Lani's Study Books

Stopping Spam in the ACL

Exim ACL Spam Filters

This is a mirror of http://vamos-wentworth.org/exim-tricks.html (With a few very minor ammendments)
I have been unable to get to the site since september so I decided to mirror the above URL, It was very useful information for me when I first started out with exim hence my sharing it.

All credit goes to the original author, THIS IS NOT A DOCUMENT WRITTEN BY MYSELF so all rights go to the original author. rossz-work [at] vamos-wentworth [dot] org as well.

These antispam tips are for Exim 4.x. If you don't know how to modify the helo, rcpt, and data ACLs, then these suggestions won't do you much good.

###############################################################################
HELO ACL
###############################################################################

You can block a lot of spammers right after they say HELO. They have a tendency to lie but, fortunately, it's often easy to catch them in their lie.

The first thing a remote system is supposed to do when it connects is to say "HELO domain.com". It is legal to use an ip address with the HELO, but losing acceptance. A spammer might try to HELO with your own ip address. There is absolutely no legitimate reason for someone else to use your ip address here. Plug your own ip address in here where it says ##.##.##.##. Repeat this for each IP address you handle.

deny message = HELO/EHLO with my ip address. You are not me.
log_message = HELO/EHLO my.ip
condition = ${if eq {$sender_helo_name}{##.##.##.##} {yes}{no}}

Basically the same thing as the previous filter, but using your domain name instead of your ip address. You should repeat this filter for each domain you control.

deny message = HELO/EHLO with my domain name. You are not me.
log_message = HELO/EHLO my.domain
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}

Giving a domain name of 'none' isn't valid, so tell them to bugger off. This filter can be left out since the "period" filter below will catch it.

deny message = No HELO/EHLO name specified.
log_message = HELO/EHLO none
condition = ${if match {$sender_helo_name}{none} {yes}{no}}

A remote system saying they are localhost? Sure they are. This filter can also be omitted if you use the "period" filter below.

deny message = You are not localhost.
log_message = HELO/EHLO localhost
condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}

A proper domain will contain at least one period. A good percentage of spam worms HELO with random characters without a period.

deny message = Invalid HELO/EHLO. You are either spam/a virus, or your system administrator has incorrectly configured your network.
condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}

###############################################################################
RCPT ACL
###############################################################################

Spammers like to forge some big names when they send you email. We can't easily check all of them, not until Sender Permitted From (SPF) is widely used. At least we can check for some of the most commonly abused domains, Yahoo, Hotmail, MSN, and AOL. These four filters will reject email with forged From: addresses containing the "big four" domains.

#Fake Yahoo
deny message = Suspected Faked Yahoo Account, E-mail Rejected.
log_message = Fake Yahoo
senders = *@yahoo.com
condition = ${if match{$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

#Fake Hotmail
deny message = Suspected Faked Hotmail Account, E-mail Rejected.
log_message = Fake hotmail
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

#Fake MSN
deny message = Suspected Faked MSN Account, E-mail Rejected.
log_message = Fake MSN
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

# Fake AOL
deny message = Suspected Faked AOL Account, E-mail Rejected.
log_message = Fake AOL
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}

Of course, using a few good blacklists is a good idea. I put my blacklist checks immediately after the big four filters.

###############################################################################
DATA ACL
###############################################################################
A valid email should have a message id. Spamming software (and viruses) often don't. So refuse them. Note, this filter has been known to break the rare email sent from a highly customized Qmail server. Personally, I dont' care.

deny condition = ${if !def:h_Message-ID: {1}}
message = Message SHOULD have Message-ID: but does not

Email should have a proper date. So goodbye if it doesn't.

deny condition = ${if !def:h_Date: {1}}
message = Message SHOULD have Date: but does not

You'll need the Exiscan patch for the mime handling to work.

Required to do any mime handling, plus, a broken mime attachment might be an attempt to infect or break into your system.

deny message = Serious MIME defect detected ($demime_reason)
log_message = Broken MIME ($mime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}

Refuse dangerous attachments. This gets a large number of viruses. It also catches a lot of spam with hidden surprises.

deny message = $found_extension files are not accepted here
log_message = Dangerous extension ($found_extension)
demime = com:vbs:bat:pif:scr:exe

For Windows clients, Microsoft has included a lovely little surprise. It is possible to attach a file with a CLSID in the name which causes Windows to hide the file extension. This is entirely independent of the "Hide file extensions for known file types" folder option. This is extremely dangerous, so lets just refuse the bastards.

deny message = Hiding of file extensions is not allowed!
log_message = Dangerous extension (CLSID hidden)
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$

http://vamos-wentworth.org/exim-tricks.html
http://www.carbonstudios.co.uk/site/44/180.html