
Re: Debian Lists, USENET & Spam



On Tue, Jan 08, 2002 at 12:40:06AM +0100, martin f krafft wrote:
| also sprach Karsten M. Self <kmself@ix.netcom.com> [2002.01.07.2215 +0100]:
 
| > ...how would one do this via procmail, filtering on 'Received'
| > lines?  Anything from this domain should be forwarded to a spam
| > complaint address and shitcanned.
| 
| well, the best way (and the most complicated) is to set up your own
| rbl domain and then use your MTA's features,

What does it take to set up an RBL domain?  My guess is that you just
need a DNS server.

(I can't filter on IPs anyways since 99.99% of my mail comes out of
pony-express.cs.rit.edu due to my .forward file there, if you use
"dman@dman.ddts.net" it will go straight to my machine)

| why can't you block with exim system-wide?

You can set up various things in exim's main config, or install a system
filter (which can do stuff a user's filter can't such as 'fail').  I
haven't gotten into the details of a system filter yet.

| and dman said that exim can incorporate your own filters on a user
| basis...

Yes -- I've got both ~/.exim/filter, which is the filter file for
messages to be delivered to me, and ~/.exim/bouncelist which is a list
of regexes for rejecting senders (that exim, not my filter file,
checks).

| i don't know if it can do that for IP ranges, but it's worth a try.
| 
| dman, any hints?

Untested, but in general :

# Exim filter
if $header_Received: matches "The PCRE you want" then
    # what do you want to do?

    # we can create a new mail message to send somewhere
    # (the address, subject and text are placeholders)
    mail to <blah> subject "<blah>" text "<blah>"

    # we can drop it in a junk folder
    # (the trailing slash makes exim write a maildir)
    save path/to/folder/

    # or we can pretend it is delivered though it isn't
    # (effectively save to /dev/null but without any file writes)
    seen finish
endif


This assumes that the contents of the $header_Received: variable (any
header can be accessed via $header_Name:) is structured the way you
want.  If you want to check for the given IP in a flat-file list of
IPs something like the following should work :

    (the if is all one line)

if "${lookup {${sg{$header_Received:}{<pattern>}{<replacement>}}} lsearch {$home/.exim/rbl_list} {Relay} }" is "Relay"
then
    # deal with it as above
    seen finish
endif


See section 9 of spec.txt.gz for a full explanation of string
expansions.  Also read filter.txt.gz for full details on filtering.
Each ${} thing is a string expansion.  The ${lookup <...>} expansion
looks up the key with the given method (lsearch, ldap, nis+, postgres,
etc).  It looks for an exact key.  A note about lsearch : you can't
have colons in the data.  It is not really a flat list, but a mapping,
and a colon separates the key from the value.  If EOL is reached
before finding a colon then the value is the empty string.  The ${sg }
expansion is like sed or perl's  s/pattern/replacement/g  construct.
The last value ( {Relay} ) is the value the string takes if the lookup
is successful.  Comparing it with the 'is' operator determines whether
or not the given "key" was located.

I don't know how effective this will be -- a lot hinges on your ability
to parse out the IP from the Received: headers.  Not only that, but
exim's filter language is not Turing complete.  You don't have any
general iteration mechanism nor can you assign to variables.  I think
that would be essential to check each IP from each Received: header.


-----
The above was written based on my current knowledge and experience
(aside from looking up ${sg}).  The below are some musings based on my
reading of spec.txt.gz just now.
-----

From section 7.13 "Host lists" :
 
 .   If the item is of the form

       net<number>-<search-type>;<search-data>

     for example:

       net24-dbm;/networks.db

     then the IP address of the subject host is masked using <number> as the
     mask length; a textual string is then constructed from the masked value,
     followed by the mask, and this is then used as the key for the lookup.
     For example, if the host's IP address is 192.168.34.6 then the key that
     is looked up for the above example is '192.168.34.0/24'. IPv6 addresses
     are converted to a text value using lower case letters and full stops
     (periods) as separators instead of the more usual colon, because colon is
     the key terminator in "lsearch" files. Full, unabbreviated IPv6 addresses
     are always used.

 .   If the item is of the form

       net-<search-type>;<search-data>

     then the text form of the IP address of the subject host is used unmasked
     as the lookup key. This is not the same as specifying "net32" for an IPv4
     address or "net128" for an IPv6 address, because the mask value is not
     included in the key. However, IPv6 addresses are still converted to an
     unabbreviated form, using lower case letters and full stops as
    


Ok, so it will be easy for you to make a blacklist with an lsearch
file.  Now I'll look some more to see which director option(s) to set
for this too.


In section 11 "Main Configuration" the following variable is mentioned.

host_reject                    Type: host list                 Default: unset

    If this option is set, incoming SMTP calls from the hosts listed (possibly
    also qualified by an RFC 1413 identification) are rejected as soon as the
    connection is made. See chapter 46 for more details.


A snippet from section 46 :


46.2 Other host checking

Exim rejects incoming SMTP calls from any host that matches "host_reject". 

<example snipped>

Calls are rejected as a result of these options by sending a 5xx error code as
soon as the connection is received. Since this does not relate to any
particular message, the remote host is likely to keep on trying to send mail
 <more snippage,
  I'm trying to make this as short as possible, but still complete>
but when dealing with incoming spam, for
example, one normally wants messages to be rejected once and for all, and in
this case, "host_reject_recipients" should be used instead of "host_reject".

A call from a host which matches "host_reject_recipients" is not rejected at
the start; instead, every RCPT command is subsequently rejected, which should
cause the remote MTA to cease trying to deliver the message. This style of
blocking also has the advantage of catering for exceptions for certain
recipients, via the "recipients_reject_except" option. This is commonly set to
the local postmaster address.


(Philip Hazel has done a great job of making an easily configurable
and flexible MTA and has documented it equally well)

Ok, back up to section 11 :

host_reject_recipients         Type: host list                 Default: unset

    If this option is set, all recipients in incoming SMTP calls from the
    hosts listed, possibly also qualified by an RFC 1413 identification, are
    rejected. Chapter 46 contains details of this facility, which differs from
    "host_reject" only in the point in the SMTP dialogue at which the
    rejection occurs.



So, Karsten, put this in the first section of your exim.conf file :


host_reject_recipients = net16-lsearch;/etc/exim/host_blacklist


and create /etc/exim/host_blacklist that looks like

--------------
216.242.0.0/16
--------------


If you want to use other block sizes just add them to the host list
above; eg  net32-lsearch;/etc/exim/host_blacklist.  The differing
subnet masks won't interfere since the lookup is done on an exact key.


I'll keep the discussion of filtering above in case someone finds it
interesting to read.

HTH,
-D

-- 

It took the computational power of three Commodore 64s to fly to the moon.
It takes at least a 486 to run Windows 95.
Something is wrong here.
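The following is an added illustration, not part of the original post and not exim's own code: a small Python model of what the quoted section 7.13 describes, namely how an IP address becomes the key for a net<number>-lsearch or net-lsearch item (masked address plus "/<mask>", IPv6 written out in full with dots instead of colons because a colon ends an lsearch key), how an lsearch file maps keys to values, and why entries for different block sizes can share one file. It also does what the post says the filter language cannot do: walk every Received: header and check each relay address. The blacklist contents, the Received: lines and the bracketed-IP regex are constructed for the example, and the regex is a simplification of real header parsing.

```python
import ipaddress
import re

# Constructed stand-in for /etc/exim/host_blacklist (lsearch format:
# one "key" or "key: value" per line; keys may not contain colons).
HOST_BLACKLIST = """\
# constructed example blacklist
216.242.0.0/16
10.0.0.0/8: lab range, constructed entry
2001.0db8.0000.0000.0000.0000.0000.0000/32
"""

# Constructed Received: headers, in the order they appear in a message.
SAMPLE_RECEIVED = [
    "Received: from localhost ([127.0.0.1]) by mail.example.invalid; Tue, 08 Jan 2002",
    "Received: from relay.example.invalid ([216.242.12.34]) by mail.example.invalid",
]


def parse_lsearch(text):
    """Parse lsearch data into {key: value}.

    The key runs up to the first colon; the rest of the line is the value.
    A line with no colon maps to the empty string, as the post describes.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        table[key.strip()] = value.strip() if sep else ""
    return table


def ip_text(addr):
    """Text form used in the key: dotted quad for IPv4; full, unabbreviated,
    lower-case IPv6 with dots instead of colons (colon terminates an lsearch key)."""
    if addr.version == 6:
        return addr.exploded.lower().replace(":", ".")
    return str(addr)


def net_key(ip, masklen=None):
    """Key for a host-list item.

    net<masklen>-<type>;  -> masked address followed by "/<masklen>"
    net-<type>;           -> unmasked text form of the address
    """
    addr = ipaddress.ip_address(ip)
    if masklen is None:
        return ip_text(addr)
    network = ipaddress.ip_network(f"{addr}/{masklen}", strict=False)
    return f"{ip_text(network.network_address)}/{masklen}"


def host_matches(ip, table, masklens):
    """Emulate a host list made of one net<n>-lsearch item per mask length.

    Each key carries its own "/<n>" suffix, so entries for different block
    sizes in the same file never collide: the lookup is on an exact key.
    """
    return any(net_key(ip, n) in table for n in masklens)


# Simplifying assumption: the relay address is the first bracketed IPv4 literal.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers):
    """Extract the bracketed IPv4 literal from each Received: line."""
    ips = []
    for header in headers:
        m = IP_IN_BRACKETS.search(header)
        if m:
            ips.append(m.group(1))
    return ips


def first_listed_relay(headers, table, masklens):
    """Check every Received: hop (the filter language cannot iterate like this);
    return the first listed relay address, or None if no hop is listed."""
    for ip in received_ips(headers):
        if host_matches(ip, table, masklens):
            return ip
    return None


if __name__ == "__main__":
    table = parse_lsearch(HOST_BLACKLIST)
    print(net_key("192.168.34.6", 24))                            # 192.168.34.0/24
    print(first_listed_relay(SAMPLE_RECEIVED, table, (16, 32)))   # 216.242.12.34
```

With masklens (16, 32) the script behaves like a host list of two items, net16-lsearch and net32-lsearch, pointing at the same file; a 216.242.x.x relay hits the /16 entry while an address in a neighbouring /16 does not, which is the exact-key behaviour the post relies on.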


