On Tue, Nov 26, 2002 at 11:48:10AM -0500, Noah L. Meyerhans wrote:
| A particularly effective anti-spam tool that I've seen in use is to block
| mail claiming to be from a webmail provider (e.g. hotmail) that never
| actually passed through a server controlled by that webmail provider.
|
| Has anybody written such a filter for exim that can be run system-wide?
| I want to do it in exim because I don't have a global procmail filter in
| place and would rather not introduce one if I can get away with it.
I haven't tested this out, but Dave C. on the exim-users list posted this a
while back:

  # All hotmail.com mail should have this header
  warn  sender_domains = hotmail.com
        message        = X-Forgery: HOTMAIL
        condition      = ${if def:header_X-Originating-IP: {no}{yes}}

  # All aol.com mail should have this header
  warn  sender_domains = aol.com
        message        = X-Forgery: AOL (mailer)
        condition      = ${if match {$h_X-Mailer:}{.*[Aa][Oo][Ll].*} {no}{yes}}

  # All aol.com mail should have a matching received header
  # (the backslash is doubled because the pattern is string-expanded before
  # the regex is compiled; a single \. would be reduced to . and match any
  # character)
  warn  sender_domains = aol.com
        message        = X-Forgery: AOL (server)
        condition      = ${if match {$h_Received:}{.*by.*[Aa][Oo][Ll]\\.[Cc][Oo][Mm].*} {no}{yes}}
  ## -----------------------------------------------------------------------

This goes inside the rcpt acl. (acls are a feature added in the 4.x
series. unfortunately the debian maintainer hasn't packaged it yet.)

All the acl does here is add an X-Forgery: header to the message (due to
the use of 'warn'). To test this I recommend delivering matching messages
to a separate folder and looking for false hits. If you are satisfied that
the test works well enough then change 'warn' to 'deny' and exim will
reject the mail outright. (don't do that if you use fetchmail because
fetchmail will complain that it couldn't deliver the message)

Of course, if someone has a hotmail or aol account but instead uses
Outhouse to send mail "from" that account it will fail these tests.
Looking at the set of messages I haven't deleted yet, I have 2 messages
(from one person) which were tagged for this reason, and a lot of known
junk which was tagged.

On a different mailing list someone suggested a similar tactic for
postfix. I believe, but am not quite sure, that this postfix config only
allows hotmail.com mail to be received from a host in the hotmail.com ip
range.
--- In postfix' main.cf:

1) add to your smtpd_sender_restrictions the access file
   hash:$config_directory/freemail_access

2) create or add:
   smtpd_restriction_classes = from_yahoo_host, from_aol_host,
                               from_hotmail_host, from_msn_host

3) For each of aol/hotmail/msn/yahoo add a line like this:
   from_yahoo_host = check_client_access hash:$config_directory/host_yahoo, reject
   and the host_yahoo file containing just "yahoo.com OK"

4) postmap the freemail_access and *_host files.

here's the freemail_access file:

   yahoo.com     from_yahoo_host
   aol.com       from_aol_host
   hotmail.com   from_hotmail_host
   msn.com       from_msn_host

note that some people send @msn.com mail from hotmail servers, so the
host_hotmail and host_msn files should contain both domains each.
---

HTH,
-D

--
If your life is a hard drive, Christ can be your backup.
http://dman.ddts.net/~dman/
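The three Exim header checks and the Postfix client-host rule from the message above, re-implemented in Python as an added example so the logic can be run over sample messages offline. This is not Dave C.'s, dman's or either MTA's code: the rule table, the function names, the sample messages, hostnames and IPs are all constructed for illustration, and the envelope sender is passed in by hand because Exim's sender_domains and Postfix's sender restrictions look at the envelope, not the From: header.

```python
import re
from email import message_from_string
from email.message import Message


def _flat(value) -> str:
    """Unfold a header value so a folded Received: line becomes one string."""
    return " ".join(str(value).split())


# One entry per 'warn' statement: (sender domain, X-Forgery tag, test that a
# genuine message passes).  The ACL tags a message when the test is false,
# which is what its {no}{yes} conditions express.
def _has_originating_ip(msg: Message) -> bool:
    return msg.get("X-Originating-IP") is not None


def _aol_mailer(msg: Message) -> bool:
    return re.search(r"aol", _flat(msg.get("X-Mailer", "")), re.I) is not None


def _aol_received(msg: Message) -> bool:
    # Exim's $h_Received: is every Received: header joined by newlines, and
    # '.*' does not cross a newline, so each header is matched on its own.
    received = "\n".join(_flat(v) for v in msg.get_all("Received", []))
    return re.search(r"by.*aol\.com", received, re.I) is not None


RULES = [
    ("hotmail.com", "HOTMAIL", _has_originating_ip),
    ("aol.com", "AOL (mailer)", _aol_mailer),
    ("aol.com", "AOL (server)", _aol_received),
]


def _domain(envelope_from: str) -> str:
    return envelope_from.rpartition("@")[2].lower()


def forgery_tags(envelope_from: str, raw_message: str) -> list:
    """Return the X-Forgery: tags the ACL would attach to this message."""
    msg = message_from_string(raw_message)
    domain = _domain(envelope_from)
    return [tag for dom, tag, genuine in RULES if dom == domain and not genuine(msg)]


def acl_verdict(envelope_from: str, raw_message: str, mode: str = "warn"):
    """'warn' accepts and lists the headers to add; 'deny' rejects on any hit."""
    tags = forgery_tags(envelope_from, raw_message)
    if mode == "deny" and tags:
        return ("deny", tags)
    return ("accept", ["X-Forgery: " + t for t in tags])


# Postfix variant: a sender domain listed in freemail_access is accepted only
# from a client whose reverse-DNS name is in, or under, one of the host
# domains; hotmail and msn share servers, so each lists both (assumed table).
FREEMAIL_HOSTS = {
    "yahoo.com": ("yahoo.com",),
    "aol.com": ("aol.com",),
    "hotmail.com": ("hotmail.com", "msn.com"),
    "msn.com": ("hotmail.com", "msn.com"),
}


def client_allowed(envelope_from: str, client_hostname: str) -> bool:
    allowed = FREEMAIL_HOSTS.get(_domain(envelope_from))
    if allowed is None:
        return True  # unlisted sender domains are not restricted
    host = client_hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


# Constructed sample messages (not real mail); IPs are documentation ranges.
FORGED_HOTMAIL = """Received: from zombie.example.net ([192.0.2.10]) by mx.example.org with smtp
From: someone@hotmail.com
Subject: special offer

body
"""

REAL_HOTMAIL = """Received: from hotmail.com ([198.51.100.7]) by mx.example.org with esmtp
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC
X-Originating-IP: [203.0.113.5]
From: someone@hotmail.com
Subject: hello

body
"""

REAL_AOL = """Received: from user.example.com (user.example.com [203.0.113.9]) by mta.mx.aol.com id abc
From: someone@aol.com
X-Mailer: AOL 8.0 for Windows
Subject: hello

body
"""

# The false positive dman mentions: a real aol.com account sent through an
# ISP relay with a third-party mail client.
OUTLOOK_AOL = """Received: from desktop.example.net ([203.0.113.9]) by smtp.example.net with esmtp
From: someone@aol.com
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Subject: hi

body
"""
```

`forgery_tags("x@aol.com", OUTLOOK_AOL)` returns both AOL tags even though the account is genuine, which is why the thread recommends running in 'warn' mode and sorting the tagged mail into a folder before switching to 'deny'; `client_allowed` shows the Postfix approach, which never looks at headers at all and so cannot be fooled by a spammer who adds an X-Originating-IP: line.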