
[OT] spam filtering with exim



I've been using exim as my MTA since it became the default Debian MTA.
I have the following line in /etc/exim.conf:
rbl_domains = rbl.maps.vix.com/reject : outputs.orbs.org/warn : \
    spamsource-netblocks.orbs.org/reject : blackholes.mail-abuse.org/reject : \
    relays.mail-abuse.org/warn : inputs.orbs.org/warn : manual.orbs.org : \
    spamsources.orbs.org/reject

(really that's all on one line, I've just broken it up for mail)

However, this fails to catch a lot of spam, because apparently it only
checks the first hop taken by the mail message.  Most spammers these days
aren't using such a simple scheme.  Consider the following spam headers:

Received: from mail.foo.com (mail.foo.com) [::ffff:123.45.67.89]
        by spider.morgul.net with esmtp (Exim 3.12 #1 (Debian))
        id 14ij8d-0005l0-00; Thu, 29 Mar 2001 15:35:23 -0500
Received: from foobar.baz.com (foobar.baz.com [98.76.54.32])
        by mail.foo.com (Postfix) with SMTP
        id AE69838530; Thu, 29 Mar 2001 11:09:41 -0900 (AKST)

OK, the names and IP addresses of the other networks/hosts have been
changed.  mail.foo.com is the hop right before reaching my mail server
(spider.morgul.net).  The thing is, mail.foo.com is the open relay, but
exim is only checking foobar.baz.com, which is not an open relay.

How can I handle such cases?  It would appear as though foobar.baz.com
actually generated the spam, as it's not a relay and it's the apparent
originator of this message.  I can contact them and request that they
stop (or contact their ISP), but I would still rather this message had not
reached my inbox to begin with.  I would like exim to add its special
open relay header, which I filter to a different mailbox.

Thanks.
noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
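The approach the post is asking for, walking every Received: header rather than only the connecting host and looking each relay IP up in a DNSBL, as an added example. This is a stand-alone Python script written for this thread, not exim's own code and not an exim option. It reuses the two (already anonymised) Received: lines quoted above as its sample input, mirrors the zone/action syntax of the rbl_domains line, and, so that it runs offline, substitutes a constructed lookup table for real DNS; the zone names and the "listed" answers in that table are assumptions for the demo. One caveat a practitioner should keep in mind is built in: only the top-most Received: line was written by the receiving server itself, so the IP in it is trustworthy, while deeper lines were written by other relays and can be forged by a spammer, which is why the checker records the hop depth and lets the caller cap it.

```python
"""Walk every Received: header of a message and look each relay IP up in
one or more DNS blocklists (DNSBLs), not just the connecting host.

Added example for this thread, not exim's own code.  The sample headers are
the anonymised ones quoted in the post; the resolver used in the demo is a
constructed lookup table (assumption) so that the script runs offline."""

import ipaddress
import re
import socket

# Constructed sample: the two Received: lines quoted in the post.
SAMPLE_HEADERS = """\
Received: from mail.foo.com (mail.foo.com) [::ffff:123.45.67.89]
        by spider.morgul.net with esmtp (Exim 3.12 #1 (Debian))
        id 14ij8d-0005l0-00; Thu, 29 Mar 2001 15:35:23 -0500
Received: from foobar.baz.com (foobar.baz.com [98.76.54.32])
        by mail.foo.com (Postfix) with SMTP
        id AE69838530; Thu, 29 Mar 2001 11:09:41 -0900 (AKST)
"""

# zone -> action, in the spirit of the rbl_domains line in the post.
ZONES = {
    "rbl.maps.vix.com": "reject",
    "relays.mail-abuse.org": "warn",
}

_IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def unfold_headers(raw):
    """Join RFC 822 continuation lines (those starting with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_ips(raw):
    """Return the relay IPs in Received: order (hop 1 = the host that spoke
    to our server).  IPv4-mapped IPv6 literals such as ::ffff:1.2.3.4 are
    collapsed to IPv4 so they can be queried in an IPv4 DNSBL."""
    ips = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = _IP_IN_BRACKETS.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed literal: skip rather than crash
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        ips.append(addr)
    return ips


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed octets under the zone."""
    if ip.version != 4:
        raise ValueError("IPv4-only DNSBL zones")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def dns_resolver(name):
    """Real resolver: listed if the name has an A record, else not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_chain(raw, zones, resolve=dns_resolver, max_hops=None):
    """Check every hop's IP against every zone; return (verdict, hits).
    Only the top-most Received: line was written by our own server; deeper
    lines were written by other relays and a spammer can forge them, so
    max_hops lets the caller stop after the hops it is willing to trust."""
    hits = []
    verdict = "ok"
    for hop, ip in enumerate(received_ips(raw), start=1):
        if max_hops is not None and hop > max_hops:
            break
        for zone, action in zones.items():
            try:
                name = dnsbl_query_name(ip, zone)
            except ValueError:
                continue
            answer = resolve(name)
            if answer is not None:
                hits.append((hop, str(ip), zone, action, answer))
                if action == "reject":
                    verdict = "reject"
                elif verdict == "ok":
                    verdict = "warn"
    return verdict, hits


# Constructed offline resolver (assumption): pretend hop 1 is listed as a
# relay and hop 2 is listed in the reject zone.
FAKE_DNSBL = {
    "89.67.45.123.relays.mail-abuse.org": "127.0.0.2",
    "32.54.76.98.rbl.maps.vix.com": "127.0.0.2",
}


def demo():
    return check_chain(SAMPLE_HEADERS, ZONES, resolve=FAKE_DNSBL.get)


if __name__ == "__main__":
    verdict, hits = demo()
    print(verdict)
    for hit in hits:
        print("hop %d %s listed in %s (%s) -> %s" % hit)
```

Run against a real message, drop the resolve= argument so socket.gethostbyname does the DNSBL lookups, and pass max_hops=1 (or however many upstream relays you actually trust) if you do not want forged Received: lines further down the chain to influence the verdict.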
