Blacklist To: not working

Daniel Bird dbird at SGHMS.AC.UK
Wed Jan 19 12:52:55 GMT 2005


Dan Haris wrote:

>Hi,
>
>We get a lot of spam sent to specific non-existent users, which I'm trying
>to block. We use what I believe is the latest stable MailScanner (4.37.7)
>along with Exim 4.32, as a gateway server. I've seen some discussion in the
>mailing list archives about blocking non-existent users at the mta level,
>but this seems to have only been on sendmail. For various reasons (mainly
>paranoid management) we don't want to go this route at the moment, but if
>anyone can point me in the right direction for this I'd appreciate it as it
>may be of use as a last resort.
>
You'll want to use Exim's callout function:
http://www.exim.org/exim-html-4.40/doc/html/spec.html

A far better solution is to "block" at the MTA level IMHO.

regards
Dan

> Our main mail servers (E-Smith/SME server)
>run QMail I think authenticating against an LDAP user database (although I
>may be talking rubbish there!).
>
>Anyhow, here's the question:
>
>I'm trying to blacklist a To: address in my
>/etc/MailScanner/rules/spam.blacklist.rules file with an entry like this:
>
>To:     user at domain.co.uk               yes
>
>Unfortunately this does not seem to be behaving as expected. Since I added
>this rule, I've had several spam emails get through to this address. Looking
>at the relevant headers from one of them below, the address seems to have
>been recognised as blacklisted, but assigned a HIGH SPAM SCORE of zero and
>says "Found to be clean":
>
>Subject: {Spam? High Score 0} Downl0ad National Treasure Movie
>To: xxx at yyyy.co.uk
>X-yyyy-MailScanner-Information: Please contact the IT Dept for more
>information
>X-yyyy-MailScanner: Found to be clean
>X-yyyy-MailScanner-SpamCheck: spam (blacklisted)
>
>There is no entry in the log for this spam (presumably as I don't bother
>logging non-spam). However there is an entry like this:
>
>Jan 18 03:29:35 mailscan MailScanner[7058]: Message 1Cqk3g-0001vb-Ep from
>218.232.191.173 (livptxxxx at yyyy.co.uk) to yyyy.co.uk is spam (blacklisted)
>
>This email did not get through.
>
>My MailScanner.conf contains the following:
>
>Definite Spam Is High Scoring = yes
>Required SpamAssassin Score = 5
>High SpamAssassin Score = 10
>SpamAssassin Auto Whitelist = yes
>Check SpamAssassin If On Spam List = yes
>Spam Actions = forward spamtrap at yyyy.co.uk
>High Scoring Spam Actions = delete
>Non Spam Actions = deliver
>
>Any ideas anyone?
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
>


--
____________________________________

Daniel Bird
Network and Systems Manager
Department Of Information Services
St. George's Hospital Medical School
Tooting
London SW17 0RE

P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan at sghms.ac.uk
____________________________________

Computing Services Homepage:
http://www.intranet.sghms.ac.uk/depts/is/cu/

The Computing Services Handbook:
http://www.intranet.sghms.ac.uk/depts/is/cu/handbook2003-4.pdf

Everything is possible....except skiing through a revolving door.


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
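
Added example, not part of the original message: a sketch of the recipient callout the reply points to, written as an Exim 4 configuration fragment for a gateway. The domain `example.co.uk`, the host `mailhost.example.co.uk` and the router name `to_internal` are placeholders, and the fragment assumes the internal server rejects unknown recipients at RCPT time and that a `remote_smtp` transport is already defined.

```conf
# --- main section ---
# Domains this gateway relays to the internal server (placeholder domain).
domainlist relay_to_domains = example.co.uk
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Route the recipient, connect to the host the router picks and issue
  # RCPT TO there. If that server refuses the address, refuse it here,
  # so mail for non-existent users never reaches MailScanner.
  # defer_ok: if the internal server cannot be reached, accept the
  # recipient instead of deferring, so an outage there does not stop
  # inbound mail.
  deny    message = Unknown user
          domains = +relay_to_domains
          !verify = recipient/callout=30s,defer_ok

  accept  domains = +relay_to_domains
  deny    message = relay not permitted

begin routers

# The callout goes to whatever host this router selects (placeholder host).
to_internal:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  route_list = * mailhost.example.co.uk
```

A callout only helps if the internal server answers RCPT honestly: a server that accepts every address and bounces later makes every callout succeed.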
