1

I've got local_acl_check_data to reject the typical spammer tactic of using the same address as From: and To:, but since some less-spammy sources, such as Yahoo Groups, do this, I'm using a whitelist as well. Here is the ACL:

 # block spammers who use the same "from" and "to" address accept senders = ${if exists{CONFDIR/local_sender_whitelist}\ {CONFDIR/local_sender_whitelist}\ {}} deny condition = ${if eqi{${address:$h_from:}}{${address:$h_to:}}{true}{false}} log_message = rejecting spam with to:${address:$h_to:} and from:${address:$h_from:} message = Message identified as spam. If you think this is wrong, get in touch with postmaster

Problem is, when I test with:

 jcomeau@tektonic:~$ cat bin/testacl exim4 -bh 66.163.168.186 <<EOT helo tester mail from: [email protected] rcpt to: [email protected] data from: [email protected] to: [email protected] subject: should be ok this one should not reject . mail from: [email protected] rcpt to: [email protected] data from: [email protected] to: [email protected] subject: should reject this one should be rejected . quit EOT

It works as expected: the first message is accepted because it found yahoogroups.com in the whitelist, and the second was rejected. But in real operation, the yahoogroups.com emails are rejected by that ACL along with the spammers. I'm using 4.72-6, and this has happened for all the versions I've been using for the last few years. I've run out of ideas.

As requested, the log of exim4 rejecting a message which should have passed:

 jcomeau@tektonic:~$ grep -C2 Freecycle /var/log/exim4/rejectlog 2011-02-25 09:52:00 1Psz1U-00020g-79 H=n52c.bullet.mail.sp1.yahoo.com [66.163.168.186] F=<sentto-15991578-2122-1298645513-jc=example.com@returns.groups.yahoo.com> rejected after DATA: rejecting spam with to:[email protected] and from:[email protected] Envelope-from: <sentto-15991578-2122-1298645513-jc=example.com@returns.groups.yahoo.com> Envelope-to: <[email protected]> -- MIME-Version: 1.0 I Message-ID: Mailing-List: list [email protected]; contact [email protected] Delivered-To: mailing list [email protected] List-Id: <PetalumaFreecycle.yahoogroups.com> Precedence: bulk List-Unsubscribe: <mailto:[email protected]> Date: 25 Feb 2011 14:51:53 -0000 F From: [email protected] T To: [email protected] Subject: [Petaluma Freecycle] Digest Number 2122 X-Yahoo-Newman-Property: groups-digest-trad-m R Reply-To: "No Reply"<[email protected]> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

And here's what my testacl script shows for the first test:

 >>> using ACL "acl_check_data" >>> processing "accept" >>> check senders = ${if exists{/etc/exim4/local_sender_whitelist}{/etc/exim4/local_sender_whitelist}{}} >>> yahoogroups.com in "yahoogroups.com"? yes (matched "yahoogroups.com") >>> [email protected] in "/etc/exim4/local_sender_whitelist"? yes (matched "yahoogroups.com" in /etc/exim4/local_sender_whitelist) >>> accept: condition test succeeded LOG: 1PuxAz-0005jZ-B0 <= [email protected] H=n52c.bullet.mail.sp1.yahoo.com (tester) [66.163.168.186] P=smtp S=380 250 OK id=1PuxAz-0005jZ-B0
Improve this question
4
  • There is very little meat on your question. You need to post logs. What do the logs look like when you receive the mail you think should be blocked? What happens when you set it to another IP you control and both run it with -bh and actually receive email from that IP. Change your -bh example to use -d to get debugging output. In the controlled live example, set exim to listen to port 26 and run it in debug mode to see exactly what's happeneing. Commented Mar 2, 2011 at 20:05
  • OK, I didn't know if by posting logs I'd be overloading people with too much data. I'll try the things you suggest. Commented Mar 3, 2011 at 0:48
  • I ran it in debugging mode: exim4 -bd -d -oX 2525, and it does the same thing as when I did the -bh test. it accepts yahoogroups.com and rejects yahoo.com. next step set exim4 to log at the debug level? Commented Mar 3, 2011 at 2:10
  • I could kick myself; I was whitelisting the envelope-from address, which isn't the same as the From: address, it's returns.groups.yahoo.com. Fixed and waiting for another group email to confirm. Commented Mar 13, 2011 at 2:45

3 Answers 3

Reset to default
2

I have noticed this pattern, but don't think much is getting through. Try this 

 warn message = Message identified as spam. If you think this is wrong, \ get in touch with postmaster log_message = Possible spam with ${h_to:} as both from and to !senders = ${if exists{CONFDIR/local_sender_whitelist}\ {CONFDIR/local_sender_whitelist} {}} condition = ${if eqi{$h_from:}{$h_to:}{true}} control = freeze

I use control = freeze to hold messages for inspection when I am testing rules. If I find it accurate enough I change it to a deny rule.

EDIT: I tested this rule in my database of emails. Using zen.spamhaus.org as a DNS blacklist catches almost all these cases (467 of 483). Greylisting catches most of the rest (11 of 16). I found five message made it past those to tests. Of those three (60%) were legitimate email. The others had helo names which where either hostnames or second level domains. Adding a condition to check to ensure the helo name is at least a third level domain makes the rule reasonably safe. I am testing with:

 condition = ${if eq{${extract{3}{.}{$sender_helo_name}}}{}{true}}
Improve this answer
1
  • @jcomeau_ictx On its own this rule is quite accurate, but after applying other rules, it becomes highly inaccurate. I am testing with the added condition added in my edit. I no longer allow Spamhaus listed senders to send the email body, so my stats will be understated for the percentage that Spamhaus rejected. Commented Mar 3, 2011 at 1:18
2

The "sender", as Exim sees it is the envelope-from address, and that was in domain returns.groups.yahoo.com. Once I put that domain (completely; groups.yahoo.com doesn't work, neither does yahoo.com) into my local_sender_whitelist, the ACL worked.

It had worked during testing because I had used the envelope-from address of yahoogroups.com, the same as the From: address. Never bothered to check if that was the case in the emails from yahoo groups.

Improve this answer
1

You found a solution, and it's probably valid for your acl, but I just wanted to add this since it's something other people might run in to, even if it wasn't the problem in your specific use case.

exim -bh checks a lot of things, but doesn't connect to other hosts. If your ACL fails (or tempfails) if your callout checks fail, you need to use -bhc.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.