
Re: [OT] spam filtering with exim



on Thu, Mar 29, 2001 at 04:42:12PM -0500, Noah L. Meyerhans (frodo@morgul.net) wrote:
> I've been using exim as my MTA since it became the default Debian MTA.
> I have the following line in /etc/exim.conf:
> rbl_domains = rbl.maps.vix.com/reject : outputs.orbs.org/warn : \
> spamsource-netblocks.orbs.org/reject : blackholes.mail-abuse.org/reject\
> :relays.mail-abuse.org/warn : inputs.orbs.org/warn : manual.orbs.org : \
> spamsources.orbs.org/reject
> 
> (really that's all on one line, I've just broken it up for mail)
> 
> However, this fails to catch a lot of spam, because apparently it only
> checks the first hop taken by the mail message.  Most spammers these days
> aren't using such a simple scheme.  Consider the following spam headers:
> 
> Received: from mail.foo.com (mail.foo.com) [::ffff:123.45.67.89]
>         by spider.morgul.net with esmtp (Exim 3.12 #1 (Debian))
>         id 14ij8d-0005l0-00; Thu, 29 Mar 2001 15:35:23 -0500
> Received: from foobar.baz.com (foobar.baz.com [98.76.54.32])
>         by mail.foo.com (Postfix) with SMTP
>         id AE69838530; Thu, 29 Mar 2001 11:09:41 -0900 (AKST)

My understanding is that the spam block only works if the direct
connection is coming from an RBL/ORBS listed IP.  In which case, exim
drops or refuses the connection.

> OK, the names and IP addresses of the other networks/hosts have been
> changed.  mail.foo.com is the hop right before reaching my mail server
> (spider.morgul.net).  The thing is, mail.foo.com is the open relay, but
> exim is only checking foobar.baz.com, which is not an open relay.
> 
> How can I handle such cases?  

procmail?

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
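
An added example, not part of the original thread: a Python sketch of the per-hop check that a delivery-time filter would have to perform, since the MTA's RBL test only sees the connecting IP. The function names are hypothetical, the sample message is constructed from the headers quoted above, and the zone passed in is one named in the quoted rbl_domains line.

```python
import re
import socket
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the thread.
SAMPLE = """\
Received: from mail.foo.com (mail.foo.com) [::ffff:123.45.67.89]
\tby spider.morgul.net with esmtp (Exim 3.12 #1 (Debian))
\tid 14ij8d-0005l0-00; Thu, 29 Mar 2001 15:35:23 -0500
Received: from foobar.baz.com (foobar.baz.com [98.76.54.32])
\tby mail.foo.com (Postfix) with SMTP
\tid AE69838530; Thu, 29 Mar 2001 11:09:41 -0900 (AKST)
Subject: test

body
"""

# Bracketed IPv4 literal, optionally written as an IPv4-mapped IPv6 address.
IPV4 = re.compile(r"\[(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw_message):
    """Return the sending IP recorded in each Received header, newest hop first."""
    ips = []
    for header in message_from_string(raw_message).get_all("Received", []):
        # Only the "from ..." clause names the sender; drop everything after "by".
        from_part = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        m = IPV4.search(from_part)
        if m and all(int(octet) <= 255 for octet in m.group(1).split(".")):
            ips.append(m.group(1))
    return ips

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_listed(name):
    """True if the query name resolves, which is how a DNSBL signals a listing."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def listed_hops(raw_message, zones, resolve=dns_listed):
    """Return (ip, zone) for every hop in the message that a zone lists."""
    return [(ip, zone) for ip in relay_ips(raw_message)
            for zone in zones if resolve(dnsbl_name(ip, zone))]
```

Only the Received line added by your own server is trustworthy; the lines below it are supplied by earlier hops and can be forged, so a hit on an earlier hop is better used to tag or score a message than to reject it outright.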
