Re: exim filtering



On Mon, Dec 09, 2002 at 03:52:38PM +1100, Rob Weir wrote:
> Another solution is to use spamassassin which does this amongst many
> other tests.  dman has a rather nice guide on his site, IIRC :)

No, it does not achieve what I want.  I do, of course, use spamassassin
and find it extremely useful.  However, in this case, I don't ever want
to even accept the messages from the spammer.  After all, if I accept it
and bounce it it will only go to an unread box at some webmail provider,
which has probably already been shut off or exceeded quota due to this
forgery.  I want to reject the mail as soon as I see "mail from:
<user>@yahoo.com" in an SMTP conversation with a non-yahoo host
(excluding my own MX hosts, of course).  Basically, I want the delivery
to fail while the spammer is still connected to my mail server, even if
it's only via some hijacked relay in Korea.

I have written a nice little script that comes very close to meeting my
exact requirements.  It is written in the exim filter language, and can
be enabled in exim.conf with the message_filter keyword.  The script is
attached, in case others find it interesting.  It works with woody's
exim and can either tag or reject forged yahoo or hotmail messages,
depending on which lines are commented out.  I've simply been having it
tag forged webmail, for debugging purposes, but it has worked flawlessly
for me, and I would feel comfortable having it reject them.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

# Exim 3 system filter, enabled with the message_filter option in exim.conf.
# A system filter runs once per message, after Exim has already accepted it,
# so "fail" here produces a bounce rather than an SMTP-time rejection.

# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
if not first_delivery
then
  finish
endif

### flag messages from addresses @hotmail.com that lack the
### X-Originating-IP header that the hotmail servers add.  With
### this in place, forged messages from hotmail should get caught.
### Mail addressed to postmaster is always let through; $recipients
### (the system-filter variable listing all envelope recipients) is
### used for that test, since a bare local part never contains "@".
### Uncomment the "fail" line if this works well...
if $sender_address contains "@hotmail.com" and
   $recipients does not contain "postmaster@" and
   $h_X-Originating-IP: is ""
then
   logfile /var/log/exim/hotmail.log
   logwrite "$message_id from $sender_address to $recipients did not really come from hotmail"
   headers add "X-Hotmail-Warning: This message did not pass through a hotmail server"
   #fail "This message did not pass through a hotmail server"

### yahoo webmail stamps "mail.yahoo.com via HTTP" into its Received
### line; $header_Received holds all Received headers concatenated,
### so the test sees every hop.
elif $sender_address contains "@yahoo.com" and
     $sender_address does not contain "abuse@yahoo.com" and
     $recipients does not contain "postmaster@" and
     $header_Received does not contain "mail.yahoo.com via HTTP"
then
     logfile /var/log/exim/webmail.log
     logwrite "$message_id from $sender_address to $recipients did not really come from yahoo"
     headers add "X-Webmail-Warning: This message did not pass through yahoo servers"
     #fail "This message did not pass through yahoo servers"
endif


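The same two heuristics can be applied before the message is accepted, which is what the post asks for and what a message_filter cannot do (it runs after acceptance, and "fail" there sends a bounce). The fragment below is an added example, not the poster's script: it is Exim 4 ACL syntax, which woody's Exim 3 does not have. Because the Received and X-Originating-IP headers only exist once the client has sent the body, the check runs from the DATA ACL, where "deny" returns a 5xx to the final "." of DATA while the sending host is still connected. The relay_from_hosts addresses, the log text and the reply text are placeholders.

```conf
# Exim 4 configuration fragment (added example, not the filter script above;
# Exim 4 ACL syntax, which woody's Exim 3 does not have).
# Placeholder: this site's own MX/relay hosts, which may use any sender.
hostlist relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# Headers are only available after DATA, so the check lives in the DATA ACL;
# a "deny" here is a 5xx reply before the message is accepted or queued.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Our own hosts (and anything we relay for) are exempt.
  accept  hosts = +relay_from_hosts

  # Mail to postmaster is always accepted, whatever the envelope sender.
  accept  condition = ${if match{$recipients}{postmaster@}{yes}{no}}

  # Hotmail's own servers add X-Originating-IP; a hotmail.com sender
  # whose message lacks it did not pass through hotmail.
  deny    senders     = *@hotmail.com
          condition   = ${if def:h_X-Originating-IP: {no}{yes}}
          log_message = forged hotmail sender $sender_address from $sender_host_address
          message     = Message claims to be from hotmail.com but did not pass through a hotmail server

  # Yahoo webmail stamps "mail.yahoo.com via HTTP" into its Received line;
  # $h_Received: holds every Received header, so any hop satisfies it.
  deny    senders     = *@yahoo.com
          !senders    = abuse@yahoo.com
          condition   = ${if match{$h_Received:}{mail[.]yahoo[.]com via HTTP}{no}{yes}}
          log_message = forged yahoo sender $sender_address from $sender_host_address
          message     = Message claims to be from yahoo.com but did not pass through a yahoo server

  accept
```

Rejecting at "mail from:" time instead, as the post describes, would need a list of the providers' real outbound hosts rather than a header heuristic, since no headers have been seen at that point; the DATA-time deny still fails the delivery before the message is queued, so no bounce is generated to the forged address.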