accept the
  # addresses. Incoming messages with these recipients are blocked at RCPT time.
  deny  domains     = +blacklist_filecheck_domains
        message     = unknown user
        condition   = ${lookup{$local_part@$domain}\
                        nwildlsearch{CONFDIR/recipient_blacklists/$domain}\
                        {yes}{no}}
        log_message = Address $local_part@$domain blocked
        delay       = 15s

  # Relay only recipients found in recipient_relay_lists for relay_to_domains
  # that are set to use it
  deny  domains     = +rcpt_checked_relay_domains
        message     = unknown user
        !condition  = ${lookup{$local_part@$domain}\
                        nwildlsearch{CONFDIR/recipient_relay_lists/$domain}\
                        {yes}{no}}
        log_message = Address $local_part@$domain unknown
        delay       = 15s
----------------------------------


/recipient_blacklists/example1.com
----------------------------------
virgil_earp@example1.com
doc_holliday@example1.com
----------------------------------


/recipient_relay_lists/example1.com
----------------------------------
abuse@example1.com
root@example1.com
notspam@example1.com
postmaster@example1.com
MAILER-DAEMON@example1.com
billy_claiborne@example1.com
^bclaiborne-.*@example1.com
billy_clanton@example1.com
^bclanton-.*@example1.com
frank_mclaury@example1.com
^fmclaury-.*@example1.com
----------------------------------



Thus far updates to email addresses have simply been sent over email because
they've been infrequent, but I've occasionally considered something more
easily updated by the relay domain administrator such as files copied via
rsync over ssh.

Also I originally implemented this idea in LDAP as a way of keeping the remote
domain addresses in sync, but the relay domain admin wasn't interested in
running LDAP so I opted for this simpler file-based solution, which has been
doing its job very well IMHO.

-- Chris

--
Chris Knadle
Chris.Knadle [at] coredump

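A runnable model of the file-driven recipient check in Chris's post above, added here as an example (it is not Chris's configuration and not Exim's own lookup code). It parses list files of the same shape as the two shown (one literal address or one `^`-anchored regex per line), matches recipients against them with an approximation of Exim's nwildlsearch rules (case-insensitive, `*` as the only wildcard in a literal key, `^` introducing a regex), and returns the decision the two deny statements would produce. The list contents and the `LIST_FILES` dictionary standing in for `CONFDIR/recipient_blacklists/<domain>` and `CONFDIR/recipient_relay_lists/<domain>` are constructed so the example runs offline; a missing relay list fails closed here, which is this example's choice rather than a statement about Exim's lookup-failure semantics.

```python
"""File-driven recipient check for a backup MX (added example, not Exim code)."""
import re
from typing import Dict, List, Optional, Tuple

# Domains the two deny statements apply to (the post's two domainlists)
BLACKLIST_FILECHECK_DOMAINS = {"example1.com"}
RCPT_CHECKED_RELAY_DOMAINS = {"example1.com"}

# Constructed stand-ins for CONFDIR/recipient_blacklists/<domain> and
# CONFDIR/recipient_relay_lists/<domain>, embedded so the example runs offline.
# Same format as the post: one literal address or one ^-anchored regex per line.
LIST_FILES: Dict[Tuple[str, str], str] = {
    ("recipient_blacklists", "example1.com"): """\
# addresses that a wildcard would accept but which must be refused
virgil_earp@example1.com
doc_holliday@example1.com
""",
    ("recipient_relay_lists", "example1.com"): """\
abuse@example1.com
postmaster@example1.com
billy_claiborne@example1.com
^bclaiborne-.*@example1.com
^bclanton-.*@example1.com
""",
}


def parse_list(text: str) -> List[str]:
    """lsearch-style parse: skip blank and comment lines; a key ends at the
    first colon or whitespace, so 'key: value' lines keep only the key."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keys.append(re.split(r"[:\s]", line, maxsplit=1)[0])
    return keys


def key_matches(key: str, address: str) -> bool:
    """Approximation of wildlsearch key matching, case-insensitive:
    a key starting with ^ is a regex, otherwise * is the only wildcard."""
    if key.startswith("^"):
        return re.match(key, address, re.IGNORECASE) is not None
    pattern = ".*".join(re.escape(part) for part in key.split("*"))
    return re.fullmatch(pattern, address, re.IGNORECASE) is not None


def nwildlsearch(files: Dict[Tuple[str, str], str], kind: str,
                 domain: str, address: str) -> Optional[bool]:
    """True/False for a hit or miss; None when the per-domain file is absent."""
    text = files.get((kind, domain))
    if text is None:
        return None
    return any(key_matches(k, address) for k in parse_list(text))


def check_recipient(address: str, files=LIST_FILES) -> Tuple[str, str]:
    """Mirror the two deny statements of acl_check_rcpt: (verdict, log message)."""
    domain = address.rpartition("@")[2].lower()
    if domain in BLACKLIST_FILECHECK_DOMAINS:
        # first deny: an explicit blacklist hit wins over any wildcard in the relay list
        if nwildlsearch(files, "recipient_blacklists", domain, address):
            return "deny", f"Address {address} blocked"
    if domain in RCPT_CHECKED_RELAY_DOMAINS:
        # second deny: only listed recipients are relayed; a missing list fails closed
        if not nwildlsearch(files, "recipient_relay_lists", domain, address):
            return "deny", f"Address {address} unknown"
    return "accept", f"Address {address} accepted for relay"


if __name__ == "__main__":
    for rcpt in ("postmaster@example1.com", "doc_holliday@example1.com",
                 "bclaiborne-sales@example1.com", "nobody@example1.com"):
        print(rcpt, "->", check_recipient(rcpt))
```

Because the blacklist is consulted before the relay list, the order of the two deny statements matters exactly as it does in the post: a wildcard such as `^bclaiborne-.*@example1.com` can accept an address that the blacklist file is meant to close off, so the blacklist must run first.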


nezinomi.asmenys at gmail

Jun 30, 2012, 12:24 PM

Post #8 of 13 (528 views)
Re: Exim is forwarding spam.

Thanks for your replies! Here are more details about my question.

Spamd works and adds the X-Spam header fine. But the problem is that when I enable
automatic mail forwarding on mailboxes, Exim also forwards the spam.

The 'forward' column in MySQL is the email address to forward mail to.

How do I destroy SPAM before it is forwarded?

virtual_forward:
  driver = redirect
  check_ancestor
  unseen = ${if eq {${lookup mysql{select unseen from users,domains \
                 where localpart = '${quote_mysql:$local_part}' \
                 and domain = '${quote_mysql:$domain}' \
                 and users.on_forward = '1' \
                 and users.domain_id=domains.domain_id}}}{1} {yes}{no}}
  data = ${lookup mysql{select forward from users,domains \
              where localpart='${quote_mysql:$local_part}' \
              and domain='${quote_mysql:$domain}' \
              and users.domain_id=domains.domain_id \
              and on_forward = '1'}}
  # We explicitly make this condition NOT forward mailing list mail!
  condition = ${if and { {!match {$h_precedence:}{(?i)junk}} \
                         {eq {${lookup mysql{select users.on_forward from users,domains \
                                   where localpart = '${quote_mysql:$local_part}' \
                                   and domain = '${quote_mysql:$domain}' \
                                   and users.on_forward = '1' \
                                   and users.domain_id=domains.domain_id}}}{1}} \
                       } {yes}{no}}

Full config file: http://www.1232px.lt/exim.conf

Domas
On 29 June 2012 15:58, nezinomi asmenys <nezinomi.asmenys [at] gmail> wrote:

> Hi,
>
> How can I make Exim stop forwarding spam? I am using 'exim4u' config file.
>
> http://www.1232px.lt/exim.conf
>
> Domas
>
>


--
Nezinomi asmenys @ 1999


mike.tubby at thorcom

Jun 30, 2012, 1:12 PM

Post #9 of 13 (533 views)
Re: Exim is forwarding spam.

Chris,

While your idea is interesting, it's not necessarily scalable; I have 800+
domains, each with 1-1000 addresses...

I use recipient verify, i.e. I call out to the next hop host and verify
the recipient. The host is usually present, however if it is not
contactable then I default to accepting the mail and queuing it. This
means there's a slightly higher chance of them getting spam (backscatter
spam) while their host is offline.

I think this compromise is acceptable and avoids me having to know my
clients' email addresses.


Mike








Chris.Knadle at coredump

Jun 30, 2012, 2:20 PM

Post #10 of 13 (524 views)
Re: Exim is forwarding spam.

On Saturday, June 30, 2012 09:12:59 PM Michael J. Tubby B.Sc G8TIC wrote:
> Chris,
>
> While your idea is interesting, it's not necessarily scalable; I have 800+
> domains, each with 1-1000 addresses...

Absolutely. This solution is definitely not meant for that kind of scale.

For the kind of scale you're dealing with, one of the things I've done in the
past is email routing via LDAP lookups and then using several multi-master
LDAP servers that keep each other in sync, and where the respective local
email administrators update their local LDAP server for the domains they
control. This solution makes the general assumption that you can trust the
other admins though, so it might be a solution relegated to a single
organization and its subsidiaries.

I think it's interesting to consider whether this kind of thing could
possibly be used cooperatively between organizations, though. It's not
unheard of even in large multi-organizations for there to be a combined email
solution. [I remember reading about a large Exchange solution used by Ford
Motor Company combined with others, which really sounded like trouble to me.]

> I use recipient verify, i.e. I call out to the next hop host and verify
> the recipient. The host is usually present, however if it is not
> contactable then I default to accepting the mail and queuing it. This
> means there's a slightly higher chance of them getting spam (backscatter
> spam) while their host is offline.

Yes, although your mail server(s) will be serving the backscatter spam when
that inevitably happens. That's what happened to me when I tried using this
solution, and that's why I didn't like it. :-/ Unfortunately there were
several service interruptions on the mail servers for relay domains which
forced me to come up with some kind of solution.

> I think this compromise is acceptable and avoids me having to know my
> clients' email addresses.

Having to know and/or deal with your clients' email addresses isn't a fun
thing, but backscatter spam is worth trying to avoid if possible.

-- Chris

Chris Knadle
Chris.Knadle [at] coredump



mike.tubby at thorcom

Jun 30, 2012, 3:04 PM

Post #11 of 13 (525 views)
Re: Exim is forwarding spam.

On 01/07/2012 01:06, Chris Knadle wrote:
> On Saturday, June 30, 2012 09:12:59 PM Michael J. Tubby B.Sc G8TIC wrote:
>> Chris,
>>
>> While your idea is interesting, it's not necessarily scalable; I have 800+
>> domains, each with 1-1000 addresses...
> Absolutely. This solution is definitely not meant for that kind of scale.
>
> For the kind of scale you're dealing with, one of the things I've done in the
> past is email routing via LDAP lookups and then using several multi-master
> LDAP servers that keep each other in sync, and where the respective local
> email administrators update their local LDAP server for the domains they
> control. This solution makes the general assumption that you can trust the
> other admins though, so it might be a solution relegated to a single
> organization and its subsidiaries.
>
> I think it's interesting to consider whether this kind of thing could
> possibly be used cooperatively between organizations, though. It's not
> unheard of even in large multi-organizations for there to be a combined email
> solution. [I remember reading about a large Exchange solution used by Ford
> Motor Company combined with others, which really sounded like trouble to me.]
>
>> I use recipient verify, i.e. I call out to the next hop host and verify
>> the recipient. The host is usually present, however if it is not
>> contactable then I default to accepting the mail and queuing it. This
>> means there's a slightly higher chance of them getting spam (backscatter
>> spam) while their host is offline.
> Yes, although your mail server(s) will be serving the backscatter spam when
> that inevitably happens. That's what happened to me when I tried using this
> solution, and that's why I didn't like it. :-/ Unfortunately there were
> several service interruptions on the mail servers for relay domains which
> forced me to come up with some kind of solution.
>
>> I think this compromise is acceptable and avoids me having to know my
>> clients' email addresses.
> Having to know and/or deal with your clients' email addresses isn't a fun
> thing, but backscatter spam is worth trying to avoid if possible.

I can think of a hybrid that might be interesting to investigate, it
works a bit like a grey-list:

You "auto learn" your client's email addresses, thus:

* you accept or reject mail addresses that you have cached in a
local database (eg. MySQL)

* for new email messages not already in the database you perform
recipient verify
* if recipient verify succeeds, you add to the database a
'positive' record and process mail
* if recipient verify fails (actively rejected) you add to the
database a 'negative' record and reject the mail
* if recipient verify fails (host unavailable) then you return
a defer (421) to the sender

* you can timestamp each email address with a "last seen" and
expire ones over X months old


Mike







Chris.Knadle at coredump

Jun 30, 2012, 8:20 PM

Post #12 of 13 (513 views)
Re: Exim is forwarding spam.

On Saturday, June 30, 2012 11:04:02 PM Michael J. Tubby B.Sc G8TIC wrote:
> On 01/07/2012 01:06, Chris Knadle wrote:
> > On Saturday, June 30, 2012 09:12:59 PM Michael J. Tubby B.Sc G8TIC wrote:
> >> Chris,
> >>
> >> While your idea is interesting, it's not necessarily scalable; I have 800+
> >> domains, each with 1-1000 addresses...
> >
> > Absolutely. This solution is definitely not meant for that kind of scale.
> >
> > For the kind of scale you're dealing with, one of the things I've done in
> > the past is email routing via LDAP lookups and then using several
> > multi-master LDAP servers that keep each other in sync, and where the
> > respective local email administrators update their local LDAP server for
> > the domains they control. This solution makes the general assumption
> > that you can trust the other admins though, so it might be a solution
> > relegated to a single organization and its subsidiaries.
> >
> > I think it's interesting to consider whether this kind of thing could
> > possibly be used cooperatively between organizations, though. It's not
> > unheard of even in large multi-organizations for there to be a combined
> > email solution. [I remember reading about a large Exchange solution used
> > by Ford Motor Company combined with others, which really sounded like
> > trouble to me.]
> >
> >> I use recipient verify, i.e. I call out to the next hop host and verify
> >> the recipient. The host is usually present, however if it is not
> >> contactable then I default to accepting the mail and queuing it. This
> >> means there's a slightly higher chance of them getting spam (backscatter
> >> spam) while their host is offline.
> >
> > Yes, although your mail server(s) will be serving the backscatter spam
> > when
> > that inevitably happens. That's what happened to me when I tried using
> > this solution, and that's why I didn't like it. :-/ Unfortunately there
> > were several service interruptions on the mail servers for relay domains
> > which forced me to come up with some kind of solution.
> >
> >> I think this compromise is acceptable and avoids me having to know my
> >> clients' email addresses.
> >
> > Having to know and/or deal with your clients' email addresses isn't a fun
> > thing, but backscatter spam is worth trying to avoid if possible.
>
> I can think of a hybrid that might be interesting to investigate, it
> works a bit like a grey-list:
>
> You "auto learn" your client's email addresses, thus:
>
> * you accept or reject mail addresses that you have cached in a
> local database (eg. MySQL)
>
> * for new email messages not already in the database you perform
> recipient verify
>
> * if recipient verify succeeds, you add to the database a
> 'positive' record and process mail
> * if recipient verify fails (actively rejected) you add to the
> database a 'negative' record and reject the mail
> * if recipient verify fails (host unavailable) then you return
> a defer (421) to the sender
>
> * you can timestamp each email address with a "last seen" and
> expire ones over X months old

I considered something like this setup earlier, except I didn't think of
returning a defer (421) to the sender at the time. I tend to focus on black-
and-white "pass only what's good", which is why I've tended to work with a
definitive list of valid email addresses and hard rejecting anything else.
The other concern I had with the idea in general (before considering a "421"
response) was how well it would work out in combination with wildcard email
addressing.

Adding deferment, I think I like your idea and I think it would work. For
wildcard addresses there will be several entries instead of a single regex,
but that's probably okay.

The only tiny twist I see is that if an address has still been seen recently
that had previously been rejected but now would normally be accepted, that
might require manual intervention to update and mail to that address would be
rejected in the meantime. This is probably a very rare case, though. The
expiry idea is a nice addition as it gives the database some agility.

-- Chris

Chris Knadle
Chris.Knadle [at] coredump

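Mike's auto-learn hybrid (post #11) and Chris's "tiny twist" about a previously rejected address that keeps being seen (post #12), worked through as an added Python example; this is not Exim code and not anything either poster published. `RecipientCache` answers from a local table first, calls out to the next hop only for unknown or expired addresses, learns positive and negative records, returns a 421 defer when the host is unavailable, refreshes a "last seen" timestamp on every sighting and expires records not seen within a configurable window. `FakeNextHop` is a constructed stand-in for the client's mail server (the real callout would be an SMTP RCPT to the next hop), and `forget()` is the manual intervention Chris mentions for a negative record that never ages out because spam keeps refreshing it.

```python
"""Auto-learned recipient cache for a relay (added example, not Exim's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Tuple

# RCPT-time outcomes, using the reply codes the thread talks about
ACCEPT, REJECT, DEFER = "250", "550", "421"


class VerifyUnavailable(Exception):
    """The next-hop host could not be contacted, so nothing can be learned."""


@dataclass
class CacheEntry:
    valid: bool          # positive (True) or negative (False) record
    last_seen: datetime  # refreshed every time the address is seen


class RecipientCache:
    def __init__(self, verify: Callable[[str], bool], expire_after: timedelta) -> None:
        # verify(): True = next hop accepted, False = actively rejected,
        # raises VerifyUnavailable when the host is down
        self._verify = verify
        self._expire_after = expire_after
        self._entries: Dict[str, CacheEntry] = {}

    def check(self, address: str, now: datetime) -> str:
        """Decide a RCPT TO for `address` at time `now`; returns a reply code."""
        addr = address.lower()
        entry = self._entries.get(addr)
        if entry is not None and now - entry.last_seen <= self._expire_after:
            entry.last_seen = now        # refresh "last seen" for positive and negative records alike
            return ACCEPT if entry.valid else REJECT
        try:
            valid = self._verify(addr)   # callout only for unknown or expired addresses
        except VerifyUnavailable:
            return DEFER                 # host down: tell the sender to retry, cache nothing
        self._entries[addr] = CacheEntry(valid=valid, last_seen=now)
        return ACCEPT if valid else REJECT

    def forget(self, address: str) -> bool:
        """Manual intervention: drop a record so the next RCPT triggers a fresh callout."""
        return self._entries.pop(address.lower(), None) is not None

    def expire(self, now: datetime) -> int:
        """Remove records not seen within expire_after; returns how many were dropped."""
        stale = [a for a, e in self._entries.items() if now - e.last_seen > self._expire_after]
        for a in stale:
            del self._entries[a]
        return len(stale)

    def size(self) -> int:
        return len(self._entries)


class FakeNextHop:
    """Constructed stand-in for the client's real mail server, not a real SMTP callout."""
    def __init__(self, valid_addresses: Iterable[str]) -> None:
        self.valid = {a.lower() for a in valid_addresses}
        self.online = True
        self.callouts = 0

    def verify(self, address: str) -> bool:
        if not self.online:
            raise VerifyUnavailable(address)
        self.callouts += 1
        return address in self.valid


def demo() -> Tuple[List[str], int, int]:
    """Walk through the scheme; returns (reply codes, callouts made, records expired)."""
    hop = FakeNextHop(["alice@example1.com"])
    cache = RecipientCache(hop.verify, expire_after=timedelta(days=90))
    t0 = datetime(2012, 6, 30, 12, 0)
    results = [
        cache.check("alice@example1.com", t0),    # 250: callout, positive record learned
        cache.check("Alice@Example1.com", t0),    # 250: served from cache, no callout
        cache.check("mallory@example1.com", t0),  # 550: callout, negative record learned
    ]
    hop.online = False
    results.append(cache.check("mallory@example1.com", t0))  # 550: cache answers even with host down
    results.append(cache.check("bob@example1.com", t0))      # 421: unknown address, host unreachable
    hop.online = True
    hop.valid.add("bob@example1.com")
    results.append(cache.check("bob@example1.com", t0 + timedelta(days=1)))  # 250: learned once host is back
    # Chris's twist: a negative record that keeps being seen keeps being refreshed
    results.append(cache.check("mallory@example1.com", t0 + timedelta(days=80)))  # 550 from cache
    cache.forget("mallory@example1.com")
    results.append(cache.check("mallory@example1.com", t0 + timedelta(days=80)))  # 550 after a fresh callout
    expired = cache.expire(t0 + timedelta(days=95))  # alice and bob age out, mallory (seen day 80) stays
    return results, hop.callouts, expired


if __name__ == "__main__":
    print(demo())
```

The defer path is what makes the scheme safe for a backup MX: an unknown address while the client's host is down yields a 421 instead of either a blind accept (backscatter later) or a blind reject (lost mail), and the cache keeps answering for every address it has already learned.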


jgh at wizmail

Jul 1, 2012, 6:19 AM

Post #13 of 13 (512 views)
Re: Exim is forwarding spam.

On 2012-06-30 17:57, Chris Knadle wrote:
> BTW are you doing any mail relaying? If you're relaying mail for any domains,
> you can end up in Exim sending "backscatter spam" due to not being able to
> validate the recipient of the email.

The next version of Exim should include a feature called "cutthrough routing"
which takes out another source of backscatter (when a domain you
forward to does content-filtering and rejects at DATA time).
--
Jeremy



