Debora is a huge spammers!!!!

Rick Cooper rcooper at dwford.com
Thu Nov 16 13:06:18 GMT 2006


A little scary blocking debora@* but:

In your exim rcpt acl (change the denial message to suit you):

deny message  = $sender_address has been specifically blocked from this site - bye bye!
	senders = wildlsearch;/somedir/Mail_Sender_Block.conf

The format of /somedir/Mail_Sender_Block.conf would be

^\Ndebora@*\N
name@domain.com
^debora@*\.com

The way it works: if the line in the file begins with a circumflex (^) then
the line is treated as a regular expression; otherwise it has to match
exactly. So lines one and three are regexes and line two must be
name@domain.com exactly.

As the keys in the search are subject to expansion you may want to stick to
the syntax:

^\Ndebora@*\N

The \N{expression}\N means "do not expand anything between the \N pairs" to
prevent expansion within the key (debora@|debora*@). If you just use
^debora@* then it will look for debora@, then debora*@ which would match
debora or deborah or deborackleter@.

You could certainly use a match condition instead, but by using the external
file you can add, subtract or modify the data without having to touch the
running exim process. I would put this before anything in the acl except any
host whitelisting, and you might want to add some sanity checks for one of
your hosts and users like (if you use authentication):

!authenticated = *

And
hosts = !/somedir/Mail_local_net (which would contain your local network
like 10.10.10.0/24)

So the whole acl would be

deny message  = $sender_address has been specifically blocked from this site - bye bye!
	!authenticated = *
	hosts = !/somedir/Mail_local_net
	senders = wildlsearch;/somedir/Mail_Sender_Block.conf

So the denial would require that the host does not belong to you, the sender
is not authenticated, and the address appears in the file listing bad
addresses or address regexes.

Rick

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Michael S.
> Sent: Wednesday, November 15, 2006 10:54 PM
> To: 'MailScanner discussion'
> Subject: RE: Debora is a huge spammers!!!!
> 
> Where did you add these rules and what do they look like?
> 
> The debora*.* spam is such a huge problem at the moment!! They must be
> pumping out millions of these spam messages.
> 
> Anyone have Exim rules to stop this? I would like to add it to exim to kill
> it at smtp time instead of waiting for it to get to mailscanner.
> 
> Thanks
> 
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of mikea
> Sent: Wednesday, November 15, 2006 10:32 AM
> To: MailScanner discussion
> Subject: Re: Debora is a huge spammers!!!!
> 
> On Tue, Nov 14, 2006 at 10:31:50AM -0000, Randal, Phil wrote:
> > Not here they weren't.
> > 
> > A simple grep leads to double-counting (because I run milter-greylist),
> > but my point still stands.  Was handled well by my setup without any
> > additional response needed.
> 
> I've found that a lot of the "debora" spam, as well as a fair amount 
> of other spam, matches /6c822ecf/ in one or more of Message-ID and 
> Content-ID headers. I have yet to see a false positive. It's just as
> good as the /From: akstc.*@/ signature, which is nailing a bunch even
> now. 
> 
> If you run milter-regex, it's trivial to build rules for these. 
> 
> -- 
> Mike Andrews, W5EGO
> mikea at mikea.ath.cx
> Tired old sysadmin 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 
> 
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
> 
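
A dry run of the block file and the three ACL conditions described in the message above, added here as an illustration; it is not part of the original post and is not Exim code. It approximates wildlsearch (leading ^ is a regex, leading * is a suffix match, anything else is a case-insensitive literal, with the full sender address as the subject) so keys can be tried against sample senders before they go live. The function names and the simplified expansion handling are assumptions.

```python
import ipaddress
import re

# Constructed inputs: the three keys from the post, plus the local network.
BLOCK_FILE = r"""^\Ndebora@*\N
name@domain.com
^debora@*\.com
"""
LOCAL_NETS = ["10.10.10.0/24"]

def expand_key(key):
    # Approximation of Exim string expansion (assumption): text between \N
    # pairs is kept verbatim; elsewhere a backslash escape is resolved.
    # $-items and octal/hex escapes are not modelled.
    out, protected, i = [], False, 0
    while i < len(key):
        if key.startswith("\\N", i):
            protected = not protected
            i += 2
        elif key[i] == "\\" and not protected and i + 1 < len(key):
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(key[i + 1], key[i + 1]))
            i += 2
        else:
            out.append(key[i])
            i += 1
    return "".join(out)

def matching_key(sender, block_text=BLOCK_FILE):
    # Return the first file line that matches the sender, or None.
    for line in block_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = expand_key(line)
        if key.startswith("^"):      # regular expression, unanchored at the end
            hit = re.search(key, sender, re.IGNORECASE) is not None
        elif key.startswith("*"):    # wildlsearch "ends with" wildcard
            hit = sender.lower().endswith(key[1:].lower())
        else:                        # literal, compared case-insensitively
            hit = key.lower() == sender.lower()
        if hit:
            return line
    return None

def would_deny(host, authenticated, sender):
    # Mirrors the ACL: unauthenticated AND host not local AND sender listed.
    addr = ipaddress.ip_address(host)
    local = any(addr in ipaddress.ip_network(net) for net in LOCAL_NETS)
    return not authenticated and not local and matching_key(sender) is not None
```

Calling matching_key() on a sample of legitimate sender addresses from your own logs shows which keys would cause collateral blocks before the file is deployed.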

