[svlug] rbl-ing .forwarded emails

Walt Reed svlug at linuxguy.com
Thu Jul 31 11:45:49 PDT 2003


On Thu, Jul 31, 2003 at 02:22:55PM -0400, Justin F. Knotzke said:
> <quote who=Walt Reed date=[030731 14:08]/>
> 
> > MTA level filtering really needs to happen at the ORIGINAL site of
> > reception. Once it gets into one of your inboxes, your best option is to
> > just /dev/null it.
> 
>    Ok, that's sorta what I figured. RBL checking at the MTA level is
> tricky business. I tried out trustic for about 3 hrs and it refused 5
> messages in those 3 hours that I know are from legit addresses. 
> 
>    The other problem I am having is how to block mail at the MTA level
> using an RBL that wasn't forwarded. I _think_ exim has a "trusted" list
> that allows me to bypass rbl checking: (ie if it comes from this address
> don't bother rbl checking).
> 
>    I'll have to dig through the exim docs to find that param.
> 
>    It just seems to me that sending spam to /dev/null isn't going to
> stop SPAM, its only going to stop me from seeing it..

Well, yeah. The same thing with RBL's, spamassasin in the MTA, etc. You
still GET spam, you just don't see it. With RBL's, you tend to use a
little less bandwidth than message / header scanning, and it tends to
work better with some spamware. Some bad software keeps pounding you if
you reject after the DATA phase.

I see you are using exim 3 which is REALLY old.  You should upgrade to
exim 4. You can do SO much more with exim 4.x. Exim 3 also has virtually
zero support from the Exim guys. (I REALLY wish Debian would ship with
exim 4 as default.) If you are running unstable, exim4 is a fairly easy
upgrade (although the conf file has changed quite a bit - you won't be
able to use your old one at all.) There are also unofficial exim4
packages out there for Woody.

Marc also has some Great stuff at:
http://marc.merlins.org/linux/exim/

(Thanks Marc!!)

With Exim 4, I use something like this snippit in my RCPT ACL to
whitelist certain hosts that are listed in various RBL's:

  accept  local_parts = postmaster : abuse
          domains = +local_domains

  deny    ! hosts = /etc/exim4/rblwhitelist
          message =  Rejected: $sender_host_address in block list $dnslist_domain
          dnslists = relays.osirusoft.com : relays.orbd.org : blackholes.easynet.nl

Some of the RBL's are a little too strict. I ALWAYS let in anything sent
to "postmaster" and "abuse" which gives anyone who is blocked a way to
get to me. I actually put a pointer to a web page in my reject message
so people can get a little more info.

I also use my own local blacklist that's Very aggressive, where I even
filter out entire countries (Korea and China are horrible about dealing
with spam.)




More information about the svlug mailing list